Age | Commit message (Collapse) | Author |
|
A wrong decryption key would cause a badmatch in
generic_block_cipher_from_bin/2. The try in block_decipher/5 was
probably intendend to deal with that, but was misplace for this.
Additionaly, generating a failure alert erly, without computing the
record MAC, creates vector for a timing attack on CBC padding (for
details check TLS 1.2 RFC 5246, Sect. 6.2.3.2.). This attach vector
and the counter meassure applies to all SSL/TLS versions.
As a counter messure, compute the MAC even when decryption or padding
checks fail. A invalid padding will force a MAC failure by intentionaly
invalidating the content.
|
|
I accidentally removed a little too much, only peercert/2 was deprecated.
|
|
* ia/ssl/remove-old-ssl/OTP-7048:
Remove old ssl implementation and deprecated function ssl:peercert/1
Conflicts:
lib/ssl/test/Makefile
|
|
* ia/ssl/dist-more-tests:
Better option handling
Improve code structure
Remove ssl_prim calls that are remains from the old ssl distribution
Add payload test
|
|
|
|
Also cleaned up old gaurds.
|
|
|
|
|
|
|
|
|
|
* dev:
Update copyright years
|
|
|
|
|
|
|
|
* upstream/dev:
Both the SSLv3 and TLS 1.0/TLS 1.1 specifications require implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them.
fix unknown ssl extension parsing by changing length from bits to bytes
Temporary disable tests on MAC due to issus with the MAC ODBC drivers
|
|
implementations to ignore data following the ClientHello (i.e.,
extensions) if they do not understand them.
Data not following the protocol format for extensions will be
ignored by the last dec_hello_extensions-clause.
OTP-8596
|
|
|
|
Conflicts:
erts/aclocal.m4
erts/include/internal/ethread_header_config.h.in
|
|
* ta/docs-fixes:
Fix misspelling of intermediate
Fix typos in erts/preloaded/src
Fix more misspellings of compatibility
Fix misspelling of kept
Fix misspelling of compatibility in ssl_basic_SUITE
Fix misspelling of compatibility
Fix misspelling of accommodate
Fix misspelling of exceed
Fix misspelling of accidentally
Fix misspelling of erroneous in xmerl_xsd
Fix misspelling of erroneous
Fix misspelling of successful
Fix typos in instrument(3)
Fix typos in dbg(3)
dialyzer: fix a small typo in list_to_bitstring test
Fix typos in cover.erl
Fix typos (variable name) in erl_nif(3)
Fix typos in mod_esi(3)
Fix trivial typos in erlang(3)
OTP-9555
|
|
|
|
* upstream/dev:
Support explicit use of packet option httph and httph_bin
|
|
|
|
|
|
|
|
* ia/ssl/dist/OTP-7053:
First fully working version
Use ssl instead of being a proxy command
Connect from both sides works now
|
|
|
|
* dev:
Corrected faulty dialyzer spec
|
|
|
|
* upstream/dev:
Corrected spec name errors: ip_adress -> ip_address port_num -> port_number
|
|
|
|
|
|
|
|
* upstream/dev:
Use inet and gen_* dialyzer specs
|
|
* ia/ssl/use-inet-and-gen-specs:
Use inet and gen_* dialyzer specs
|
|
|
|
* dev:
Corrected input argument to error_logger:error_report/1
|
|
|
|
|
|
|
|
|
|
Create directories first, not within implicit rules. If two
'install' instances runs at the same time attempting to create
a directory, one of them may fail with an "File exists" error.
I tried to use order-only prerequisites to create the directories,
but run into two problems: First, order-only prerequisites are
only implemented in Make 3.80 and later. Second, on a computer
running Solaris/Intel 2.8 (with Make 3.80), order-only prerequisites
seemed to work like ordinary prerequisites, causing targets to
be re-built if the timestamp for the directory changed.
Therefore, using a shell command to run mkdir seems to be the
more portable solution.
|
|
* ia/ssl/connect-twice:
Added test case
|
|
* ia/ssl/improved-test-case:
Improved test case so that it will not fail due to last_delay_timer = undefined
|
|
|
|
|
|
We want the certificate table to be handled the same way as the
session table and not have a global name, so that we may easier
create a separate ssl-manager to handle erlang distribution over ssl.
|
|
* ia/ssl/use-erlang-send-after-instead-of-timer-send-after:
Use erlang:send_after instead of timer:send_after
Conflicts:
lib/ssl/test/ssl_session_cache_SUITE.erl
|
|
Also save latest delay cleanup timer ref so that we can
use erlang:read_timer to write a more reliable
test case.
|
|
|
|
* ia/ssl/longer-timeout-in-testcase:
Time out in test case needs to be longer to make sure clean up is properly executed
|