| Age | Commit message (Collapse) | Author |
|---|
|
|
|
* ingela/ssl/prepare-patch:
ssl: Prepare for release
|
|
* ingela/ssl/ECC-selection-fix/OTP-13918:
ssl: Correct ECC curve selection, the error could cause default to always be selected.
|
|
selected.
|
|
|
|
Several handshake events may be received in the same TLS packet. Then there
will be several events pushed to the gen_statems internal queue.
New events already in the socket-buffer should not be processed
if there are more unprocessed handshake events in next_event queue.
We need to handle this in the next_record/1 function.
|
|
|
|
* ingela/ssl/packet-tests:
ssl: Add timetrap scale calls
ssl: Add nodelay to packet=0|raw tests
|
|
|
|
* ferd/bypass-pem-cache/PR-1143/OTP-13883:
ssl: Add documentation of bypass_pem_cache application environment configuration
ssl: Add new benchmarks to skip file for normal testing
Adding PEM cache bypass benchmark entries
Fixing CRL searching in cache bypass
Add option to bypass SSL PEM cache
|
|
|
|
|
|
|
|
init_per_testcase timeout for renegotiation tests would be overridden
by local timeout in test case help function.
|
|
* ingela/ssl/dtls-progress/connection-states-as-maps:
dtls: fix encoding of client hello cookie
dtls: Prepare start of DTLS connection manager with SSL app
ssl: Refactor to use maps for the connection states
ssl, dtls: Refactor sni handling
dtls: Add close/5
dtls: Add renegotiate/2
dtls: Add protocol event handling
ssl: Refactor code so that tls and dtls can share more code
ssl, dtls: Disable V2 compatibility clause from ssl_handshake:update_handshake_history
ssl: Make sure common code for TLS and DTLS uses the TLS Version
ssl: remove unused RecordCB argument from master_secret
dtls: Add reinit_handshake_data/1 to dtls
dtls: replace tls_record with RecordCB in connection_info
Fix version numbers and dependencies
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We want to share more alert and application data handling code.
Some of the application data handling code, packet handling,
will not be relevant for dtls, but this code can be excluded from dtls
by options checking.
|
|
ssl_handshake:update_handshake_history
This proably a much bigger problem for DTLS than TLS, but should be
disabled for both unless explicitly configured for TLS.
|
|
When protocol version is proagated from the DTLS connection processes
state into general ssl functions it must be converted to the corresponding
TLS version.
|
|
Conflicts:
lib/ssl/src/ssl_handshake.erl
|
|
The callback is invoke before entering state 'connection'.
It allows a connection module to remove data from the
connection state that is no longer needed (e.g.
handshake history).
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
|
|
|
|
|
|
|
|
Even though v2 is never supported v2 hellos can be.
No support for v2 client hellos gives "handshake failiure" alert.
Support for v2 hello but no higher SSL/TLS version offered
gives "protocol version" alert.
|
|
|
|
Avoid to run tests of algorithms not supported by crypto.
|
|
Fix some older errors as well.
|
|
The benchmarks run through the local node only, as an attempt to show
more potential contention on certificate usage.
|
|
* raimo/gen_statem-callback_mode/OTP-13752:
ssl: Upgrade suite testing skipped if stdlib upgrade is required
Fix version numbers and dependencies
Conflicts:
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
|
|
* ingela/ssl/cuddle:
ssl: Test and test suites shall be independent of each other
|
|
|
|
* ingela/ssl/ERL-232/OTP-13853:
ssl: Remove clause that postponed unexpected messages
|
|
Skip some test on really slow solaris machines
|
|
|
|
|
|
|
|
* raimo/gen_statem-callback_mode/OTP-13752:
Include trap_exit in server skeletons
Improve sys debug
Handle exceptions in init/1 and callback_mode/0
Clarify error values
Doc fixes
Rewrite SSH for gen_statem M:callback_mode/0
Rewrite SSL for gen_statem M:callback_mode/0
Rewrite Tools for gen_statem M:callback_mode/0
Rewrite gen_statem docs for M:callback_mode/0
Rewrite gen_statem TCs for M:callback_mode/0
Rewrite gen_statem for M:callback_mode/0
|
|
|
|
The current SSL implementation has a PEM cache running through the ssl
manager process, whose primary role is caching CA chains from files on
disk. This is intended as a way to save on disk operation when the
requested certificates are often the same, and those cache values are
both time-bound and reference-counted. The code path also includes
caching the Erlang-formatted certificate as decoded by the public_key
application
The same code path is used for DER-encoded certificates, which are
passed in memory and do not require file access. These certificates are
cached, but not reference-counted and also not shared across
connections.
For heavy usage of DER-encoded certificates, the PEM cache becomes a
central bottleneck for a server, forcing the decoding of every one of
them individually through a single critical process. It is also not
clear if the cache remains useful for disk certificates in all cases.
This commit adds a configuration variable for the ssl application
(bypass_pem_cache = true | false) which allows to open files and decode
certificates in the calling connection process rather than the manager.
When this action takes place, the operations to cache and return data
are replaced to strictly return data.
To provide a transparent behaviour, the 'CacheDbRef' used to keep track
of the certificates in the cache is replaced by the certificates itself,
and all further lookup functions or folds can be done locally.
This has proven under benchmark to more than triple the performance of
the SSL application under load (once the session cache had also been
disabled).
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl.appup.src
|
