From c18b13d4c8aa31b145703bbbf228fb07d6b2a0a5 Mon Sep 17 00:00:00 2001
From: Erlang/OTP
Date: Wed, 21 Jun 2017 10:53:19 +0200
Subject: Prepare release

---
 lib/ssl/doc/src/notes.xml | 116 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 29ec3f9d57..5a39cac9bc 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -28,6 +28,122 @@

This document describes the changes made to the SSL application.

+
SSL 8.2 + +
Fixed Bugs and Malfunctions + + +

+ ECDH-ECDSA key exchange supported, was accidently + dismissed in earlier versions.

+

+ Own Id: OTP-14421

+
+ +

+ Correct close semantics for active once connections. This + was a timing dependent bug the resulted in the close + message not always reaching the ssl user process.

+

+ Own Id: OTP-14443

+
+
+
+ + +
Improvements and New Features + + +

+ TLS-1.2 clients will now always send hello messages on + its own format, as opposed to earlier versions that will + send the hello on the lowest supported version, this is a + change supported by the latest RFC.

+

+ This will make interoperability with some newer servers + smoother. Potentially, but unlikely, this could cause a + problem with older servers if they do not adhere to the + RFC and ignore unknown extensions.

+

+ *** POTENTIAL INCOMPATIBILITY ***

+

+ Own Id: OTP-13820

+
+ +

+ Allow Erlang/OTP to use OpenSSL in FIPS-140 mode, in + order to satisfy specific security requirements (mostly + by different parts of the US federal government).

+

+ See the new crypto users guide "FIPS mode" chapter about + building and using the FIPS support which is disabled by + default.

+

+ (Thanks to dszoboszlay and legoscia)

+

+ Own Id: OTP-13921 Aux Id: PR-1180

+
+ +

+ Implemented DTLS cookie generation, required by spec, + instead of using a hardcoded value.

+

+ Own Id: OTP-14076

+
+ +

+ Implement sliding window replay protection of DTLS + records.

+

+ Own Id: OTP-14077

+
+ +

+ TLS client processes will by default call + public_key:pkix_verify_hostname/2 to verify the hostname + of the connection with the server certificates specified + hostname during certificate path validation. The user may + explicitly disables it. Also if the hostname can not be + derived from the first argument to connect or is not + supplied by the server name indication option, the check + will not be performed.

+

+ Own Id: OTP-14197

+
+ +

+ Extend connection_information/[1,2] . The values + session_id, master_secret, client_random and + server_random can no be accessed by + connection_information/2. Note only session_id will be + added to connection_information/1. The rational is that + values concerning the connection security should have to + be explicitly requested.

+

+ Own Id: OTP-14291

+
+ +

+ Chacha cipher suites are currently not tested enough to + be most preferred ones

+

+ Own Id: OTP-14382

+
+ +

+ Basic support for DTLS that been tested together with + OpenSSL.

+

+ Test by providing the option {protocol, dtls} to the ssl + API functions connect and listen.

+

+ Own Id: OTP-14388

+
+
+
+ +
+
SSL 8.1.3
Fixed Bugs and Malfunctions
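
Review bot: In the OTP-14291 entry, "can no be accessed by connection_information/2" can be read as either "can now" or "cannot", which mean opposite things for session_id, master_secret, client_random and server_random. Since the next sentences say these values have to be explicitly requested, it should read "can now be accessed". The OTP-14197 entry makes public_key:pkix_verify_hostname/2 a default for TLS clients and says the check is not performed when no hostname can be derived, yet unlike OTP-13820 it carries no "*** POTENTIAL INCOMPATIBILITY ***" marker. Consider adding one and naming the option that disables the check. Smaller wording fixes in the same hunk: "accidently" (OTP-14421), "the resulted in" (OTP-14443), "may explicitly disables it" (OTP-14197), "The rational is" (OTP-14291), "that been tested" (OTP-14388).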