From 84adefa331c4159d432d22840663c38f155cd4c1 Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Fri, 20 Nov 2009 14:54:40 +0000 Subject: The R13B03 release. --- lib/ssl/doc/src/notes.xml | 1132 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1132 insertions(+) create mode 100644 lib/ssl/doc/src/notes.xml (limited to 'lib/ssl/doc/src/notes.xml') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml new file mode 100644 index 0000000000..14dfe616ba --- /dev/null +++ b/lib/ssl/doc/src/notes.xml @@ -0,0 +1,1132 @@ + + + + +
+ + 19992009 + Ericsson AB. All Rights Reserved. + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + + + SSL Release Notes + Peter Högfeldt + + 2003-08-03 + G + notes.xml +
+

This document describes the changes made to the SSL application. +

+ +
SSL 3.10.7 + +
Fixed Bugs and Malfunctions + + +

+ A ticker process could potentially be blocked + indefinitely trying to send a tick to a node not + responding. If this happened, the connection would not be + brought down as it should.

+

This requires erts-5.7.4 and kernel-2.13.4 or later + to be able to get the erlang distribution over ssl to work.

+

+ Own Id: OTP-8218

+
+
+
+ + +
Improvements and New Features + + +

+ The documentation is now built with open source tools + (xsltproc and fop) that exists on most platforms. One + visible change is that the frames are removed.

+

+ Own Id: OTP-8250

+
+ +

+ Code cleanup from Kostis.

+

+ Own Id: OTP-8260

+
+
+
+ +
+ +
SSL 3.10.6 + +
Fixed Bugs and Malfunctions + + +

+ The ssl:ssl_accept/3 issue was not properly fixed in the + previous patch, see OTP-8244.

+

+ Own Id: OTP-8275 Aux Id: seq11451

+
+
+
+ +
+ +
SSL 3.10.5 + +
Fixed Bugs and Malfunctions + + +

+ Allow clients to not send certificates if option + fail_if_no_peer_cert was not set.

+

+ Own Id: OTP-8224

+
+ +

A ssl:ssl_accept/3 could crash a connection if the + timing was wrong.

Removed info message if the + socket closed without a proper disconnect from the ssl + layer.

ssl:send/2 is now blocking until the + message is sent.

+

+ Own Id: OTP-8244 Aux Id: seq11420

+
+
+
+ +
+ +
SSL 3.10.4 + +
Fixed Bugs and Malfunctions + + +

+ A client could avoid a certificate check if the client + code didn't send the requested certificate.

+

+ Own Id: OTP-8137

+
+
+
+ +
+ +
SSL 3.10.3 + +
Improvements and New Features + + +

Packet handling was not implemented correctly.

+

Inet option handling support have been improved.

+

The verify_fun is now invoked even if + verify_peer is used, that implies that by default + {bad_cert,unknown_ca} is an accepted fault during the + client connection phase. The check can still be done by + suppling another verify_fun.

+

+ Own Id: OTP-8011 Aux Id: seq11287

+
+
+
+ +
+ + +
SSL 3.10.2 + +
Fixed Bugs and Malfunctions + + +

+ A "new_ssl" socket was not closed if the controlling + process died without calling ssl:close/1.

+

+ Own Id: OTP-7963 Aux Id: seq11276

+
+
+
+ +
+ +
SSL 3.10.1 + +
Fixed Bugs and Malfunctions + + +

+ Fixed bug that caused the ssl handshake finished message + to be calculated wrongly under the circumstances that the + server did not send the trusted cert and that the + previous cert did not have the extension telling us the + trusted certs name. This manifested it self as + bad_record_mac alert from the server.

+

+ Own Id: OTP-7878

+
+
+
+ + +
Improvements and New Features + + +

+ The cacertsfile option is now optional for ssl servers.

+

+ Own Id: OTP-7656

+
+ +

+ For the ssl client the options cacertfile, certfile and + keyfile are now optional as they are not always needed + depending on configuration of the client itself and the + configuration of the server. Also as PEM-files may + contain more than one entry the keyfile option will + default to the same file as given by the certfile option.

+

+ Own Id: OTP-7870

+
+ +

+ Added new ssl client option verify_fun.

+

+ Own Id: OTP-7871

+
+
+
+ +
+ +
SSL 3.10 + +
Fixed Bugs and Malfunctions + + +

+ Error log entries are now formatted correctly.

+

+ Own Id: OTP-7258

+
+
+
+ + +
Improvements and New Features + + +

+ All handling of X509-certificates and public keys have + been moved to the new application public_key.

+

+ Own Id: OTP-6894

+
+ +

+ New ssl now supports SSL-3.0 and TLS-1.0

+

+ Own Id: OTP-7037

+
+ +

+ New ssl now supports all inet-packet types.

+

+ Own Id: OTP-7039

+
+ +

+ The new ssl-server is now able to send a certificate + request to the client. However new options may be + introduced later to fully support all features regarding + certificate requests.

+

+ Own Id: OTP-7150

+
+
+
+ + +
Known Bugs and Problems + + +

+ Running erlang distribution over ssl don't work as + described in the documentation.

+

+ Own Id: OTP-7536

+
+
+
+ +
+ + +
SSL 3.9 + +
Fixed Bugs and Malfunctions + + +

+ ssl_prim.erl was passing an FD rather than an #sslsocket + to ssl_broker:ssl_accept_prim. This could cause problems + in the deprecated accept function, this will not cause + any more problems however this function is deprecated!

+

+ Own Id: OTP-6926

+
+ +

+ Erlang distribution over ssl was broken after R11B-0, + this has now been fixed.

+

+ Own Id: OTP-7004

+
+
+
+ + +
Improvements and New Features + + +

+ All inet options are available in the new ssl + implementation that is released as a alfa in ssl-3.9 and + will replace the old implementation in ssl-4.0. This will + not be fixed in the old implementation.

+

+ Own Id: OTP-4677

+
+ +

+ The new ssl implementation released as a alfa in this + version supports upgrading of a tcp connection to a ssl + connection so that http client and servers may implement + RFC 2817.

+

+ Own Id: OTP-5510

+
+ +

A new implementation of ssl is released as a alfa + version in ssl-3.9 it will later replace the old + implementation in ssl-4.0. The new implementation can be + accessed by providing the option {ssl_imp, new} to the + ssl:connect and ssl:listen functions.

+

The new implementation is Erlang based and all logic + is in Erlang and only payload encryption calculations are + done in C via the crypto application. The main reason for + making a new implementation is that the old solution was + very crippled as the control of the ssl-socket was deep + down in openssl making it hard if not impossible to + support all inet options, ipv6 and upgrade of a tcp + connection to a ssl connection. The alfa version has a + few limitations that will be removed before the ssl-4.0 + release. Main differences and limitations in the alfa are + listed below.

+ + New ssl requires the crypto + application. The option reuseaddr is + supported and the default value is false as in gen_tcp. + Old ssl is patched to accept that the option is set to + true to provide a smoother migration between the + versions. In old ssl the option is hard coded to + true. ssl:version/0 is replaced by + ssl:versions/0 ssl:ciphers/0 is replaced by + ssl:cipher_suites/0 ssl:pid/1 is a + meaningless function in new ssl and will be deprecated in + ssl-4.0 until it is removed it will return a valid but + meaningless pid. New API functions are + ssl:shutdown/2, ssl:cipher_suites/[0,1] and + ssl:versions/0 Diffie-Hellman keyexchange is + not supported. Not all inet packet types are + supported. CRL and policy certificate + extensions are not supported. In this alfa + only sslv3 is enabled, although tlsv1 and tlsv1.1 + versions are implemented and will be supported in future + versions. For security reasons sslv2 is not + supported. +

+ Own Id: OTP-6619

+
+ +

+ New ssl implementation, released as alfa in ssl-3.9, + supports ipv6. It will not be supported in the old + implementation.

+

+ Own Id: OTP-6637 Aux Id: OTP-6636

+
+
+
+ +
+ +
+ SSL 3.1.1.1 + +
+ Minor Makefile changes + + +

Removed use of erl_flags from Makefile.

+

Own Id: OTP-6689

+
+
+
+
+ +
+ SSL 3.1.1 + +
+ Crash on error in ssl_accept + + +

A bug in ssl_accept could cause all ssl + connections to hang when a connection + attempt was closed by the client while + the server was in ssl_accept.

+

Own Id: OTP-6612 Aux Id: seq10599

+
+
+
+
+ +
+ SSL 3.1 + +
+ Fixed Bugs and Malfunctions + + +

SSL now uses a two-phase accept, with a separate accept + calls for the socket and the ssl protocol. This avoids + timeouts when a client doesn't initiate ssl handshake.

+

With the old implementation of accept, the server + was locked by a client, if the client didn't do + proper ssl handshake.

+

Own Id: OTP-6418 Aux Id: seq10105

+
+
+
+
+ +
+ SSL 3.0.12 + +
+ Fixed Bugs and Malfunctions + + +

An integer array pointing to a struct pollfd array, is + now reset before file descriptors are collected to be + included in a call to poll(). This is to prevent file + descriptors to be mixed up.

+

Own Id: OTP-6084

+
+ +

The generation of the module ssl_pkix_oid contained + multiple identifiers, which made the mapping between + atoms and identifiers not one-to-one.

+

Own Id: OTP-6085

+
+
+
+
+ +
+ SSL 3.0.11 + +
+ Fixed Bugs and Malfunctions + + +

The state of a connection in active mode could be in a + restrictive state, so that an internal tcp_closed message + was incorrectly considered illegal, resulting in a + premature termination of the connection process.

+

Own Id: OTP-5972 Aux Id: seq10188

+
+
+
+
+ +
+ SSL 3.0.10 + +
+ Fixed Bugs and Malfunctions + + +

Erlang distribution over SSL was broken. Corrected. + (Thanks to Fredrik Thulin.)

+

Own Id: OTP-5863

+
+
+
+
+ +
+ SSL 3.0.9 + +
+ Fixed Bugs and Malfunctions + + +

The port program for the ssl application could waste huge + amounts of CPU time if a write could not be completed + directly and was put in the write queue. (Only on platforms + where poll() is used, such as Solaris and Linux.)

+

Own Id: OTP-5784

+
+
+
+
+ +
+ SSL 3.0.8 + +
+ Fixed Bugs and Malfunctions + + +

A process reading only a portion of a sufficiently large + amount of data from an accepted socket, and then quering + the ssl library (e.g. ssl:getpeername()), would cause a + global deadlock in the esock port program.

+

Own Id: OTP-5702

+
+ +

A spelling error in the module ssl_pkix caused the + call to ssl:peercert/2 to fail when the option + subject was used.

+

Own Id: OTP-5708

+
+ +

Because fopen() on Solaris 8 can't handle file + descriptor numbers above 255, reading of certificate + files would fail if all file descriptors below 256 were + in use (typically, if many connections were open). This + problem has been worked around.

+

The ssl application's port program used to use + select(), which meant that it could not handle more than + FD_SETSIZE file descriptors (usually 1024). To eliminate + that limitation, poll() is now used on all platforms that + support it.

+

Solaris/Sparc, 64-bit emulator: The SO_REUSEADDR + option was not set for listen sockets, which essentially + made the ssl application unusable. Corrected.

+

The default listen queue size for ssl port program was + changed to 128 (from 5).

+

Own Id: OTP-5755 Aux Id: seq10068

+
+
+
+
+ +
+ Ssl 3.0.7 + +
+ Fixed Bugs and Malfunctions + + +

The R/W buffer length i esock.c was too small. It has + been increased from 4k to 32k.

+

Own Id: OTP-5620

+
+
+
+
+ +
+ Ssl 3.0.6 + +
+ Improvements and New Features + + +

A configuration option for choosing protocol versions has + been added (sslv2, sslv3, and + tlsv1).

+

Own Id: OTP-5429 Aux Id: seq9755

+
+
+
+
+ +
+ Ssl 3.0.5 + +
+ Fixed Bugs and Malfunctions + + +

Linked in drivers in the crypto, and asn1 applications + are now compiled with the -D_THREAD_SAFE and -D_REENTRANT + switches on unix when the emulator has thread support + enabled.

+

Linked in drivers on MacOSX are not compiled with the + undocumented -lbundle1.o switch anymore. Thanks to Sean + Hinde who sent us a patch.

+

Linked in driver in crypto, and port programs in ssl, now + compiles on OSF1.

+

Minor makefile improvements in runtime_tools.

+

Own Id: OTP-5346

+
+
+
+
+ +
+ Ssl 3.0.4 + +
+ Fixed Bugs and Malfunctions + + +

ssl:recv/3 with finite timeout value, closed the + connection at timeout.

+

Own Id: OTP-4882

+
+
+
+
+ +
+ Ssl 3.0.3 + +
+ Fixed Bugs and Malfunctions + + +

When a file descriptor was marked for closing, and and + end-of-file condition had already been detected, the file + descriptor was never closed.

+

Own Id: OTP-5093 Aux Id: seq8806

+
+ +

When the number of open file descriptors reached + FD_SETSIZE, the SSL port program entered a busy loop.

+

Own Id: OTP-5094 Aux Id: seq8806

+
+
+
+ +
+ Improvements and New Features + + +

The SSL application now supports SSL sessions for + servers, which typically speeds up HTTP requests from + browsers.

+

Own Id: OTP-5095

+
+
+
+
+ +
+ SSL 3.0.2 + +
+ Fixed Bugs and Malfunctions + + +

The UTF8String type is now defined in asn1-1.4.4.2 and + later. Therefore the definitions of UTF8String has been + removed from the ASN.1 modules PKIX1Explicit88.asn1 and + PKIXAttributeCertificate.asn1. The SSL application can now + only be built using asn-1.4.4.2 or later.

+

OwnId: OTP-4971.

+
+
+
+ +
+ Known Bugs and Problems +

See SSL-3.0. +

+
+
+ +
+ SSL 3.0.1 + +
+ Fixed Bugs and Malfunctions + + +

An unexpected object identifier would crash ssl:peercert.

+

OwnId: OTP-4771.

+
+
+
+ +
+ Known Bugs and Problems +

See SSL-3.0. +

+
+
+ +
+ SSL 3.0 + +
+ Improvements and New Features + + +

The cache_timout option was silently ignored. It had + to do with SSL sessions, where multiple connections can occur. + Since the Erlang SSL application does not support sessions the + option is still ignored, and consequently the documentation + about it has been removed.

+

OwnId: OTP-3146

+
+ +

The Erlang SSL application is now based on OpenSSL version + 0.9.7a. OpenSSL 0.9.6 should also work.

+

OwnId: OTP-4002

+
+ +

When connecting it is now possible to bind to a local address + and local port.

+

OwnId: OTP-4675

+
+ +

The ssl_esock port program is now part of the + distribution and thus does not have to be created + explicitly. It is dynamically linked to OpenSSL + libraries in a "standard" location (typically + /usr/local/lib on UNIX; in the path on Win32).

+

OwnId: + OTP-4676

+
+ +

The new functions ssl:peercert/1/2 provide information + from the certificate of a peer of a connection.

+

OwnId: OTP-4680 +

+Aux Id: seq7688

+
+ +

The function ssl:port/1 has been removed from the + documentation, but not from the ssl interface module. + The recommendation is to use ssl:peername/1 + instead, which provides both address and port of the peer.

+

OwnId: OTP-4681

+
+ +

New User's Guide documentation has been added.

+

OwnId: OTP-4682

+
+ +

The old ssl_socket interface has been removed and also + the documentation of it.

+

OwnId: OTP-4683

+
+ +

The use of ephemeral RSA keys is now supported. It is + a global configuration option (see the ssl(6) manual page).

+

OwnId: OTP-4691.

+
+
+
+ +
+ Fixed Bugs and Malfunctions + + +

The option cacertfile is now in effect, and can + therefore no longer be set with the OS environment + variable SSL_CERT_FILE (which did set the same value for + all connections).

+

OwnId: OTP-3146

+
+ +

There was a synchronization error at closing of an SSL + connection.

+

OwnId: OTP-4435 +

+Aux Id: seq7534

+
+ +

C macros in debuglog.c were not ANSI C compliant.

+

OwnId: OTP-4674

+
+ +

The binary option was not properly handled.

+

OwnId: OTP-4678

+
+ +

The ssl:format_error/1 did not consider inet + error codes, nor did it have a catch all for unknown error + codes.

+

OwnId: OTP-4679

+
+
+
+ +
+ Known Bugs and Problems + + +

Change of controlling process in not OTP compliant.

+

OwnId; OTP-4712

+
+ +

There is still no way to restrict the cipher sizes.

+

OwnId: OTP-4712

+
+ +

The keep_alive and reuse_addr options will be + added in a future release.

+

OwnId: OTP-4677

+
+ +

There is currently no way to restrict the SSL/TLS + protocol versions to use. In a future release this will be + supported as a configuration option, and as an option for + each connection as well.

+

OwnId: OTP-4711.

+
+
+
+
+ +
+ SSL 2.3.6 + +
+ Fixed Bugs and Malfunctions + + +

There was a synchronization error at closing, which could + result in that an SSL socket was removed prematurely, resulting + in that a user process referring to it received an unexpected + exit.

+

OwnId: OTP-4435 +

+Aux Id: seq7600

+
+
+
+ +
+ Known Bugs and Problems +

See SSL 2.2 .

+
+
+ +
+ SSL 2.3.5 + +
+ Fixed Bugs and Malfunctions + + +

Setting of the option `nodelay' caused the SSL port program + to dump core.

+

OwnId: OTP-4380 +

+Aux Id: -

+
+ +

Setting of the option '{active, once}' in setopts was + wrong, causing a correct socket message to be regarded as + erroneous.

+

OwnId: OTP-4380 +

+Aux Id: -

+
+ +

A self-signed peer certificate was always rejected with the + error `eselfsignedcert', irrespective of the `depth' value.

+

OwnId: OTP-4374 +

+Aux Id: seq7417

+
+
+
+ +
+ Known Bugs and Problems +

See SSL 2.2 .

+
+
+ +
+ SSL 2.3.4 + +
+ Improvements and New Features + + +

All TCP options allowed in gen_tcp, are now also allowed in + SSL, except the option {reuseaddr, Boolean}. A new + function getopts has been added to the SSL interface + module ssl.

+

OwnId: OTP-4305, OTP-4159

+
+
+
+
+ +
+ SSL 2.3.3 + +
+ Fixed Bugs and Malfunctions + + +

The roles of the SSLeay and OpenSSL packages has been + clarified in the ssl(6) application manual page. Also + the URLs from which to download SSLeay has been updated.

+

OwnId: OTP-4002 +

+Aux Id: seq5269

+
+ +

A call to ssl:listen(Port, Options) with + Options = [] resulted in the cryptic {error, ebadf} return value. The return value has been changed + to {error, enooptions}, and the behaviour has been + documented in the listen/2 function.

+

OwnId: OTP-4016 +

+Aux Id: seq7006

+
+ +

Use of the option {nodelay, boolean()} crashed + the ssl_server.

+

OwnId: OTP-4070 +

+Aux Id:

+
+ +

A bug caused the Erlang distribution over ssl to fail. + This bug has now been fixed.

+

OwnId: OTP-4072 +

+Aux Id:

+
+ +

On Windows when the SSL port program encountered an + error code not anticipated it crashed.

+

OwnId: OTP-4132 +

+Aux Id:

+
+
+
+
+ +
+ SSL 2.3.2 + +
+ Fixed Bugs and Malfunctions + + +

The ssl:accept/1-2 function sometimes returned + {error, {What, Where}} instead of {error, What}, where What is an atom.

+

OwnId: OTP-3775 +

+Aux Id: seq4991

+
+
+
+
+ +
+ SSL 2.3.1 + +
+ Fixed Bugs and Malfunctions + + +

Sometimes the SSL portprogram would loop in an accept + loop, without terminating even when the SSL application + was stopped..

+

OwnId: OTP-3691

+
+
+
+
+ +
+ SSL 2.3 +

Functions have been added to SSL to experimentally support + Erlang distribution. +

+
+ +
+ SSL 2.2.1 +

The 2.2.1 version of SSL provides code replacement in runtime + by upgrading from, or downgrading to, versions 2.1 and 2.2. +

+
+ +
+ SSL 2.2 + +
+ Improvements and New Features + + +

The restriction that only the creator of an SSL socket can + read from and write to the socket has been lifted.

+

OwnId: OTP-3301

+
+ +

The option {packet, cdr} for SSL sockets has been added, + which means that SSL sockets also supports CDR encoded packets.

+

OwnId: OTP-3302

+
+
+
+ +
+ Known Bugs and Problems + + +

Setting of a CA certificate file with the cacertfile + option (in calls to ssl:accept/1/2 or + ssl:connect/3/4) does not work due to weaknesses + in the SSLeay package.

+

A work-around is to set the OS environment variable + SSL_CERT_FILE before SSL is started. However, then + the CA certificate file will be global for all connections.

+

OwnId: OTP-3146

+
+ +

When changing controlling process of an SSL socket, a + temporary process is started, which is not gen_server + compliant.

+

OwnId: OTP-3146

+
+ +

Although there is a cache timeout option, it is + silently ignored.

+

OwnId: OTP-3146

+
+ +

There is currently no way to restrict the cipher sizes.

+

OwnId: OTP-3146

+
+
+
+
+ +
+ SSL 2.1 + +
+ Improvements and New Features + + +

The set of possible error reasons has been extended to + contain diagnostics on erroneous certificates and failures + to verify certificates.

+

OwnId: OTP-3145

+
+ +

The maximum number of simultaneous SSL connections on + Windows has been increased from 31 to 127.

+

OwnId: OTP-3145

+
+
+
+ +
+ Fixed Bugs and Malfunctions + + +

A dead-lock occurring when write queues are not empty has + been removed.

+

OwnId: OTP-3145

+
+ +

Error reasons have been unified and changed.

+

(** POTENTIAL INCOMPATIBILITY **)

+

OwnId: OTP-3145

+
+ +

On Windows a check of the existence of the environment + variable ERLSRV_SERVICE_NAME has been added. If + that variable is defined, the port program of the SSL + application will not terminated when a user logs off.

+

OwnId: OTP-3145

+
+ +

An error in the setting of the nodelay option + has been corrected.

+

OwnId: OTP-3145

+
+ +

The confounded notions of verify mode and verify depth has + been corrected. The option verifydepth has been + removed, and the two separate options verify and + depth has been added.

+

(** POTENTIAL INCOMPATIBILITY **)

+

OwnId: OTP-3145

+
+
+
+ +
+ Known Bugs and Problems + + +

Setting of a CA certificate file with the cacertfile + option (in calls to ssl:accept/1/2 or + ssl:connect/3/4) does not work due to weaknesses + in the SSLeay package.

+

A work-around is to set the OS environment variable + SSL_CERT_FILE before SSL is started. However, then + the CA certificate file will be global for all connections.

+

OwnId: OTP-3146

+
+ +

When changing controlling process of an SSL socket, a + temporary process is started, which is not gen_server + compliant.

+

OwnId: OTP-3146

+
+ +

Although there is a cache timeout option, it is + silently ignored.

+

OwnId: OTP-3146

+
+ +

There is currently no way to restrict the cipher sizes.

+

OwnId: OTP-3146

+
+
+
+
+ +
+ SSL 2.0 +

A complete new version of SSL with separate I/O channels + for all connections with non-blocking I/O multiplexing.

+
+
+ + -- cgit v1.2.3
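Review bot: In the SSL 3.10.3 section, the item saying that "by default {bad_cert,unknown_ca} is an accepted fault during the client connection phase" sits under "Improvements and New Features" with no compatibility marker, although per its own wording it applies even when verify_peer is used. Mark it with the "(** POTENTIAL INCOMPATIBILITY **)" line that the SSL 2.1 entries already use, and state directly that a caller who wants an unknown CA rejected has to supply its own verify_fun (the sentence that says so also has the typo "suppling"). The first item in the same entry, "Packet handling was not implemented correctly.", describes the defect rather than the change, so reword it or move it under "Fixed Bugs and Malfunctions". Smaller points: in SSL 3.0 "Known Bugs and Problems", two different problems both carry OTP-4712 and the first is written "OwnId; OTP-4712"; please also check the spelling of "cache_timout" in SSL 3.0 and "alfa" in SSL 3.9.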