aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test
AgeCommit message (Collapse)Author
2016-07-08ssl: Simplify and refactor testsIngela Anderton Andin
Tests in ECC_SUITE did not always use the certs implied by the name. Variable naming also confused the intent. ssl_certificate_verify_SUITE did not clean up properly and tests could fail due to cache problems.
2016-06-28ssl: All started test nodes must be cleaned upIngela Anderton Andin
Function to stop SSL/TLS node may not exit as a test case will start more than one node and all nodes must be stopped.
2016-06-22ssl: Do not leave zoombie nodes if tests failIngela Anderton Andin
2016-06-15ssl: Make sure openssl client does not use sslv2 helloIngela Anderton Andin
This should only be used in legacy test case not in test cases testing other functionality.
2016-06-15Merge branch 'ingela/ssl/packet_SUITE/test-timeouts'Ingela Anderton Andin
* ingela/ssl/packet_SUITE/test-timeouts: ssl: Make diffrent timeouts
2016-06-15ssl: Make diffrent timeoutsIngela Anderton Andin
Some test cases takes really long time on old machines. But normaly all tests are under 15 seconds. Try to avoid long timeouts for all test cases. Although we like to find a better tuning, set timeouts high for now to avoid tests cases failing with timeout.
2016-06-14Merge branch 'ingela/ssl_to_openssl_SUITE-timeouts'Ingela Anderton Andin
* ingela/ssl_to_openssl_SUITE-timeouts: ssl: Timeout tuning
2016-06-14Merge branch 'ingela/ssl/ssl_basic_SUITE-timeouts'Ingela Anderton Andin
* ingela/ssl/ssl_basic_SUITE-timeouts: ssl: Tune timeouts
2016-06-14Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'Ingela Anderton Andin
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530: Skip crl_hash_dir_expired test for LibreSSL Add ssl_crl_hash_dir module Function for generating OpenSSL-style name hashes Add public_key:pkix_match_dist_point Improve formatting for crl_{check,cache} options Add issuer arg to ssl_crl_cache_api lookup callback Conflicts: lib/public_key/test/public_key_SUITE.erl
2016-06-14Merge branch 'lukas/erts/testfixes-19'Lukas Larsson
* lukas/erts/testfixes-19: erts: Increase bif and nif call_time trace test erts: Fix distribution_SUITE:bulk_send_bigbig on windows erts: Ensure bs_add_overflow test has enough memory kernel: Better explain controlling_process' tcp behaviour kernel: Fix t_recv_delim on bsd os_mon: Make sure to start/stop os_mon in tests correctly ssl: Fix use_interface dist_SSL test erl_interface: Fix signed int overflow tc bug erts: fix atom_roundtrip_r15b tc erts: Require more memory for debug tests
2016-06-14ssl: Fix use_interface dist_SSL testLukas Larsson
Doing inet:port will cause an port_control to be sent to the port, and not all ports in the vm can handle having arbitrary data sent to them.
2016-06-09Add ssl:getstat/1 and ssl:getstat/2Loïc Hoguin
These functions call getstat on the underlying TCP socket. The only way to do this before now was to use a hack, either by looking inside the #sslsocket{} record directly, or by not using the SSL listen/accept functions and upgrading from a TCP socket that is kept around for the purpose of calling getstat later on.
2016-06-07ssl: Tune timeoutsIngela Anderton Andin
2016-06-03ssl: Add option to phase out support for sslv2 client helloIngela Anderton Andin
ssl servers can recognize sslv2 client hellos to interop with clients that support higher version of SSL/TLS but also offers sslv2 Conflicts: lib/ssl/src/tls_connection.erl
2016-06-02ssl: Timeout tuningIngela Anderton Andin
2016-06-01Merge branch 'legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429'Raimo Niskanen
* legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429: Quote curly brackets in command line options Avoid disappearing ETS tables in ssl_dist_SUITE Fix db handle for TLS distribution crl_cache opts Fix ssl_dist_SUITE logging on Windows More logging in ssl_dist_SUITE TLS distribution: crl_check and crl_cache options Allow passing verify_fun for TLS distribution More informative malformed_ssl_dist_opt error
2016-06-01ssl: Avoid two renegotiatesIngela Anderton Andin
2016-06-01ssl: Handle freebsd OpenSSL flavourIngela Anderton Andin
The selection of CA cert files in ssl_ECC_SUITE and ssl_test_lib ought to be refactored, it is quite confusing. But use this workaround until we get time to make a refactor.
2016-06-01Merge branch 'joedevivo/ssl/PR-1063/OTP-13635'Ingela Anderton Andin
* joedevivo/ssl/PR-1063/OTP-13635: ssl:recv timeout() can be 0
2016-06-01Quote curly brackets in command line optionsRaimo Niskanen
Some shells i.e the bash emulating sh regard curly brackets as special characters so e.g {a,b,{}} is expanded to a b {} which is by erlang regarded as 3 arguments instead of a 3-tuple. Other shells e.g Bourne classic /bin/sh, the ash/dash variants and public domain Korn shell all avoid this surprise.
2016-05-31Merge branch 'ingela/ssl/test-timeouts'Ingela Anderton Andin
* ingela/ssl/test-timeouts: ssl: Increase timeouts due to slow test machines
2016-05-31ssl: Increase timeouts due to slow test machinesIngela Anderton Andin
2016-05-31ssl:recv timeout() can be 0Joe DeVivo
gen_tcp:recv allows this, and if you're doing something like Transport:recv(Socket, 0, 0), TCP will work and SSL will exit with function_clause There were other cases of this throughout the module. This PR cleans them all up.
2016-05-31Improve SSL diagnosticsAlexey Lebedeff
There are a lot of cases where `ssl` application just returns unhelpful `handshake failure` or `internal error`. This patch tries to provide better diagnostics so operator can debug his SSL misconfiguration without doing hardcore erlang debugging. Here is an example escript that incorrectly uses server certificate as a client one: https://gist.github.com/binarin/35c34c2df7556bf04c8a878682ef3d67 With the patch it is properly reported as an error in "extended key usage".
2016-05-27ssl: Fix TLS version handling in dtls adepted testsIngela Anderton Andin
2016-05-26ssl: Add BEAST mitigation selection optionKenneth Lakin
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content split BEAST mitigation technique. This commit adds a beast_mitigation SSL option (defaulting to one_n_minus_one) to select or disable the BEAST mitigation technique. Valid option values are (one_n_minus_one | zero_n | disabled).
2016-05-20ssl: Increase timeoutIngela Anderton Andin
We want to avoid tests timeing out regularly on slow test machines.
2016-05-20ssl: Remove use of test_server config macroIngela Anderton Andin
2016-05-20ssl: Disable DTLS test for nowIngela Anderton Andin
We are working on including DTLS support. And we want to include the contributed tests now before making planned enhancements to the test suits.
2016-05-20ssl: move TLS/DTLS version logging into helperAndreas Schultz
Consolidate code that logs TLS/DTLS version during testing into ssl_test_lib.
2016-05-20ssl: tests for DTLSAndreas Schultz
2016-05-19Skip crl_hash_dir_expired test for LibreSSLMagnus Henoch
LibreSSL doesn't like it when we pass a negative number for the -crlhours argument. I'm not sure if there is another way to make it generate a CRL with expiry date in the past, so let's skip that test in this case.
2016-05-10ssl: Correct test suiteIngela Anderton Andin
2016-05-05ssl: Use cipher suite's PRF in prf/5Kenneth Lakin
Use the negotiated cipher suite's PRF algorithm in calls to ssl:prf/5, rather than a hard-coded one. For TLS 1.0 the PRF algorithm was hard-coded to MD5/SHA1. This was correct 100% of the time. For TLS 1.1 and 1.2 the PRF algorithm was hard-coded to SHA256. This was correct only some of the time for TLS 1.2 and none of the time for TLS 1.1. Because the TLS handshake code calls tls_v1:prf/5 through another path, the handshaking process used the negotiated PRF and did not encounter this bug. A new test (prf) has been added to ssl_basic_SUITE to guard against future breakage.
2016-05-04Merge branch 'ingela/ssl-gen-statem/OTP-13464'Ingela Anderton Andin
* ingela/ssl-gen-statem/OTP-13464: ssl: Adapt DTLS to gen_statem ssl: Use gen_statem instead of gen_fsm
2016-05-04ssl: Correct and clean test suiteIngela Anderton Andin
Active option was not handled correctly in all places. Dead code has been removed.
2016-05-03ssl: Use gen_statem instead of gen_fsmIngela Anderton Andin
Also reduce timing issues in tests
2016-04-29ssl: Correct cipher suites conversionIngela Anderton Andin
Correct conversion errors form commit d2381e1a8d7cd54f7dc0a5105d172460b005a8fb
2016-04-27Avoid disappearing ETS tables in ssl_dist_SUITEMagnus Henoch
When recording the fact that a verify function ran, spawn a new process to own the ETS table, to ensure that it's still there when we want to query it.
2016-04-27Fix db handle for TLS distribution crl_cache optsMagnus Henoch
'internal' is reserved for the ssl_crl_cache module. Since the stub CRL cache implementation in the test module essentially uses the file system as its "database", let's pass the directory as database handle.
2016-04-27Fix ssl_dist_SUITE logging on WindowsMagnus Henoch
Can't use single quotes to hide double quotes. Let's fix that with more backslashes.
2016-04-25ssl: Corrections to cipher suite handlingIngela Anderton Andin
It was not possible to mix ssl 3 and 4 tuple cipher suites in the ciphers option. Some ssl_cipher:suite/1 clauses wrongly returned 3-tuples that should have been 4 tuples Conflicts: lib/ssl/test/ssl_basic_SUITE.erl
2016-04-25ssl: Remove use of crypto:rand_bytes/1Ingela Anderton Andin
ssl already used crypto:strong_rand_bytes/1 for most operations as its use cases are mostly cryptographical. Now crypto:strong_rand_bytes/1 will be used everywhere. However crypto:rand_bytes/1 was used as fallback if crypto:strong_rand_bytes/1 throws low_entropy, this will no longer be the case. This is a potential incompatibility. The fallback was introduced a long time ago for interoperability reasons. Now days this should not be a problem, and if it is, the security compromise is not acceptable anyway.
2016-04-13Merge branch 'henrik/update-copyrightyear'Henrik Nord
* henrik/update-copyrightyear: update copyright-year
2016-04-06ssl: Add option signature_algsIngela Anderton Andin
In TLS-1.2 The signature algorithm and the hash function algorithm used to produce the digest that is used when creating the digital signature may be negotiated through the signature algorithm extension RFC 5246. We want to make these algorithm pairs configurable. In connections using lower versions of TLS these algorithms are implicit defined and can not be negotiated or configured. DTLS is updated to not cause dialyzer errors, but needs to get a real implementation later.
2016-04-05Add ssl_crl_hash_dir moduleMagnus Henoch
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
2016-04-04More logging in ssl_dist_SUITEMagnus Henoch
Make SSL nodes used during testing write log messages to a file. Also activate verbose logging of distribution connection events.
2016-03-23Fix transportoption, ssloption, ssloptions types names in the documentationdef_null
2016-03-17TLS distribution: crl_check and crl_cache optionsMagnus Henoch
Allow specifying the crl_check and crl_cache options for TLS distribution connections.
2016-03-17Allow passing verify_fun for TLS distributionMagnus Henoch
Accept a value of the form {Module, Function, State} from the command line. This is different from the {Fun, State} that ssl:connect etc expect, since there's no clean way to parse a fun from a command line argument.