aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
AgeCommit message (Collapse)Author
2017-02-13ssl: Test case robustnessIngela Anderton Andin
2017-02-08ssl: Avoid SSL/TLS hello format confusionIngela Anderton Andin
Valid SSL 3.0 or TLS hellos might accidentally match SSL 2.0 format (and sometimes the other way around before inspecting data) so we need to match SSL 3.0 and TLS first and only match SSL 2.0 hellos when flag to support it is set.
2017-02-01ssl: Simplify configuration codeIngela Anderton Andin
Use map instead of large tuple, which was not an option when the code was written originally. More simplifications along these lines may be done later to the state record.
2017-02-01ssl: Make sure PEM cache works as intendedIngela Anderton Andin
Move of PEM cache to own process was flawed and not all PEM files where cached properly. We must properly handle both the ditributed and the normal mode of the ssl application.
2017-01-27Merge branch 'ingela/ssl/key-ext-validate/ERL-338/OTP-14141' into maintIngela Anderton Andin
* ingela/ssl/key-ext-validate/ERL-338/OTP-14141: ssl: The certificate path may be used as a source to find intermediate CAs for the CRL ssl: Handle more than one DistributionPoint ssl: Correct ssl_certificate:validate/3
2017-01-26ssl: The certificate path may be used as a source to find intermediate CAs ↵Ingela Anderton Andin
for the CRL
2017-01-25Merge branch 'ingela/ssl/crl-validity' into maintIngela Anderton Andin
* ingela/ssl/crl-validity: ssl: Make crls valid for a week instead of 24 hours
2017-01-24ssl: Handle more than one DistributionPointIngela Anderton Andin
2017-01-24ssl: Correct ssl_certificate:validate/3Ingela Anderton Andin
Changes made to ssl_certificate:validate appear to be preventing CRL validation from happening when an id-ce-extKeyUsage extension is present in the cert before the DistributionPoint extension. https://github.com/erlang/otp/blob/448e8aca77dd29ed5b37d56f0700d24ac26a7243/lib/ssl/src/ssl_certificate.erl#L131 See also ERL-338 and PR-1302
2017-01-19ssl: Move PEM cache to a dedicated processIngela Anderton Andin
The PEM cache handling has proven to be too disruptive of the manager process.
2017-01-17ssl: Handle really big handshake packagesIngela Anderton Andin
If a handshake message is really big it could happen that the ssl process would hang due to failing of requesting more data from the socket. This has been fixed. Also added option to limit max handshake size. It has a default value that should be big enough to handle normal usage and small enough to mitigate DoS attacks.
2017-01-12ssl: Make crls valid for a week instead of 24 hoursIngela Anderton Andin
With the 24 option we might be unlucky and get failing tests just because cert expired before the test is run.
2016-12-19ssl: Correct terminate behaviourIngela Anderton Andin
When the terminate function is called explicitly, to make guarantees that for instance the reuseaddr option works as expected, we must make sure that the clean up code is not run again when gen_statem calls terminate. This check was broken in the rewrite from gen_fsm to gen_statem. Caused PEM cache errors, that in some cases would cause unexpected connection failures.
2016-12-09Prepare releaseErlang/OTP
2016-12-07Update copyright-yearErlang/OTP
2016-12-06Merge branch 'ingela/ssl/next-version' into maintIngela Anderton Andin
* ingela/ssl/next-version: ssl: Prepare for release
2016-12-06Merge branch 'ingela/dtls/statem/OTP-12982' into maintIngela Anderton Andin
* ingela/dtls/statem/OTP-12982: ssl: Implement DTLS state machine
2016-12-05Merge branch 'ingela/ECC-tests' into maintIngela Anderton Andin
* ingela/ECC-tests: ssl: Make sure common-test priv_dir is used for test case generated files
2016-12-05ssl: Prepare for releaseIngela Anderton Andin
2016-12-05ssl: Implement DTLS state machineIngela Anderton Andin
Beta DTLS, not production ready. Only very basically tested, and not everything in the SPEC is implemented and some things are hard coded that should not be, so this implementation can not be consider secure. Refactor "TLS connection state" and socket handling, to facilitate DTLS implementation. Create dtls "listner" (multiplexor) process that spawns DTLS connection process handlers. Handle DTLS fragmentation. Framework for handling retransmissions. Replay Detection is not implemented yet. Alerts currently always handled as in TLS.
2016-11-10ssl: Use SHA2 for signing ECC certs if possibleIngela Anderton Andin
ECC certs should preferably use SHA2, this is what we want to be testing. Also assembling of all available test suites must consider TLS version.
2016-11-09Merge branch 'ingela/ssl/tune-timeouts-packet_SUITE' into maintIngela Anderton Andin
* ingela/ssl/tune-timeouts-packet_SUITE: ssl: Change to more modest timeouts
2016-11-09ssl: Remove faulty workaroundIngela Anderton Andin
We where never really satisfied with this workaround it was a bit far fetched, so we are pleased to be able to remove it.
2016-11-07ssl: Make sure common-test priv_dir is used for test case generated filesIngela Anderton Andin
2016-11-07Merge branch 'ferd/ssl-allow-ecc-config/PR-1210/OTP-13959' into maintIngela Anderton Andin
* ferd/ssl-allow-ecc-config/PR-1210/OTP-13959: Add ECC curve selection order config in TLS server
2016-11-02Add ECC curve selection order config in TLS serverFred Hebert
As per RFC 4492 Sec 5.1, the preferred order of selection of named curves is based on client preferences. Currently, the SSL application only picks entries according to the absolute order of entries as tracked in a hardcoded list in code. This patch changes things so that the client-specified order is preferred. It also allows a mode where the server can be configured to override the client's preferred order with its own, although the chosen ECC must still be within both lists. The configuration is done through the following options: - `eccs`, shared by clients and servers alike, allows the specification of the supported named curves, in their preferred order, and may eventually support more values for explicit primes and so on. - `honor_ecc_order`, a server-only option, is similar to `honor_cipher_order` and will, by default let the server pick the client-preferred ECC, and otherwise pick the server-preferred one. The default value for `eccs` is the same as before, although the server-chosen ECC now defaults to the client rather than previous choice. A function `ssl:eccs()` has been added that returns the highest supported ECCs for the library.
2016-10-27Correct spelling error in ssl_distribution.xmlTrevor Brown
Correct "...an exra distribution..." to "...an extra distribution...".
2016-10-21ssl: Change to more modest timeoutsIngela Anderton Andin
This should be fine as timeout problem was due to test case bug that treated a stream as if it was packet oriented.
2016-10-14ssl: Tune timeout for old solaris machineIngela Anderton Andin
2016-10-11Merge branch 'ingela/ssl/algo-check/OTP-13959' into maintIngela Anderton Andin
* ingela/ssl/algo-check/OTP-13959: Properly filter ssl cipher suites reported as supported
2016-10-11Merge branch 'ingela/ssl/crl_SUITE' into maintIngela Anderton Andin
* ingela/ssl/crl_SUITE: ssl: Make sure test has correct input
2016-10-10Properly filter ssl cipher suites reported as supportedDániel Szoboszlay
Adapted from commit 675ee6860d2c273bcc6c6a0536634a107e2a3d9f. Conflicts: lib/ssl/src/ssl_cipher.erl
2016-10-07Merge branch 'ingela/ssl/cipher-type-spec' into maintIngela Anderton Andin
* ingela/ssl/cipher-type-spec: ssl: Adjust cipher type to conform to implementation
2016-10-05ssl: Adjust cipher type to conform to implementationIngela Anderton Andin
2016-10-04Merge branch 'RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896' into maintRaimo Niskanen
* RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896: disable RC4 in SSL when crypto doesn't support it Fix compilation when OpenSSL doesn't support RC4 Conflicts: lib/crypto/c_src/crypto.c
2016-10-04ssl: Correct tests tcp stream handlingIngela Anderton Andin
Data collection function active_once_raw/4 did not handle streamed data correctly (it assumed the stream was "packet oriented"), which could result in that the test case perceived that it did not receive all data even though it did.
2016-09-30ssl: Correct anonymous suite handlingIngela Anderton Andin
Test suite did not take TLS-version in to account. Also some anonymous suites where included incorrectly in some TLS versions.
2016-09-28Update release notesErlang/OTP
2016-09-28Merge branch 'ingela/ssl/prepare-patch' into maint-19Erlang/OTP
* ingela/ssl/prepare-patch: ssl: Prepare for release
2016-09-28Merge branch 'ingela/ssl/ECC-selection-fix/OTP-13918' into maint-19Erlang/OTP
* ingela/ssl/ECC-selection-fix/OTP-13918: ssl: Correct ECC curve selection, the error could cause default to always be selected.
2016-09-28ssl: Correct ECC curve selection, the error could cause default to always be ↵Ingela Anderton Andin
selected.
2016-09-27ssl: Prepare for releaseIngela Anderton Andin
2016-09-27ssl: Avoid event reorderingIngela Anderton Andin
Several handshake events may be received in the same TLS packet. Then there will be several events pushed to the gen_statems internal queue. New events already in the socket-buffer should not be processed if there are more unprocessed handshake events in next_event queue. We need to handle this in the next_record/1 function.
2016-09-22disable RC4 in SSL when crypto doesn't support itAndreas Schultz
2016-09-21ssl: Make sure test has correct inputIngela Anderton Andin
2016-09-20Prepare releaseErlang/OTP
2016-09-14Merge branch 'ingela/ssl/packet-tests' into maintIngela Anderton Andin
* ingela/ssl/packet-tests: ssl: Add timetrap scale calls ssl: Add nodelay to packet=0|raw tests
2016-09-13ssl: Add timetrap scale callsIngela Anderton Andin
2016-09-12Merge branch 'ferd/bypass-pem-cache/PR-1143/OTP-13883' into maintIngela Anderton Andin
* ferd/bypass-pem-cache/PR-1143/OTP-13883: ssl: Add documentation of bypass_pem_cache application environment configuration ssl: Add new benchmarks to skip file for normal testing Adding PEM cache bypass benchmark entries Fixing CRL searching in cache bypass Add option to bypass SSL PEM cache
2016-09-12ssl: Add documentation of bypass_pem_cache application environment configurationIngela Anderton Andin