Age | Commit message (Collapse) | Author |
|
* ia/ssl-prepare-release:
ssl: Correct spec
ssl: Prepare for release
|
|
|
|
|
|
* rlipscombe/rl-ssl-options:
Ensure single 'raw' option is handled correctly
Pass 'raw' options through
OTP-13166
|
|
* ia/ssl/sslv3-completeness:
ssl: SSLv3 completeness
|
|
We are considering removing default support for DES cipher suites.
However this cipher suite is currently allowed in TLS and missing from
SSL.
|
|
* ia/ssl/max-sessions/OTP-12392:
ssl: Fix documentation mistakes
ssl: Add upper limit for session cache
ssl: Measure elapsed time with erlang:monotonic_time
|
|
|
|
Conflicts:
OTP_VERSION
erts/doc/src/notes.xml
erts/vsn.mk
lib/kernel/doc/src/notes.xml
lib/kernel/src/kernel.appup.src
lib/kernel/vsn.mk
lib/ssl/doc/src/notes.xml
lib/ssl/src/ssl.appup.src
lib/ssl/src/ssl_cipher.erl
lib/ssl/vsn.mk
otp_versions.table
|
|
If upper limit is reached invalidate the current cache entries, e.i the session
lifetime is the max time a session will be keept, but it may be invalidated
earlier if the max limit for the table is reached. This will keep the ssl
manager process well behaved, not exhusting memeory. Invalidating the entries
will incrementally empty the cache to make room for fresh sessions entries.
|
|
|
|
|
|
|
|
* legoscia/tls_dist_options:
Test interface listen option for TLS distribution
Test socket listen options for TLS distribution
Test port options for TLS distribution
TLS Dist: Use inet_dist_ options
Conflicts:
lib/ssl/src/ssl_tls_dist_proxy.erl
lib/ssl/test/ssl_dist_SUITE.erl
OTP-12838
|
|
* legoscia/ssl_connection_terminate_crash:
Avoid crash for SSL connections with nonexistent keyfile
OTP-13144
|
|
* legoscia/tls_dist_nodelay:
Add test for dist_nodelay option
Honour dist_nodelay socket option in tls_dist proxy
OTP-13143
|
|
* legoscia/ssl-dist-error-handling:
In ssl_tls_dist_proxy, pass along EPMD registration errors
OTP-13142
|
|
* zandra/fix-24h-macro-in-suite:
fix 24h macro in test suite
|
|
* ppikula/fix-24h-macro:
fix incorrect number of seconds in 24h macro The previous commit - 7b93f5d8a224a0a076a420294c95a666a763ee60 fixed the macro only in one place.
OTP-13141
|
|
Add a test to ensure that a single 'raw' option can be passed to
ssl:listen correctly.
Note: multiple raw options are (incorrectly) handled by
inet:listen_options. See
http://erlang.org/pipermail/erlang-questions/2014-March/078371.html
|
|
Add test that checks that the option inet_dist_use_interface is used
when starting a node with TLS distribution.
|
|
Add test that checks that the option inet_dist_listen_options is used
when starting a node with TLS distribution.
This test was adapted from inet_dist_options_options in
erl_distribution_SUITE.
|
|
Add test that checks that the options inet_dist_listen_min and
inet_dist_listen_max are used when starting a node with TLS
distribution.
|
|
The inet_dist_ options, such as min/max port numbers aren't used
with TLS distribution. This commits uses those settings in the
same way as they're used in inet_tcp_dist.erl
|
|
* legoscia/tls-dist-shutdown:
Adjust shutdown strategies for distribution over TLS
OTP-13134
|
|
willing to support
Refactor highest_protocol_version so that code is symmetrical with lowest_protocol_version. For clarity and possible future use cases of highest_protocol_version/2
|
|
Needed after the fix in 120975c4fcb57ecd14031ac046f483e56a3daa4d.
|
|
Run the 'basic' test with dist_nodelay set to false.
|
|
Starting an SSL connection with a nonexistent keyfile will obviously
return an error:
> ssl:connect("www.google.com", 443, [{keyfile, "nonexistent"}]).
{error,{options,{keyfile,"nonexistent",{error,enoent}}}}
But it also generates an error report with the following backtrace:
** Reason for termination =
** {badarg,[{ets,select_delete,
[undefined,[{{{undefined,'_','_'},'_'},[],[true]}]],
[]},
{ets,match_delete,2,[{file,"ets.erl"},{line,700}]},
{ssl_pkix_db,remove_certs,2,[{file,"ssl_pkix_db.erl"},{line,243}]},
{ssl_connection,terminate,3,
[{file,"ssl_connection.erl"},{line,941}]},
{tls_connection,terminate,3,
[{file,"tls_connection.erl"},{line,335}]},
{gen_fsm,terminate,7,[{file,"gen_fsm.erl"},{line,610}]},
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,532}]},
{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,240}]}]}
This happens because the ssl_connection process receives its cert_db
while handling the {start, Timeout} message, but if the handshake
fails, the cert_db will never be inserted into the state data, and the
terminate function will use 'undefined' as an ETS table name.
Avoid this by checking for 'undefined' in the handle_trusted_certs_db
function.
|
|
The duplicate_name error returned from erl_epmd:register_node elicits a
particularly precise error message from net_kernel, so let's pass it
along to our caller.
Not doing this for the other things that could go wrong here, since for
those having the line number will likely aid debugging.
|
|
The previous commit - 7b93f5d8a224a0a076a420294c95a666a763ee60 fixed the macro
only in one place.
|
|
Change ssl_dist_sup to be considered as a supervisor with infinite
shutdown time.
Change the ssl_connection_dist instance of tls_connection_sup to have
infinite shutdown time.
This avoids spurious error messages when shutting down a node that
uses distribution over TLS.
|
|
In Erlang R16B03-1, I've been passing raw options to ssl:listen as
follows, and it's been working fine:
% The constants are defined elsewhere.
LOpts = [{raw, ?IPPROTO_TCP, ?TCP_MAXSEG, <<MSS:32/native>>} | ...],
{ok, LSocket} = ssl:listen(0, LOpts)
In Erlang 17.3, this fails with
{option_not_a_key_value_tuple,{raw,6,2,<<64,2,0,0>>}}
I originally reported this in
http://erlang.org/pipermail/erlang-questions/2014-October/081226.html
I need to pass this particular raw option to ssl:listen, because it
needs to be applied when the socket is first opened -- between inet:open
and prim_inet:listen -- it cannot be applied later by setopts. This
means that it needs to be done by inet_tcp:listen/2 -- well, actually by
inet:open/8, but...
Otherwise it's racey -- a client could connect between prim_inet:listen
and the setopts call. The MSS option is advertised in the SYN,ACK
packet, and can't be changed later.
|
|
To avoid test case failure due to test case setup timing issues.
Suspected problem is that the listen queue builds up to quickly in
client_unique_session test when running on slow computers.
|
|
|
|
|
|
Soft upgrade test did not work as expected due to that the upgrade
frame work keeps the control of the test case process to itself,
so we need a proxy process to receive messages from ssl test framework.
|
|
|
|
We do not want ssl_soft_upgrade_SUITE to fail, but for now
we do not know the details of these changes so we use a general
fallback for now.
|
|
* ia/ssl/register-unique-session/OTP-12980:
ssl: Correct return value of default session callback module
|
|
|
|
Add possibility to downgrade an SSL/TLS connection to a tcp connection,
and give back the socket control to a user process.
Add application setting to be able to change fatal alert shutdown
timeout, also shorten the default timeout. The fatal alert timeout is
the number of milliseconds between sending of a fatal alert and
closing the connection. Waiting a little while improves the
peers chances to properly receiving the alert so it may
shutdown gracefully.
|
|
ssl_session_cache:select_session/2 returned [sesionid(), #session{}]
instead of #session{} as the API demands.
This was wrongly compensated for in the code in one place making it
look like everything was good. But the client check for unique session
would always fail, potentially making the client session table grow
a lot and causing long setup times.
|
|
* ia/pr/801/OTP-12974:
Accept 'ECPrivateKey' as a ssl key option
|
|
|
|
Correct merge that went wrong.
|
|
* ericmj/patch-1:
Fix formatting of depth option
|
|
TLS hash_sign algorithms may have proprietary values see
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
We should add callbacks to let applications handle them.
But for now we do not want to crash if they are present and
let other algorithms be negotiated.
|
|
|
|
|