aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test
AgeCommit message (Collapse)Author
2019-02-13Add server GC info to bench resultsRaimo Niskanen
2019-02-05ssl: Use specs to generate type documentationIngela Anderton Andin
2019-02-04ssl: Enhance error handlingIngela Anderton Andin
2019-01-30Merge branch 'peterdmv/ssl/improve_openssl_interop_tests' into maintPéter Dimitrov
* peterdmv/ssl/improve_openssl_interop_tests: ssl: Improve openssl interop tests Change-Id: I65b63ddb8c8948d246e341f8c821b3b499507cb6
2019-01-29ssl: Improve openssl interop testsPéter Dimitrov
openssl 1.1.x changed the default ECC curves that made testcases fail in the ECC suite. openssl s_server and s_client sent 'Illegal Parameter' alert when the CertificateVerify (client) or ServerKeyExchange (server) message was signed with a curve that was not present in openssl's default ECC curve list (x25519, secp256r1, secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1, brainpool512r1). This commit changes the default curve of make_ec_cert_chains to 'secp256r1' and explicitly configures the default curve in those testcases where the default curve of the ssl application is expected. Change-Id: I81ebe1a30b8f863b0e2836b1dad3d8bc767cc47e
2019-01-21ssl: Correct test inputIngela Anderton Andin
2019-01-16ssl: Cuddle testsIngela Anderton Andin
2019-01-14ssl: Add value 'save' to reuse_sessions and reuse_session client optionIngela Anderton Andin
We want to be able to save a specific session to reuse, and make sure it is reusable immediatly when the connection has been established. Add client option {reuse_session, SessionID::binary()} We also do not want clients to save sessions that it did not verify. Additionaly change behaviour of the client and server to not save sessions if reuse_session is set to false.
2019-01-14ssl: Client shall only save verified sessionsIngela Anderton Andin
Modernize test case option handling
2019-01-14ssl: Uncomplicate test codeIngela Anderton Andin
No need for this test case to set a specific cipher suite. An appropriate cipher suite will be negotiated and it will of course be the same for clients with the same configuration.
2019-01-14ssl: Modernize test suiteIngela Anderton Andin
2019-01-10Merge branch 'peterdmv/ssl/fix-crl-suite' into maintPéter Dimitrov
* peterdmv/ssl/fix-crl-suite: ssl: Fix CRL suite with openssl-1.1.1a Change-Id: I2847107b6cf0210c3002c016a6ba49288505d06f
2019-01-10ssl: Add renegotiation test case to OpenSSL sanity checkIngela Anderton Andin
2019-01-10ssl: Better stream handlingIngela Anderton Andin
Remove rizzo rests that made incorrect assumptions
2019-01-09ssl: Fix CRL suite with openssl-1.1.1aPéter Dimitrov
Later versions of openssl do not support negative integers for CRL due time (used for negative testing). As a workaround this commit implements a function that can set CRL due time in seconds and makes the testcase 'crl_hash_dir_expired' sleep for one second. Change-Id: I2ef8b3c6ee545bd09170fa6027cb9ca38cfb42c0
2019-01-08Merge branch 'peterdmv/ssl/fix-srp-encode-decode/ERL-790/OTP-15477' into maintPéter Dimitrov
* peterdmv/ssl/fix-srp-encode-decode/ERL-790/OTP-15477: ssl: Fix encoding/decoding of the SRP extension Change-Id: Iee3276a60041a2c04c89385b2de2edb1cd81babd
2019-01-08ssl: Fix encoding/decoding of the SRP extensionPéter Dimitrov
The encoded value of the SRP extension length was bigger than the actual length of the extension. This could cause interoperability problems with third party SSL implementations. This commit corrects the encoding and decoding of the SRP extension length. Change-Id: I78d118faab7f5d02b755a7d1e2e8561b86f5a15c
2018-12-27ssl: Gurantee active once data deliveryIngela Anderton Andin
New internal active N changed timing, and new check is needed.
2018-12-20ssl: Add renegotiate test caseIngela Anderton Andin
2018-12-20ssl: Fix downgradeIngela Anderton Andin
Both test case and code needed updates to work as intended. Code needed update due to new tls_sender process and the test case gave false positive reusult erarlier probably due to beeing to sloopy in order to avoid timeouts.
2018-12-20ssl: Add static_env recordIngela Anderton Andin
State values created at init
2018-12-19ssl: Add renegotiate test caseIngela Anderton Andin
2018-12-19ssl: Cuddle test casesIngela Anderton Andin
Cipher test case also needed updating to handle streams correctly We should not rizzo test chacha20_poly1305 Conflicts: lib/ssl/test/ssl_basic_SUITE.erl
2018-12-14ssl: Fix test caseIngela Anderton Andin
packet raw is a stream, test code manged it packet oriented in the function active_raw.
2018-12-13ssl: Fix downgradeIngela Anderton Andin
Both test case and code needed updates to work as intended. Code needed update due to new tls_sender process and the test case gave false positive reusult erarlier probably due to beeing to sloopy in order to avoid timeouts.
2018-12-12ssl: Add static_env recordIngela Anderton Andin
State values created at init
2018-12-05Rewrite to work for stream connectionRaimo Niskanen
2018-12-04Merge branch 'raimo/ssl/tls_dist-profiling' into maintRaimo Niskanen
* raimo/ssl/tls_dist-profiling: Improve benchmark Implement print on other node Fix compiler warnings
2018-12-04Merge branch 'ingela/ssl/test-cuddle-ssl_basic_SUITE' into maintIngela Anderton Andin
* ingela/ssl/test-cuddle-ssl_basic_SUITE: ssl: Correct test case
2018-12-03ssl: Correct ssl:shutdownIngela Anderton Andin
When internaly using active N, bugs in shutdown implementation where reveled.
2018-12-03ssl: Internaly use {active, N}Ingela Anderton Andin
Make next_record an internal help function to next_event and avoid duplicate calls to tls_socket:setopts for setting the active option.
2018-12-03ssl: Correct test caseIngela Anderton Andin
2018-11-30Improve benchmarkRaimo Niskanen
2018-11-30Fix compiler warningsRaimo Niskanen
2018-11-30crypto: Update test engine with fake rsa supportHans Nilsson
We need to test the Engine interface not only for loading, key retrieval and hashing, so it is complemented with a fake rsa method to check sign/verify also.
2018-11-12ssl: Handle unicode ~s -> ~tsIngela Anderton Andin
2018-11-09ssl: Add engine handling clause to RSA key exchangeIngela Anderton Andin
2018-11-05ssl: controlling_process should be allowed on transpor_accept sockets alongIngela Anderton Andin
with handshake Fix of commit 68d9244ae33e5eea36250c3bb9ffe046a4db5647
2018-11-02ssl: Correct filter functionIngela Anderton Andin
2018-11-02ssl: Make sure benchmark SUITE has a clean startIngela Anderton Andin
2018-11-01ssl: Return error to user that tries to use a "transport accepted" socket forIngela Anderton Andin
other purposes than handshaking
2018-10-10ssl: TLS sender process needs to get updates of the socket option packetIngela Anderton Andin
If the socket option is set to {packet, 1|2|3|4} sender process needs to add a packet length header. If packet is changed with ssl:setopts/2 this needs to be communicated to tls_sender.
2018-10-08ssl: ERL-738 - Correct alert handling with new TLS sender processIngela Anderton Andin
With the new TLS sender process, solving ERL-622, TLS ALERTs sent in the connection state must be encrypted and sent by the TLS sender process. This to make sure that the correct encryption state is used to encode the ALERTS. Care must also be taken to ensure a graceful close down behavior both for normal shutdown and downgrading from TLS to TCP. The original TR ERL-738 is verified by cowboy tests, and close down behavior by our tests. However we alas have not been able to yet create a minimal test case for the originating problem. Also it seems it has become less likely that we run in to the TCP delivery problem, that is the guarantee is only on transport level, not application level. Keep work around function in ssl_test_lib but we can have better test as long as we do not get to much wobbling tests.
2018-09-21Update copyright yearHenrik Nord
2018-09-20ssl: Improve interop checksIngela Anderton Andin
2018-09-12ssl: Handle incomplete and unorded chainsIngela Anderton Andin
If the peer sends an incomplete chain that we can reconstruct with our known CA-certs it will be accepted. We will assume that the peer honors the protocol and sends an orded chain, however if validation fails we will try to order the chain in case it was unorded. Will also handle that extraneous cert where present. See Note form RFC 8446 Note: Prior to TLS 1.3, "certificate_list" ordering required each certificate to certify the one immediately preceding it; however, some implementations allowed some flexibility. Servers sometimes send both a current and deprecated intermediate for transitional purposes, and others are simply configured incorrectly, but these cases can nonetheless be validated properly. For maximum compatibility, all implementations SHOULD be prepared to handle potentially extraneous certificates and arbitrary orderings from any TLS version, with the exception of the end-entity certificate which MUST be first.
2018-09-11ssl: Correct handling of all PSK cipher suitesIngela Anderton Andin
Before only some PSK suites would be correctly negotiated and most PSK ciphers suites would fail the connection. PSK cipher suites are anonymous in the sense that they do not use certificates except for rsa_psk.
2018-08-27ssl: Add new sender process for TLS state machineIngela Anderton Andin
Separate sending and receiving when using TCP as transport as prim_inet:send may block which in turn may result in a deadlock between two Erlang processes communicating over TLS, this is especially likely to happen when running Erlang distribution over TLS.
2018-08-21ssl: Move formatting code to own moduleIngela Anderton Andin
The conversion code for different representations of cipher suites is long an repetitive. We want to hide it in a module that does not have other functions that we like to look at.
2018-08-14Merge branch 'ingela/ssl/ERL-686/OTP-15224' into maintIngela Anderton Andin
* ingela/ssl/ERL-686/OTP-15224: ssl: Error handling improvment