| Age | Commit message (Collapse) | Author |
|---|
|
When protocol version is proagated from the DTLS connection processes
state into general ssl functions it must be converted to the corresponding
TLS version.
|
|
Conflicts:
lib/ssl/src/ssl_handshake.erl
|
|
The callback is invoke before entering state 'connection'.
It allows a connection module to remove data from the
connection state that is no longer needed (e.g.
handshake history).
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
|
|
|
|
|
|
|
|
Even though v2 is never supported v2 hellos can be.
No support for v2 client hellos gives "handshake failiure" alert.
Support for v2 hello but no higher SSL/TLS version offered
gives "protocol version" alert.
|
|
|
|
Avoid to run tests of algorithms not supported by crypto.
|
|
Fix some older errors as well.
|
|
The benchmarks run through the local node only, as an attempt to show
more potential contention on certificate usage.
|
|
* raimo/gen_statem-callback_mode/OTP-13752:
ssl: Upgrade suite testing skipped if stdlib upgrade is required
Fix version numbers and dependencies
Conflicts:
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
|
|
* ingela/ssl/cuddle:
ssl: Test and test suites shall be independent of each other
|
|
|
|
* ingela/ssl/ERL-232/OTP-13853:
ssl: Remove clause that postponed unexpected messages
|
|
Skip some test on really slow solaris machines
|
|
|
|
|
|
|
|
* raimo/gen_statem-callback_mode/OTP-13752:
Include trap_exit in server skeletons
Improve sys debug
Handle exceptions in init/1 and callback_mode/0
Clarify error values
Doc fixes
Rewrite SSH for gen_statem M:callback_mode/0
Rewrite SSL for gen_statem M:callback_mode/0
Rewrite Tools for gen_statem M:callback_mode/0
Rewrite gen_statem docs for M:callback_mode/0
Rewrite gen_statem TCs for M:callback_mode/0
Rewrite gen_statem for M:callback_mode/0
|
|
|
|
The current SSL implementation has a PEM cache running through the ssl
manager process, whose primary role is caching CA chains from files on
disk. This is intended as a way to save on disk operation when the
requested certificates are often the same, and those cache values are
both time-bound and reference-counted. The code path also includes
caching the Erlang-formatted certificate as decoded by the public_key
application
The same code path is used for DER-encoded certificates, which are
passed in memory and do not require file access. These certificates are
cached, but not reference-counted and also not shared across
connections.
For heavy usage of DER-encoded certificates, the PEM cache becomes a
central bottleneck for a server, forcing the decoding of every one of
them individually through a single critical process. It is also not
clear if the cache remains useful for disk certificates in all cases.
This commit adds a configuration variable for the ssl application
(bypass_pem_cache = true | false) which allows to open files and decode
certificates in the calling connection process rather than the manager.
When this action takes place, the operations to cache and return data
are replaced to strictly return data.
To provide a transparent behaviour, the 'CacheDbRef' used to keep track
of the certificates in the cache is replaced by the certificates itself,
and all further lookup functions or folds can be done locally.
This has proven under benchmark to more than triple the performance of
the SSL application under load (once the session cache had also been
disabled).
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl.appup.src
|
|
|
|
|
|
maint
* lemenkov/kernel/fix-register_ipv6_epmd/PR-1129/OTP-13770:
Respect -proto_dist switch while connection to EPMD
|
|
Conflicts:
OTP_VERSION
erts/doc/src/notes.xml
erts/vsn.mk
lib/common_test/doc/src/notes.xml
lib/common_test/vsn.mk
lib/ssl/doc/src/notes.xml
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
lib/stdlib/test/ets_SUITE.erl
otp_versions.table
|
|
|
|
raimo/ssl/version-selection/maint-19/OTP-13753
Conflicts:
lib/ssl/vsn.mk
lib/ssl/src/ssl.appup.src
|
|
Use the list of versions that the server allows and among those choose
the highest version that is not higher than the client's version.
Note that this chosen version might be lower than the client's version,
but is used to improve interoperability.
Patch suggested by Dimitry Borisov refering to RFC 5246 appendix E.1.
|
|
Signed-off-by: Peter Lemenkov <[email protected]>
|
|
Make sure ssl application has a fresh start, so that test do
not fail due to that other tests did not clean up properly.
|
|
In TLS-1.2 the selection of the servers algorithms and the the
possible selection of algorithms for the client certificate verify
message have different requirements.
|
|
Tests in ECC_SUITE did not always use the certs implied by the
name. Variable naming also confused the intent.
ssl_certificate_verify_SUITE did not clean up properly and tests could
fail due to cache problems.
|
|
Function to stop SSL/TLS node may not exit as a test case will start more than
one node and all nodes must be stopped.
|
|
|
|
|
|
Note these where supported before ssl-8.0
|
|
* ingela/ssl/runtime-dep:
ssl: Add new public_key to runtime dependencies
|
|
* shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101:
added asn1 to applications needed for start_ssl
|
|
Due to 5268c7b957c30c31e551f197463cdd55a792ea69
|
|
|
|
This should only be used in legacy test case not in test cases
testing other functionality.
|
|
* ingela/ssl/packet_SUITE/test-timeouts:
ssl: Make diffrent timeouts
|
|
Some test cases takes really long time on old machines. But normaly
all tests are under 15 seconds. Try to avoid long timeouts
for all test cases.
Although we like to find a better tuning, set timeouts high for now
to avoid tests cases failing with timeout.
|
|
* ingela/ssl/dtls-next-step-flights/OTP-13678:
dtls: Avoid dialyzer errors
dtls: add implementation for msg sequence
dtls: Remove TODO
dtls: sync dtls_record DTLS version and crypto handling with TLS
dtls: handle Hello and HelloVerify's in dtls_handshake
dtls: rework/simplify DTLS fragment decoder
dtls: add support first packet and HelloVerifyRequest
dtls: sync handle_info for connection close with TLS
dtls: sync handling of ClientHello with TLS
dtls: rework handshake flight encodeing
dtls: implement next_tls_record
dtls: sync init and initial_state with tls_connection
dtls: update start_fsm for new ssl_connection API
ssl: introduce the notion of flights for dtls and tls
ssl: move available_signature_algs to ssl_handshake
|
|
|
