aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
AgeCommit message (Collapse)Author
2018-09-25Merge branch 'maint'Henrik Nord
2018-09-24Prepare releaseErlang/OTP
2018-09-21Merge branch 'maint'Henrik Nord
2018-09-21Update copyright yearHenrik Nord
2018-09-20Merge branch 'maint'Ingela Anderton Andin
2018-09-20ssl: Improve interop checksIngela Anderton Andin
2018-09-20Merge branch 'maint'Ingela Anderton Andin
2018-09-20ssl: Move link to correct processIngela Anderton Andin
The link should be between the connection process and the tls_sender process. But the start of the tls_sender process needs to be done by the process that also starts the connection process in order to correctly create the opaque #ssl_socket{}.
2018-09-12Merge branch 'peterdmv/ssl/property_test_client_hello'Péter Dimitrov
* peterdmv/ssl/property_test_client_hello: ssl: Property test hello extensions Change-Id: I78f5cdef8702141b78e9123efe34e381a5e5d12c
2018-09-12Merge branch 'maint'Ingela Anderton Andin
2018-09-12ssl: Handle incomplete and unorded chainsIngela Anderton Andin
If the peer sends an incomplete chain that we can reconstruct with our known CA-certs it will be accepted. We will assume that the peer honors the protocol and sends an orded chain, however if validation fails we will try to order the chain in case it was unorded. Will also handle that extraneous cert where present. See Note form RFC 8446 Note: Prior to TLS 1.3, "certificate_list" ordering required each certificate to certify the one immediately preceding it; however, some implementations allowed some flexibility. Servers sometimes send both a current and deprecated intermediate for transitional purposes, and others are simply configured incorrectly, but these cases can nonetheless be validated properly. For maximum compatibility, all implementations SHOULD be prepared to handle potentially extraneous certificates and arbitrary orderings from any TLS version, with the exception of the end-entity certificate which MUST be first.
2018-09-11ssl: Property test hello extensionsPéter Dimitrov
Extend test generators with ClientHello extensions: - TLS 1.2: supported_version - TLs 1.3: supported_version and signature_scheme_list Change-Id: I43356a2a921edade124eceb004f20411c7e92619
2018-09-11Merge branch 'peterdmv/ssl/tls13_ciphers'Péter Dimitrov
* peterdmv/ssl/tls13_ciphers: ssl: Fix cipher suite handling ssl: Add TLS 1.3 cipher suites Change-Id: I6b306d29642ba38639157ed1afea8b8df38af30e
2018-09-11Merge branch 'maint'Ingela Anderton Andin
2018-09-11ssl: Correct handling of all PSK cipher suitesIngela Anderton Andin
Before only some PSK suites would be correctly negotiated and most PSK ciphers suites would fail the connection. PSK cipher suites are anonymous in the sense that they do not use certificates except for rsa_psk.
2018-09-07ssl: Fix cipher suite handlingPéter Dimitrov
Implementations of TLS 1.3 which choose to support prior versions of TLS SHOULD support TLS 1.2. That is, a TLS 1.3 ClientHello shall advertise support for TLS 1.2 ciphers in order to be able to connect to TLS 1.2 servers. This commit changes the list of the advertised cipher suites to include old TLS 1.2 ciphers. Change-Id: Iaece3ac4b66a59dfbe97068b682d6010d74522b8
2018-09-07ssl: Add TLS 1.3 cipher suitesPéter Dimitrov
TLS_AES_128_GCM_SHA256 = {0x13,0x01} TLS_AES_256_GCM_SHA384 = {0x13,0x02} TLS_CHACHA20_POLY1305_SHA256 = {0x13,0x03} Change-Id: I3406aaedac812fc43519ff31e5f00d26e375c5d5
2018-09-07Merge branch 'peterdmv/ssl/add_signature_algorithms'Péter Dimitrov
* peterdmv/ssl/add_signature_algorithms: ssl: Use 'HighestVersion' instead of extra function call ssl: Add new extension with encode/decode functions ssl: Format code in handle options Change-Id: Iba3600edc86dc646a7bbabf550d88e7884877e18
2018-09-07Merge branch 'ingela/ssl/property-tests'Ingela Anderton Andin
* ingela/ssl/property-tests: ssl: Correct compression decoding ssl: Add property tests framework ssl: Fix typo
2018-09-06Merge branch 'maint'Ingela Anderton Andin
2018-09-06ssl: Correct compression decodingIngela Anderton Andin
Property testing revealed an decoding error of "compression_methods" in the client hello. As we do not implement any compression methods this has no practical impact.
2018-09-06ssl: Add property tests frameworkErland Schönbeck
2018-09-06ssl: Use 'HighestVersion' instead of extra function callPéter Dimitrov
Change-Id: I7521cd4e83f881d3caeae8faf2dd8108db15aa7e
2018-09-06ssl: Add new extension with encode/decode functionsPéter Dimitrov
Change-Id: I8a5c11b3503b44cfc6cbd6e4fd8ff3005a8669dd
2018-09-06ssl: Fix typoIngela Anderton Andin
2018-09-05ssl: Format code in handle optionsPéter Dimitrov
Change-Id: I997fa8808eaf48aad24a7097b82571be9f0ee252
2018-09-04ssl: Initial cipher suites adoption for TLS-1.3Ingela Anderton Andin
This commit filters out cipher suites not to be used in TLS-1.3 We still need to add new cipher suites for TLS-1.3 and possible add new information to the suite data structure.
2018-09-04ssl: Add new TLS-1.3 AlertsIngela Anderton Andin
2018-09-04ssl: Add initial TLS 1.3 hanshake encode/decode supportIngela Anderton Andin
2018-09-04Fixed ssl_options typespec for keyLasse Skindstad Ebert
2018-08-30Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_connection.erl lib/ssl/src/tls_connection.erl
2018-08-30Merge branch 'ingela/ssl/send-recv-dead-lock/ERL-622' into maintIngela Anderton Andin
* ingela/ssl/send-recv-dead-lock/ERL-622: ssl: Improve close handling ssl: Adopt distribution over TLS to use new sender process ssl: Add new sender process for TLS state machine
2018-08-27Merge branch 'maint'Hans Nilsson
* maint: ssl: Fix dialyzer errors detected when crypto.erl is typed
2018-08-27Merge branch 'hans/ssl/dialyzer_crypto_typed/OTP-15271' into maintHans Nilsson
* hans/ssl/dialyzer_crypto_typed/OTP-15271: ssl: Fix dialyzer errors detected when crypto.erl is typed
2018-08-27ssl: Improve close handlingIngela Anderton Andin
We want to make sure that the sender process that may get stuck in prim_inet:send will die if the tls_connection process is terminated. And we also like to make sure that it terminates as gracefully as possible. So when the tls_connection process dies it spawns a killer process that will brutaly kill the sender if it is unresponsive and does not terminate due to its monitor of the tls_connetion process triggering. When the sender process also acts as distribution controller it may also have other processess that it is linked with that it should bring down or that could bring the connection down.
2018-08-27ssl: Adopt distribution over TLS to use new sender processIngela Anderton Andin
2018-08-27ssl: Add new sender process for TLS state machineIngela Anderton Andin
Separate sending and receiving when using TCP as transport as prim_inet:send may block which in turn may result in a deadlock between two Erlang processes communicating over TLS, this is especially likely to happen when running Erlang distribution over TLS.
2018-08-24ssl: Fix dialyzer errors detected when crypto.erl is typedHans Nilsson
2018-08-24Merge branch 'maint'Lars Thorsen
* maint: Updated OTP version Prepare release Updated the engine load functionality inets: Prepare for release inets: Use status code 501 when no mod_* handles the request ssl: Prepare for release ssl: Make sure that a correct cipher suite is selected ssl: Make sure that a correct cipher suite is selected
2018-08-24Merge branch 'maint-21' into maintLars Thorsen
* maint-21: Updated OTP version Prepare release Updated the engine load functionality inets: Prepare for release inets: Use status code 501 when no mod_* handles the request ssl: Prepare for release ssl: Make sure that a correct cipher suite is selected ssl: Make sure that a correct cipher suite is selected
2018-08-23Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/tls_v1.erl
2018-08-23ssl: Correct dialyzer specsIngela Anderton Andin
2018-08-23Prepare releaseErlang/OTP
2018-08-22Merge branch 'maint'Ingela Anderton Andin
Conflicts: lib/ssl/src/ssl_cipher.erl
2018-08-21ssl: Move formatting code to own moduleIngela Anderton Andin
The conversion code for different representations of cipher suites is long an repetitive. We want to hide it in a module that does not have other functions that we like to look at.
2018-08-21ssl: Remove legacy filesIngela Anderton Andin
When starting to implement DTLS, it was assumed that the APIs for TLS and DTLS would differ more. This assumption turned out to be wrong.
2018-08-20Merge branch 'maint'Rickard Green
* maint: erts/time_correction.xml: remove extra closing parenthesis use ssl:handshake/1 function
2018-08-20Merge pull request #1901 from getong/fix_ssl_exampleIngela Andin
Modernized example
2018-08-14Merge branch 'maint'Ingela Anderton Andin
2018-08-14Merge branch 'ingela/ssl/ERL-668/improve-err-msg/OTP-15234' into maintIngela Anderton Andin
* ingela/ssl/ERL-668/improve-err-msg/OTP-15234: ssl: Improve error message