| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
This commit filters out cipher suites not to be used in TLS-1.3
We still need to add new cipher suites for TLS-1.3 and possible
add new information to the suite data structure.
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
lib/ssl/src/tls_connection.erl
|
|
* ingela/ssl/send-recv-dead-lock/ERL-622:
ssl: Improve close handling
ssl: Adopt distribution over TLS to use new sender process
ssl: Add new sender process for TLS state machine
|
|
* maint:
ssl: Fix dialyzer errors detected when crypto.erl is typed
|
|
* hans/ssl/dialyzer_crypto_typed/OTP-15271:
ssl: Fix dialyzer errors detected when crypto.erl is typed
|
|
We want to make sure that the sender process that may get stuck in
prim_inet:send will die if the tls_connection process is
terminated. And we also like to make sure that it terminates as
gracefully as possible. So when the tls_connection process dies it
spawns a killer process that will brutaly kill the sender if it is
unresponsive and does not terminate due to its monitor of the
tls_connetion process triggering.
When the sender process also acts as distribution controller it
may also have other processess that it is linked with that it
should bring down or that could bring the connection down.
|
|
|
|
Separate sending and receiving when using TCP as transport
as prim_inet:send may block which in turn may result
in a deadlock between two Erlang processes communicating over
TLS, this is especially likely to happen when running Erlang distribution
over TLS.
|
|
|
|
* maint:
Updated OTP version
Prepare release
Updated the engine load functionality
inets: Prepare for release
inets: Use status code 501 when no mod_* handles the request
ssl: Prepare for release
ssl: Make sure that a correct cipher suite is selected
ssl: Make sure that a correct cipher suite is selected
|
|
* maint-21:
Updated OTP version
Prepare release
Updated the engine load functionality
inets: Prepare for release
inets: Use status code 501 when no mod_* handles the request
ssl: Prepare for release
ssl: Make sure that a correct cipher suite is selected
ssl: Make sure that a correct cipher suite is selected
|
|
Conflicts:
lib/ssl/src/tls_v1.erl
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
The conversion code for different representations of cipher suites
is long an repetitive. We want to hide it in a module that does not
have other functions that we like to look at.
|
|
When starting to implement DTLS, it was assumed that the APIs for TLS and
DTLS would differ more. This assumption turned out to be wrong.
|
|
* maint:
erts/time_correction.xml: remove extra closing parenthesis
use ssl:handshake/1 function
|
|
Modernized example
|
|
|
|
* ingela/ssl/ERL-668/improve-err-msg/OTP-15234:
ssl: Improve error message
|
|
|
|
* ingela/ssl/ERL-686/OTP-15224:
ssl: Error handling improvment
|
|
|
|
* maint:
Updated OTP version
Update release notes
Update version numbers
crypto: Fix crash in compute_key(ecdh, ...) on badarg
Relax add_table_copy restriction
Fixed #Ref ordering bug
Test #Ref ordering in lists and ets
Do NOT disc_load from ram_copies when master_node is set
ssl: Make sure that a correct cipher suite is selected
ssl: Correct handling of empty server SNI extension
|
|
* maint-20:
Updated OTP version
Update release notes
Update version numbers
crypto: Fix crash in compute_key(ecdh, ...) on badarg
Relax add_table_copy restriction
Fixed #Ref ordering bug
Test #Ref ordering in lists and ets
Do NOT disc_load from ram_copies when master_node is set
ssl: Make sure that a correct cipher suite is selected
ssl: Correct handling of empty server SNI extension
|
|
|
|
|
|
* ingela/ssl/empty-sni/OTP-15168:
ssl: Correct handling of empty server SNI extension
|
|
|
|
* ingela/maint/ssl/ECC/ERIERL-210/OTP-15203:
ssl: Make sure that a correct cipher suite is selected
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
|
|
|
|
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
Transport accepted sockets that are in the error state, was not closed
properly.
|
|
|
|
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
I did not find any legitimate use of "can not", however skipped
changing e.g RFCs archived in the source tree.
|
|
* peterdmv/ssl/version_downgrade_protection/OTP-15189:
ssl: Implement downgrade protection mechanism (TLS 1.3)
Change-Id: I29a281c1278509608fdea9b0346ad91c62f886a8
|
|
* maint:
Fix typo in xmerl_scan:string/1
Updated OTP version
Prepare release
ssl: Engine key trumps certfile option
inets: Prepare for release
inets: Improve error handling
|
|
* maint-20:
Updated OTP version
Prepare release
ssl: Engine key trumps certfile option
inets: Prepare for release
inets: Improve error handling
|
|
* peterdmv/ssl/version_extension_updates/OTP-15059:
ssl: Fix handling of TLS record versions
ssl: Update hello state (TLS 1.3)
ssl: Implement 'supported_versions' extension
ssl: Sort supported versions in handle_options
ssl: Add experimental version 'tlsv1.3'
Change-Id: I071d24242103cc066c5ee8154effc5ee01b04703
|
|
|
