From eaf8ca41dfa4850437ad270d3897399c9358ced0 Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Tue, 30 May 2017 16:15:30 +0200 Subject: Prepare release --- lib/ssl/doc/src/notes.xml | 108 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 29ec3f9d57..1a93572dc7 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -28,6 +28,114 @@

This document describes the changes made to the SSL application.

+
SSL 8.2 + +
Fixed Bugs and Malfunctions + + +

+ ECDH-ECDSA key exchange supported, was accidently + dismissed in earlier versions.

+

+ Own Id: OTP-14421

+
+
+
+ + +
Improvements and New Features + + +

+ TLS-1.2 clients will now always send hello messages on + its own format, as opposed to earlier versions that will + send the hello on the lowest supported version, this is a + change supported by the latest RFC.

+

+ This will make interoperability with some newer servers + smoother. Potentially, but unlikely, this could cause a + problem with older servers if they do not adhere to the + RFC and ignore unknown extensions.

+

+ *** POTENTIAL INCOMPATIBILITY ***

+

+ Own Id: OTP-13820

+
+ +

+ Allow Erlang/OTP to use OpenSSL in FIPS-140 mode, in + order to satisfy specific security requirements (mostly + by different parts of the US federal government).

+

+ See the new crypto users guide "FIPS mode" chapter about + building and using the FIPS support which is disabled by + default.

+

+ (Thanks to dszoboszlay and legoscia)

+

+ Own Id: OTP-13921 Aux Id: PR-1180

+
+ +

+ Implemented DTLS cookie generation, requiered by spec, + instead of using hardcode value.

+

+ Own Id: OTP-14076

+
+ +

+ Implement sliding window replay protection of DTLS + records.

+

+ Own Id: OTP-14077

+
+ +

+ TLS client processes will by default call + public_key:pkix_verify_hostname/2 to verify the hostname + of the connection with the server certifcates specified + hostname during certificate path validation. The user may + explicitly disables it. Also if the hostname can not be + derived from the first argument to connnect or is not + supplied by the server name indication option, the check + will not be performed.

+

+ Own Id: OTP-14197

+
+ +

+ Extend connection_information/[1,2] . The values + session_id, master_secret, client_random and + server_random can no be accessed by + connection_information/2. Note only session_id will be + added to connection_information/1. The rational is that + values concerning the connection security should have to + be explicitly requested.

+

+ Own Id: OTP-14291

+
+ +

+ Chacha cipher suites are currently not tested enough to + be most prefered ones

+

+ Own Id: OTP-14382

+
+ +

+ Basic support for DTLS that been tested together with + OpenSSL.

+

+ Test by providing the option {protocol, dtls} to the ssl + API functions connect and listen.

+

+ Own Id: OTP-14388

+
+
+
+ +
+
SSL 8.1.3
Fixed Bugs and Malfunctions -- cgit v1.2.3