| Age | Commit message (Collapse) | Author |
|---|
|
Implementations of TLS 1.3 which choose to support prior versions of
TLS SHOULD support TLS 1.2. That is, a TLS 1.3 ClientHello shall
advertise support for TLS 1.2 ciphers in order to be able to connect
to TLS 1.2 servers.
This commit changes the list of the advertised cipher suites to
include old TLS 1.2 ciphers.
Change-Id: Iaece3ac4b66a59dfbe97068b682d6010d74522b8
|
|
TLS_AES_128_GCM_SHA256 = {0x13,0x01}
TLS_AES_256_GCM_SHA384 = {0x13,0x02}
TLS_CHACHA20_POLY1305_SHA256 = {0x13,0x03}
Change-Id: I3406aaedac812fc43519ff31e5f00d26e375c5d5
|
|
* peterdmv/ssl/add_signature_algorithms:
ssl: Use 'HighestVersion' instead of extra function call
ssl: Add new extension with encode/decode functions
ssl: Format code in handle options
Change-Id: Iba3600edc86dc646a7bbabf550d88e7884877e18
|
|
* ingela/ssl/property-tests:
ssl: Correct compression decoding
ssl: Add property tests framework
ssl: Fix typo
|
|
|
|
Property testing revealed an decoding error of "compression_methods"
in the client hello. As we do not implement any compression methods
this has no practical impact.
|
|
|
|
Change-Id: I7521cd4e83f881d3caeae8faf2dd8108db15aa7e
|
|
Change-Id: I8a5c11b3503b44cfc6cbd6e4fd8ff3005a8669dd
|
|
|
|
Change-Id: I997fa8808eaf48aad24a7097b82571be9f0ee252
|
|
This commit filters out cipher suites not to be used in TLS-1.3
We still need to add new cipher suites for TLS-1.3 and possible
add new information to the suite data structure.
|
|
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl_connection.erl
lib/ssl/src/tls_connection.erl
|
|
* ingela/ssl/send-recv-dead-lock/ERL-622:
ssl: Improve close handling
ssl: Adopt distribution over TLS to use new sender process
ssl: Add new sender process for TLS state machine
|
|
* maint:
ssl: Fix dialyzer errors detected when crypto.erl is typed
|
|
* hans/ssl/dialyzer_crypto_typed/OTP-15271:
ssl: Fix dialyzer errors detected when crypto.erl is typed
|
|
We want to make sure that the sender process that may get stuck in
prim_inet:send will die if the tls_connection process is
terminated. And we also like to make sure that it terminates as
gracefully as possible. So when the tls_connection process dies it
spawns a killer process that will brutaly kill the sender if it is
unresponsive and does not terminate due to its monitor of the
tls_connetion process triggering.
When the sender process also acts as distribution controller it
may also have other processess that it is linked with that it
should bring down or that could bring the connection down.
|
|
|
|
Separate sending and receiving when using TCP as transport
as prim_inet:send may block which in turn may result
in a deadlock between two Erlang processes communicating over
TLS, this is especially likely to happen when running Erlang distribution
over TLS.
|
|
|
|
* maint:
Updated OTP version
Prepare release
Updated the engine load functionality
inets: Prepare for release
inets: Use status code 501 when no mod_* handles the request
ssl: Prepare for release
ssl: Make sure that a correct cipher suite is selected
ssl: Make sure that a correct cipher suite is selected
|
|
* maint-21:
Updated OTP version
Prepare release
Updated the engine load functionality
inets: Prepare for release
inets: Use status code 501 when no mod_* handles the request
ssl: Prepare for release
ssl: Make sure that a correct cipher suite is selected
ssl: Make sure that a correct cipher suite is selected
|
|
Conflicts:
lib/ssl/src/tls_v1.erl
|
|
|
|
|
|
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
The conversion code for different representations of cipher suites
is long an repetitive. We want to hide it in a module that does not
have other functions that we like to look at.
|
|
When starting to implement DTLS, it was assumed that the APIs for TLS and
DTLS would differ more. This assumption turned out to be wrong.
|
|
* maint:
erts/time_correction.xml: remove extra closing parenthesis
use ssl:handshake/1 function
|
|
Modernized example
|
|
|
|
* ingela/ssl/ERL-668/improve-err-msg/OTP-15234:
ssl: Improve error message
|
|
|
|
* ingela/ssl/ERL-686/OTP-15224:
ssl: Error handling improvment
|
|
|
|
* maint:
Updated OTP version
Update release notes
Update version numbers
crypto: Fix crash in compute_key(ecdh, ...) on badarg
Relax add_table_copy restriction
Fixed #Ref ordering bug
Test #Ref ordering in lists and ets
Do NOT disc_load from ram_copies when master_node is set
ssl: Make sure that a correct cipher suite is selected
ssl: Correct handling of empty server SNI extension
|
|
* maint-20:
Updated OTP version
Update release notes
Update version numbers
crypto: Fix crash in compute_key(ecdh, ...) on badarg
Relax add_table_copy restriction
Fixed #Ref ordering bug
Test #Ref ordering in lists and ets
Do NOT disc_load from ram_copies when master_node is set
ssl: Make sure that a correct cipher suite is selected
ssl: Correct handling of empty server SNI extension
|
|
|
|
|
|
* ingela/ssl/empty-sni/OTP-15168:
ssl: Correct handling of empty server SNI extension
|
|
|
|
* ingela/maint/ssl/ECC/ERIERL-210/OTP-15203:
ssl: Make sure that a correct cipher suite is selected
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
|
|
|
|
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
