aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test
AgeCommit message (Collapse)Author
2016-04-05Add ssl_crl_hash_dir moduleMagnus Henoch
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
2016-03-23Fix transportoption, ssloption, ssloptions types names in the documentationdef_null
2016-02-25Merge branch 'maint'Henrik Nord
2016-02-25Merge branch 'legoscia/crl-check-without-dp' into maintHenrik Nord
* legoscia/crl-check-without-dp: Be suspicious of certificates without CRL DPs Refactor ssl_crl_SUITE: extract crl_verify_error/6 OTP-13378
2016-02-25Merge branch 'legoscia/critical-extension-verify-none' into maintHenrik Nord
* legoscia/critical-extension-verify-none: ssl: with verify_none, accept critical extensions OTP-13377
2016-02-22Merge branch 'maint'Ingela Anderton Andin
2016-02-22ssl: Newer cipher suites now presented correctlyIngela Anderton Andin
Older SSL/TLS versions have cipher suites that look like {key_exchange(), cipher(), MAC::hash()} and the hash function used by the PRF (Pseudo Random function) is implicit and always the same for that protocol version. In TLS 1.2 a cipher suite is {key_exchange(), cipher(), MAC::hash(), PRF::hash()}. Internally a cipher suite is always a four tuple but for backwards compatibility older cipher suites will be presented as a three tuples, however new cipher suites should be presented as four tuples.
2016-02-22ssl: Include options form connect/listen/accept in connection_information/[1,2]Ingela Anderton Andin
Make sure that options only relevant for one role (client|server) is set to undefined when the other role is invoked. As there are many options to ssl, and many are optional, we choose to filter out all undefined options to avoid overwhelming the user with not relevant information. This way there is no need for any special handling of the role specific options which is also nice.
2016-02-19Merge branch 'ia/ssl/remove-default-DES/OTP-13195'Ingela Anderton Andin
* ia/ssl/remove-default-DES/OTP-13195: ssl: Remove DES ciphers from default configuration
2016-02-18ssl: Remove DES ciphers from default configurationIngela Anderton Andin
DES is not considered secure. Also correct 'Server Name Indication' support description.
2016-02-18Merge branch 'bjorn/remove-test_server/OTP-12705'Björn Gustavsson
* bjorn/remove-test_server/OTP-12705: Remove test_server as a standalone application Erlang mode for Emacs: Include ct.hrl instead test_server.hrl Remove out-commented references to the test_server applications Makefiles: Remove test_server from include path and code path Eliminate use of test_server.hrl and test_server_line.hrl
2016-02-17Be suspicious of certificates without CRL DPsMagnus Henoch
Previously, if certificate revocation checking was turned on, and a certificate didn't contain a CRL Distribution Points extension, and there was no relevant CRL in the cache, then ssl_handshake:crl_check would accept the certificate even if the crl_check option was set to reject certificates for which the revocation status could not be determined. With this change, such certificates will only be accepted if the crl_check option was set to best_effort. The process for CRL validation is described in section 6.3 of RFC 5280. The text doesn't mention any special treatment to be given to certificates without distribution points: it just says "For each distribution point..." (section 6.3.3), which would leave the revocation status undetermined, unless there were "any available CRLs not specified in a distribution point but issued by the certificate issuer". Thus the result of this algorithm should be UNDETERMINED in this case, not UNREVOKED, and the crl_check option should govern how the implementation reacts to this result.
2016-02-17ssl: with verify_none, accept critical extensionsMagnus Henoch
When establishing a TLS connection with {verify, verify_none}, if the server has a certificate with a critical extension, for example a "Netscape Cert Type" extension, certificate verification would fail, which is surprising given that the name of the option suggests that no verification would be performed. With this change, certificate extensions marked as critical are ignored when using verify_none.
2016-02-17Makefiles: Remove test_server from include path and code pathBjörn Gustavsson
Since no test suites includede test_server.hrl, there is no need to have test_server in the include path or code path.
2016-02-16Merge branch 'maint'Ingela Anderton Andin
2016-02-16Merge branch 'ia/pr/958/OTP-13334' into maintIngela Anderton Andin
* ia/pr/958/OTP-13334: ssl: verify cert signature against original cert binary
2016-02-08Merge branch 'maint'Sverker Eriksson
2016-02-08Merge branch 'sverk/ecc-fixes' into maintSverker Eriksson
OTP-13311 * sverk/ecc-fixes: Ensure testing ssl with supported ciphers only Only use supported EC curves in crypto tests Check the result of EC_GROUP_new_curve_* calls
2016-02-08ssl: verify cert signature against original cert binaryMatt Campbell
When searching for a certificate's issuer in the `CertDB`, verify the signature against the original DER certificate from the handshake instead of a re-encoding of the parsed certificate. This avoids false negatives due to differences between DER encoding implementations of OTP and other platforms.
2016-02-02Merge branch 'maint'Zandra
2016-02-02Merge branch 'legoscia/tls-dist-connect-options' into maintZandra
* legoscia/tls-dist-connect-options: ssl_dist_SUITE: don't use deprecated functions TLS distribution: support inet_dist_connect_options OTP-13285
2016-01-28Ensure testing ssl with supported ciphers onlyDániel Szoboszlay
There are two problematic areas: EC curve selection and interoperability tests with OpenSSL. The tests shouldn't assume any particular EC curve is available, but should always check the list of curves reported by tls_v1:ecc_curves/1. And during interoperability tests the tests shouldn't assume that any cipher suite supported by Erlang is also supported by OpenSSL. There are OpenSSL packages where the command line openssl tool only supports a subset of the ciphers available in libcrypto. The actual list of supported cipher suites thus shall be queried from OpenSSL.
2016-01-27Refactor ssl_crl_SUITE: extract crl_verify_error/6Magnus Henoch
Just like crl_verify_valid/5 checks for a positive result given certain options, crl_verify_error/6 checks for a negative result.
2016-01-25Merge branch 'maint'Ingela Anderton Andin
2016-01-21ssl: Fix typos that broke alpn testsIngela Anderton Andin
2016-01-21Merge branch 'maint'Ingela Anderton Andin
2016-01-21ssl: In interop tests always check if SSL/TLS version is supported by OpenSSLIngela Anderton Andin
As sslv3 is being faced out we need to test for old version support as well as newer versions.
2016-01-12ssl_dist_SUITE: don't use deprecated functionsMagnus Henoch
Use erlang:unique_integer/1 instead of erlang:now/0 to generate a unique node name. Use rand:uniform/1 instead of random:uniform/1, so we don't need to generate a seed ourselves.
2016-01-12TLS distribution: support inet_dist_connect_optionsMagnus Henoch
Allow adding extra options for outgoing TLS distribution connnections, as supported for plain TCP connections.
2015-12-15Merge branch 'maint'Ingela Anderton Andin
2015-12-15Merge branch 'ia/libressl' into maintIngela Anderton Andin
* ia/libressl: ssl: Print openssl version string ssl: Do not use environment variables in openSSL config file
2015-12-15Merge branch 'maint'Ingela Anderton Andin
2015-12-15ssl: Convert all test to use "ssl_test_lib:portable_open_port"Ingela Anderton Andin
2015-12-14ssl: Print openssl version stringIngela Anderton Andin
2015-12-14ssl: Do not use environment variables in openSSL config fileIngela Anderton Andin
LibreSSL does not allow it.
2015-12-14Merge branch 'maint'Ingela Anderton Andin
2015-12-11ssl: fix hibernate_after with instant or near instant timeoutsAndrey Mayorov
2015-12-11Merge branch 'maint'Ingela Anderton Andin
2015-12-11ssl: Fix typosIngela Anderton Andin
2015-12-11Merge branch 'maint'Ingela Anderton Andin
2015-12-11Merge branch 'ia/ssl/windows-tests' into maintIngela Anderton Andin
* ia/ssl/windows-tests: ssl: Use test case time out instead ssl: Use spawn_executable
2015-12-09ssl: Use test case time out insteadIngela Anderton Andin
2015-12-09ssl: Use spawn_executableIngela Anderton Andin
2015-12-09ssl: Add renegotiation exceptionIngela Anderton Andin
2015-12-07Merge branch 'maint'Henrik Nord
2015-12-07Merge branch 'rlipscombe/rl-ssl-options' into maintHenrik Nord
* rlipscombe/rl-ssl-options: Ensure single 'raw' option is handled correctly Pass 'raw' options through OTP-13166
2015-12-07Merge branch 'maint'Ingela Anderton Andin
2015-12-03ssl: Add upper limit for session cacheIngela Anderton Andin
If upper limit is reached invalidate the current cache entries, e.i the session lifetime is the max time a session will be keept, but it may be invalidated earlier if the max limit for the table is reached. This will keep the ssl manager process well behaved, not exhusting memeory. Invalidating the entries will incrementally empty the cache to make room for fresh sessions entries.
2015-12-01Merge branch 'maint'Zandra
2015-12-01Merge branch 'legoscia/tls_dist_options' into maintZandra
* legoscia/tls_dist_options: Test interface listen option for TLS distribution Test socket listen options for TLS distribution Test port options for TLS distribution TLS Dist: Use inet_dist_ options Conflicts: lib/ssl/src/ssl_tls_dist_proxy.erl lib/ssl/test/ssl_dist_SUITE.erl OTP-12838