From f0dbde23b539999add8754ec84541698419fc8b5 Mon Sep 17 00:00:00 2001 From: Dan Gudmundsson Date: Tue, 20 Apr 2010 12:00:00 +0200 Subject: public_key, ssl: Patch 1112 OTP-7046 Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6. OTP-8553 Moved extended key usage test for ssl values to ssl. OTP-8557 Fixes handling of the option fail_if_no_peer_cert and some undocumented options. Thanks to Rory Byrne. OTP-7046 Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6. OTP-8517 New ssl now properly handles ssl renegotiation, and initiates a renegotiation if ssl/ltls-sequence numbers comes close to the max value. However RFC-5746 is not yet supported, but will be in an upcoming release. OTP-8545 When gen_tcp is configured with the {packet,http} option, it automatically switches to expect HTTP Headers after a HTTP Request/Response line has been received. This update fixes ssl to behave in the same way. Thanks to Rory Byrne. OTP-8554 Ssl now correctly verifies the extended_key_usage extension and also allows the user to verify application specific extensions by supplying an appropriate fun. OTP-8560 Fixed ssl:transport_accept/2 to return properly when socket is closed. Thanks to Rory Byrne. --- lib/ssl/doc/src/new_ssl.xml | 25 ++++++++++++++++--- lib/ssl/doc/src/notes.xml | 61 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+), 4 deletions(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/new_ssl.xml b/lib/ssl/doc/src/new_ssl.xml index b642280096..08868a1b3c 100644 --- a/lib/ssl/doc/src/new_ssl.xml +++ b/lib/ssl/doc/src/new_ssl.xml @@ -84,8 +84,6 @@ New API functions are ssl:shutdown/2, ssl:cipher_suites/[0,1] and ssl:versions/0 - Diffie-Hellman keyexchange is - not supported yet. CRL and policy certificate extensions are not supported yet. Supported SSL/TLS-versions are SSL-3.0 and TLS-1.0 @@ -118,8 +116,8 @@ {fail_if_no_peer_cert, boolean()} {depth, integer()} | {certfile, path()} | {keyfile, path()} | {password, string()} | - {cacertfile, path()} | {ciphers, ciphers()} | {ssl_imp, ssl_imp()} - | {reuse_sessions, boolean()} | {reuse_session, fun()} + {cacertfile, path()} | {dhfile, path()} | {ciphers, ciphers()} | + {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()}

transportoption() = {CallbackModule, DataTag, ClosedTag} @@ -262,6 +260,12 @@ end CA certificates (trusted certificates used for verifying a peer certificate). May be omitted if you do not want to verify the peer. + + {dhfile, path()} + Path to file containing PEM encoded Diffie Hellman parameters, + for the server to use if a cipher suite using Diffie Hellman key exchange + is negotiated. If not specified hardcode parameters will be used. + {ciphers, ciphers()} The function ciphers_suites/0 can @@ -490,6 +494,19 @@ end + + renegotiate(Socket) -> ok | {error, Reason} + Initiates a new handshake. + + Socket = sslsocket() + +

Initiates a new handshake. A notable return value is + {error, renegotiation_rejected} indicating that the peer + refused to go through with the renegotiation but the connection + is still active using the previously negotiated session.

+ + + send(Socket, Data) -> ok | {error, Reason} Write data to a socket. diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 2dd11bc88e..9d13427677 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -30,6 +30,67 @@

This document describes the changes made to the SSL application.

+
SSL 3.11 + +
Fixed Bugs and Malfunctions + + +

+ Fixes handling of the option fail_if_no_peer_cert and + some undocumented options. Thanks to Rory Byrne.

+

+ Own Id: OTP-8557

+ + +
+ +
Improvements and New Features + + +

+ Support for Diffie-Hellman. ssl-3.11 requires + public_key-0.6.

+

+ Own Id: OTP-7046

+ + +

+ New ssl now properly handles ssl renegotiation, and + initiates a renegotiation if ssl/ltls-sequence numbers + comes close to the max value. However RFC-5746 is not yet + supported, but will be in an upcoming release.

+

+ Own Id: OTP-8517

+ + +

+ When gen_tcp is configured with the {packet,http} option, + it automatically switches to expect HTTP Headers after a + HTTP Request/Response line has been received. This update + fixes ssl to behave in the same way. Thanks to Rory + Byrne.

+

+ Own Id: OTP-8545

+ + +

+ Ssl now correctly verifies the extended_key_usage + extension and also allows the user to verify application + specific extensions by supplying an appropriate fun.

+

+ Own Id: OTP-8554 Aux Id: OTP-8553

+ + +

+ Fixed ssl:transport_accept/2 to return properly when + socket is closed. Thanks to Rory Byrne.

+

+ Own Id: OTP-8560

+ + +
+ +
SSL 3.10.9 -- cgit v1.2.3