aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
AgeCommit message (Collapse)Author
2016-07-08ssl: Correct handling of signature algorithm selectionIngela Anderton Andin
In TLS-1.2 the selection of the servers algorithms and the the possible selection of algorithms for the client certificate verify message have different requirements.
2016-07-08ssl: Simplify and refactor testsIngela Anderton Andin
Tests in ECC_SUITE did not always use the certs implied by the name. Variable naming also confused the intent. ssl_certificate_verify_SUITE did not clean up properly and tests could fail due to cache problems.
2016-06-28ssl: All started test nodes must be cleaned upIngela Anderton Andin
Function to stop SSL/TLS node may not exit as a test case will start more than one node and all nodes must be stopped.
2016-06-22ssl: Do not leave zoombie nodes if tests failIngela Anderton Andin
2016-06-21Prepare releaseErlang/OTP
2016-06-17ssl: Extend list of supported featuresIngela Anderton Andin
Note these where supported before ssl-8.0
2016-06-17Merge branch 'ingela/ssl/runtime-dep'Ingela Anderton Andin
* ingela/ssl/runtime-dep: ssl: Add new public_key to runtime dependencies
2016-06-17Merge branch 'shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101'Ingela Anderton Andin
* shlonny/add-asn1-app-to-ssl-distribution-doc/PR-1101: added asn1 to applications needed for start_ssl
2016-06-16ssl: Add new public_key to runtime dependenciesIngela Anderton Andin
Due to 5268c7b957c30c31e551f197463cdd55a792ea69
2016-06-16ssl: Fix Xmllint errorsIngela Anderton Andin
2016-06-15ssl: Make sure openssl client does not use sslv2 helloIngela Anderton Andin
This should only be used in legacy test case not in test cases testing other functionality.
2016-06-15Merge branch 'ingela/ssl/packet_SUITE/test-timeouts'Ingela Anderton Andin
* ingela/ssl/packet_SUITE/test-timeouts: ssl: Make diffrent timeouts
2016-06-15ssl: Make diffrent timeoutsIngela Anderton Andin
Some test cases takes really long time on old machines. But normaly all tests are under 15 seconds. Try to avoid long timeouts for all test cases. Although we like to find a better tuning, set timeouts high for now to avoid tests cases failing with timeout.
2016-06-15Merge branch 'ingela/ssl/dtls-next-step-flights/OTP-13678'Ingela Anderton Andin
* ingela/ssl/dtls-next-step-flights/OTP-13678: dtls: Avoid dialyzer errors dtls: add implementation for msg sequence dtls: Remove TODO dtls: sync dtls_record DTLS version and crypto handling with TLS dtls: handle Hello and HelloVerify's in dtls_handshake dtls: rework/simplify DTLS fragment decoder dtls: add support first packet and HelloVerifyRequest dtls: sync handle_info for connection close with TLS dtls: sync handling of ClientHello with TLS dtls: rework handshake flight encodeing dtls: implement next_tls_record dtls: sync init and initial_state with tls_connection dtls: update start_fsm for new ssl_connection API ssl: introduce the notion of flights for dtls and tls ssl: move available_signature_algs to ssl_handshake
2016-06-14added asn1 to applications needed for start_sslJohn
2016-06-14Merge branch 'ingela/ssl_to_openssl_SUITE-timeouts'Ingela Anderton Andin
* ingela/ssl_to_openssl_SUITE-timeouts: ssl: Timeout tuning
2016-06-14Merge branch 'ingela/ssl/ssl_basic_SUITE-timeouts'Ingela Anderton Andin
* ingela/ssl/ssl_basic_SUITE-timeouts: ssl: Tune timeouts
2016-06-14Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'Ingela Anderton Andin
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530: Skip crl_hash_dir_expired test for LibreSSL Add ssl_crl_hash_dir module Function for generating OpenSSL-style name hashes Add public_key:pkix_match_dist_point Improve formatting for crl_{check,cache} options Add issuer arg to ssl_crl_cache_api lookup callback Conflicts: lib/public_key/test/public_key_SUITE.erl
2016-06-14Merge branch 'lukas/erts/testfixes-19'Lukas Larsson
* lukas/erts/testfixes-19: erts: Increase bif and nif call_time trace test erts: Fix distribution_SUITE:bulk_send_bigbig on windows erts: Ensure bs_add_overflow test has enough memory kernel: Better explain controlling_process' tcp behaviour kernel: Fix t_recv_delim on bsd os_mon: Make sure to start/stop os_mon in tests correctly ssl: Fix use_interface dist_SSL test erl_interface: Fix signed int overflow tc bug erts: fix atom_roundtrip_r15b tc erts: Require more memory for debug tests
2016-06-14Merge branch 'maint'Henrik Nord
Conflicts: OTP_VERSION lib/inets/vsn.mk lib/ssl/test/ssl_basic_SUITE.erl lib/ssl/vsn.mk
2016-06-14ssl: Fix use_interface dist_SSL testLukas Larsson
Doing inet:port will cause an port_control to be sent to the port, and not all ports in the vm can handle having arbitrary data sent to them.
2016-06-13dtls: Avoid dialyzer errorsIngela Anderton Andin
Make real solution later. For now we want to move forward without dialyzer errors.
2016-06-13dtls: add implementation for msg sequenceAndreas Schultz
Conflicts: lib/ssl/src/dtls_connection.erl lib/ssl/src/ssl_record.erl
2016-06-13dtls: Remove TODOIngela Anderton Andin
2016-06-13dtls: sync dtls_record DTLS version and crypto handling with TLSAndreas Schultz
2016-06-13dtls: handle Hello and HelloVerify's in dtls_handshakeAndreas Schultz
2016-06-13dtls: rework/simplify DTLS fragment decoderAndreas Schultz
changed: * initialize deocder state when needed * remove retransmission indicator support
2016-06-13dtls: add support first packet and HelloVerifyRequestAndreas Schultz
The actual user of this API is the UDP socket multiplexer which will be added later. Conflicts: lib/ssl/src/dtls_connection.erl
2016-06-13dtls: sync handle_info for connection close with TLSAndreas Schultz
2016-06-13dtls: sync handling of ClientHello with TLSAndreas Schultz
2016-06-13dtls: rework handshake flight encodeingAndreas Schultz
The MSS might change between sending the a flight and possible resend. We therefore have to be able to fragment the records differently for resent. Encoding and fragmenting of handshake record therefor needs to be done independently. With this change the handshake is encoded to it's full length first, then queued to a flight. The fragmentation is handled during assembly of the flights datagram. Conflicts: lib/ssl/src/dtls_connection.erl
2016-06-13dtls: implement next_tls_recordAndreas Schultz
Conflicts: lib/ssl/src/dtls_connection.erl
2016-06-13dtls: sync init and initial_state with tls_connectionAndreas Schultz
Sync initial_state overall functionality with TLS and add a few DTLS specific initalizers. Conflicts: lib/ssl/src/dtls_connection.erl
2016-06-13dtls: update start_fsm for new ssl_connection APIAndreas Schultz
2016-06-13ssl: introduce the notion of flights for dtls and tlsAndreas Schultz
The flight concept was introduced by DTLS (RFC 4347) to optimize the packing of DTLS records into UDP packets. This change implments the flight concept in the the generic SSL connection logic and add the queue logic to the TLS and DTLS stack. The DTLS required resend handling is not implemented yet. While the flight handling is only required for DTSL, it turns out that the same mechanism can be usefull to TCP based TLS as well. With the current scheme each TLS record will be mapped into a separate TCP frame. This causes more TCP frames to be generate that necessary. On fast network this will have no impact, but reducing the number of frames and thereby the number of round trips can result in significant speedups on slow and unreliable networks. Conflicts: lib/ssl/src/tls_connection.erl
2016-06-13ssl: move available_signature_algs to ssl_handshakeAndreas Schultz
available_signature_algs is also needed for DTLS, move it into a shared place and export it. Conflicts: lib/ssl/src/tls_handshake.erl
2016-06-13Update release notesErlang/OTP
2016-06-13Merge branch 'ingela/maint/ssl/max-session-table/OTP-13490' into maint-18Erlang/OTP
* ingela/maint/ssl/max-session-table/OTP-13490: ssl: Mitigate load increase when the whole session table is invalidated
2016-06-13Merge branch 'joedevivo/maint/ssl/PR-1063/OTP-13635' into maint-18Erlang/OTP
* joedevivo/maint/ssl/PR-1063/OTP-13635: ssl:recv timeout() can be 0
2016-06-13Merge branch 'ingela/maint/ssl/tls-1.2-available-hashsigns/OTP-13670' into ↵Erlang/OTP
maint-18 * ingela/maint/ssl/tls-1.2-available-hashsigns/OTP-13670: ssl: ordsets:intersection/2 did not give the expected result
2016-06-13Merge branch 'kennethlakin/maint/tls-use-negotiated-prf/PR-1042/OTP-13546' ↵Erlang/OTP
into maint-18 * kennethlakin/maint/tls-use-negotiated-prf/PR-1042/OTP-13546: ssl: Use cipher suite's PRF in prf/5
2016-06-13ssl: Mitigate load increase when the whole session table is invalidatedIngela Anderton Andin
2016-06-13ssl: Prepare for releaseIngela Anderton Andin
2016-06-09ssl: Use cipher suite's PRF in prf/5Kenneth Lakin
Use the negotiated cipher suite's PRF algorithm in calls to ssl:prf/5, rather than a hard-coded one. For TLS 1.0 the PRF algorithm was hard-coded to MD5/SHA1. This was correct 100% of the time. For TLS 1.1 and 1.2 the PRF algorithm was hard-coded to SHA256. This was correct only some of the time for TLS 1.2 and none of the time for TLS 1.1. Because the TLS handshake code calls tls_v1:prf/5 through another path, the handshaking process used the negotiated PRF and did not encounter this bug. A new test (prf) has been added to ssl_basic_SUITE to guard against future breakage.
2016-06-09ssl:recv timeout() can be 0Joe DeVivo
gen_tcp:recv allows this, and if you're doing something like Transport:recv(Socket, 0, 0), TCP will work and SSL will exit with function_clause There were other cases of this throughout the module. This PR cleans them all up.
2016-06-09ssl: ordsets:intersection/2 did not give the expected resultIngela Anderton Andin
Turns out we can not count on the "hashsigns" sent by the client and the supported "hashigns" sets to have required properties of ordsets.
2016-06-09Merge branch 'ingela/ssl/crl-find-issuer/OTP-13656'Ingela Anderton Andin
* ingela/ssl/crl-find-issuer/OTP-13656: ssl: Propagate error so that public_key crl validation process continues correctly and determines what should happen.
2016-06-09ssl: Propagate error so that public_key crl validation process continuesIngela Anderton Andin
correctly and determines what should happen.
2016-06-09Add ssl:getstat/1 and ssl:getstat/2Loïc Hoguin
These functions call getstat on the underlying TCP socket. The only way to do this before now was to use a hack, either by looking inside the #sslsocket{} record directly, or by not using the SSL listen/accept functions and upgrading from a TCP socket that is kept around for the purpose of calling getstat later on.
2016-06-07Merge branch 'ingela/ssl/unexpected-client-cert/OTP-13651'Ingela Anderton Andin
* ingela/ssl/unexpected-client-cert/OTP-13651: ssl: Reject unrequested client cert