path: root/lib/ssl
Age | Commit message | Author
2017-04-12 | ssl: Generate correct certificate chains for the ECC tests | Ingela Anderton Andin
The certificate chain handling had become quite entangled and was not correct.
2017-04-05 | Merge branch 'ingela/ssl/dtls-cookie/OTP-14076' | Ingela Anderton Andin
* ingela/ssl/dtls-cookie/OTP-14076:
  dtls: Implement DTLS cookie secret generation
2017-04-04 | Merge branch 'maint' | Ingela Anderton Andin
Conflicts:
  OTP_VERSION
  erts/vsn.mk
  lib/crypto/c_src/crypto.c
  lib/crypto/src/crypto.erl
  lib/ssh/src/ssh.erl
2017-03-31 | Update release notes | Erlang/OTP
2017-03-30 | dtls: Implement DTLS cookie secret generation | Ingela Anderton Andin
2017-03-27 | ssl: Prepare for release | Ingela Anderton Andin
2017-03-27 | ssl: Avoid data loss in active once | Ingela Anderton Andin
Emulate active once in such a way that data received by the TLS connection process, but not fetched via active once option by the user, can be delivered at next active once before final close.
2017-03-23 | Merge branch 'ingela/ssl/make-cert-test-data/OTP-14294' | Ingela Anderton Andin
* ingela/ssl/make-cert-test-data/OTP-14294:
  ssl, public_key: Add functionality for generating X509 cert test data
2017-03-23 | ssl, public_key: Add functionality for generating X509 cert test data | Ingela Anderton Andin
For now this functionality is located in ssl. And existing public_key function is extended. However some of the functionality may be moved to public_key in a later stage.
2017-03-23 | Merge branch 'ingela/ssl/dtls-frag' | Ingela Anderton Andin
* ingela/ssl/dtls-frag:
  dtls: Handle overlapping fragments
2017-03-23 | dtls: Handle overlapping fragments | Ingela Anderton Andin
Fragment reassembling needs to handle that a smaller fragment than sent originally might overlap an earlier received fragment.
2017-03-21 | ssl: Add connection information items | Ingela Anderton Andin
Add session_id and remove undocumented ssl:session_info/1
Add client_random, server_random and master_secret, they will not be included in ssl:connection_information/1 as they may affect the connection's security if used recklessly.
2017-03-16 | ssl: Remove deprecated functions | Ingela Anderton Andin
2017-03-16 | Merge branch 'ingela/ssl/dtls-test' | Ingela Anderton Andin
* ingela/ssl/dtls-test:
  dtls: Correct version check
  dtls: Test case fixes
2017-03-14 | Merge branch 'maint' | Rickard Green
* maint:
  Updated OTP version
  Prepare release
Conflicts:
  OTP_VERSION
  lib/typer/doc/src/notes.xml
  lib/typer/vsn.mk
2017-03-14 | Prepare release | Erlang/OTP
2017-03-10 | Update copyright year | Rickard Green
2017-03-10 | dtls: Correct version check | Ingela Anderton Andin
2017-03-10 | dtls: Test case fixes | Ingela Anderton Andin
2017-03-08 | Merge branch 'maint' | Ingela Anderton Andin
2017-03-08 | Merge branch 'ingela/ssl/next-maint-version' into maint | Ingela Anderton Andin
* ingela/ssl/next-maint-version:
  ssl: Version update
2017-03-08 | dtls: Only test this for TLS for now | Ingela Anderton Andin
We want to avoid failing test cases but still be able to merge DTLS progress for 19.3
2017-03-07 | dtls: Avoid mixup of protocol to test | Ingela Anderton Andin
2017-03-07 | dtls: 'dtlsv1.2' corresponds to 'tlsv1.2' | Ingela Anderton Andin
'dtlsv1.2' should not be included in MIN_DATAGRAM_SUPPORTED_VERSIONS as this is the default when crypto does not have sufficient support for 'tlsv1.2' and 'dtlsv1.2'
2017-03-06 | dtls: Correct dialyzer spec and postpone inclusion of test | Ingela Anderton Andin
The new_options_in_accept test is not working yet, however DTLS is still work in progress and we want to make a progress merge to avoid merge conflicts with other progress of the ssl application.
2017-03-06 | dtls: Erlang distribution over DTLS is not supported | Ingela Anderton Andin
Erlang distribution requires a reliable transport, which UDP is not. Maybe could be interesting later when SCTP support is added to DTLS.
2017-03-06 | dtls: Enable some DTLS tests in ssl_to_openssl_SUITE | Ingela Anderton Andin
We need to figure out a good way of knowing if the OpenSSL-"DTLS server" is up. Some of the code in this commit is attempting this, but it is not really working yet, and hence only tests where OpenSSL is client are enabled.
2017-03-06 | dtls: Enable DTLS test in ssl_certificate_verify_SUITE | Ingela Anderton Andin
2017-03-06 | dtls: Hibernation and retransmit timers | Ingela Anderton Andin
Change retransmissions timers to use gen_statem state timeouts. We do not need a retransmission timer in the state connection as data traffic in DTLS over UDP is not retransmitted. If the last flight before transitioning into connection is lost, it will be resent when the peer resends its last flight. This will also make hibernation testing more straightforward. We need more adjustments later to handle a reliable DTLS transport such as SCTP.
2017-03-06 | dtls: Make sure retransmission timers are run | Ingela Anderton Andin
2017-03-06 | dtls: DTLS specific handling of socket and ciphers | Ingela Anderton Andin
DTLS does not support stream ciphers and needs different handling of the "#ssl_socket{}" handle.
2017-03-06 | Merge branch 'maint' | Siri Hansen
2017-03-06 | Merge branch 'siri/ct_hooks/callbacks-on-skip/OTP-10599' into maint | Siri Hansen
* siri/ct_hooks/callbacks-on-skip/OTP-10599:
  [ct] Update built-in ct hooks with new Suite parameter
  [cth_surefire] Handle skips from test spec
  [ct] Remove excessive skipped/failed tag in hook function
  [ct] Send tc_start event on force_stop and failed sequence
  [ct] Correctly handle process died in init and end_per_testcase
  [ct] Fix faulty hook callbacks for skipped tests
  Add dummy end_per_suite/1
  [ct] Fix hooks and fail when one of init/end_per_* does not exit
  [ct] Add Suite argument to hook callback functions
  [ct] Fix function_clause in ct_framework when hook function crashes
2017-02-22 | Merge branch 'maint' | Ingela Anderton Andin
2017-02-22 | Merge branch 'ingela/ssl/default-ciphers-suites/OTP-14235' into maint | Ingela Anderton Andin
* ingela/ssl/default-ciphers-suites/OTP-14235:
  ssl: Always prefer AES over 3DES
2017-02-22 | Merge branch 'maint' | Lukas Larsson
2017-02-21 | ssl: Always prefer AES over 3DES | Ingela Anderton Andin
AES256 was preferred over 3DES already, so this only makes sure AES128 is preferred over 3DES also. This changes the default but probably nobody will notice as a better algorithm will be chosen anyhow.
2017-02-21 | Document ssl_session_cache_api's size/1 callback | Steven Danna
The size/1 callback was added as a non-optional callback in 42b8a29dbae1d626f32bc16dd81a129caf741138 but wasn't added to the documentation for the ssl_session_cache_api behavior.
Signed-off-by: Steven Danna <[email protected]>
2017-02-20 | Add dummy end_per_suite/1 | Siri Hansen
common_test requires that if init_per_suite/1 exists, then end_per_suite/1 must also exist. If end_per_suite/1 does not exist, then it will be marked in the log as failed with reason 'undef'. Some test suites are corrected to avoid this.
2017-02-15 | Merge branch 'fix-source-typos' | Björn Gustavsson
* fix-source-typos: (25 commits)
  Fixed typos in system/doc
  Fixed typos in lib/xmerl
  Fixed typos in lib/wx
  Fixed typos in lib/stdlib
  Fixed typos in lib/snmp
  Fixed typos in lib/ssl
  Fixed typos in lib/ssh
  Fixed typos in PKCS-8.asn1 file
  Fixed typos in lib/parsetools
  Fixed typos in lib/orber
  Fixed typos in lib/mnesia
  Fixed typos in lib/megaco
  Fixed typos in lib/kernel
  Fixed typos in lib/jinterface
  Fixed typos in lib/inets
  Fixed typos in lib/hipe
  Fixed typos in lib/eunit
  Fixed typos in lib/erl_interface
  Fixed typos in lib/eldap
  Fixed typos in lib/edoc
  ...
2017-02-14 | Fixed typos in lib/ssl | Andrew Dryga
2017-02-14 | Merge branch 'maint' | Ingela Anderton Andin
2017-02-13 | ssl: Test case robustness | Ingela Anderton Andin
2017-02-08 | ssl: Avoid SSL/TLS hello format confusion | Ingela Anderton Andin
Valid SSL 3.0 or TLS hellos might accidentally match SSL 2.0 format (and sometimes the other way around before inspecting data) so we need to match SSL 3.0 and TLS first and only match SSL 2.0 hellos when flag to support it is set.
2017-02-02 | Merge branch 'maint' | Ingela Anderton Andin
2017-02-01 | ssl: Simplify configuration code | Ingela Anderton Andin
Use map instead of large tuple, which was not an option when the code was written originally. More simplifications along these lines may be done later to the state record.
2017-02-01 | ssl: Make sure PEM cache works as intended | Ingela Anderton Andin
Move of PEM cache to own process was flawed and not all PEM files were cached properly. We must properly handle both the distributed and the normal mode of the ssl application.
2017-01-27 | Merge branch 'maint' | Ingela Anderton Andin
2017-01-27 | Merge branch 'ingela/ssl/key-ext-validate/ERL-338/OTP-14141' into maint | Ingela Anderton Andin
* ingela/ssl/key-ext-validate/ERL-338/OTP-14141:
  ssl: The certificate path may be used as a source to find intermediate CAs for the CRL
  ssl: Handle more than one DistributionPoint
  ssl: Correct ssl_certificate:validate/3
2017-01-26 | ssl: The certificate path may be used as a source to find intermediate CAs for the CRL | Ingela Anderton Andin