From acb225d301f6a1bcb02c607295e370471b7834bb Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 22 Jan 2013 14:14:05 +0100 Subject: ssl: Prepare for R16 release Remove very old and obsolete release notes, update version and appup. --- lib/ssl/doc/src/notes.xml | 1284 +-------------------------------------------- lib/ssl/src/ssl.appup.src | 15 +- lib/ssl/vsn.mk | 2 +- 3 files changed, 4 insertions(+), 1297 deletions(-) (limited to 'lib') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 49bbd5d27d..73cda03b2f 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -4,7 +4,7 @@
- 19992012 + 19992013 Ericsson AB. All Rights Reserved. @@ -22,10 +22,6 @@ SSL Release Notes - Peter Högfeldt - - 2003-08-03 - G notes.xml

This document describes the changes made to the SSL application.

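Review bot: the second notes.xml hunk (`@@ -22,10 +22,6 @@`) drops the header's author, date and file fields (`Peter Högfeldt`, `2003-08-03`, `notes.xml`) without replacing them; please confirm the OTP doc build still validates the header of notes.xml without those elements, or keep the `file` field since it is the one the build is most likely to reference.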
@@ -605,1285 +601,7 @@ - - - - -
SSL 3.11.1 - -
Fixed Bugs and Malfunctions - - -

- Fixed handling of several ssl/tls packets arriving at the - same time. This was broken during a refactoring of the - code.

-

- Own Id: OTP-8679

-
-
-
- - -
Improvements and New Features - - -

- Added missing checks for padding and Mac value. Removed - code for export ciphers and DH certificates as we decided - not to support them.

-

- Own Id: OTP-7047

-
- -

- New ssl will no longer return esslerrssl to be backwards - compatible with old ssl as this hids infomation from the - user. format_error/1 has been updated to support new ssl.

-

- *** POTENTIAL INCOMPATIBILITY ***

-

- Own Id: OTP-7049

-
- -

- New ssl now supports secure renegotiation as described by - RFC 5746.

-

- Own Id: OTP-8568

-
- -

- Alert handling has been improved to better handle - unexpected but valid messages and the implementation is - also changed to avoid timing related issues that could - cause different error messages depending on network - latency. Packet handling was sort of broken but would - mostly work as expected when socket was in binary mode. - This has now been fixed.

-

- Own Id: OTP-8588

-
-
-
- -
- -
SSL 3.11 - -
Fixed Bugs and Malfunctions - - -

- Fixes handling of the option fail_if_no_peer_cert and - some undocumented options. Thanks to Rory Byrne.

-

- Own Id: OTP-8557

-
-
-
- -
Improvements and New Features - - -

- Support for Diffie-Hellman. ssl-3.11 requires - public_key-0.6.

-

- Own Id: OTP-7046

-
- -

- New ssl now properly handles ssl renegotiation, and - initiates a renegotiation if ssl/ltls-sequence numbers - comes close to the max value. However RFC-5746 is not yet - supported, but will be in an upcoming release.

-

- Own Id: OTP-8517

-
- -

- When gen_tcp is configured with the {packet,http} option, - it automatically switches to expect HTTP Headers after a - HTTP Request/Response line has been received. This update - fixes ssl to behave in the same way. Thanks to Rory - Byrne.

-

- Own Id: OTP-8545

-
- -

- Ssl now correctly verifies the extended_key_usage - extension and also allows the user to verify application - specific extensions by supplying an appropriate fun.

-

- Own Id: OTP-8554 Aux Id: OTP-8553

-
- -

- Fixed ssl:transport_accept/2 to return properly when - socket is closed. Thanks to Rory Byrne.

-

- Own Id: OTP-8560

-
-
-
- -
- -
SSL 3.10.9 - -
Fixed Bugs and Malfunctions - - -

- Fixed a crash in the certificate certification part.

-

- Own Id: OTP-8510 Aux Id: seq11525

-
-
-
- -
- -
SSL 3.10.8 - -
Fixed Bugs and Malfunctions - - -

ssl:send/2 ignored packet option, fix provided - by YAMASHINA Hio.

-

Fixed a file cache bug which caused problems when the - same file was used for both cert and cacert.

-

Allow ssl:listen/2 to be called with option - {ssl_imp, old}.

-

Fixed ssl:setopts(Socket, binary) which didn't work - for 'new' ssl.

. -

- Own Id: OTP-8441

-
- -

- Do a controlled shutdown if a non ssl packet arrives as - the first packet.

-

- Own Id: OTP-8459 Aux Id: seq11505

-
-
-
- - -
Improvements and New Features - - -

Fixed session reuse (in new_ssl), thanks Wil Tan.

-

Send CA list during Certificate Request (in new_ssl) , - thanks Wil Tan.

NOTE: SSL (new_ssl) - requires public_key-0.5.

-

- Own Id: OTP-8372

-
-
-
- -
- -
SSL 3.10.7 - -
Fixed Bugs and Malfunctions - - -

- A ticker process could potentially be blocked - indefinitely trying to send a tick to a node not - responding. If this happened, the connection would not be - brought down as it should.

-

This requires erts-5.7.4 and kernel-2.13.4 or later - to be able to get the erlang distribution over ssl to work.

-

- Own Id: OTP-8218

-
-
-
- - -
Improvements and New Features - - -

- The documentation is now built with open source tools - (xsltproc and fop) that exists on most platforms. One - visible change is that the frames are removed.

-

- Own Id: OTP-8250

-
- -

- Code cleanup from Kostis.

-

- Own Id: OTP-8260

-
-
-
- -
- -
SSL 3.10.6 - -
Fixed Bugs and Malfunctions - - -

- The ssl:ssl_accept/3 issue was not properly fixed in the - previous patch, see OTP-8244.

-

- Own Id: OTP-8275 Aux Id: seq11451

-
-
-
- -
- -
SSL 3.10.5 - -
Fixed Bugs and Malfunctions - - -

- Allow clients to not send certificates if option - fail_if_no_peer_cert was not set.

-

- Own Id: OTP-8224

-
- -

An ssl:ssl_accept/3 could crash a connection if the - timing was wrong.

Removed info message if the - socket closed without a proper disconnect from the ssl - layer.

ssl:send/2 is now blocking until the - message is sent.

-

- Own Id: OTP-8244 Aux Id: seq11420

-
-
-
- -
- -
SSL 3.10.4 - -
Fixed Bugs and Malfunctions - - -

- A client could avoid a certificate check if the client - code didn't send the requested certificate.

-

- Own Id: OTP-8137

-
-
-
- -
- -
SSL 3.10.3 - -
Improvements and New Features - - -

Packet handling was not implemented correctly.

-

Inet option handling support have been improved.

-

The verify_fun is now invoked even if - verify_peer is used, that implies that by default - {bad_cert,unknown_ca} is an accepted fault during the - client connection phase. The check can still be done by - suppling another verify_fun.

-

- Own Id: OTP-8011 Aux Id: seq11287

-
-
-
- -
- - -
SSL 3.10.2 - -
Fixed Bugs and Malfunctions - - -

- A "new_ssl" socket was not closed if the controlling - process died without calling ssl:close/1.

-

- Own Id: OTP-7963 Aux Id: seq11276

-
-
-
- -
- -
SSL 3.10.1 - -
Fixed Bugs and Malfunctions - - -

- Fixed bug that caused the ssl handshake finished message - to be calculated wrongly under the circumstances that the - server did not send the trusted cert and that the - previous cert did not have the extension telling us the - trusted certs name. This manifested it self as - bad_record_mac alert from the server.

-

- Own Id: OTP-7878

-
-
-
- - -
Improvements and New Features - - -

- The cacertsfile option is now optional for ssl servers.

-

- Own Id: OTP-7656

-
- -

- For the ssl client the options cacertfile, certfile and - keyfile are now optional as they are not always needed - depending on configuration of the client itself and the - configuration of the server. Also as PEM-files may - contain more than one entry the keyfile option will - default to the same file as given by the certfile option.

-

- Own Id: OTP-7870

-
- -

- Added new ssl client option verify_fun.

-

- Own Id: OTP-7871

-
-
-
- -
- -
SSL 3.10 - -
Fixed Bugs and Malfunctions - - -

- Error log entries are now formatted correctly.

-

- Own Id: OTP-7258

-
-
-
- - -
Improvements and New Features - - -

- All handling of X509-certificates and public keys have - been moved to the new application public_key.

-

- Own Id: OTP-6894

-
- -

- New ssl now supports SSL-3.0 and TLS-1.0

-

- Own Id: OTP-7037

-
- -

- New ssl now supports all inet-packet types.

-

- Own Id: OTP-7039

-
- -

- The new ssl-server is now able to send a certificate - request to the client. However new options may be - introduced later to fully support all features regarding - certificate requests.

-

- Own Id: OTP-7150

-
-
-
- - -
Known Bugs and Problems - - -

- Running erlang distribution over ssl don't work as - described in the documentation.

-

- Own Id: OTP-7536

-
-
-
- -
- - -
SSL 3.9 - -
Fixed Bugs and Malfunctions - - -

- ssl_prim.erl was passing an FD rather than an #sslsocket - to ssl_broker:ssl_accept_prim. This could cause problems - in the deprecated accept function, this will not cause - any more problems however this function is deprecated!

-

- Own Id: OTP-6926

-
- -

- Erlang distribution over ssl was broken after R11B-0, - this has now been fixed.

-

- Own Id: OTP-7004

-
-
-
- - -
Improvements and New Features - - -

- All inet options are available in the new ssl - implementation that is released as a alfa in ssl-3.9 and - will replace the old implementation in ssl-4.0. This will - not be fixed in the old implementation.

-

- Own Id: OTP-4677

-
- -

- The new ssl implementation released as a alfa in this - version supports upgrading of a tcp connection to an ssl - connection so that http client and servers may implement - RFC 2817.

-

- Own Id: OTP-5510

-
- -

A new implementation of ssl is released as a alfa - version in ssl-3.9 it will later replace the old - implementation in ssl-4.0. The new implementation can be - accessed by providing the option {ssl_imp, new} to the - ssl:connect and ssl:listen functions.

-

The new implementation is Erlang based and all logic - is in Erlang and only payload encryption calculations are - done in C via the crypto application. The main reason for - making a new implementation is that the old solution was - very crippled as the control of the ssl-socket was deep - down in openssl making it hard if not impossible to - support all inet options, ipv6 and upgrade of a tcp - connection to an ssl connection. The alfa version has a - few limitations that will be removed before the ssl-4.0 - release. Main differences and limitations in the alfa are - listed below.

- - New ssl requires the crypto - application. The option reuseaddr is - supported and the default value is false as in gen_tcp. - Old ssl is patched to accept that the option is set to - true to provide a smoother migration between the - versions. In old ssl the option is hard coded to - true. ssl:version/0 is replaced by - ssl:versions/0 ssl:ciphers/0 is replaced by - ssl:cipher_suites/0 ssl:pid/1 is a - meaningless function in new ssl and will be deprecated in - ssl-4.0 until it is removed it will return a valid but - meaningless pid. New API functions are - ssl:shutdown/2, ssl:cipher_suites/[0,1] and - ssl:versions/0 Diffie-Hellman keyexchange is - not supported. Not all inet packet types are - supported. CRL and policy certificate - extensions are not supported. In this alfa - only sslv3 is enabled, although tlsv1 and tlsv1.1 - versions are implemented and will be supported in future - versions. For security reasons sslv2 is not - supported. -

- Own Id: OTP-6619

-
- -

- New ssl implementation, released as alfa in ssl-3.9, - supports ipv6. It will not be supported in the old - implementation.

-

- Own Id: OTP-6637 Aux Id: OTP-6636

-
-
-
- -
- -
- SSL 3.1.1.1 - -
- Minor Makefile changes - - -

Removed use of erl_flags from Makefile.

-

Own Id: OTP-6689

-
-
-
-
- -
- SSL 3.1.1 - -
- Crash on error in ssl_accept - - -

A bug in ssl_accept could cause all ssl - connections to hang when a connection - attempt was closed by the client while - the server was in ssl_accept.

-

Own Id: OTP-6612 Aux Id: seq10599

-
-
-
-
- -
- SSL 3.1 - -
- Fixed Bugs and Malfunctions - - -

SSL now uses a two-phase accept, with a separate accept - calls for the socket and the ssl protocol. This avoids - timeouts when a client doesn't initiate ssl handshake.

-

With the old implementation of accept, the server - was locked by a client, if the client didn't do - proper ssl handshake.

-

Own Id: OTP-6418 Aux Id: seq10105

-
-
-
-
- -
- SSL 3.0.12 - -
- Fixed Bugs and Malfunctions - - -

An integer array pointing to a struct pollfd array, is - now reset before file descriptors are collected to be - included in a call to poll(). This is to prevent file - descriptors to be mixed up.

-

Own Id: OTP-6084

-
- -

The generation of the module ssl_pkix_oid contained - multiple identifiers, which made the mapping between - atoms and identifiers not one-to-one.

-

Own Id: OTP-6085

-
-
-
-
- -
- SSL 3.0.11 - -
- Fixed Bugs and Malfunctions - - -

The state of a connection in active mode could be in a - restrictive state, so that an internal tcp_closed message - was incorrectly considered illegal, resulting in a - premature termination of the connection process.

-

Own Id: OTP-5972 Aux Id: seq10188

-
-
-
-
- -
- SSL 3.0.10 - -
- Fixed Bugs and Malfunctions - - -

Erlang distribution over SSL was broken. Corrected. - (Thanks to Fredrik Thulin.)

-

Own Id: OTP-5863

-
-
-
-
- -
- SSL 3.0.9 - -
- Fixed Bugs and Malfunctions - - -

The port program for the ssl application could waste huge - amounts of CPU time if a write could not be completed - directly and was put in the write queue. (Only on platforms - where poll() is used, such as Solaris and Linux.)

-

Own Id: OTP-5784

-
-
-
- -
- SSL 3.0.8 - -
- Fixed Bugs and Malfunctions - - -

A process reading only a portion of a sufficiently large - amount of data from an accepted socket, and then quering - the ssl library (e.g. ssl:getpeername()), would cause a - global deadlock in the esock port program.

-

Own Id: OTP-5702

-
- -

A spelling error in the module ssl_pkix caused the - call to ssl:peercert/2 to fail when the option - subject was used.

-

Own Id: OTP-5708

-
- -

Because fopen() on Solaris 8 can't handle file - descriptor numbers above 255, reading of certificate - files would fail if all file descriptors below 256 were - in use (typically, if many connections were open). This - problem has been worked around.

-

The ssl application's port program used to use - select(), which meant that it could not handle more than - FD_SETSIZE file descriptors (usually 1024). To eliminate - that limitation, poll() is now used on all platforms that - support it.

-

Solaris/Sparc, 64-bit emulator: The SO_REUSEADDR - option was not set for listen sockets, which essentially - made the ssl application unusable. Corrected.

-

The default listen queue size for ssl port program was - changed to 128 (from 5).

-

Own Id: OTP-5755 Aux Id: seq10068

-
-
-
-
- -
- Ssl 3.0.7 - -
- Fixed Bugs and Malfunctions - - -

The R/W buffer length i esock.c was too small. It has - been increased from 4k to 32k.

-

Own Id: OTP-5620

-
-
-
-
- -
- Ssl 3.0.6 - -
- Improvements and New Features - - -

A configuration option for choosing protocol versions has - been added (sslv2, sslv3, and - tlsv1).

-

Own Id: OTP-5429 Aux Id: seq9755

-
-
-
-
- -
- Ssl 3.0.5 - -
- Fixed Bugs and Malfunctions - - -

Linked in drivers in the crypto, and asn1 applications - are now compiled with the -D_THREAD_SAFE and -D_REENTRANT - switches on unix when the emulator has thread support - enabled.

-

Linked in drivers on MacOSX are not compiled with the - undocumented -lbundle1.o switch anymore. Thanks to Sean - Hinde who sent us a patch.

-

Linked in driver in crypto, and port programs in ssl, now - compiles on OSF1.

-

Minor makefile improvements in runtime_tools.

-

Own Id: OTP-5346

-
-
-
-
- -
- Ssl 3.0.4 - -
- Fixed Bugs and Malfunctions - - -

ssl:recv/3 with finite timeout value, closed the - connection at timeout.

-

Own Id: OTP-4882

-
-
-
-
- -
- Ssl 3.0.3 - -
- Fixed Bugs and Malfunctions - - -

When a file descriptor was marked for closing, and - end-of-file condition had already been detected, the file - descriptor was never closed.

-

Own Id: OTP-5093 Aux Id: seq8806

-
- -

When the number of open file descriptors reached - FD_SETSIZE, the SSL port program entered a busy loop.

-

Own Id: OTP-5094 Aux Id: seq8806

-
-
-
- -
- Improvements and New Features - - -

The SSL application now supports SSL sessions for - servers, which typically speeds up HTTP requests from - browsers.

-

Own Id: OTP-5095

-
-
-
-
- -
- SSL 3.0.2 - -
- Fixed Bugs and Malfunctions - - -

The UTF8String type is now defined in asn1-1.4.4.2 and - later. Therefore the definitions of UTF8String has been - removed from the ASN.1 modules PKIX1Explicit88.asn1 and - PKIXAttributeCertificate.asn1. The SSL application can now - only be built using asn-1.4.4.2 or later.

-

OwnId: OTP-4971.

-
-
-
- -
- Known Bugs and Problems -

See SSL-3.0. -

-
-
- -
- SSL 3.0.1 - -
- Fixed Bugs and Malfunctions - - -

An unexpected object identifier would crash ssl:peercert.

-

OwnId: OTP-4771.

-
-
-
- -
- Known Bugs and Problems -

See SSL-3.0. -

-
-
- -
- SSL 3.0 - -
- Improvements and New Features - - -

The cache_timout option was silently ignored. It had - to do with SSL sessions, where multiple connections can occur. - Since the Erlang SSL application does not support sessions the - option is still ignored, and consequently the documentation - about it has been removed.

-

OwnId: OTP-3146

-
- -

The Erlang SSL application is now based on OpenSSL version - 0.9.7a. OpenSSL 0.9.6 should also work.

-

OwnId: OTP-4002

-
- -

When connecting it is now possible to bind to a local address - and local port.

-

OwnId: OTP-4675

-
- -

The ssl_esock port program is now part of the - distribution and thus does not have to be created - explicitly. It is dynamically linked to OpenSSL - libraries in a "standard" location (typically - /usr/local/lib on UNIX; in the path on Win32).

-

OwnId: - OTP-4676

-
- -

The new functions ssl:peercert/1/2 provide information - from the certificate of a peer of a connection.

-

OwnId: OTP-4680 -

-Aux Id: seq7688

-
- -

The function ssl:port/1 has been removed from the - documentation, but not from the ssl interface module. - The recommendation is to use ssl:peername/1 - instead, which provides both address and port of the peer.

-

OwnId: OTP-4681

-
- -

New User's Guide documentation has been added.

-

OwnId: OTP-4682

-
- -

The old ssl_socket interface has been removed and also - the documentation of it.

-

OwnId: OTP-4683

-
- -

The use of ephemeral RSA keys is now supported. It is - a global configuration option (see the ssl(6) manual page).

-

OwnId: OTP-4691.

-
-
-
- -
- Fixed Bugs and Malfunctions - - -

The option cacertfile is now in effect, and can - therefore no longer be set with the OS environment - variable SSL_CERT_FILE (which did set the same value for - all connections).

-

OwnId: OTP-3146

-
- -

There was a synchronization error at closing of an SSL - connection.

-

OwnId: OTP-4435 -

-Aux Id: seq7534

-
- -

C macros in debuglog.c were not ANSI C compliant.

-

OwnId: OTP-4674

-
- -

The binary option was not properly handled.

-

OwnId: OTP-4678

-
- -

The ssl:format_error/1 did not consider inet - error codes, nor did it have a catch all for unknown error - codes.

-

OwnId: OTP-4679

-
-
-
- -
- Known Bugs and Problems - - -

Change of controlling process in not OTP compliant.

-

OwnId; OTP-4712

-
- -

There is still no way to restrict the cipher sizes.

-

OwnId: OTP-4712

-
- -

The keep_alive and reuse_addr options will be - added in a future release.

-

OwnId: OTP-4677

-
- -

There is currently no way to restrict the SSL/TLS - protocol versions to use. In a future release this will be - supported as a configuration option, and as an option for - each connection as well.

-

OwnId: OTP-4711.

-
-
-
-
- -
- SSL 2.3.6 - -
- Fixed Bugs and Malfunctions - - -

There was a synchronization error at closing, which could - result in that an SSL socket was removed prematurely, resulting - in that a user process referring to it received an unexpected - exit.

-

OwnId: OTP-4435 -

-Aux Id: seq7600

-
-
-
- -
- Known Bugs and Problems -

See SSL 2.2 .

-
-
- -
- SSL 2.3.5 - -
- Fixed Bugs and Malfunctions - - -

Setting of the option `nodelay' caused the SSL port program - to dump core.

-

OwnId: OTP-4380 -

-Aux Id: -

-
- -

Setting of the option '{active, once}' in setopts was - wrong, causing a correct socket message to be regarded as - erroneous.

-

OwnId: OTP-4380 -

-Aux Id: -

-
- -

A self-signed peer certificate was always rejected with the - error `eselfsignedcert', irrespective of the `depth' value.

-

OwnId: OTP-4374 -

-Aux Id: seq7417

-
-
-
- -
- Known Bugs and Problems -

See SSL 2.2 .

-
-
- -
- SSL 2.3.4 - -
- Improvements and New Features - - -

All TCP options allowed in gen_tcp, are now also allowed in - SSL, except the option {reuseaddr, Boolean}. A new - function getopts has been added to the SSL interface - module ssl.

-

OwnId: OTP-4305, OTP-4159

-
-
-
-
- -
- SSL 2.3.3 - -
- Fixed Bugs and Malfunctions - - -

The roles of the SSLeay and OpenSSL packages has been - clarified in the ssl(6) application manual page. Also - the URLs from which to download SSLeay has been updated.

-

OwnId: OTP-4002 -

-Aux Id: seq5269

-
- -

A call to ssl:listen(Port, Options) with - Options = [] resulted in the cryptic {error, ebadf} return value. The return value has been changed - to {error, enooptions}, and the behaviour has been - documented in the listen/2 function.

-

OwnId: OTP-4016 -

-Aux Id: seq7006

-
- -

Use of the option {nodelay, boolean()} crashed - the ssl_server.

-

OwnId: OTP-4070 -

-Aux Id:

-
- -

A bug caused the Erlang distribution over ssl to fail. - This bug has now been fixed.

-

OwnId: OTP-4072 -

-Aux Id:

-
- -

On Windows when the SSL port program encountered an - error code not anticipated it crashed.

-

OwnId: OTP-4132 -

-Aux Id:

-
-
-
-
- -
- SSL 2.3.2 - -
- Fixed Bugs and Malfunctions - - -

The ssl:accept/1-2 function sometimes returned - {error, {What, Where}} instead of {error, What}, where What is an atom.

-

OwnId: OTP-3775 -

-Aux Id: seq4991

-
-
-
-
- -
- SSL 2.3.1 - -
- Fixed Bugs and Malfunctions - - -

Sometimes the SSL portprogram would loop in an accept - loop, without terminating even when the SSL application - was stopped..

-

OwnId: OTP-3691

-
-
-
-
- -
- SSL 2.3 -

Functions have been added to SSL to experimentally support - Erlang distribution. -

-
- -
- SSL 2.2.1 -

The 2.2.1 version of SSL provides code replacement in runtime - by upgrading from, or downgrading to, versions 2.1 and 2.2. -

-
- -
- SSL 2.2 - -
- Improvements and New Features - - -

The restriction that only the creator of an SSL socket can - read from and write to the socket has been lifted.

-

OwnId: OTP-3301

-
- -

The option {packet, cdr} for SSL sockets has been added, - which means that SSL sockets also supports CDR encoded packets.

-

OwnId: OTP-3302

-
-
-
- -
- Known Bugs and Problems - - -

Setting of a CA certificate file with the cacertfile - option (in calls to ssl:accept/1/2 or - ssl:connect/3/4) does not work due to weaknesses - in the SSLeay package.

-

A work-around is to set the OS environment variable - SSL_CERT_FILE before SSL is started. However, then - the CA certificate file will be global for all connections.

-

OwnId: OTP-3146

-
- -

When changing controlling process of an SSL socket, a - temporary process is started, which is not gen_server - compliant.

-

OwnId: OTP-3146

-
- -

Although there is a cache timeout option, it is - silently ignored.

-

OwnId: OTP-3146

-
- -

There is currently no way to restrict the cipher sizes.

-

OwnId: OTP-3146

-
-
-
-
- -
- SSL 2.1 - -
- Improvements and New Features - - -

The set of possible error reasons has been extended to - contain diagnostics on erroneous certificates and failures - to verify certificates.

-

OwnId: OTP-3145

-
- -

The maximum number of simultaneous SSL connections on - Windows has been increased from 31 to 127.

-

OwnId: OTP-3145

-
-
-
- -
- Fixed Bugs and Malfunctions - - -

A dead-lock occurring when write queues are not empty has - been removed.

-

OwnId: OTP-3145

-
- -

Error reasons have been unified and changed.

-

(** POTENTIAL INCOMPATIBILITY **)

-

OwnId: OTP-3145

-
- -

On Windows a check of the existence of the environment - variable ERLSRV_SERVICE_NAME has been added. If - that variable is defined, the port program of the SSL - application will not terminated when a user logs off.

-

OwnId: OTP-3145

-
- -

An error in the setting of the nodelay option - has been corrected.

-

OwnId: OTP-3145

-
- -

The confounded notions of verify mode and verify depth has - been corrected. The option verifydepth has been - removed, and the two separate options verify and - depth has been added.

-

(** POTENTIAL INCOMPATIBILITY **)

-

OwnId: OTP-3145

-
-
-
- -
- Known Bugs and Problems - - -

Setting of a CA certificate file with the cacertfile - option (in calls to ssl:accept/1/2 or - ssl:connect/3/4) does not work due to weaknesses - in the SSLeay package.

-

A work-around is to set the OS environment variable - SSL_CERT_FILE before SSL is started. However, then - the CA certificate file will be global for all connections.

-

OwnId: OTP-3146

-
- -

When changing controlling process of an SSL socket, a - temporary process is started, which is not gen_server - compliant.

-

OwnId: OTP-3146

-
- -

Although there is a cache timeout option, it is - silently ignored.

-

OwnId: OTP-3146

-
- -

There is currently no way to restrict the cipher sizes.

-

OwnId: OTP-3146

-
-
-
-
- -
- SSL 2.0 -

A complete new version of SSL with separate I/O channels - for all connections with non-blocking I/O multiplexing.

-
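Review bot: the `@@ -605,1285 +601,7 @@` removal cuts every section from SSL 2.0 up to and including SSL 3.11.1, and several of the removed entries are the only in-tree record of security-relevant behaviour changes: OTP-8137 ("A client could avoid a certificate check if the client code didn't send the requested certificate"), OTP-7047 ("Added missing checks for padding and Mac value", export ciphers and DH certificates dropped), OTP-8568 (secure renegotiation per RFC 5746), OTP-8554 (extended_key_usage verification) and OTP-6619 ("For security reasons sslv2 is not supported"). The commit message describes the range as "very old and obsolete", but 3.10/3.11 are the releases in which the current implementation was introduced and these checks were added; consider keeping the SSL 3.10 and 3.11 sections, or adding one sentence after "This document describes the changes made to the SSL application." that says where the older release notes remain available, so the history of these fixes stays discoverable.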
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src index 9b1227fa7f..76e14860ec 100644 --- a/lib/ssl/src/ssl.appup.src +++ b/lib/ssl/src/ssl.appup.src @@ -1,24 +1,13 @@ %% -*- erlang -*- {"%VSN%", [ - {"5.1.1", [{restart_application, ssl}] - }, - {"5.1", [ - {load_module, ssl_connection, soft_purge, soft_purge, []} - ] - }, + {<<"5.1\\*">>, [{restart_application, ssl}]}, {<<"5.0\\*">>, [{restart_application, ssl}]}, {<<"4\\.*">>, [{restart_application, ssl}]}, {<<"3\\.*">>, [{restart_application, ssl}]} ], [ - {"5.1.1", [{restart_application, ssl}] - }, - {"5.1", [ - {load_module, ssl_connection, soft_purge, soft_purge, []} - ] - }, - {"5.1", [{restart_application, ssl}]}, + {<<"5.1\\*">>, [{restart_application, ssl}]}, {<<"5.0\\*">>, [{restart_application, ssl}]}, {<<"4\\.*">>, [{restart_application, ssl}]}, {<<"3\\.*">>, [{restart_application, ssl}]} diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index adfb29e639..cb73e86ede 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 5.1.2 +SSL_VSN = 5.2 -- cgit v1.2.3
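Review bot: in the ssl.appup.src hunk the new pattern `{<<"5.1\\*">>, ...}` is escaped inconsistently with the neighbouring `{<<"4\\.*">>, ...}` and `{<<"3\\.*">>, ...}` entries, and it does not look like it matches the versions it replaces. The Erlang string `"5.1\\*"` yields the regex `5.1\*`, where `.` is unescaped (any character) and `\*` is a literal asterisk, so it matches the text "5.1*" rather than "5.1", "5.1.1" or "5.1.2"; the already present `<<"5.0\\*">>` line has the same shape. Since vsn.mk bumps `SSL_VSN = 5.1.2` to `5.2`, the upgrade and downgrade lists need a pattern that actually matches 5.1.2, for example `<<"5\\.1.*">>` (escaped dot, then any suffix), and it is worth checking each binary pattern with `re:run/2` against the concrete versions before relying on it in the release upgrade. Dropping the two explicit `"5.1.1"`/`"5.1"` entries, including the duplicated `"5.1"` key in the downgrade list, is otherwise a welcome cleanup.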