From 202bb737e3deabfebee683266f4b7c42781eb521 Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Mon, 30 Apr 2018 10:06:42 +0200 Subject: Update release notes --- lib/ssl/doc/src/notes.xml | 102 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 4ad7da9486..c45d806420 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -27,6 +27,108 @@

This document describes the changes made to the SSL application.

+
SSL 9.0 + +
Fixed Bugs and Malfunctions + + +

+ Proper handling of clients that choose to send an empty + answer to a certificate request

+

+ Own Id: OTP-15050

+
+
+
+ + +
Improvements and New Features + + +

+ Distribution over SSL (inet_tls) has, to improve + performance, been rewritten to not use intermediate + processes and ports.

+

+ Own Id: OTP-14465

+
+ +

+ Add suport for ECDHE_PSK cipher suites

+

+ Own Id: OTP-14547

+
+ +

+ For security reasons no longer support 3-DES cipher + suites by default

+

+ *** INCOMPATIBILITY with possibly ***

+

+ Own Id: OTP-14768

+
+ +

+ For security reasons RSA-key exchange cipher suites are + no longer supported by default

+

+ *** INCOMPATIBILITY with possible ***

+

+ Own Id: OTP-14769

+
+ +

+ The interoperability option to fallback to insecure + renegotiation now has to be explicitly turned on.

+

+ *** INCOMPATIBILITY with possibly ***

+

+ Own Id: OTP-14789

+
+ +

+ Drop support for SSLv2 enabled clients. SSLv2 has been + broken for decades and never supported by the Erlang + SSL/TLS implementation. This option was by default + disabled and enabling it has proved to sometimes break + connections not using SSLv2 enabled clients.

+

+ *** POTENTIAL INCOMPATIBILITY ***

+

+ Own Id: OTP-14824

+
+ +

+ Remove CHACHA20_POLY1305 ciphers form default for now. We + have discovered interoperability problems, ERL-538, that + we believe needs to be solved in crypto.

+

+ *** INCOMPATIBILITY with possibly ***

+

+ Own Id: OTP-14882

+
+ +

+ Use uri_string module instead of http_uri.

+

+ Own Id: OTP-14902

+
+ +

+ The SSL distribution protocol -proto inet_tls has + stopped setting the SSL option + server_name_indication. New verify funs for client + and server in inet_tls_dist has been added, not + documented yet, that checks node name if present in peer + certificate. Usage is still also yet to be documented.

+

+ Own Id: OTP-14969 Aux Id: OTP-14465, ERL-598

+
+
+
+ +
+
SSL 8.2.5
Fixed Bugs and Malfunctions -- cgit v1.2.3