aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
AgeCommit message (Collapse)Author
2016-06-14Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'Ingela Anderton Andin
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530: Skip crl_hash_dir_expired test for LibreSSL Add ssl_crl_hash_dir module Function for generating OpenSSL-style name hashes Add public_key:pkix_match_dist_point Improve formatting for crl_{check,cache} options Add issuer arg to ssl_crl_cache_api lookup callback Conflicts: lib/public_key/test/public_key_SUITE.erl
2016-06-14Merge branch 'lukas/erts/testfixes-19'Lukas Larsson
* lukas/erts/testfixes-19: erts: Increase bif and nif call_time trace test erts: Fix distribution_SUITE:bulk_send_bigbig on windows erts: Ensure bs_add_overflow test has enough memory kernel: Better explain controlling_process' tcp behaviour kernel: Fix t_recv_delim on bsd os_mon: Make sure to start/stop os_mon in tests correctly ssl: Fix use_interface dist_SSL test erl_interface: Fix signed int overflow tc bug erts: fix atom_roundtrip_r15b tc erts: Require more memory for debug tests
2016-06-14Merge branch 'maint'Henrik Nord
Conflicts: OTP_VERSION lib/inets/vsn.mk lib/ssl/test/ssl_basic_SUITE.erl lib/ssl/vsn.mk
2016-06-14ssl: Fix use_interface dist_SSL testLukas Larsson
Doing inet:port will cause an port_control to be sent to the port, and not all ports in the vm can handle having arbitrary data sent to them.
2016-06-13Update release notesErlang/OTP
2016-06-13Merge branch 'ingela/maint/ssl/max-session-table/OTP-13490' into maint-18Erlang/OTP
* ingela/maint/ssl/max-session-table/OTP-13490: ssl: Mitigate load increase when the whole session table is invalidated
2016-06-13Merge branch 'joedevivo/maint/ssl/PR-1063/OTP-13635' into maint-18Erlang/OTP
* joedevivo/maint/ssl/PR-1063/OTP-13635: ssl:recv timeout() can be 0
2016-06-13Merge branch 'ingela/maint/ssl/tls-1.2-available-hashsigns/OTP-13670' into ↵Erlang/OTP
maint-18 * ingela/maint/ssl/tls-1.2-available-hashsigns/OTP-13670: ssl: ordsets:intersection/2 did not give the expected result
2016-06-13Merge branch 'kennethlakin/maint/tls-use-negotiated-prf/PR-1042/OTP-13546' ↵Erlang/OTP
into maint-18 * kennethlakin/maint/tls-use-negotiated-prf/PR-1042/OTP-13546: ssl: Use cipher suite's PRF in prf/5
2016-06-13ssl: Mitigate load increase when the whole session table is invalidatedIngela Anderton Andin
2016-06-13ssl: Prepare for releaseIngela Anderton Andin
2016-06-09ssl: Use cipher suite's PRF in prf/5Kenneth Lakin
Use the negotiated cipher suite's PRF algorithm in calls to ssl:prf/5, rather than a hard-coded one. For TLS 1.0 the PRF algorithm was hard-coded to MD5/SHA1. This was correct 100% of the time. For TLS 1.1 and 1.2 the PRF algorithm was hard-coded to SHA256. This was correct only some of the time for TLS 1.2 and none of the time for TLS 1.1. Because the TLS handshake code calls tls_v1:prf/5 through another path, the handshaking process used the negotiated PRF and did not encounter this bug. A new test (prf) has been added to ssl_basic_SUITE to guard against future breakage.
2016-06-09ssl:recv timeout() can be 0Joe DeVivo
gen_tcp:recv allows this, and if you're doing something like Transport:recv(Socket, 0, 0), TCP will work and SSL will exit with function_clause There were other cases of this throughout the module. This PR cleans them all up.
2016-06-09ssl: ordsets:intersection/2 did not give the expected resultIngela Anderton Andin
Turns out we can not count on the "hashsigns" sent by the client and the supported "hashigns" sets to have required properties of ordsets.
2016-06-09Merge branch 'ingela/ssl/crl-find-issuer/OTP-13656'Ingela Anderton Andin
* ingela/ssl/crl-find-issuer/OTP-13656: ssl: Propagate error so that public_key crl validation process continues correctly and determines what should happen.
2016-06-09ssl: Propagate error so that public_key crl validation process continuesIngela Anderton Andin
correctly and determines what should happen.
2016-06-09Add ssl:getstat/1 and ssl:getstat/2Loïc Hoguin
These functions call getstat on the underlying TCP socket. The only way to do this before now was to use a hack, either by looking inside the #sslsocket{} record directly, or by not using the SSL listen/accept functions and upgrading from a TCP socket that is kept around for the purpose of calling getstat later on.
2016-06-07Merge branch 'ingela/ssl/unexpected-client-cert/OTP-13651'Ingela Anderton Andin
* ingela/ssl/unexpected-client-cert/OTP-13651: ssl: Reject unrequested client cert
2016-06-07Merge branch 'ingela/ssl/max-session-table/OTP-13490'Ingela Anderton Andin
* ingela/ssl/max-session-table/OTP-13490: ssl: Mitigate load increase when the whole session table is invalidated
2016-06-07Merge branch 'ingela/ssl/phase-out-sslv2-hello/OTP-13465'Ingela Anderton Andin
* ingela/ssl/phase-out-sslv2-hello/OTP-13465: ssl: Add option to phase out support for sslv2 client hello
2016-06-03ssl: Reject unrequested client certIngela Anderton Andin
2016-06-03ssl: Mitigate load increase when the whole session table is invalidatedIngela Anderton Andin
2016-06-03ssl: Add option to phase out support for sslv2 client helloIngela Anderton Andin
ssl servers can recognize sslv2 client hellos to interop with clients that support higher version of SSL/TLS but also offers sslv2 Conflicts: lib/ssl/src/tls_connection.erl
2016-06-03Move misplaced period in ssl documentationKenneth Lakin
2016-06-02Revert "Prepare release"Erlang/OTP
This reverts commit e020f75c10410a6943cd055bfa072a2641eab7da.
2016-06-02Prepare releaseErlang/OTP
2016-06-01ssl: simplyfy code using gen_statemIngela Anderton Andin
2016-06-01Merge branch 'ingela/ssl/DH/OTP-13636'Ingela Anderton Andin
* ingela/ssl/DH/OTP-13636: ssl: Stronger default DH prime
2016-06-01Merge branch 'legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429'Raimo Niskanen
* legoscia/ssl/tls-dist-more-opts/PR-956/OTP-13429: Quote curly brackets in command line options Avoid disappearing ETS tables in ssl_dist_SUITE Fix db handle for TLS distribution crl_cache opts Fix ssl_dist_SUITE logging on Windows More logging in ssl_dist_SUITE TLS distribution: crl_check and crl_cache options Allow passing verify_fun for TLS distribution More informative malformed_ssl_dist_opt error
2016-06-01ssl: Stronger default DH primeIngela Anderton Andin
2016-06-01ssl: Update runtime dependency due to use of gen_statemIngela Anderton Andin
2016-06-01ssl: Avoid two renegotiatesIngela Anderton Andin
2016-06-01ssl: Handle freebsd OpenSSL flavourIngela Anderton Andin
The selection of CA cert files in ssl_ECC_SUITE and ssl_test_lib ought to be refactored, it is quite confusing. But use this workaround until we get time to make a refactor.
2016-06-01Merge branch 'joedevivo/ssl/PR-1063/OTP-13635'Ingela Anderton Andin
* joedevivo/ssl/PR-1063/OTP-13635: ssl:recv timeout() can be 0
2016-06-01Quote curly brackets in command line optionsRaimo Niskanen
Some shells i.e the bash emulating sh regard curly brackets as special characters so e.g {a,b,{}} is expanded to a b {} which is by erlang regarded as 3 arguments instead of a 3-tuple. Other shells e.g Bourne classic /bin/sh, the ash/dash variants and public domain Korn shell all avoid this surprise.
2016-05-31Merge branch 'ingela/ssl/test-timeouts'Ingela Anderton Andin
* ingela/ssl/test-timeouts: ssl: Increase timeouts due to slow test machines
2016-05-31ssl: Increase timeouts due to slow test machinesIngela Anderton Andin
2016-05-31ssl:recv timeout() can be 0Joe DeVivo
gen_tcp:recv allows this, and if you're doing something like Transport:recv(Socket, 0, 0), TCP will work and SSL will exit with function_clause There were other cases of this throughout the module. This PR cleans them all up.
2016-05-31ssl: Remove error logger reportsIngela Anderton Andin
We do not want error reports that can leek secret information into the logs.
2016-05-31ssl: Better error handling of keys rejected by cryptoIngela Anderton Andin
2016-05-31Improve SSL diagnosticsAlexey Lebedeff
There are a lot of cases where `ssl` application just returns unhelpful `handshake failure` or `internal error`. This patch tries to provide better diagnostics so operator can debug his SSL misconfiguration without doing hardcore erlang debugging. Here is an example escript that incorrectly uses server certificate as a client one: https://gist.github.com/binarin/35c34c2df7556bf04c8a878682ef3d67 With the patch it is properly reported as an error in "extended key usage".
2016-05-27ssl: Fix TLS version handling in dtls adepted testsIngela Anderton Andin
2016-05-27Merge branch 'ingela/ssl/doc-enhancment/ERL-131'Ingela Anderton Andin
* ingela/ssl/doc-enhancment/ERL-131: ssl: Add default values and clarifications
2016-05-27ssl: Add default values and clarificationsIngela Anderton Andin
2016-05-27Merge branch 'kennethlakin/beast-mitigation-options/PR-1041/OTP-13629'Ingela Anderton Andin
* kennethlakin/beast-mitigation-options/PR-1041/OTP-13629: ssl: Add BEAST mitigation selection option
2016-05-26ssl: Add BEAST mitigation selection optionKenneth Lakin
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content split BEAST mitigation technique. This commit adds a beast_mitigation SSL option (defaulting to one_n_minus_one) to select or disable the BEAST mitigation technique. Valid option values are (one_n_minus_one | zero_n | disabled).
2016-05-25Use the -epmd_module flag consistentlyMagnus Henoch
If the -epmd_module flag has been specified on the command line, use that module to register and look up node names instead of the default, erl_epmd. Also document this option.
2016-05-23Merge branch 'ingela/ssl-httpc/ERL-144'Ingela Anderton Andin
* ingela/ssl-httpc/ERL-144: ssl: Send correct close message
2016-05-20ssl: Send correct close messageIngela Anderton Andin
2016-05-20ssl: Increase timeoutIngela Anderton Andin
We want to avoid tests timeing out regularly on slow test machines.
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-02 07:37:07 +0000