From f0dbde23b539999add8754ec84541698419fc8b5 Mon Sep 17 00:00:00 2001 From: Dan Gudmundsson Date: Tue, 20 Apr 2010 12:00:00 +0200 Subject: public_key, ssl: Patch 1112 OTP-7046 Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6. OTP-8553 Moved extended key usage test for ssl values to ssl. OTP-8557 Fixes handling of the option fail_if_no_peer_cert and some undocumented options. Thanks to Rory Byrne. OTP-7046 Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6. OTP-8517 New ssl now properly handles ssl renegotiation, and initiates a renegotiation if ssl/ltls-sequence numbers comes close to the max value. However RFC-5746 is not yet supported, but will be in an upcoming release. OTP-8545 When gen_tcp is configured with the {packet,http} option, it automatically switches to expect HTTP Headers after a HTTP Request/Response line has been received. This update fixes ssl to behave in the same way. Thanks to Rory Byrne. OTP-8554 Ssl now correctly verifies the extended_key_usage extension and also allows the user to verify application specific extensions by supplying an appropriate fun. OTP-8560 Fixed ssl:transport_accept/2 to return properly when socket is closed. Thanks to Rory Byrne. --- lib/public_key/src/pubkey_cert.erl | 35 +++++------------------------------ 1 file changed, 5 insertions(+), 30 deletions(-) (limited to 'lib/public_key/src/pubkey_cert.erl') diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl index 0ccc74799c..8f7dfa8352 100644 --- a/lib/public_key/src/pubkey_cert.erl +++ b/lib/public_key/src/pubkey_cert.erl @@ -1,19 +1,19 @@ %% %% %CopyrightBegin% -%% -%% Copyright Ericsson AB 2008-2009. All Rights Reserved. -%% +%% +%% Copyright Ericsson AB 2008-2010. All Rights Reserved. +%% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in %% compliance with the License. You should have received a copy of the %% Erlang Public License along with this software. If not, it can be %% retrieved online at http://www.erlang.org/. -%% +%% %% Software distributed under the License is distributed on an "AS IS" %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See %% the License for the specific language governing rights and limitations %% under the License. -%% +%% %% %CopyrightEnd% %% @@ -455,24 +455,6 @@ validate_extensions([#'Extension'{extnID = ?'id-ce-keyUsage', AccErr) end; -validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage', - extnValue = KeyUse, - critical = true} | Rest], - #path_validation_state{} = ValidationState, - ExistBasicCon, SelfSigned, UnknownExtensions, Verify, - AccErr0) -> - case is_valid_extkey_usage(KeyUse) of - true -> - validate_extensions(Rest, ValidationState, ExistBasicCon, - SelfSigned, UnknownExtensions, - Verify, AccErr0); - false -> - AccErr = - not_valid({bad_cert, invalid_ext_key_usage}, Verify, AccErr0), - validate_extensions(Rest, ValidationState, ExistBasicCon, - SelfSigned, UnknownExtensions, Verify, AccErr) - end; - validate_extensions([#'Extension'{extnID = ?'id-ce-subjectAltName', extnValue = Names} | Rest], ValidationState, ExistBasicCon, @@ -590,13 +572,6 @@ validate_extensions([Extension | Rest], ValidationState, is_valid_key_usage(KeyUse, Use) -> lists:member(Use, KeyUse). -is_valid_extkey_usage(?'id-kp-clientAuth') -> - true; -is_valid_extkey_usage(?'id-kp-serverAuth') -> - true; -is_valid_extkey_usage(_) -> - false. - validate_subject_alt_names([]) -> true; validate_subject_alt_names([AltName | Rest]) -> -- cgit v1.2.3