aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test
AgeCommit message (Collapse)Author
2017-05-25Fix non-delivery of ssl_closed message in active onceJohannes Weißl
The commit 8b10920 (OTP 19.3.1) fixed the non-delivery of final TLS record in {active, once}, but this causes the ssl_closed message to be lost when the TCP connection closes before ssl:close/1. The patch restores the behavior of OTP 18. This is the second part to fix https://bugs.erlang.org/browse/ERL-420
2017-05-19ssl: Improve testsIngela Anderton Andin
Test should check that we get the expected key exchange algorithm for the provided server cert. We do not want to test OpenSSL s_server. Do not try to test cipher suites against OpenSSL that it does not support.
2017-05-19ssl: Add missing algorithm ecdh_ecdsaIngela Anderton Andin
2017-05-15Merge branch 'ingela/ssl/bench-certs'Ingela Anderton Andin
* ingela/ssl/bench-certs: ssl: Disable Server Name verification in bench tests for now
2017-05-15ssl: Disable Server Name verification in bench tests for nowIngela Anderton Andin
2017-05-11Merge branch 'ingela/ssl/windows-cuddle'Ingela Anderton Andin
* ingela/ssl/windows-cuddle: ssl: Only run sslv2 reject tests on old OpenSSL version ssl: Try to workaround OpenSSL windows obscurities
2017-05-09ssl: Only run sslv2 reject tests on old OpenSSL versionIngela Anderton Andin
2017-05-08ssl: Try to workaround OpenSSL windows obscuritiesIngela Anderton Andin
2017-05-06ssl: Add hostname check of server certificateIngela Anderton Andin
When the server_name_indication is sent automatize the clients check of that the hostname is present in the servers certificate. Currently server_name_indication shall be on the dns_id format. If server_name_indication is disabled it is up to the user to do its own check in the verify_fun.
2017-05-04Update copyright yearRaimo Niskanen
2017-04-21ssl: Rewrite test data generationIngela Anderton Andin
With the new help functions for creating test data we can simplify the code. And sometimes corrections have been made so that the test actually perform the test intended.
2017-04-12ssl: Generate correct certificate chains for the ECC testsIngela Anderton Andin
The certificate chain handling had become quite entangled and was not correct.
2017-03-23Merge branch 'ingela/ssl/make-cert-test-data/OTP-14294'Ingela Anderton Andin
* ingela/ssl/make-cert-test-data/OTP-14294: ssl, public_key: Add functionality for generating X509 cert test data
2017-03-23ssl, public_key: Add functionality for generating X509 cert test dataIngela Anderton Andin
For now this functionality is located in ssl. And existing public_key function is extended. However some of the functionality may be moved to public_key in a later stage.
2017-03-21ssl: Add connection information itemsIngela Anderton Andin
Add session_id and remove undocumented ssl:session_info/1 Add client_random, server_random and master_secret, they will not be included in ssl:connection_information/1 as they may affect the connections security if used recklessly.
2017-03-10dtls: Test case fixesIngela Anderton Andin
2017-03-08Merge branch 'maint'Ingela Anderton Andin
2017-03-08dtls: Only test this for TLS for nowIngela Anderton Andin
We want to avoid failing test cases but still be able to merge DTLS progress for 19.3
2017-03-07dtls: Avoid mixup of protocol to testIngela Anderton Andin
2017-03-06dtls: Correct dialyzer spec and postpone inclusion of testIngela Anderton Andin
The new_options_in_accept test is not working yet, however DTLS is still work in progress and we want to make a progress merge to avoid merge conflicts with other progress of the ssl application.
2017-03-06dtls: Enable some DTLS tests in ssl_to_openssl_SUITEIngela Anderton Andin
We need to figure out a good way of knowing if the OpenSSL-"DTLS server" is up. Some of the code in this commit is attempting this, but it is not really working yet, and hence only tests where OpenSSL is client are enabled.
2017-03-06dtls: Enable DTLS test in ssl_certificate_verify_SUITEIngela Anderton Andin
2017-03-06dtls: Hibernation and retransmit timersIngela Anderton Andin
Change retransmissions timers to use gen_statem state timeouts. We do not need a retransmission timer in the state connection as data traffic in DTLS over UDP is not retransmitted. If the last flight before transitioning into connection is lost, it will be resent when the peer resends its last flight. This will also make hibernation testing more straight forward. We need more adjustments later to handle a reliable DTLS transport such as SCTP.
2017-03-06dtls: DTLS specific handling of socket and ciphersIngela Anderton Andin
DTLS does not support stream ciphers and needs diffrent handling of the "#ssl_socket{}" handle .
2017-03-06Merge branch 'maint'Siri Hansen
2017-02-20Add dummy end_per_suite/1Siri Hansen
common_test requires that if init_per_suite/1 exists, then end_per_suite/1 must also exist. If end_per_suite/1 does not exist, then it will be marked in the log as failed with reason 'undef'. Some test suites are corrected to avoid this.
2017-02-14Merge branch 'maint'Ingela Anderton Andin
2017-02-13ssl: Test case robustnessIngela Anderton Andin
2017-02-08ssl: Avoid SSL/TLS hello format confusionIngela Anderton Andin
Valid SSL 3.0 or TLS hellos might accidentally match SSL 2.0 format (and sometimes the other way around before inspecting data) so we need to match SSL 3.0 and TLS first and only match SSL 2.0 hellos when flag to support it is set.
2017-01-25Merge branch 'maint'Ingela Anderton Andin
2017-01-25Merge branch 'ingela/ssl/crl-validity' into maintIngela Anderton Andin
* ingela/ssl/crl-validity: ssl: Make crls valid for a week instead of 24 hours
2017-01-25Merge branch 'maint'Ingela Anderton Andin
2017-01-25Merge branch 'egil/percept/remove-application/OTP-14163'Björn-Egil Dahlberg
* egil/percept/remove-application/OTP-14163: ssl: Remove percept from benchmark otp: Don't mention percept in documentation runtime_tools: Remove percept percept: Remove application
2017-01-20ssl: Remove percept from benchmarkBjörn-Egil Dahlberg
2017-01-19ssl: Move PEM cache to a dedicated processIngela Anderton Andin
The PEM cache handling has proven to be too disruptive of the manager process.
2017-01-17ssl: Handle really big handshake packagesIngela Anderton Andin
If a handshake message is really big it could happen that the ssl process would hang due to failing of requesting more data from the socket. This has been fixed. Also added option to limit max handshake size. It has a default value that should be big enough to handle normal usage and small enough to mitigate DoS attacks.
2017-01-12ssl: Make crls valid for a week instead of 24 hoursIngela Anderton Andin
With the 24 option we might be unlucky and get failing tests just because cert expired before the test is run.
2016-12-07Update copyright-yearErlang/OTP
2016-12-06Merge branch 'ingela/dtls/statem/OTP-12982' into maintIngela Anderton Andin
* ingela/dtls/statem/OTP-12982: ssl: Implement DTLS state machine
2016-12-05Merge branch 'ingela/ECC-tests' into maintIngela Anderton Andin
* ingela/ECC-tests: ssl: Make sure common-test priv_dir is used for test case generated files
2016-12-05ssl: Implement DTLS state machineIngela Anderton Andin
Beta DTLS, not production ready. Only very basically tested, and not everything in the SPEC is implemented and some things are hard coded that should not be, so this implementation can not be consider secure. Refactor "TLS connection state" and socket handling, to facilitate DTLS implementation. Create dtls "listner" (multiplexor) process that spawns DTLS connection process handlers. Handle DTLS fragmentation. Framework for handling retransmissions. Replay Detection is not implemented yet. Alerts currently always handled as in TLS.
2016-11-10ssl: Use SHA2 for signing ECC certs if possibleIngela Anderton Andin
ECC certs should preferably use SHA2, this is what we want to be testing. Also assembling of all available test suites must consider TLS version.
2016-11-09Merge branch 'ingela/ssl/tune-timeouts-packet_SUITE' into maintIngela Anderton Andin
* ingela/ssl/tune-timeouts-packet_SUITE: ssl: Change to more modest timeouts
2016-11-09ssl: Remove faulty workaroundIngela Anderton Andin
We where never really satisfied with this workaround it was a bit far fetched, so we are pleased to be able to remove it.
2016-11-07ssl: Make sure common-test priv_dir is used for test case generated filesIngela Anderton Andin
2016-11-02Add ECC curve selection order config in TLS serverFred Hebert
As per RFC 4492 Sec 5.1, the preferred order of selection of named curves is based on client preferences. Currently, the SSL application only picks entries according to the absolute order of entries as tracked in a hardcoded list in code. This patch changes things so that the client-specified order is preferred. It also allows a mode where the server can be configured to override the client's preferred order with its own, although the chosen ECC must still be within both lists. The configuration is done through the following options: - `eccs`, shared by clients and servers alike, allows the specification of the supported named curves, in their preferred order, and may eventually support more values for explicit primes and so on. - `honor_ecc_order`, a server-only option, is similar to `honor_cipher_order` and will, by default let the server pick the client-preferred ECC, and otherwise pick the server-preferred one. The default value for `eccs` is the same as before, although the server-chosen ECC now defaults to the client rather than previous choice. A function `ssl:eccs()` has been added that returns the highest supported ECCs for the library.
2016-10-21ssl: Change to more modest timeoutsIngela Anderton Andin
This should be fine as timeout problem was due to test case bug that treated a stream as if it was packet oriented.
2016-10-14ssl: Tune timeout for old solaris machineIngela Anderton Andin
2016-10-11Merge branch 'ingela/ssl/crl_SUITE' into maintIngela Anderton Andin
* ingela/ssl/crl_SUITE: ssl: Make sure test has correct input
2016-10-04ssl: Correct tests tcp stream handlingIngela Anderton Andin
Data collection function active_once_raw/4 did not handle streamed data correctly (it assumed the stream was "packet oriented"), which could result in that the test case perceived that it did not receive all data even though it did.