Age | Commit message (Collapse) | Author |
|
* ferd/ssl-allow-ecc-config/PR-1210/OTP-13959:
Add ECC curve selection order config in TLS server
|
|
As per RFC 4492 Sec 5.1, the preferred order of selection of named
curves is based on client preferences.
Currently, the SSL application only picks entries according to the
absolute order of entries as tracked in a hardcoded list in code.
This patch changes things so that the client-specified order is
preferred. It also allows a mode where the server can be configured to
override the client's preferred order with its own, although the chosen
ECC must still be within both lists.
The configuration is done through the following options:
- `eccs`, shared by clients and servers alike, allows the specification
of the supported named curves, in their preferred order, and may
eventually support more values for explicit primes and so on.
- `honor_ecc_order`, a server-only option, is similar to
`honor_cipher_order` and will, by default let the server pick the
client-preferred ECC, and otherwise pick the server-preferred one.
The default value for `eccs` is the same as before, although the
server-chosen ECC now defaults to the client rather than previous
choice.
A function `ssl:eccs()` has been added that returns the highest
supported ECCs for the library.
|
|
Correct "...an exra distribution..." to "...an extra distribution...".
|
|
|
|
* ingela/ssl/algo-check/OTP-13959:
Properly filter ssl cipher suites reported as supported
|
|
* ingela/ssl/crl_SUITE:
ssl: Make sure test has correct input
|
|
Adapted from commit 675ee6860d2c273bcc6c6a0536634a107e2a3d9f.
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
* ingela/ssl/cipher-type-spec:
ssl: Adjust cipher type to conform to implementation
|
|
|
|
* RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896:
disable RC4 in SSL when crypto doesn't support it
Fix compilation when OpenSSL doesn't support RC4
Conflicts:
lib/crypto/c_src/crypto.c
|
|
Data collection function active_once_raw/4 did not handle streamed
data correctly (it assumed the stream was "packet oriented"),
which could result in that the test case perceived that
it did not receive all data even though it did.
|
|
Test suite did not take TLS-version in to account. Also
some anonymous suites where included incorrectly in some TLS versions.
|
|
|
|
* ingela/ssl/prepare-patch:
ssl: Prepare for release
|
|
* ingela/ssl/ECC-selection-fix/OTP-13918:
ssl: Correct ECC curve selection, the error could cause default to always be selected.
|
|
selected.
|
|
|
|
Several handshake events may be received in the same TLS packet. Then there
will be several events pushed to the gen_statems internal queue.
New events already in the socket-buffer should not be processed
if there are more unprocessed handshake events in next_event queue.
We need to handle this in the next_record/1 function.
|
|
|
|
|
|
|
|
* ingela/ssl/packet-tests:
ssl: Add timetrap scale calls
ssl: Add nodelay to packet=0|raw tests
|
|
|
|
* ferd/bypass-pem-cache/PR-1143/OTP-13883:
ssl: Add documentation of bypass_pem_cache application environment configuration
ssl: Add new benchmarks to skip file for normal testing
Adding PEM cache bypass benchmark entries
Fixing CRL searching in cache bypass
Add option to bypass SSL PEM cache
|
|
|
|
|
|
|
|
init_per_testcase timeout for renegotiation tests would be overridden
by local timeout in test case help function.
|
|
* ingela/ssl/dtls-progress/connection-states-as-maps:
dtls: fix encoding of client hello cookie
dtls: Prepare start of DTLS connection manager with SSL app
ssl: Refactor to use maps for the connection states
ssl, dtls: Refactor sni handling
dtls: Add close/5
dtls: Add renegotiate/2
dtls: Add protocol event handling
ssl: Refactor code so that tls and dtls can share more code
ssl, dtls: Disable V2 compatibility clause from ssl_handshake:update_handshake_history
ssl: Make sure common code for TLS and DTLS uses the TLS Version
ssl: remove unused RecordCB argument from master_secret
dtls: Add reinit_handshake_data/1 to dtls
dtls: replace tls_record with RecordCB in connection_info
Fix version numbers and dependencies
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We want to share more alert and application data handling code.
Some of the application data handling code, packet handling,
will not be relevant for dtls, but this code can be excluded from dtls
by options checking.
|
|
ssl_handshake:update_handshake_history
This proably a much bigger problem for DTLS than TLS, but should be
disabled for both unless explicitly configured for TLS.
|
|
When protocol version is proagated from the DTLS connection processes
state into general ssl functions it must be converted to the corresponding
TLS version.
|
|
Conflicts:
lib/ssl/src/ssl_handshake.erl
|
|
The callback is invoke before entering state 'connection'.
It allows a connection module to remove data from the
connection state that is no longer needed (e.g.
handshake history).
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
|
|
|
|
|
|
|
|
Even though v2 is never supported v2 hellos can be.
No support for v2 client hellos gives "handshake failiure" alert.
Support for v2 hello but no higher SSL/TLS version offered
gives "protocol version" alert.
|
|
|
|
Avoid to run tests of algorithms not supported by crypto.
|
|
Fix some older errors as well.
|
|
The benchmarks run through the local node only, as an attempt to show
more potential contention on certificate usage.
|