| Age | Commit message (Collapse) | Author |
|---|
|
Add a test to ensure that a single 'raw' option can be passed to
ssl:listen correctly.
Note: multiple raw options are (incorrectly) handled by
inet:listen_options. See
http://erlang.org/pipermail/erlang-questions/2014-March/078371.html
|
|
In Erlang R16B03-1, I've been passing raw options to ssl:listen as
follows, and it's been working fine:
% The constants are defined elsewhere.
LOpts = [{raw, ?IPPROTO_TCP, ?TCP_MAXSEG, <<MSS:32/native>>} | ...],
{ok, LSocket} = ssl:listen(0, LOpts)
In Erlang 17.3, this fails with
{option_not_a_key_value_tuple,{raw,6,2,<<64,2,0,0>>}}
I originally reported this in
http://erlang.org/pipermail/erlang-questions/2014-October/081226.html
I need to pass this particular raw option to ssl:listen, because it
needs to be applied when the socket is first opened -- between inet:open
and prim_inet:listen -- it cannot be applied later by setopts. This
means that it needs to be done by inet_tcp:listen/2 -- well, actually by
inet:open/8, but...
Otherwise it's racey -- a client could connect between prim_inet:listen
and the setopts call. The MSS option is advertised in the SYN,ACK
packet, and can't be changed later.
|
|
|
|
* ia/ssl/modern-timetrap:
ssl: Make init functions fail if make_certs:all fails
ssl: Avoid sleep
ssl: modernize timetrap handling
|
|
|
|
When possible avoid sleep in test cases.
|
|
Watchdog is legacy test_server use only ct:timetrap/1
|
|
|
|
The test cases does not use any hooks and including the ts_install_cth
trips up the test case setup on some platforms cuasing the test cases
to fail with {error, enoent}
|
|
* ia/ssl/test-fips:
ssl: Filter suites for openssl FIPS if necessary
|
|
* ia/ssl/unknown-hash/OTP-12829:
ssl: Add unassigned values
ssl: Do not crash on proprietary hash_sign algorithms
|
|
|
|
* ferd/deny-client-renegotiation:
Add disable client-initiated renegotiation option
Conflicts:
lib/ssl/doc/src/ssl.xml
lib/ssl/src/ssl.erl
OTP-12815
|
|
|
|
* essen/fix-alpn-test:
ssl: Fix small error in an ALPN test
|
|
TLS hash_sign algorithms may have proprietary values see
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
We should add callbacks to let applications handle them.
But for now we do not want to crash if they are present and
let other algorithms be negotiated.
|
|
|
|
Client-initiated renegotiation is more costly for the server than the
client, and this feature can be abused in denial of service attempts.
Although the ssl application already takes counter-measure for these
(via cooldown periods between renegotiations), it can be useful to
disable the feature entirely.
This patch adds the `{client_renegotiation, boolean()}' option to the
server-side of the SSL application (defaulting to `true' to be
compatible with the current behaviour).
The option disables the ability to do any renegotiation at all in the
protocol's state, reusing the existing denial code, but without opening
the code path that sets up a timed message to eventually reopen it up.
|
|
|
|
* tombriden/handle_ssl_error:
TLS Dist: Handle ssl_error and close ssl socket
OTP-12799
|
|
Conflicts:
OTP_VERSION
lib/inets/test/httpd_SUITE.erl
lib/inets/vsn.mk
lib/ssh/src/ssh.erl
lib/ssh/vsn.mk
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
|
|
|
|
|
|
alert records needs to be thrown from
ssl_handshake:premaster_secret/[2/3] so that operations will end up in
the catch clause of the invokation of certify_client_key_exchange/3 in
ssl_connection.erl, and hence terminate gracefully and not continue to try
and calculate the master secret with invalid inputs and crash.
|
|
Refactored the code and moved client_check before call to
ssl_test_lib:check_result(Server, ExpectedSNIHostname) as this
call may consume client messages ( which is intentional) but was
missed by the test case writer.
|
|
connection_info -> connection_information
|
|
|
|
|
|
* ia/ssl/sleep-cuddle:
ssl: Adjust sleep time in test case
|
|
Adjust time to make sure "enough" time has elapsed. Will have to do
for now.
|
|
|
|
This reverts commit e09dd66dc4d89c62ddfd8c19791f9678d5d787c6.
|
|
|
|
Dialyzer warned about the incorrect match of Packets. Code
was refactored and the problem avoided in the process.
Dialyzer warned that the empty tuple is not a function as the contract
said it should be. Changed the handling of the sni_fun default value to be
undefined and added it to the contract.
|
|
The newly added function sni_fun allows dynamic update of SSL options
like keys and certificates depending on different SNI hostname, rather
than a predefined rules of SSL options.
|
|
This commit adds tests for SNI server support in:
* ssl_sni_SUITE.erl
* ssl_to_openssl_SUITE.erl
And some more modifications:
* make_certs also makes two certs for SNI, and adds
extra options for SNI.
|
|
|
|
This commit adds a new function, ssl:connection_information/[1,2]
to retrive the connection information from a SSLSocket.
And also, this deprecates a function ssl:connection_info/1, and
reimplements connection_info/1 with the new function.
|
|
|
|
|
|
|
|
Make sure that links from ssl to public_key work.
OTP-12670 - Ignoring 1.2 extension in 1.0 or TLS-1.1
solved by 5edda23ee854038c9d4bcddd0d676ee0ffd20da5
is mentioned here to make the release scripts happy,
as the branch solving this accidently had a name ending 1267
instead of 12670
|
|
|
|
|
|
|
|
ssl SSL
crypto Crypto
stdlib STDLIB
kernel Kernel
public_key Public Key
|
|
|
|
|
|
In some instances, restarting a node causes a fatal SSL error on
the other nodes which isn't handled leaving the socket open. Eventually
the nodes will net tick timeout but the node being restarted never
comes back to life
By handling the fatal error and closing the socket, the restarting
node can restart successfully even when the ssl error occurs
|
|
This reverts commit a3cf4eb4cdd2ce178d81b62faa9f47485fd82331.
This workaround is no longer needed as the, TLS-1.2 extension,
signature_algorithm is now correctly ignored by previous TLS versions.
|
