Age | Commit message (Collapse) | Author |
|
init_per_testcase timeout for renegotiation tests would be overridden
by local timeout in test case help function.
|
|
* ingela/ssl/dtls-progress/connection-states-as-maps:
dtls: fix encoding of client hello cookie
dtls: Prepare start of DTLS connection manager with SSL app
ssl: Refactor to use maps for the connection states
ssl, dtls: Refactor sni handling
dtls: Add close/5
dtls: Add renegotiate/2
dtls: Add protocol event handling
ssl: Refactor code so that tls and dtls can share more code
ssl, dtls: Disable V2 compatibility clause from ssl_handshake:update_handshake_history
ssl: Make sure common code for TLS and DTLS uses the TLS Version
ssl: remove unused RecordCB argument from master_secret
dtls: Add reinit_handshake_data/1 to dtls
dtls: replace tls_record with RecordCB in connection_info
Fix version numbers and dependencies
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We want to share more alert and application data handling code.
Some of the application data handling code, packet handling,
will not be relevant for dtls, but this code can be excluded from dtls
by options checking.
|
|
ssl_handshake:update_handshake_history
This proably a much bigger problem for DTLS than TLS, but should be
disabled for both unless explicitly configured for TLS.
|
|
When protocol version is proagated from the DTLS connection processes
state into general ssl functions it must be converted to the corresponding
TLS version.
|
|
Conflicts:
lib/ssl/src/ssl_handshake.erl
|
|
The callback is invoke before entering state 'connection'.
It allows a connection module to remove data from the
connection state that is no longer needed (e.g.
handshake history).
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
|
|
|
|
|
|
|
|
Even though v2 is never supported v2 hellos can be.
No support for v2 client hellos gives "handshake failiure" alert.
Support for v2 hello but no higher SSL/TLS version offered
gives "protocol version" alert.
|
|
|
|
Avoid to run tests of algorithms not supported by crypto.
|
|
Fix some older errors as well.
|
|
The benchmarks run through the local node only, as an attempt to show
more potential contention on certificate usage.
|
|
* raimo/gen_statem-callback_mode/OTP-13752:
ssl: Upgrade suite testing skipped if stdlib upgrade is required
Fix version numbers and dependencies
Conflicts:
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
|
|
* ingela/ssl/cuddle:
ssl: Test and test suites shall be independent of each other
|
|
|
|
* ingela/ssl/ERL-232/OTP-13853:
ssl: Remove clause that postponed unexpected messages
|
|
Skip some test on really slow solaris machines
|
|
|
|
|
|
|
|
* raimo/gen_statem-callback_mode/OTP-13752:
Include trap_exit in server skeletons
Improve sys debug
Handle exceptions in init/1 and callback_mode/0
Clarify error values
Doc fixes
Rewrite SSH for gen_statem M:callback_mode/0
Rewrite SSL for gen_statem M:callback_mode/0
Rewrite Tools for gen_statem M:callback_mode/0
Rewrite gen_statem docs for M:callback_mode/0
Rewrite gen_statem TCs for M:callback_mode/0
Rewrite gen_statem for M:callback_mode/0
|
|
|
|
The current SSL implementation has a PEM cache running through the ssl
manager process, whose primary role is caching CA chains from files on
disk. This is intended as a way to save on disk operation when the
requested certificates are often the same, and those cache values are
both time-bound and reference-counted. The code path also includes
caching the Erlang-formatted certificate as decoded by the public_key
application
The same code path is used for DER-encoded certificates, which are
passed in memory and do not require file access. These certificates are
cached, but not reference-counted and also not shared across
connections.
For heavy usage of DER-encoded certificates, the PEM cache becomes a
central bottleneck for a server, forcing the decoding of every one of
them individually through a single critical process. It is also not
clear if the cache remains useful for disk certificates in all cases.
This commit adds a configuration variable for the ssl application
(bypass_pem_cache = true | false) which allows to open files and decode
certificates in the calling connection process rather than the manager.
When this action takes place, the operations to cache and return data
are replaced to strictly return data.
To provide a transparent behaviour, the 'CacheDbRef' used to keep track
of the certificates in the cache is replaced by the certificates itself,
and all further lookup functions or folds can be done locally.
This has proven under benchmark to more than triple the performance of
the SSL application under load (once the session cache had also been
disabled).
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl.appup.src
|
|
|
|
|
|
maint
* lemenkov/kernel/fix-register_ipv6_epmd/PR-1129/OTP-13770:
Respect -proto_dist switch while connection to EPMD
|
|
Conflicts:
OTP_VERSION
erts/doc/src/notes.xml
erts/vsn.mk
lib/common_test/doc/src/notes.xml
lib/common_test/vsn.mk
lib/ssl/doc/src/notes.xml
lib/ssl/src/ssl.appup.src
lib/ssl/vsn.mk
lib/stdlib/test/ets_SUITE.erl
otp_versions.table
|
|
|
|
raimo/ssl/version-selection/maint-19/OTP-13753
Conflicts:
lib/ssl/vsn.mk
lib/ssl/src/ssl.appup.src
|
|
Use the list of versions that the server allows and among those choose
the highest version that is not higher than the client's version.
Note that this chosen version might be lower than the client's version,
but is used to improve interoperability.
Patch suggested by Dimitry Borisov refering to RFC 5246 appendix E.1.
|
|
Signed-off-by: Peter Lemenkov <[email protected]>
|
|
Make sure ssl application has a fresh start, so that test do
not fail due to that other tests did not clean up properly.
|
|
In TLS-1.2 the selection of the servers algorithms and the the
possible selection of algorithms for the client certificate verify
message have different requirements.
|
|
Tests in ECC_SUITE did not always use the certs implied by the
name. Variable naming also confused the intent.
ssl_certificate_verify_SUITE did not clean up properly and tests could
fail due to cache problems.
|
|
Function to stop SSL/TLS node may not exit as a test case will start more than
one node and all nodes must be stopped.
|
|
|