| Age | Commit message (Collapse) | Author |
|---|
|
* ia/pr/958/OTP-13334:
ssl: verify cert signature against original cert binary
|
|
OTP-13311
* sverk/ecc-fixes:
Ensure testing ssl with supported ciphers only
Only use supported EC curves in crypto tests
Check the result of EC_GROUP_new_curve_* calls
|
|
When searching for a certificate's issuer in the `CertDB`, verify the signature
against the original DER certificate from the handshake instead of a re-encoding
of the parsed certificate. This avoids false negatives due to differences
between DER encoding implementations of OTP and other platforms.
|
|
* legoscia/tls-dist-connect-options:
ssl_dist_SUITE: don't use deprecated functions
TLS distribution: support inet_dist_connect_options
OTP-13285
|
|
There are two problematic areas: EC curve selection and
interoperability tests with OpenSSL.
The tests shouldn't assume any particular EC curve is available, but
should always check the list of curves reported by
tls_v1:ecc_curves/1.
And during interoperability tests the tests shouldn't assume that any
cipher suite supported by Erlang is also supported by OpenSSL. There
are OpenSSL packages where the command line openssl tool only supports
a subset of the ciphers available in libcrypto. The actual list of
supported cipher suites thus shall be queried from OpenSSL.
|
|
|
|
As sslv3 is being faced out we need to test for old version support as well as
newer versions.
|
|
Use erlang:unique_integer/1 instead of erlang:now/0 to generate a
unique node name.
Use rand:uniform/1 instead of random:uniform/1, so we don't need to
generate a seed ourselves.
|
|
Allow adding extra options for outgoing TLS distribution connnections,
as supported for plain TCP connections.
|
|
* ia/libressl:
ssl: Print openssl version string
ssl: Do not use environment variables in openSSL config file
|
|
|
|
|
|
LibreSSL does not allow it.
|
|
|
|
|
|
* ia/ssl/windows-tests:
ssl: Use test case time out instead
ssl: Use spawn_executable
|
|
|
|
|
|
|
|
* rlipscombe/rl-ssl-options:
Ensure single 'raw' option is handled correctly
Pass 'raw' options through
OTP-13166
|
|
If upper limit is reached invalidate the current cache entries, e.i the session
lifetime is the max time a session will be keept, but it may be invalidated
earlier if the max limit for the table is reached. This will keep the ssl
manager process well behaved, not exhusting memeory. Invalidating the entries
will incrementally empty the cache to make room for fresh sessions entries.
|
|
* legoscia/tls_dist_options:
Test interface listen option for TLS distribution
Test socket listen options for TLS distribution
Test port options for TLS distribution
TLS Dist: Use inet_dist_ options
Conflicts:
lib/ssl/src/ssl_tls_dist_proxy.erl
lib/ssl/test/ssl_dist_SUITE.erl
OTP-12838
|
|
* legoscia/tls_dist_nodelay:
Add test for dist_nodelay option
Honour dist_nodelay socket option in tls_dist proxy
OTP-13143
|
|
Add a test to ensure that a single 'raw' option can be passed to
ssl:listen correctly.
Note: multiple raw options are (incorrectly) handled by
inet:listen_options. See
http://erlang.org/pipermail/erlang-questions/2014-March/078371.html
|
|
Add test that checks that the option inet_dist_use_interface is used
when starting a node with TLS distribution.
|
|
Add test that checks that the option inet_dist_listen_options is used
when starting a node with TLS distribution.
This test was adapted from inet_dist_options_options in
erl_distribution_SUITE.
|
|
Add test that checks that the options inet_dist_listen_min and
inet_dist_listen_max are used when starting a node with TLS
distribution.
|
|
Needed after the fix in 120975c4fcb57ecd14031ac046f483e56a3daa4d.
|
|
Run the 'basic' test with dist_nodelay set to false.
|
|
To avoid test case failure due to test case setup timing issues.
Suspected problem is that the listen queue builds up to quickly in
client_unique_session test when running on slow computers.
|
|
|
|
Soft upgrade test did not work as expected due to that the upgrade
frame work keeps the control of the test case process to itself,
so we need a proxy process to receive messages from ssl test framework.
|
|
|
|
* ia/ssl/register-unique-session/OTP-12980:
ssl: Correct return value of default session callback module
|
|
Add possibility to downgrade an SSL/TLS connection to a tcp connection,
and give back the socket control to a user process.
Add application setting to be able to change fatal alert shutdown
timeout, also shorten the default timeout. The fatal alert timeout is
the number of milliseconds between sending of a fatal alert and
closing the connection. Waiting a little while improves the
peers chances to properly receiving the alert so it may
shutdown gracefully.
|
|
ssl_session_cache:select_session/2 returned [sesionid(), #session{}]
instead of #session{} as the API demands.
This was wrongly compensated for in the code in one place making it
look like everything was good. But the client check for unique session
would always fail, potentially making the client session table grow
a lot and causing long setup times.
|
|
|
|
|
|
|
|
* ia/ssl/modern-timetrap:
ssl: Make init functions fail if make_certs:all fails
ssl: Avoid sleep
ssl: modernize timetrap handling
|
|
|
|
When possible avoid sleep in test cases.
|
|
Watchdog is legacy test_server use only ct:timetrap/1
|
|
|
|
The test cases does not use any hooks and including the ts_install_cth
trips up the test case setup on some platforms cuasing the test cases
to fail with {error, enoent}
|
|
* ia/ssl/test-fips:
ssl: Filter suites for openssl FIPS if necessary
|
|
|
|
* ferd/deny-client-renegotiation:
Add disable client-initiated renegotiation option
Conflicts:
lib/ssl/doc/src/ssl.xml
lib/ssl/src/ssl.erl
OTP-12815
|
|
Client-initiated renegotiation is more costly for the server than the
client, and this feature can be abused in denial of service attempts.
Although the ssl application already takes counter-measure for these
(via cooldown periods between renegotiations), it can be useful to
disable the feature entirely.
This patch adds the `{client_renegotiation, boolean()}' option to the
server-side of the SSL application (defaulting to `true' to be
compatible with the current behaviour).
The option disables the ability to do any renegotiation at all in the
protocol's state, reusing the existing denial code, but without opening
the code path that sets up a timed message to eventually reopen it up.
|
|
|
