Age | Commit message | Author |
|
Conflicts:
lib/ssh/test/ssh_upgrade_SUITE.erl
|
|
* ia/ssl/connection_information/OTP-13232/OTP-13343:
ssl: Newer cipher suites now presented correctly
ssl: Include options from connect/listen/accept in connection_information/[1,2]
|
|
Older SSL/TLS versions have cipher suites
that look like {key_exchange(), cipher(), MAC::hash()}
and the hash function used by the PRF (Pseudo Random function)
is implicit and always the same for that protocol version.
In TLS 1.2 a cipher suite is
{key_exchange(), cipher(), MAC::hash(), PRF::hash()}.
Internally a cipher suite is always a four tuple but
for backwards compatibility older cipher suites
will be presented as three tuples; however, new cipher suites
should be presented as four tuples.
|
|
* dgud/observer/doc:
Observer: Editorial changes in documentation
|
|
Make sure that options only relevant for one role (client|server) are set
to undefined when the other role is invoked. As there are many options to
ssl, and many are optional, we choose to filter out all undefined options
to avoid overwhelming the user with not relevant information.
This way there is no need for any special handling of the role specific options
which is also nice.
|
|
A peer connection shared from a remote node was regarded as being
available for peer selection (aka up) as long as its peer_fsm process
was alive; that is, for the lifetime of the peer connection. In
particular, it didn't take note of transitions into watchdog state
SUSPECT, when the connection remains. As a result, retransmissions could
select the same peer connection whose watchdog transition caused the
retransmission.
A service process now broadcasts a peer_down event just as it
does a peer_up event.
The fault predates the table rearrangements of commit 8fd4e5f4.
|
|
Not needed as of commit 6c9cbd96.
|
|
The export of diameter_traffic:failover/1 happened with the creation of
the module in commit e49e7acc, but was never needed since the calling
code was also moved into diameter_traffic.
|
|
If an ssh package contained more than one netconf end tag, then the
second end tag was never detected in ct_netconfc:handle_data. Instead
it was included in the XML data given to the xmerl parser, which then
failed with reason "\"]]>\" is not allowed in content".
This problem was introduced by OTP-13007.
|
|
* legoscia/ssl-doc-typos:
Fix typos in ssl.xml
OTP-13339
|
|
See also http://bugs.erlang.org/browse/ERL-95.
|
|
Previously, if certificate revocation checking was turned on, and a
certificate didn't contain a CRL Distribution Points extension, and
there was no relevant CRL in the cache, then ssl_handshake:crl_check
would accept the certificate even if the crl_check option was set to
reject certificates for which the revocation status could not be
determined. With this change, such certificates will only be accepted
if the crl_check option was set to best_effort.
The process for CRL validation is described in section 6.3 of RFC
5280. The text doesn't mention any special treatment to be given to
certificates without distribution points: it just says "For each
distribution point..." (section 6.3.3), which would leave the
revocation status undetermined, unless there were "any available CRLs
not specified in a distribution point but issued by the certificate
issuer". Thus the result of this algorithm should be UNDETERMINED in
this case, not UNREVOKED, and the crl_check option should govern how
the implementation reacts to this result.
|
|
When establishing a TLS connection with {verify, verify_none}, if the
server has a certificate with a critical extension, for example a
"Netscape Cert Type" extension, certificate verification would fail,
which is surprising given that the name of the option suggests that no
verification would be performed.
With this change, certificate extensions marked as critical are
ignored when using verify_none.
|
|
* ia/pr/958/OTP-13334:
ssl: verify cert signature against original cert binary
|
|
Before a heartbeat to the port program a responsiveness check of
the schedulers is performed. If the responsiveness check fails,
stalls, the heartbeat will not be performed (as intended).
|
|
* heart:set_callback/2
* heart:get_callback/0
* heart:clear_callback/0
The callback is called before every heartbeat to the heart port.
The callback needs to return 'ok' if the validation is correct.
|
|
* tuncer/ei-breakage:
ei: fix breakage reported by Sergei Golovan
Revert "musl: fix gethostbyname_r/gethostbyaddr_ selection"
OTP-13328
|
|
The block count is an unsigned 2 byte integer. The common behaviour of
tftp clients and servers is to overflow the block count and wrap the
counter to 0 in order to support files larger than 32M. Modify the tftp
implementation to do the same rollover.
Interoperability was tested by transferring a 1.4G file using the HPA
tftp client.
|
|
* dgud/mnesia/del_schema_hangs/OTP-13284:
mnesia: let loader check if tablelock is needed
mnesia: Avoid deadlock possibility in mnesia:del_table_copy schema
|
|
Allow IPv6 nodes to register with and query epmd. On systems with
IPv6 support:
* epmd listens on both the IPv4 and IPv6 ANY or loopback sockets
* the epmd cli client connects to epmd over the IPv6 loopback
* distributed nodes started with "-proto_dist inet6_tcp" will register
with epmd over IPv6
To work on IPv6 capable systems that have IPv6 support disabled,
epmd ignores errors opening the socket if the protocol is not
supported. Similarly, the epmd client will fall back to IPv4 if the IPv6
socket is not available.
Update the minimum supported version of Windows to Windows Vista to
support IPv6.
|
|
* bjorn/compiler/beam_bsm/OTP-13309:
Eliminate crash because of unsafe delaying of sub-binary creation
|
|
* nybek/speed_up_supervisor_count_children:
Speed up supervisor:count_children/1; simple_one_for_one
Add supervisor:get_callback_module/1
OTP-13290
|
|
The current implementation is roughly O(N*M) where N is the number of items to be removed, and M is the number of items in the map. This does not include the cost of `maps:from_list` or `maps:to_list`. This leads to pretty horrifying execution times on large maps regardless of how many or few keys are to be removed.
The new implementation is O(N) where N is the number of items to be removed. For each N there's the cost of removing a key from a map, but in practice that turns out to be a vast improvement for all map sizes I tested.
The new maps:take/2 implementation similarly builds a list of keys and values by iterating only the list of desired keys, and then hands it off to maps:from_list. This turned out to be faster than N maps:put calls.
|
|
move_table_copy needs the lock that was set previously in del_table_copy.
This doesn't work on old nodes, so bump protocol version and check it.
Remove old protocol conversion code, which has been around since OTP-R15.
Checking if lock is needed requires rpc communication via mnesia_gvar
ets table to be backwards compatible.
|
|
The argument of byte_size() is a bitstring().
The code in erl_bif_types that finds cases where comparisons always
return true or false is corrected when it comes to maps and bit
strings.
|
|
Each service process maintains a dictionary of peers, mapping an
application alias to a {pid(), #diameter_caps{}} list of connected
peers. These lists are potentially large, peers were appended to the end
of the list for no particular reason, and these long lists were
constructed/deconstructed when filtering them for pick_peer callbacks.
Many simultaneous outgoing requests could then slow the VM to a crawl,
with many scheduled processes mired in list manipulation.
The pseudo-dicts are now replaced by plain ets tables. The reason for
them was (once upon a time) to have an interface interchangeable with a
plain dict for debugging purposes, but strict swappability hasn't been the
case for some time now, and in practice a swap has never taken place.
Additional tables mapping Origin-Host/Realm have also been introduced,
to minimize the size of the peers lists when peers are filtered on
host/realm. For example, a filter like
{any, [{all, [realm, host]}, realm]}
is probably a very common case: preferring a Destination-Realm/Host
match before falling back on Destination-Realm alone. This is now more
efficiently (but not equivalently) expressed as
{first, [{all, [realm, host]}, realm]}
to stop the search when the best match is made, and extracts peers from
host/realm tables instead of searching through the list of all peers
supporting the application in question. The code to try and start with a
lookup isn't exhaustive, and the 'any' filter is still as inefficient as
previously.
|
|
See commit 862af31d.
|