| Age | Commit message (Collapse) | Author |
|---|
|
Change-Id: Ie60b2a2651ea975cebd0ccf0c7e2953f89986463
|
|
Change-Id: Ifb933d1bad647b941b7324c0712a7bc20ae74efa
|
|
Implement handling of the signature algorithms extension described by
RFC 8446. This commit updates the behavior of legacy TLS versions to
align them with RFC 8446 (TLS 1.3) and RFC 5246 (TLS 1.2).
- TLS 1.0/1.1 clients validate the client certificate against the
certificate_type field of the CertificateRequest message.
- TLS 1.2 client verifies the hash/signature algorithm pair of the
client certificate when processing a CertificateRequest. Old
behavior only checked the signature algorithms.
- TLS 1.2 server verifies that the server certificate is signed by
a hash/signature algorithm pair that appears in the
"singature_algorithms" or "signature_algorithms_cert" (RFC 8446)
extensions of the ClientHello.
Change-Id: I3e0a0d7408984f5e5b1233968934fe34d64eb2b7
|
|
Add documentation to the ssl option "signature_algs_cert"
introduced by TLS 1.3. The client/server will send a
"signature_algorithms_cert" extension, if TLS 1.3 or later
is used.
Change-Id: I17d612f311a1deef7e29473c3998e7f99fa56f02
|
|
|
|
|
|
* maint:
Updated OTP version
Prepare release
erts: Fix UNC path handling on Windows
erts: Fix a compiler warning
eldap: Fix race at socket close
Fix bug for sockopt pktoptions on BSD
erts: Fix memory leak on file read errors
|
|
* maint-21:
Updated OTP version
Prepare release
erts: Fix UNC path handling on Windows
erts: Fix a compiler warning
eldap: Fix race at socket close
Fix bug for sockopt pktoptions on BSD
erts: Fix memory leak on file read errors
|
|
|
|
maint-21
* ingela/maint/ssl/packet-options-to-tls-sender/OTP-15348:
ssl: TLS sender process needs to get updates of the socket option packet
|
|
* ingela/maint/ssl/close-alert-ERL-738/OTP-15337:
ssl: ERL-738 - Correct alert handling with new TLS sender process
|
|
maint-21
* hans/eldap/prevent_EXIT_at_close/OTP-15342/ERIERL-242:
eldap: Fix race at socket close
|
|
* john/erts/fix-unc-paths-windows/OTP-15333/ERL-737:
erts: Fix UNC path handling on Windows
erts: Fix a compiler warning
|
|
maint-21
* bjorn/compiler/fix-binary-matching/ERL-689/OTP-15335:
Fix rare bug in binary matching (again)
|
|
* raimo/BSD-sockopt-pktoptions/ERIERL-187/OTP-14297:
Fix bug for sockopt pktoptions on BSD
|
|
|
|
Added simple multi-accept (multiple acceptors) timeout testcase.
OTP-14831
|
|
Conflicts:
erts/preloaded/ebin/prim_inet.beam
|
|
RaimoNiskanen/raimo/getifaddrs-netns/ERIERL-189/OTP-15121
Implement {netns,NS} option for inet:getifaddrs/1 and friends
|
|
cases(s)
Added simple accept timeout testcase.
Updated timeout test cases(s) with a timeout validation.
OTP-14831
|
|
|
|
|
|
* john/kernel/cuddle-seq_trace-test:
seq_trace: Fix label_capability_mismatch test
|
|
Each test case is wrapped in a try catch in the ttc_try function.
It handles entry, exit and skip.
|
|
* maint:
crypto: Update RSA tests after algorithms doc chapter
crypto: Update RSA options to match specs and different OpenSSL versions - Put rsa_pkcs1_oaep_padding in supports/0 - #ifdef updates - Refine PKCS1_OAEP defines
|
|
|
|
- Put rsa_pkcs1_oaep_padding in supports/0
- #ifdef updates
- Refine PKCS1_OAEP defines
|
|
|
|
|
|
When compiled on OTP 22, the test suite will not load on the
OTP 20 node required for this test.
|
|
* maint:
Run emacs tests from test_suite
Emacs: consider case in erlang-get-identifier-at-point
Emacs: do not accept compiler warnings in selected elisp files
Emacs: add test-erlang-mode
|
|
* pr/1949:
Run emacs tests from test_suite
Emacs: consider case in erlang-get-identifier-at-point
Emacs: do not accept compiler warnings in selected elisp files
Emacs: add test-erlang-mode
|
|
|
|
|
|
|
|
maint
Conflicts:
lib/ssl/src/tls_sender.erl
|
|
* dgud/stdlib/unicode-11/OTP-15111:
Update to Unicode-11
|
|
This is unlikely to be the last of the path problems seen after
OTP 21, and I'm starting to regret my decision to unconditionally
use long paths. The idea to hit all long-path problems all the time
was good in theory as it makes such bugs far more visible, but
there just aren't enough people who test pre-release versions on
Windows, making this the world's slowest game of whack-a-mole.
|
|
|
|
If the socket option is set to {packet, 1|2|3|4} sender process needs to
add a packet length header. If packet is changed with ssl:setopts/2 this needs
to be communicated to tls_sender.
|
|
OTP-14731 Implement 'exsss' (Xorshift116**) as new default 'rand' algorithm
The new algorithm is a combination of the Xorshift116 ('exsp') state update and a new scrambler "StarStar" from the 2018 paper "Scrambled Linear Pseudorandom Number Generators" by David Blackman and Sebastiano Vigna. This combination should not have the caveat of weak low bits that the previous default algorithm(s) have had, with the cost of about 10% lower speed.
|
|
|
|
* ingela/ssl/packet-options-to-tls-sender/OTP-15348:
ssl: TLS sender process needs to get updates of the socket option packet
|
|
This translates to TCP_CORK on Linux and TCP_NOPUSH on
BSD.
In effect, this acts as super-Nagle: no partial TCP segments
are sent out until this option is turned off. Once turned off,
all accumulated unsent data is sent out immediately. The latter
is *not* the case on OSX, hence the implementation ignores
"nopush" on OSX to reduce confusion.
|
|
|
|
|
|
With the new TLS sender process, solving ERL-622, TLS ALERTs sent in
the connection state must be encrypted and sent by the TLS sender
process. This to make sure that the correct encryption state is used
to encode the ALERTS. Care must also be taken to ensure a graceful
close down behavior both for normal shutdown and downgrading from TLS
to TCP.
The original TR ERL-738 is verified by cowboy tests, and close down
behavior by our tests. However we alas have not been able to yet
create a minimal test case for the originating problem.
Also it seems it has become less likely that we run in to the TCP
delivery problem, that is the guarantee is only on transport level,
not application level. Keep work around function in ssl_test_lib but
we can have better test as long as we do not get to much wobbling
tests.
|
|
If the socket option is set to {packet, 1|2|3|4} sender process needs to
add a packet length header. If packet is changed with ssl:setopts/2 this needs
to be communicated to tls_sender.
|
|
# Conflicts:
# erts/emulator/beam/erl_db_tree.c
|
|
* sverker/erts/ets-select_replace-bug/OTP-15346:
erts: Fix bug in ets:select_replace for bound key
|
