From 6e51c6d19612d03abc81b86bb70b8d7da678ce5d Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Tue, 21 Jun 2016 15:12:41 +0200 Subject: Prepare release --- lib/ssl/doc/src/notes.xml | 154 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 154 insertions(+) (limited to 'lib/ssl') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index c427db24a4..3b6f988a2d 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -28,6 +28,160 @@

This document describes the changes made to the SSL application.

+
SSL 8.0 + +
Fixed Bugs and Malfunctions + + +

+ Server now rejects, a not requested client cert, as an + incorrect handshake message and ends the connection.

+

+ Own Id: OTP-13651

+ + +
+ + +
Improvements and New Features + + +

+ Remove default support for DES cipher suites

+

+ *** POTENTIAL INCOMPATIBILITY ***

+

+ Own Id: OTP-13195

+ + +

+ Deprecate the function crypto:rand_bytes and make + sure that crypto:strong_rand_bytes is used in all + places that are cryptographically significant.

+

+ Own Id: OTP-13214

+ + +

+ Better error handling of user error during TLS upgrade. + ERL-69 is solved by gen_statem rewrite of ssl + application.

+

+ Own Id: OTP-13255

+ + +

+ Provide user friendly error message when crypto rejects a + key

+

+ Own Id: OTP-13256

+ + +

+ Add ssl:getstat/1 and ssl:getstat/2

+

+ Own Id: OTP-13415

+ + +

+ TLS distribution connections now allow specifying the + options verify_fun, crl_check and + crl_cache. See the documentation. GitHub pull req + #956 contributed by Magnus Henoch.

+

+ Own Id: OTP-13429 Aux Id: Pull#956

+ + +

+ Remove confusing error message when closing a distributed + erlang node running over TLS

+

+ Own Id: OTP-13431

+ + +

+ Remove default support for use of md5 in TLS 1.2 + signature algorithms

+

+ Own Id: OTP-13463

+ + +

+ ssl now uses gen_statem instead of gen_fsm to implement + the ssl connection process, this solves some timing + issues in addition to making the code more intuitive as + the behaviour can be used cleanly instead of having a lot + of workaround for shortcomings of the behaviour.

+

+ Own Id: OTP-13464

+ + +

+ Phase out interoperability with clients that offer SSLv2. + By default they are no longer supported, but an option to + provide interoperability is offered.

+

+ *** POTENTIAL INCOMPATIBILITY ***

+

+ Own Id: OTP-13465

+ + +

+ OpenSSL has functions to generate short (eight hex + digits) hashes of issuers of certificates and CRLs. These + hashes are used by the "c_rehash" script to populate + directories of CA certificates and CRLs, e.g. in the + Apache web server. Add functionality to let an Erlang + program find the right CRL for a given certificate in + such a directory.

+

+ Own Id: OTP-13530

+ + +

+ Some legacy TLS 1.0 software does not tolerate the 1/n-1 + content split BEAST mitigation technique. Add a + beast_mitigation SSL option (defaulting to + one_n_minus_one) to select or disable the BEAST + mitigation technique.

+

+ Own Id: OTP-13629

+ + +

+ Enhance error log messages to facilitate for users to + understand the error

+

+ Own Id: OTP-13632

+ + +

+ Increased default DH params to 2048-bit

+

+ Own Id: OTP-13636

+ + +

+ Propagate CRL unknown CA error so that public_key + validation process continues correctly and determines + what should happen.

+

+ Own Id: OTP-13656

+ + +

+ Introduce a flight concept for handshake packages. This + is a preparation for enabling DTLS, however it can also + have a positive effects for TLS on slow and unreliable + networks.

+

+ Own Id: OTP-13678

+ + +
+ +
+
SSL 7.3.3
Fixed Bugs and Malfunctions -- cgit v1.2.3