aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
AgeCommit message (Collapse)Author
2015-12-28Merge branch 'legoscia/tls_dist_error_reporting' into maintZandra
* legoscia/tls_dist_error_reporting: Report bad options for outgoing TLS distribution Save error reasons for TLS distribution connections Report bad options for TLS distribution connections OTP-13219
2015-12-16Merge tag 'OTP-18.2' into maintHenrik Nord
=== OTP-18.2 === Changed Applications: - asn1-4.0.1 - common_test-1.11.1 - compiler-6.0.2 - crypto-3.6.2 - dialyzer-2.8.2 - diameter-1.11.1 - erl_docgen-0.4.1 - erl_interface-3.8.1 - erts-7.2 - eunit-2.2.12 - hipe-3.14 - inets-6.1 - jinterface-1.6.1 - kernel-4.1.1 - observer-2.1.1 - parsetools-2.1.1 - public_key-1.1 - runtime_tools-1.9.2 - sasl-2.6.1 - snmp-5.2.1 - ssh-4.2 - ssl-7.2 - stdlib-2.7 - test_server-3.9.1 - tools-2.8.2 - typer-0.9.10 - wx-1.6 - xmerl-1.3.9 Unchanged Applications: - cosEvent-2.2 - cosEventDomain-1.2 - cosFileTransfer-1.2 - cosNotification-1.2 - cosProperty-1.2 - cosTime-1.2 - cosTransactions-1.3 - debugger-4.1.1 - edoc-0.7.17 - eldap-1.2 - et-1.5.1 - gs-1.6 - ic-4.4 - megaco-3.18 - mnesia-4.13.2 - odbc-2.11.1 - orber-3.8 - os_mon-2.4 - ose-1.1 - otp_mibs-1.1 - percept-0.8.11 - reltool-0.7 - syntax_tools-1.7 - webtool-0.9
2015-12-15Merge branch 'ia/libressl' into maintIngela Anderton Andin
* ia/libressl: ssl: Print openssl version string ssl: Do not use environment variables in openSSL config file
2015-12-15ssl: Convert all test to use "ssl_test_lib:portable_open_port"Ingela Anderton Andin
2015-12-15Update release notesErlang/OTP
2015-12-15Merge branch 'ia/libressl' into maintErlang/OTP
* ia/libressl: ssl: Print openssl version string ssl: Do not use environment variables in openSSL config file
2015-12-14ssl: Print openssl version stringIngela Anderton Andin
2015-12-14ssl: Do not use environment variables in openSSL config fileIngela Anderton Andin
LibreSSL does not allow it.
2015-12-11ssl: fix hibernate_after with instant or near instant timeoutsAndrey Mayorov
2015-12-11ssl: Fix typosIngela Anderton Andin
2015-12-11Merge branch 'ia/ssl/windows-tests' into maintIngela Anderton Andin
* ia/ssl/windows-tests: ssl: Use test case time out instead ssl: Use spawn_executable
2015-12-11Merge branch 'ia/ssl/renegotiate-tests' into maintIngela Anderton Andin
* ia/ssl/renegotiate-tests: ssl: Add renegotiation exception
2015-12-11[ssl] Moved description details to man(6) pageLars Thorsen
2015-12-11[ssl] Correct the documentation so it follows the DTDLars Thorsen
2015-12-10Report bad options for outgoing TLS distributionMagnus Henoch
If ssl:connect/3 returns an error related to options, let's log that so we have a chance to see it and fix it.
2015-12-10Save error reasons for TLS distribution connectionsMagnus Henoch
When establishing an outbound connection for TLS distribution, let's hold on to the failure reasons and use them as exit reasons. These exit reasons are normally invisible, but they can be seen in the logs after calling net_kernel:verbose(1). While there are trace messages in the code already, those require recompiling the module with a special flag, which is more cumbersome than changing the net_kernel verbosity level at run time.
2015-12-09ssl: Use test case time out insteadIngela Anderton Andin
2015-12-09ssl: Use spawn_executableIngela Anderton Andin
2015-12-09ssl: Add renegotiation exceptionIngela Anderton Andin
2015-12-09Merge branch 'ia/ssl-prepare-release' into maintIngela Anderton Andin
* ia/ssl-prepare-release: ssl: Correct spec ssl: Prepare for release
2015-12-08ssl: Correct specIngela Anderton Andin
2015-12-08ssl: Prepare for releaseIngela Anderton Andin
2015-12-07Merge branch 'rlipscombe/rl-ssl-options' into maintHenrik Nord
* rlipscombe/rl-ssl-options: Ensure single 'raw' option is handled correctly Pass 'raw' options through OTP-13166
2015-12-07Merge branch 'ia/ssl/sslv3-completeness' into maintIngela Anderton Andin
* ia/ssl/sslv3-completeness: ssl: SSLv3 completeness
2015-12-07ssl: SSLv3 completenessIngela Anderton Andin
We are considering removing default support for DES cipher suites. However this cipher suite is currently allowed in TLS and missing from SSL.
2015-12-07Merge branch 'ia/ssl/max-sessions/OTP-12392' into maintIngela Anderton Andin
* ia/ssl/max-sessions/OTP-12392: ssl: Fix documentation mistakes ssl: Add upper limit for session cache ssl: Measure elapsed time with erlang:monotonic_time
2015-12-07ssl: Fix documentation mistakesIngela Anderton Andin
2015-12-04Merge branch 'maint-17' into maintHenrik Nord
Conflicts: OTP_VERSION erts/doc/src/notes.xml erts/vsn.mk lib/kernel/doc/src/notes.xml lib/kernel/src/kernel.appup.src lib/kernel/vsn.mk lib/ssl/doc/src/notes.xml lib/ssl/src/ssl.appup.src lib/ssl/src/ssl_cipher.erl lib/ssl/vsn.mk otp_versions.table
2015-12-03ssl: Add upper limit for session cacheIngela Anderton Andin
If upper limit is reached invalidate the current cache entries, e.i the session lifetime is the max time a session will be keept, but it may be invalidated earlier if the max limit for the table is reached. This will keep the ssl manager process well behaved, not exhusting memeory. Invalidating the entries will incrementally empty the cache to make room for fresh sessions entries.
2015-12-03ssl: Measure elapsed time with erlang:monotonic_timeIngela Anderton Andin
2015-12-03Prepare releaseErlang/OTP
2015-12-03ssl: Prepare for releaseIngela Anderton Andin
2015-12-01Merge branch 'legoscia/tls_dist_options' into maintZandra
* legoscia/tls_dist_options: Test interface listen option for TLS distribution Test socket listen options for TLS distribution Test port options for TLS distribution TLS Dist: Use inet_dist_ options Conflicts: lib/ssl/src/ssl_tls_dist_proxy.erl lib/ssl/test/ssl_dist_SUITE.erl OTP-12838
2015-11-26Merge branch 'legoscia/ssl_connection_terminate_crash' into maintZandra
* legoscia/ssl_connection_terminate_crash: Avoid crash for SSL connections with nonexistent keyfile OTP-13144
2015-11-26Merge branch 'legoscia/tls_dist_nodelay' into maintZandra
* legoscia/tls_dist_nodelay: Add test for dist_nodelay option Honour dist_nodelay socket option in tls_dist proxy OTP-13143
2015-11-26Merge branch 'legoscia/ssl-dist-error-handling' into maintZandra
* legoscia/ssl-dist-error-handling: In ssl_tls_dist_proxy, pass along EPMD registration errors OTP-13142
2015-11-26Merge branch 'zandra/fix-24h-macro-in-suite' into maintZandra
* zandra/fix-24h-macro-in-suite: fix 24h macro in test suite
2015-11-26Merge branch 'ppikula/fix-24h-macro' into maintZandra
* ppikula/fix-24h-macro: fix incorrect number of seconds in 24h macro The previous commit - 7b93f5d8a224a0a076a420294c95a666a763ee60 fixed the macro only in one place. OTP-13141
2015-11-25Ensure single 'raw' option is handled correctlyRoger Lipscombe
Add a test to ensure that a single 'raw' option can be passed to ssl:listen correctly. Note: multiple raw options are (incorrectly) handled by inet:listen_options. See http://erlang.org/pipermail/erlang-questions/2014-March/078371.html
2015-11-24Test interface listen option for TLS distributionMagnus Henoch
Add test that checks that the option inet_dist_use_interface is used when starting a node with TLS distribution.
2015-11-24Test socket listen options for TLS distributionMagnus Henoch
Add test that checks that the option inet_dist_listen_options is used when starting a node with TLS distribution. This test was adapted from inet_dist_options_options in erl_distribution_SUITE.
2015-11-24Test port options for TLS distributionMagnus Henoch
Add test that checks that the options inet_dist_listen_min and inet_dist_listen_max are used when starting a node with TLS distribution.
2015-11-24TLS Dist: Use inet_dist_ optionsTom Briden
The inet_dist_ options, such as min/max port numbers aren't used with TLS distribution. This commits uses those settings in the same way as they're used in inet_tcp_dist.erl
2015-11-24Merge branch 'legoscia/tls-dist-shutdown' into maintZandra
* legoscia/tls-dist-shutdown: Adjust shutdown strategies for distribution over TLS OTP-13134
2015-11-18ssl: Client should send the hello message in the lowest version it is ↵Ingela Anderton Andin
willing to support Refactor highest_protocol_version so that code is symmetrical with lowest_protocol_version. For clarity and possible future use cases of highest_protocol_version/2
2015-11-16fix 24h macro in test suiteZandra
Needed after the fix in 120975c4fcb57ecd14031ac046f483e56a3daa4d.
2015-11-13Add test for dist_nodelay optionMagnus Henoch
Run the 'basic' test with dist_nodelay set to false.
2015-10-28Report bad options for TLS distribution connectionsMagnus Henoch
If ssl:ssl_accept/2 returns an error related to options, it's most likely something we want to log. In particular, if the specified certificate file doesn't exist, this is where the error ends up, so we shouldn't just throw the error away.
2015-10-28Avoid crash for SSL connections with nonexistent keyfileMagnus Henoch
Starting an SSL connection with a nonexistent keyfile will obviously return an error: > ssl:connect("www.google.com", 443, [{keyfile, "nonexistent"}]). {error,{options,{keyfile,"nonexistent",{error,enoent}}}} But it also generates an error report with the following backtrace: ** Reason for termination = ** {badarg,[{ets,select_delete, [undefined,[{{{undefined,'_','_'},'_'},[],[true]}]], []}, {ets,match_delete,2,[{file,"ets.erl"},{line,700}]}, {ssl_pkix_db,remove_certs,2,[{file,"ssl_pkix_db.erl"},{line,243}]}, {ssl_connection,terminate,3, [{file,"ssl_connection.erl"},{line,941}]}, {tls_connection,terminate,3, [{file,"tls_connection.erl"},{line,335}]}, {gen_fsm,terminate,7,[{file,"gen_fsm.erl"},{line,610}]}, {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,532}]}, {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,240}]}]} This happens because the ssl_connection process receives its cert_db while handling the {start, Timeout} message, but if the handshake fails, the cert_db will never be inserted into the state data, and the terminate function will use 'undefined' as an ETS table name. Avoid this by checking for 'undefined' in the handle_trusted_certs_db function.
2015-10-23In ssl_tls_dist_proxy, pass along EPMD registration errorsMagnus Henoch
The duplicate_name error returned from erl_epmd:register_node elicits a particularly precise error message from net_kernel, so let's pass it along to our caller. Not doing this for the other things that could go wrong here, since for those having the line number will likely aid debugging.