| Age | Commit message (Collapse) | Author |
|---|
|
Update hello state to handle the "supported_versions" extension
defined by TLS 1.3:
- If "supported_versions" is present in ServerHello, the client
will aboirt the handshake with an "illegal_parameter" alert.
- If "supported_versions" is present in ClientHello, the server
will select a version from "supported_versions" and ignore
ClientHello.legacy_version. If it only supports versions
greater than "supported_versions", the server aborts the
handshake with a "protocol_version" alert.
- If "supported_versions" is absent in ClientHello, the server
negotiates the minimum of ClientHello.legacy_version and
TLS 1.2. If it only supports version greater than
ClientHello.legacy_version, the server aborts the handshake
with a "protocol_version" alert.
Change-Id: I16eef15d77bf21209c6cc103546ddddca518483b
|
|
Change-Id: I8bb015e97ab4c317ef380123cf94350ed509c36f
|
|
Sort supported versions (highest first) in handle options to
reflect the order expected by TLS 1.3.
Change-Id: I06bb43ac81eeaca681c122d815a024c8444e3726
|
|
- Add 'tlsv1.3' to the available versions. It can be used to
trigger experimental behavior while implementing TLS 1.3.
- Add dummy clauses for handling version {3,4} of TLS.
- Update ssl_logger to handle unknown versions of TLS.
Change-Id: I564ffa47dca18b59f0dc16c9809dfd7adaf2d333
|
|
|
|
IngelaAndin/ingela/ssl/unexpected-call/ERL-664/OTP-15174
ssl: Improve error handling
|
|
|
|
When doing ssl:controlling_process on a ssl socket that has not
performed the TLS/DTLS handshake that call will succeed even though
the documentation stated otherwise. However if some other ssl option
was incorrect the call would hang. Now {error, closed} will be
returned in the latter case, which is logical independent on if it
should succeed or not in the former case. The former case will continue
to succeed, as it is not dependent of the TLS/DTLS connection being
established, and the documentation is altered slightly to not
explicitly disallow it. If the TLS/DTLS connection later fails and
the socket mode is active, the new controlling process will be
notified as expected.
|
|
|
|
IngelaAndin/ingela/ssl/no-ca-sign-restriction-TLS-1.2/ERL-381/OTP-15173
Ingela/ssl/no ca sign restriction tls 1.2/erl 381/otp 15173
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Failing to recognize psk as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate.
|
|
Change-Id: I40b13b3dce5c70b65cb0963c6ce4175268174e02
|
|
Change-Id: Ibbb66f62c122cac2b1b6bd7f09cdaede4a86bd97
|
|
- Introduce stateful logging levels to the ssl application:
The SSL option 'log_alert' sets log level to notice/warning
if it is set to true/false. Default log level is notice.
- Add new SSL option 'log_level' that overrides the value of
'log_alert'. Default value is notice.
- 'log_level' debug triggers verbose logging of TLS protocol
messages and logging of ignored alerts in DTLS.
Change-Id: I28d3f4029a5d504ec612abe4b9ae0b7d9b115197
|
|
- Add utility function for setting log level of ssl application
modules.
Change-Id: Iee278ada17b4d872a9891094b96ce5343bf0ade4
|
|
Change-Id: I4aff56c95d7ea8c46db40b0fa0f6f9b43f00bf8a
|
|
Change-Id: Id52990a105c81373c7c6034df9a2675f9d0e429a
|
|
- Add logging for TLS Handshake messages.
- Remove version from the input map used in format/2.
Change-Id: I1a8a3dbe5854d3b25cca33e9a6634ac9a53d5867
|
|
Change-Id: I18786a9a8523d0ec3d9ca37ad5b2284721c5c4a1
|
|
Change-Id: I04cb8e4c09b05fc9d7ead0dfae0d83286decdb74
|
|
Change-Id: I649a686ee72fa8bbe1e1dbc44ed5ec2df9662b10
|
|
Define VSN macro in source to remove syntax errors while editing
the code.
Change-Id: I508d16641cb65ec954fc3fcae90183fa297770da
|
|
|
|
* origin/henrik/Update-copyright:
Update copyright year
|
|
|
|
|
|
* ingela/ssl/21-enhanchment:
ssl: Add handle_continue/2 and document enhancements
|
|
* deprecation of ssl:ssl_accept/[1,2,3]
* deprecation of ssl:cipher_suites/[0,1]
* More consistent naming
|
|
* ingela/ssl/test-ecdh-check:
ssl: Update interop conditions
|
|
|
|
* peterdmv/ssl/suite_to_str/ERL-600/OTP-15106:
ssl: Add new API function suite_to_str/1
Change-Id: Icf214ece4e1d281da12b02dadc63d4a2ca346563
|
|
Add new API function for converting cipher suite maps
to their textual representation.
Change-Id: I43681930b38e0f3bdb4dfccbf9e8895aa2d6a281
|
|
* raimo/better-TLS-distribution/OTP-15058:
Test nodename whitelist
Use public_key to verify client hostname
|
|
|
|
|
|
|
|
This reverts commit fd8e49b5bddceaae803670121b603b5eee8c5c08.
|
|
|
|
ssl: Generalize DTLS packet multiplexing
OTP-14888
|
|
We want to prepare the code for more advanced DTLS usage and possibility
to run over SCTP. First assumption was that the demultiplexer process
"dtls listener" was needed for UDP only and SCTP could be made more TLS
like. However the assumption seems not to hold. This commit prepares
for customization possibilities.
|
|
* ingela/ssl/openssl-test-cuddle:
ssl: anon test should use dh or ecdh anon keyexchange
ssl: Cuddle no delivery guarantee at application level
ssl: Cuddle timeout
ssl: Correct option handling to OpenSSL
|
|
* lukas/ssl/fix_erl_epmd_usage/OTP-15086:
ssl: Fix usage of erl_epmd in tls dist
|
|
Fixes: 662f3c7ba50ff8ec13d8
|
