Age | Commit message (Collapse) | Author |
|
|
|
|
|
* rb/ssl-fix-http-packet-decoding:
Fix ssl to decode http packets in the same way as gen_tcp
OTP-8545 rb/ssl-fix-http-packet-decoding
|
|
|
|
* rb/ssl-transport-accept-fix:
Fix ssl:transport_accept/2 to return properly when socket is closed
OTP-8560 rb/ssl-transport-accept-fix
Fixed ssl:transport_accept/2 to return properly when socket is closed.
Thanks to Rory Byrne.
|
|
|
|
|
|
|
|
When gen_tcp is configured with the {packet,http} option, it
automatically switches to expect HTTP Headers after a HTTP
Request/Response line has been received. This update fixes ssl to
behave in the same way.
|
|
A badmatch exception is thrown from ssl:transport_accept/2 when
ssl:close/1 is called on the socket. This fixes it to return
{error,closed} as expected.
|
|
|
|
The SSL handshake fails when an ssl server is configured with the
'fail_if_no_peer_cert' option and a valid client sends its certificate
as instructed. On the server-side ssl:ssl_accept/2 will return
{error,esslerrssl}, and it will send an "Unexpected Message" SSL Alert
(type 10) to the client.
|
|
Using certain valid options in the new ssl implementation results
in badarg exceptions. This happens for one documented option
'fail_if_no_peer_cert' and two undocumented options
'verify_client_once' and 'cb_info'.
|
|
|
|
|
|
|
|
|
|
hence not covered by test cases.
|
|
|
|
|
|
New ssl now properly handles ssl renegotiation, and initiates a
renegotiation if ssl/ltls-sequence numbers comes close to the max value.
|
|
Fixed a crash in the certificate certification part.
|
|
|
|
|
|
packet.
|
|
* yh/packet_option_for_new_ssl_send:
Fixed ssl:setopts(Socket, binary) which was didn't work for 'new' ssl.
Fixed bug file cache bug and improved the error messages.
Allow <c>ssl:listen/2</c> to be called with option {ssl_imp, old}.
prepend packet size bytes in ssl:send() in new_ssl implementation
OTP-8441 ssl:send/2 ignored packet option, fix provided by YAMASHINA Hio.
Fixed a file cache bug which caused problems when the same file
was used for both cert and cacert.
Allow ssl:listen/2 to be called with option {ssl_imp, old}.
Fixed ssl:setopts(Socket, binary) which didn't work for 'new'
ssl..
|
|
|
|
|
|
|
|
With the {ssl_imp,new} option enabled, {packet,PacketType} only
works when receiving. When sending, {packet,0} is always used.
|
|
improvements.
Most notable:
Lots of cross compilation improvements. The old cross compilation
support was more or less non-existing as well as broken. Please,
note that the cross compilation support should still be
considered as experimental. Also note that old cross compilation
configurations cannot be used without modifications. For more
information on cross compiling Erlang/OTP see the
$ERL_TOP/xcomp/README file.
Support for staged install using <url
href="http://www.gnu.org/prep/standards/html_node/DESTDIR.html">D
ESTDIR</url>. The old broken INSTALL_PREFIX has also been fixed.
For more information see the $ERL_TOP/README file.
Documentation of the release target of the top Makefile. For more
information see the $ERL_TOP/README file.
make install now by default creates relative symbolic links
instead of absolute ones. For more information see the
$ERL_TOP/README file.
$ERL_TOP/configure --help=recursive now works and prints help for
all applications with configure scripts.
Doing make install, or make release directly after make all no
longer triggers miscellaneous rebuilds.
Existing bootstrap system is now used when doing make install, or
make release without a preceding make all.
The crypto and ssl applications use the same runtime library path
when dynamically linking against libssl.so and libcrypto.so. The
runtime library search path has also been extended.
The configure scripts of erl_interface and odbc now search for
thread libraries and thread library quirks the same way as erts
do.
The configure script of the odbc application now also looks for
odbc libraries in lib64 and lib/64 directories when building on a
64-bit system.
The config.h.in file in the erl_interface application is now
automatically generated in instead of statically updated which
reduces the risk of configure tests without any effect.
|
|
|
|
|
|
|
|
* dgud/ssl-patches-from-Wil:
Added a public_key:pkix_transform/2 instead and used it from ssl.
Minor code cleanup
new_ssl fix session reuse
Code cleanup
Send CA list during Certificate Request in new_ssl
OTP-8372 Fixed session reuse (in new_ssl), thanks Wil Tan.
Send CA list during Certificate Request (in new_ssl) , thanks Wil
Tan.
|
|
|
|
|
|
|
|
|
|
When an SSL client presents a previous session ID, the server should
either honour the request to reuse the parameters previously negotiated
for the given session ID, or ignore the request and generate a new
session ID.
In this situation, new_ssl tries to complete the handshake by sending
the client a "Finished" handshake message, which violates the SSL/TLS
specs. It should instead send a ChangeCipherSpec message before sending
the FInished message. This patch fixes it.
|
|
|
|
When requesting for client certificate, an SSL/TLS server may send a
list of the distinguished names of acceptable certificate authorities.
OpenSSL does this by default.
|
|
|
|
|