path: root/lib/ssl
Age | Commit message | Author
2014-08-11 | ssl: Test ECDSA and improve test suite maintainability | Ingela Anderton Andin
Use generated certs instead of hard coded
2014-08-08 | ssl: Correct handling of certificate_types in Certificate Requests | Ingela Anderton Andin
FROM TLS 1.2 RFC:

The interaction of the certificate_types and supported_signature_algorithms fields is somewhat complicated. certificate_types has been present in TLS since SSLv3, but was somewhat underspecified. Much of its functionality is superseded by supported_signature_algorithms. The following rules apply:

- Any certificates provided by the client MUST be signed using a hash/signature algorithm pair found in supported_signature_algorithms.
- The end-entity certificate provided by the client MUST contain a key that is compatible with certificate_types. If the key is a signature key, it MUST be usable with some hash/signature algorithm pair in supported_signature_algorithms.
- For historical reasons, the names of some client certificate types include the algorithm used to sign the certificate. For example, in earlier versions of TLS, rsa_fixed_dh meant a certificate signed with RSA and containing a static DH key. In TLS 1.2, this functionality has been obsoleted by the supported_signature_algorithms, and the certificate type no longer restricts the algorithm used to sign the certificate. For example, if the server sends dss_fixed_dh certificate type and {{sha1, dsa}, {sha1, rsa}} signature types, the client MAY reply with a certificate containing a static DH key, signed with RSA-SHA1.
2014-07-07 | Merge branch 'dnet/parse_sni' into maint | Bruce Yinhe
* dnet/parse_sni:
  added SNI decode test to SSL handshake suite
  ssl: parse SNI in received client hello records

OTP-12048
2014-06-19 | Prepare release | Erlang/OTP
2014-06-16 | Revert "ssl: Avoid creating a huge session table" | Ingela Anderton Andin
This reverts commit fcc6a756277c8f041aae1b2aa431e43f9285c368.
2014-06-16 | Merge branch 'ia/ssl/test-cuddle' into maint | Ingela Anderton Andin
* ia/ssl/test-cuddle: ssl: Test case stability
2014-06-12 | ssl: Test case stability | Ingela Anderton Andin
2014-06-12 | ssl: Fix dialyzer specs to reflect reality | Ingela Anderton Andin
2014-06-12 | Merge branch 'ia/ssl/CSS/OTP-11975' into maint | Ingela Anderton Andin
* ia/ssl/CSS/OTP-11975: ssl: Make sure change cipher spec is correctly handled
2014-06-11 | Merge branch 'ia/ssl/version-argument' into maint | Ingela Anderton Andin
* ia/ssl/version-argument: ssl: Version argument to ssl_cipher:anonymous_suites should not be added yet!
2014-06-11 | ssl: Make sure change cipher spec is correctly handled | Ingela Anderton Andin
2014-06-11 | Merge branch 'qrilka/ssl-seconds-in-24h' into maint | Henrik Nord
* qrilka/ssl-seconds-in-24h: ssl: Fix incorrect number of seconds in 24 hours
2014-06-05 | added SNI decode test to SSL handshake suite | András Veres-Szentkirályi
2014-06-05 | ssl: Version argument to ssl_cipher:anonymous_suites should not be added yet! | Ingela Anderton Andin
2014-06-05 | Merge branch 'ia/ssl/dumb-clients/OTP-11969' into maint | Ingela Anderton Andin
* ia/ssl/dumb-clients/OTP-11969: ssl: Avoid creating a huge session table
2014-06-04 | Merge branch 'RoadRunnr/ssl/fix-tests' into maint | Marcus Arendt
* RoadRunnr/ssl/fix-tests:
  SSL: fix OpenSSL known renegotiation bug detection
  SSL: in tests, filter ssl client ciphers for version compatibility
2014-06-04 | Merge branch 'ia/ssl/default-ciphers/OTP-11966' into maint | Ingela Anderton Andin
* ia/ssl/default-ciphers/OTP-11966:
  ssl: Workaround that gen_fsm does not call CB:format_status when CB:terminate crashes.
  SSL: always filter the full list of supported ciphers against the supported algorithms
  ssl: Filter default ciphers for supported Crypto algorithms
2014-06-03 | ssl: Workaround that gen_fsm does not call CB:format_status when CB:terminate crashes. | Ingela Anderton Andin
2014-06-03 | SSL: always filter the full list of supported ciphers against the supported algorithms | Andreas Schultz
With the addition of more ciphers that are not supported in all configurations, using a manually prefiltered cipher list (e.g. EC vs. non-EC ciphers) becomes too complex. Replace the manual split with ssl_cipher:filter_suites/1 in all places.
Conflicts:
  lib/ssl/src/ssl.erl
  lib/ssl/src/tls_v1.erl
2014-06-01 | ssl: parse SNI in received client hello records | András Veres-Szentkirályi
2014-05-28 | ssl: Fix incorrect number of seconds in 24 hours | Kirill Zaborsky
24 hours in seconds should be equal to 86400 and 86400000 in milliseconds
2014-05-28 | SSL: fix OpenSSL known renegotiation bug detection | Andreas Schultz
The OpenSSL detection match would actually consider all 1.0.1 versions as affected when really only 1.0.1 - 1.0.1c are.
2014-05-28 | SSL: in tests, filter ssl client ciphers for version compatibility | Andreas Schultz
Some psk and some not yet supported anonymous suites are only supported with TLS version >= 1.2. This adds them to the tests and makes sure that they are not tested on TLS versions that do not support them.
2014-05-28 | ssl: Filter default ciphers for supported Crypto algorithms | Ingela Anderton Andin
2014-05-28 | ssl: Prepare for release | Ingela Anderton Andin
2014-05-27 | ssl: Correct test SUITE | Ingela Anderton Andin
2014-05-27 | ssl: Add format_status function to ssl connection process | Ingela Anderton Andin
2014-05-26 | ssl: Add ssl options to listen options tracker | Ingela Anderton Andin
2014-05-26 | ssl: Move init | Ingela Anderton Andin
2014-05-22 | Merge branch 'dz/fix_ssl_max_seq_num' into maint | Marcus Arendt
* dz/fix_ssl_max_seq_num: ssl: fix max sequence number so it does not overflow
2014-05-14 | ssl: Fix dialyzer spec | Ingela Anderton Andin
2014-05-13 | ssl: Only allow one next protocol handshake message | Ingela Anderton Andin
2014-05-12 | Merge branch 'ia/ssl/inherit/OTP-11897' into maint | Ingela Anderton Andin
* ia/ssl/inherit/OTP-11897: ssl: Handle socket option inheritance when pooling of accept sockets is used
2014-05-10 | ssl: fix max sequence number so it does not overflow | Danil Zagoskin
The old value of 18446744073709552000 was calculated using math:pow which returns float therefore isn't precise. And it would overflow:
  erlang:integer_to_list(18446744073709552000, 16) = "10000000000000180"
This patch changes MAX_SEQENCE_NUMBER to value calculated with bitwise shift:
  (1 bsl 64) - 1 = 18446744073709551615
2014-05-09 | Merge branch 'ia/ssl/false-alerts/OTP-11890' into maint | Ingela Anderton Andin
* ia/ssl/false-alerts/OTP-11890: ssl: Add checks to avoid processing of illegal alerts
2014-05-09 | ssl: Handle socket option inheritance when pooling of accept sockets is used | Ingela Anderton Andin
Implement a listen socket tracker process that holds the emulated socket options so that it is possible to implement a destructive ssl:setopts on SSL/TLS listen sockets without changing the options of the internal socket as we want that socket to have the internal socket option values.
2014-05-07 | ssl: SSL/TLS version input list shall not be order dependent | Ingela Anderton Andin
2014-04-30 | ssl: Add checks to avoid processing of illegal alerts | Ingela Anderton Andin
2014-04-24 | ssl: Fixes ssl_crl_SUITE errors on mixed ipv6-v4 interfaces | Hans Nilsson
2014-04-24 | ssl: Remove outdated documentation | Ingela Anderton Andin
2014-04-23 | ssl: Fix crash on garbage during handshake | Danil Zagoskin
If a client sends some garbage in ssl record instead of valid fragment, server crashes with function_clause while receiving next record from client. This patch makes server raise handshake failure instead of crashing and exposing internal state to user code.
2014-04-23 | ssl: Refactor so that there is only one source for the default hashsign values | Ingela Anderton Andin
Also fix DTLS call to supply its corresponding TLS version
2014-04-23 | ssl: always pass negotiated version when selecting hashsign | Danil Zagoskin
Negotiated version is now always passed to ssl_handshake:select_hashsign because ssl_handshake:select_cert_hashsign has different rsa defaults on tlsv1.2 and older versions.
2014-04-23 | ssl: TLSv1.2: proper default sign algo for RSA | Danil Zagoskin
2014-04-22 | Merge branch 'ia/ssl/decrypt-alert/OTP-11880' into maint | Ingela Anderton Andin
* ia/ssl/decrypt-alert/OTP-11880: ssl: Correct decryption error handling
2014-04-22 | Merge branch 'ia/ssl/recv/OTP-11878' into maint | Ingela Anderton Andin
* ia/ssl/recv/OTP-11878: ssl: recv shall return {error, einval} on active socket
2014-04-22 | Merge branch 'ia/ssl/suites-match-negotiated-version/OTP-11875' into maint | Ingela Anderton Andin
* ia/ssl/suites-match-negotiated-version/OTP-11875: ssl: Select supported cipher suites for the negotiated SSL/TLS-version
2014-04-17 | ssl: Correct decryption error handling | Ingela Anderton Andin
2014-04-17 | ssl: recv shall return {error, einval} on active socket | Ingela Anderton Andin
2014-04-17 | ssl: Graceful handling of warning alerts | Ingela Anderton Andin
Generalize last warning alert function clause