| Age | Commit message (Collapse) | Author |
|---|
|
Changed the behavior of the verify_fun option so that
the application can be responsible for handling path validation
errors even on the server side. Also replaced the not yet
documented validate_extensions_fun to be handled by the
verify_fun instead.
If the verify callback fun returns {fail, Reason}, the verification process is
immediately stopped and an alert is sent to the peer and the TLS/SSL
handshake is terminated. If the verify callback fun returns {valid,
UserState}, the verification process is continued. If the verify callback
fun always returns {valid, UserState}, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The verify callback fun will also be
able to verify application specific extensions.
|
|
Added support for inputing certificates and keys directly in DER format
these options will override the pem-file options if specified.
|
|
* dgud/ssl-commit-example-certs:
Cleanup ssl configure parts
Remove cert building from Makefiles
Checkin example certs instead of generating them.
|
|
* maint-r13:
Remove copyright headers in vsn.mk files
Conflicts:
lib/appmon/vsn.mk
lib/erl_docgen/vsn.mk
lib/inets/vsn.mk
lib/kernel/vsn.mk
lib/reltool/vsn.mk
lib/ssl/vsn.mk
lib/stdlib/vsn.mk
lib/tools/vsn.mk
lib/tv/vsn.mk
lib/xmerl/vsn.mk
|
|
|
|
Copyright notices serve no useful purpose in vsn.mk files, and
only complicate scripts that automatically update version numbers.
|
|
Avoiding cross-compilation and other problems by keeping them in git
instead of generating them each time. I think the reason to generate
them was that a valid date limitation, now that we can specify
the date, I have set them to be valid for 15 years.
|
|
|
|
Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.
In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.
|
|
Changed test so that the test cases testing all different ciphers
also sends data so that that the calls to crypto cipher functions
are also tested.
|
|
* dgud/ssl/handskake_client_key/OTP-8793:
Fix handshake problem with multiple messages in one packet
|
|
* dgud/ssl/empty_msg_problem/OTP-8790:
Fix receiving empty packets.
|
|
Building in a source tree without prebuilt platform independent
build results failed on the SSL examples when building on
Windows.
|
|
Empty packets where not delivered from ssl, it incorrectly assumed
there was no data.
|
|
Building in a source tree without prebuilt platform independent
build results failed on the SSL examples when cross building.
This has been solved by not building the SSL examples during a
cross build.
|
|
If hello and client_key_exchange message is sent together in
the same packet, ssl can't handle it and closes the connection.
Also fixed compiler warning.
|
|
Fixed handling of the option {mode, list} that was broken for some
packet types for instance line.
|
|
This corrects the returned data to be in list format, not binary if
both {packet, line} and list are set as option.
|
|
|
|
* ia/ssl-interop/OTP-8740:
Do not check the padding for TLS 1.0
|
|
* ia/public_key_api/OTP-8722:
Revise the public_key API
Resolved, version is now 0.8.
Conflicts:
lib/public_key/vsn.mk
|
|
Cleaned up and documented the public_key API to
make it useful for general use.
|
|
* pg/fix-ssl-handshake-client-certificate:
Fix bug in ssl handshake protocol related to the choice of cipher suites
OTP-8772
|
|
OTP-7046 Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6.
OTP-8553 Moved extended key usage test for ssl values to ssl.
OTP-8557 Fixes handling of the option fail_if_no_peer_cert and some
undocumented options. Thanks to Rory Byrne.
OTP-7046 Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6.
OTP-8517 New ssl now properly handles ssl renegotiation, and initiates
a renegotiation if ssl/ltls-sequence numbers comes close
to the max value. However RFC-5746 is not yet supported,
but will be in an upcoming release.
OTP-8545 When gen_tcp is configured with the {packet,http} option,
it automatically switches to expect HTTP Headers after a
HTTP Request/Response line has been received. This update
fixes ssl to behave in the same way. Thanks to Rory Byrne.
OTP-8554 Ssl now correctly verifies the extended_key_usage extension
and also allows the user to verify application specific
extensions by supplying an appropriate fun.
OTP-8560 Fixed ssl:transport_accept/2 to return properly when socket
is closed. Thanks to Rory Byrne.
|
|
OTP-8510 Fixed a crash in the certificate certification part.
|
|
Some application's vsn.mk files contained a list of the ticket
numbers fixed in each version.
Since that information can be obtained from the notes.xml file or
from the merge commits in the git repository (provided that the
branch name includes the ticket number), there is no reason to
manually maintain that information in the vsn.mk files.
|
|
in client hello message when a client certificate is used
The client hello message now always include ALL available cipher suites
(or those specified by the ciphers option). Previous implementation would
filter them based on the client certificate key usage extension (such
filtering only makes sense for the server certificate).
|
|
For interoperability reasons we do not check the padding in TLS 1.0 as
it is not strictly required and breaks interopability with for
instance Google.
|
|
|
|
|
|
instead of causing a case-clause.
|
|
|
|
|
|
Started to improve code documentation by using -spec directive, and
some small refactorings to avoid ugly code.
|
|
Ssl has now switched default implementation and removed deprecated
certificate handling. All certificate handling is done by the public_key
application.
|
|
Ssl has now switched default implementation and removed deprecated
certificate handling. All certificate handling is done by the public_key
application.
|
|
Ssl has now switched default implementation and removed deprecated
certificate handling. All certificate handling is done by the public_key
application.
|
|
(This is the merge of r13 version to r14_dev)
|
|
|
|
New ssl now support client/server-certificates signed by dsa keys.
|
|
This was broken during a refactoring of the code.
|
|
|
|
|
|
wrong shell!
|
|
|
|
|
|
|
|
|
|
it before sending the fatal alert, even though documentation suggests
the socket will be flushed on linux as an effect of setting the nodelay option.
|
|
|
