Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
|
|
|
|
* dz/fix_ssl_max_seq_num:
ssl: fix max sequence number so it does not overflow
|
|
|
|
|
|
* ia/ssl/inherit/OTP-11897:
ssl: Handle socket option inheritance when pooling of accept sockets is used
|
|
The old value of 18446744073709552000 was calculated using math:pow
which returns float therefore isn't precise. And it would overflow:
erlang:integer_to_list(18446744073709552000, 16) = "10000000000000180"
This patch changes MAX_SEQENCE_NUMBER to value calculated with bitwise
shift:
(1 bsl 64) - 1 = 18446744073709551615
|
|
* ia/ssl/false-alerts/OTP-11890:
ssl: Add checks to avoid processing of illegal alerts
|
|
Implement a listen socket tracker process that holds the emulated socket
options so that it is possible to implement a destructive ssl:setopts
on SSL/TLS listen sockets without changing the options of the internal
socket as we want that socket to have the internal socket option values.
|
|
|
|
|
|
|
|
|
|
If a client sends some garbage in ssl record instead of
valid fragment, server crashes with function_clause while
receiving next record from client.
This patch makes server raise handshake failure instead of
crashing and exposing internal state to user code.
|
|
Also fix DTLS call to supply its corresponding TLS version
|
|
Negotiated version is now always passed to ssl_handshake:select_hashsign
because ssl_handshake:select_cert_hashsign has different rsa defaults on
tlsv1.2 and older versions.
|
|
|
|
* ia/ssl/decrypt-alert/OTP-11880:
ssl: Correct decryption error handling
|
|
* ia/ssl/recv/OTP-11878:
ssl: recv shall ruturn {error, einval} on active socket
|
|
* ia/ssl/suites-match-negotiated-version/OTP-11875:
ssl: Select supported cipher suites for the negotiated SSL/TLS-version
|
|
|
|
|
|
Generalize last warning alert function clause
|
|
When selecting the available cipher suites for the server all cipher suites
for the highest supported SSL/TLS-version would be selected, and not
all supported for the negotiated SSL/TLS-version. This could lead
to that faulty clients could negotiate cipher suites that they
can not support. This change will enable the faulty client to negotiate
another cipher suite that it can support.
|
|
|
|
* ia/ssl/accept-with-options:
ssl: Add possibility to specify ssl options when calling ssl:ssl_accept
|
|
|
|
Certificates uses: default_md = sha256
This is not supported on all test platforms, use md5 instead for testing.
|
|
|
|
|
|
|
|
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames
Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.
|
|
* ia/ssl/continue-dtls-and-specs:
ssl: Avoid dialyzer warnings in dtls code
ssl: Improve type specs
ssl: Refactor and start implementing dtls_connection.erl
|
|
Even if DTLS is not finished, e.i. not runnable yet we
want to phase in the code together with refactoring of TLS code,
but without introducing warnings in the release.
|
|
Conflicts:
lib/ssl/src/dtls_record.erl
|
|
|
|
unexpected alerts.
Add recognitions of RFC 4366 alerts and handle possible
unimplementd alerts in a gracefully way.
|
|
Most dependencies introduced are exactly the dependencies to other
applications found by xref. That is, there might be real dependencies
missing. There might also be pure debug dependencies listed that
probably should be removed. Each application has to be manually
inspected in order to ensure that all real dependencies are listed.
All dependencies introduced are to application versions used in
OTP 17.0. This since the previously used version scheme wasn't
designed for this, and in order to minimize the work of introducing
the dependencies.
|
|
crashing.
When TLS client sends Supported Elliptic Curves Client Hello Extension
the server shall select a curve supported by both sides or refuse to
negotiate the use of an ECC cipher suite.
|
|
When TLS client sends a Supported Elliptic Curves Client Hello Extension
containing an unknown curve enum value, a server crashes with a
function_clause instead of just ignoring specified unknown curve.
|
|
|
|
* ia/ssl/proplist-input-check/OTP-11760:
ssl: Add input sanity check
|
|
Avoid puzzling behavior due to options being disregarded if they
are not key value tuples.
|
|
|
|
|
|
|