<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">

<chapter>
  <header>
    <copyright>
      <year>1999</year><year>2018</year>
      <holder>Ericsson AB. All Rights Reserved.</holder>
    </copyright>
    <legalnotice>
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.

    </legalnotice>

    <title>SSL Release Notes</title>
    <file>notes.xml</file>
  </header>
  <p>This document describes the changes made to the SSL application.</p>

<section><title>SSL 9.2.3.7</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Data delivery with ssl:recv/2,3 could fail when using packet
          mode. This has been fixed by correcting the flow control
          handling of passive sockets when packet mode is used.</p>
        <p>
          Own Id: OTP-16764</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3.6</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Fix a timing bug that could cause ssl sockets to become
          unresponsive after an ssl:recv/3 call timed out.</p>
        <p>
          Own Id: OTP-16619 Aux Id: ERL-1213 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3.5</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Handling of zero-size fragments in TLS could cause an
          infinite loop. This has now been corrected.</p>
        <p>
          Own Id: OTP-15328 Aux Id: ERIERL-379 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3.4</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Hibernation now works as expected in all cases; it was
          accidentally broken by optimization efforts.</p>
        <p>
          Own Id: OTP-15910</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct handshake handling; the bug could cause strange
          symptoms such as ASN.1 certificate decoding issues.</p>
        <p>
          Own Id: OTP-15879 Aux Id: ERL-968 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          The returned "alert error string" is now the same as the
          logged alert string.</p>
        <p>
          Own Id: OTP-15844</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct the solution for retaining TCP flow control from
          OTP-15802 (ERL-934) so as not to break ssl:recv, as reported
          in ERL-938.</p>
        <p>
          Own Id: OTP-15823 Aux Id: ERL-934, ERL-938 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          A missing check of the size of user_data_buffer made the
          internal socket behave as an active socket instead of
          active N. This could cause memory problems.</p>
        <p>
          Own Id: OTP-15802 Aux Id: ERL-934 </p>
      </item>
    </list>
  </section>


  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Back port of the bug fix for ERL-893 from OTP 22, and
          documentation enhancements that resolve dialyzer warnings
          for users of the ssl application.</p>
        <p>
          This change also affects public_key, eldap (and the inet
          documentation).</p>
        <p>
          Own Id: OTP-15785 Aux Id: ERL-929, ERL-893, PR-2215 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          With the default BEAST mitigation strategy for TLS 1.0, an
          empty TLS fragment could be sent after a one-byte fragment.
          This glitch has been fixed.</p>
        <p>
          Own Id: OTP-15054 Aux Id: ERIERL-346 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          The timeout for a passive receive was sometimes not
          cancelled and later caused a server crash. This bug has now
          been corrected.</p>
        <p>
          Own Id: OTP-14701 Aux Id: ERL-883, ERL-884 </p>
      </item>
      <item>
        <p>
          Add a tag for the passive message (active N) in cb_info to
          retain transport transparency.</p>
        <p>
          Own Id: OTP-15679 Aux Id: ERL-861 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Fix a bug where an incorrect gen_statem return value could
          be created when an alert resulted from handling the
          renegotiation info extension.</p>
        <p>
          Own Id: OTP-15502</p>
      </item>
      <item>
        <p>
          Correct the check for 3des_ede_cbc; the bug could cause ssl
          to claim support for 3des_ede_cbc when cryptolib does not.</p>
        <p>
          Own Id: OTP-15539</p>
      </item>
      <item>
        <p>
          Improved DTLS error handling, avoiding unexpected connection
          failure in rare cases.</p>
        <p>
          Own Id: OTP-15561</p>
      </item>
      <item>
        <p>
          Corrected an active once emulation bug that could cause the
          ssl_closed message not to be sent. The bug was introduced by
          OTP-15449.</p>
        <p>
          Own Id: OTP-15666 Aux Id: ERIERL-316 </p>
      </item>
    </list>
  </section>


  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Add the client option {reuse_session, SessionID::binary()},
          which can be used together with the new option value
          {reuse_sessions, save}. This makes it possible to reuse a
          session from a specific connection establishment.</p>
        <p>
          Own Id: OTP-15369</p>
      </item>
      <item>
        <p>
          The Reason part of the error return from the functions
          connect and handshake now has a better, documented format.
          This will sometimes differ from previously returned reasons;
          however, those were only documented as term() and should for
          that reason not have been relied on.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-15423</p>
      </item>
      <item>
        <p>
          Refactoring of state handling to improve TLS application
          data throughput and reduce CPU overhead.</p>
        <p>
          Own Id: OTP-15445</p>
      </item>
      <item>
        <p>
          The SSL code has been optimized in many small ways to
          reduce CPU load for encryption/decryption, especially for
          Erlang's distribution protocol over TLS.</p>
        <p>
          Own Id: OTP-15529</p>
      </item>
      <item>
        <p>
          Add support for active N.</p>
        <p>
          Own Id: OTP-15665 Aux Id: ERL-811, PR-2072 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.1.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Fix the encoding of the SRP extension length field in ssl.
          The old encoding of the SRP extension length could cause
          interoperability problems with third-party SSL
          implementations when SRP was used.</p>
        <p>
          Own Id: OTP-15477 Aux Id: ERL-790 </p>
      </item>
      <item>
        <p>
          Guarantee active once data delivery by handling the TCP
          stream properly.</p>
        <p>
          Own Id: OTP-15504 Aux Id: ERL-371 </p>
      </item>
      <item>
        <p>
          Correct gen_statem returns for some error cases.</p>
        <p>
          Own Id: OTP-15505</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.1.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Fixed a renegotiation bug. The client did not handle
          server-initiated renegotiation correctly after the rewrite
          to two connection processes (ERL-622, commit
          d87ac1c55188f5ba5cdf72384125d94d42118c18). This could
          manifest itself as a "bad_record_mac" alert.</p>
        <p>
          Some optimizations are also included.</p>
        <p>
          Own Id: OTP-15489 Aux Id: ERL-308 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          The PEM cache was not evicting expired entries due to
          timezone confusion.</p>
        <p>
          Own Id: OTP-15368</p>
      </item>
      <item>
        <p>
          Make sure an error is returned if a "transport_accept
          socket" is used in any call other than ssl:handshake* or
          ssl:controlling_process.</p>
        <p>
          Own Id: OTP-15384 Aux Id: ERL-756 </p>
      </item>
      <item>
        <p>
          Fix timestamp handling in the PEM cache; the bug could cause
          entries not to be invalidated at the correct time.</p>
        <p>
          Own Id: OTP-15402</p>
      </item>
      <item>
        <p>
          Extend the check for undelivered data at closing; under some
          circumstances it could fail to deliver all data that was
          actually received.</p>
        <p>
          Own Id: OTP-15412 Aux Id: ERL-731 </p>
      </item>
      <item>
        <p>
          Correct the signature check for TLS 1.2, which allows
          different algorithms for the signature of the peer
          certificate and the peer certificate key. Not all allowed
          combinations were accepted.</p>
        <p>
          Own Id: OTP-15415 Aux Id: ERL-763 </p>
      </item>
      <item>
        <p>
          Correct a gen_statem return value that could cause
          renegotiation to fail.</p>
        <p>
          Own Id: OTP-15418 Aux Id: ERL-770 </p>
      </item>
    </list>
  </section>


  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Add engine support for RSA key exchange.</p>
        <p>
          Own Id: OTP-15420 Aux Id: ERIERL-268 </p>
      </item>
      <item>
        <p>
          ssl now uses active N internally to boost performance. The
          old active once behaviour can be restored by setting an
          application variable; see the manual page for the ssl
          application (man 6).</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-15449</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.0.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct alert handling with the new TLS sender process
          introduced in ssl-9.0.2. Close alerts could under some
          circumstances be encoded using an incorrect cipher state,
          which would cause the peer to regard them as unknown
          messages.</p>
        <p>
          Own Id: OTP-15337 Aux Id: ERL-738 </p>
      </item>
      <item>
        <p>
          Correct handling of the socket packet option with the new
          TLS sender process introduced in ssl-9.0.2. When the socket
          option {packet, 1|2|4} is changed with ssl:setopts/2, the
          option must internally be propagated to the sender process
          as well as the reader process, as this particular option
          also affects the data to be sent.</p>
        <p>
          Own Id: OTP-15348 Aux Id: ERL-747 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.0.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Use separate processes for sending and receiving application
          data for TLS connections, to avoid a potential deadlock that
          was most likely to occur when using TLS for Erlang
          distribution. Note that this does not change the API.</p>
        <p>
          Own Id: OTP-15122</p>
      </item>
      <item>
        <p>
          Correct handling of an empty server SNI extension.</p>
        <p>
          Own Id: OTP-15168</p>
      </item>
      <item>
        <p>
          Correct PSK cipher suite handling and add
          selected_cipher_suite to the connection information.</p>
        <p>
          Own Id: OTP-15172</p>
      </item>
      <item>
        <p>
          Adapt to the fact that cipher suite signature restrictions
          are relaxed in TLS 1.2.</p>
        <p>
          Own Id: OTP-15173</p>
      </item>
      <item>
        <p>
          Enhance error handling of non-existing PEM files.</p>
        <p>
          Own Id: OTP-15174</p>
      </item>
      <item>
        <p>
          Correct close handling of transport-accepted sockets in the
          error state.</p>
        <p>
          Own Id: OTP-15216</p>
      </item>
      <item>
        <p>
          Correct the PEM cache so that it does not add references to
          empty entries when the PEM file does not exist.</p>
        <p>
          Own Id: OTP-15224</p>
      </item>
      <item>
        <p>
          Correct handling of all PSK cipher suites.</p>
        <p>
          Previously only some PSK suites would be correctly
          negotiated, and most PSK cipher suites would fail the
          connection.</p>
        <p>
          Own Id: OTP-15285</p>
      </item>
    </list>
  </section>


  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          TLS will now try to order certificate chains if they appear
          to be unordered. Prior to TLS 1.3, “certificate_list”
          ordering was required to be strict; however, some
          implementations already allowed for some flexibility. For
          maximum compatibility, all implementations SHOULD be
          prepared to handle potentially extraneous certificates and
          arbitrary orderings from any TLS version.</p>
        <p>
          Own Id: OTP-12983</p>
      </item>
      <item>
        <p>
          TLS will now try to reconstruct an incomplete certificate
          chain from its local CA database and use that data for
          certificate path validation. This especially makes sense for
          partial chains, as the peer might then not send an
          intermediate CA that it considers to be the trusted root.</p>
        <p>
          Own Id: OTP-15060</p>
      </item>
      <item>
        <p>
          The option keyfile defaults to certfile and should be
          overridden by key. This failed for engine keys.</p>
        <p>
          Own Id: OTP-15193</p>
      </item>
      <item>
        <p>
          Error message improvement when the own certificate has
          decoding issues; see also issue ERL-668.</p>
        <p>
          Own Id: OTP-15234</p>
      </item>
      <item>
        <p>
          Correct the dialyzer spec for the key option.</p>
        <p>
          Own Id: OTP-15281</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.0.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct cipher suite handling for ECDHE_*; the incorrect
          handling could cause an incorrect suite to be selected and
          most likely fail the handshake.</p>
        <p>
          Own Id: OTP-15203</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 9.0</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct handling of ECDH suites.</p>
        <p>
          Own Id: OTP-14974</p>
      </item>
      <item>
        <p>
          Proper handling of clients that choose to send an empty
          answer to a certificate request.</p>
        <p>
          Own Id: OTP-15050</p>
      </item>
    </list>
  </section>


  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Distribution over SSL (inet_tls) has, to improve
          performance, been rewritten to not use intermediate
          processes and ports.</p>
        <p>
          Own Id: OTP-14465</p>
      </item>
      <item>
        <p>
          Add support for ECDHE_PSK cipher suites.</p>
        <p>
          Own Id: OTP-14547</p>
      </item>
      <item>
        <p>
          For security reasons, 3-DES cipher suites are no longer
          supported by default.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-14768</p>
      </item>
      <item>
        <p>
          For security reasons, RSA key exchange cipher suites are no
          longer supported by default.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-14769</p>
      </item>
      <item>
        <p>
          The interoperability option to fall back to insecure
          renegotiation now has to be explicitly turned on.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-14789</p>
      </item>
      <item>
        <p>
          Drop support for SSLv2-enabled clients. SSLv2 has been
          broken for decades and was never supported by the Erlang
          SSL/TLS implementation. This option was disabled by default,
          and enabling it has proved to sometimes break connections
          from clients that are not SSLv2 enabled.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-14824</p>
      </item>
      <item>
        <p>
          Remove CHACHA20_POLY1305 ciphers from the defaults for now.
          We have discovered interoperability problems (ERL-538) that
          we believe need to be solved in crypto.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-14882</p>
      </item>
      <item>
        <p>
          Generalize DTLS packet multiplexing to make it easier to
          add future DTLS features and uses.</p>
        <p>
          Own Id: OTP-14888</p>
      </item>
      <item>
        <p>
          Use the uri_string module instead of http_uri.</p>
        <p>
          Own Id: OTP-14902</p>
      </item>
      <item>
        <p>
          The SSL distribution protocol <c>-proto inet_tls</c> has
          stopped setting the SSL option
          <c>server_name_indication</c>. New verify funs for client
          and server have been added in <c>inet_tls_dist</c>, not yet
          documented, that check the node name if present in the peer
          certificate. Their usage is also yet to be documented.</p>
        <p>
          Own Id: OTP-14969 Aux Id: OTP-14465, ERL-598 </p>
      </item>
      <item>
        <p>
          Deprecate ssl:ssl_accept/[1,2,3] in favour of
          ssl:handshake/[1,2,3].</p>
        <p>
          Own Id: OTP-15056</p>
      </item>
      <item>
        <p>
          Allow customization of the hostname verification of the peer
          certificate, as different protocols that use TLS, such as
          HTTP or LDAP, may want to do it differently.</p>
        <p>
          Own Id: OTP-15102 Aux Id: ERL-542, OTP-14962 </p>
      </item>
      <item>
        <p>
          Add a utility function for converting Erlang cipher suites
          to a string representation (ERL-600).</p>
        <p>
          Own Id: OTP-15106</p>
      </item>
      <item>
        <p>
          First version with support for DTLS.</p>
        <p>
          Own Id: OTP-15142</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.2.6.4</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Add engine support for RSA key exchange.</p>
        <p>
          Own Id: OTP-15420</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.2.6.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Extend the check for undelivered data at closing; under some
          circumstances it could fail to deliver all data that was
          actually received.</p>
        <p>
          Own Id: OTP-15412</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.2.6.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct handling of an empty server SNI extension.</p>
        <p>
          Own Id: OTP-15168</p>
      </item>
      <item>
        <p>
          Correct cipher suite handling for ECDHE_*; the incorrect
          handling could cause an incorrect suite to be selected and
          most likely fail the handshake.</p>
        <p>
          Own Id: OTP-15203</p>
      </item>
    </list>
  </section>

</section>
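<p>
  Added example, not code from the OTP ssl application or these release
  notes. The SSL 9.0 notes above disable 3-DES (OTP-14768) and RSA key
  exchange (OTP-14769) by default, and the SSL 8.2.2 and 8.1.3.1 notes
  below give a list-comprehension workaround for the Bleichenbacher
  issue (CVE-2017-1000385) on releases that still enable RSA key
  exchange. The module below expresses the same hardening with the cipher
  suite API added in SSL 8.2.4 (OTP-14760), ssl:cipher_suites/2 and
  ssl:filter_cipher_suites/2, which work on the map-based suite
  representation, plus ssl:suite_to_str/1 from SSL 9.0 (OTP-15106). The
  module and function names are the example's own; it assumes OTP 21 or
  later for suite_to_str/1, and that the ssl application is started.</p>

```erlang
%% Added example, not code from the OTP ssl application. Module and
%% function names are the example's own; ssl:cipher_suites/2 and
%% ssl:filter_cipher_suites/2 (SSL 8.2.4, OTP-14760) and
%% ssl:suite_to_str/1 (SSL 9.0, OTP-15106) are the real ssl API.
-module(hardened_tls).
-export([server_suites/1, rsa_kx_suites/1, listen/2]).

%% Start from the default suites for Version and drop every suite that
%% still uses static RSA key exchange (the Bleichenbacher target,
%% CVE-2017-1000385) or the 3-DES cipher. On SSL 9.0 and later the
%% defaults already exclude both; on SSL 8.2.4 through 8.2.6.x this
%% filter is what removes them.
server_suites(Version) ->
    ssl:filter_cipher_suites(
      ssl:cipher_suites(default, Version),
      [{key_exchange, fun(rsa) -> false; (_) -> true end},
       {cipher, fun('3des_ede_cbc') -> false; (_) -> true end}]).

%% Names (for example "TLS_RSA_WITH_AES_128_GCM_SHA256") of any suites in
%% Suites that would negotiate plain RSA key exchange, so a deployment
%% can assert the list is clean before using it.
rsa_kx_suites(Suites) ->
    lists:map(fun ssl:suite_to_str/1,
              ssl:filter_cipher_suites(
                Suites,
                [{key_exchange, fun(rsa) -> true; (_) -> false end}])).

%% Listen with the filtered list. honor_cipher_order lets the server's
%% order win, and secure_renegotiate is set explicitly so that the
%% insecure renegotiation fallback is off on releases older than SSL 9.0
%% as well (OTP-14789 made that the default). The badmatch on
%% rsa_kx_suites/1 makes the server refuse to start rather than expose
%% an RSA key exchange suite by accident.
listen(Port, Opts) ->
    Version = 'tlsv1.2',
    Suites = server_suites(Version),
    [] = rsa_kx_suites(Suites),
    ssl:listen(Port, [{versions, [Version]},
                      {ciphers, Suites},
                      {honor_cipher_order, true},
                      {secure_renegotiate, true}
                      | Opts]).
```

<p>
  Call <c>ssl:start()</c> first, then <c>hardened_tls:listen(8443,
  [{certfile, "cert.pem"}, {keyfile, "key.pem"}])</c>. On an OTP 21
  node, <c>rsa_kx_suites(ssl:cipher_suites(all, 'tlsv1.2'))</c> still
  lists the RSA key exchange suites the library supports, which is why
  the filter is applied to whatever list is handed to the listen
  options rather than trusting the defaults of a particular release.</p>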
796 797<section><title>SSL 8.2.6.1</title> 798 799 <section><title>Fixed Bugs and Malfunctions</title> 800 <list> 801 <item> 802 <p> 803 Improve cipher suite handling correcting ECC and TLS-1.2 804 requierments. Backport of solution for ERL-641</p> 805 <p> 806 Own Id: OTP-15178</p> 807 </item> 808 </list> 809 </section> 810 811 812 <section><title>Improvements and New Features</title> 813 <list> 814 <item> 815 <p> 816 Option keyfile defaults to certfile and should be trumped 817 with key. This failed for engine keys.</p> 818 <p> 819 Own Id: OTP-15193</p> 820 </item> 821 </list> 822 </section> 823 824</section> 825 826<section><title>SSL 8.2.6</title> 827 828 <section><title>Fixed Bugs and Malfunctions</title> 829 <list> 830 <item> 831 <p> 832 Proper handling of clients that choose to send an empty 833 answer to a certificate request</p> 834 <p> 835 Own Id: OTP-15050</p> 836 </item> 837 </list> 838 </section> 839 840</section> 841 842<section><title>SSL 8.2.5</title> 843 844 <section><title>Fixed Bugs and Malfunctions</title> 845 <list> 846 <item> 847 <p> 848 Fix filter function to not incorrectly exclude AEAD 849 cipher suites</p> 850 <p> 851 Own Id: OTP-14981</p> 852 </item> 853 </list> 854 </section> 855 856</section> 857 858<section><title>SSL 8.2.4</title> 859 860 <section><title>Fixed Bugs and Malfunctions</title> 861 <list> 862 <item> 863 <p> 864 Optimization of bad merge conflict resolution causing 865 dubble decode</p> 866 <p> 867 Own Id: OTP-14843</p> 868 </item> 869 <item> 870 <p> 871 Restore error propagation to OTP-19.3 behaviour, in 872 OTP-20.2 implementation adjustments to gen_statem needed 873 some further adjustments to avoid a race condition. 
This 874 could cause a TLS server to not always report file path 875 errors correctly.</p> 876 <p> 877 Own Id: OTP-14852</p> 878 </item> 879 <item> 880 <p> 881 Corrected RC4 suites listing function to regard TLS 882 version</p> 883 <p> 884 Own Id: OTP-14871</p> 885 </item> 886 <item> 887 <p> 888 Fix alert handling so that unexpected messages are logged 889 and alerted correctly</p> 890 <p> 891 Own Id: OTP-14919</p> 892 </item> 893 <item> 894 <p> 895 Correct handling of anonymous cipher suites</p> 896 <p> 897 Own Id: OTP-14952</p> 898 </item> 899 </list> 900 </section> 901 902 903 <section><title>Improvements and New Features</title> 904 <list> 905 <item> 906 <p> 907 Added new API functions to facilitate cipher suite 908 handling</p> 909 <p> 910 Own Id: OTP-14760</p> 911 </item> 912 <item> 913 <p> 914 Correct TLS_FALLBACK_SCSV handling so that this special 915 flag suite is always placed last in the cipher suite list 916 in accordance with the specs. Also make sure this 917 functionality is used in DTLS.</p> 918 <p> 919 Own Id: OTP-14828</p> 920 </item> 921 <item> 922 <p> 923 Add TLS record version sanity check for early as possible 924 error detection and consistency in ALERT codes generated</p> 925 <p> 926 Own Id: OTP-14892</p> 927 </item> 928 </list> 929 </section> 930 931</section> 932 933<section><title>SSL 8.2.3</title> 934 935 <section><title>Fixed Bugs and Malfunctions</title> 936 <list> 937 <item> 938 <p> 939 Packet options cannot be supported for unreliable 940 transports, that is, packet option for DTLS over udp will 941 not be supported.</p> 942 <p> 943 Own Id: OTP-14664</p> 944 </item> 945 <item> 946 <p> 947 Ensure data delivery before close if possible. 
This fix 948 is related to fix in PR-1479.</p> 949 <p> 950 Own Id: OTP-14794</p> 951 </item> 952 </list> 953 </section> 954 955 956 <section><title>Improvements and New Features</title> 957 <list> 958 <item> 959 <p> 960 The crypto API is extended to use private/public keys 961 stored in an Engine for sign/verify or encrypt/decrypt 962 operations.</p> 963 <p> 964 The ssl application provides an API to use this new 965 engine concept in TLS.</p> 966 <p> 967 Own Id: OTP-14448</p> 968 </item> 969 <item> 970 <p> 971 Implemented renegotiation for DTLS</p> 972 <p> 973 Own Id: OTP-14563</p> 974 </item> 975 <item> 976 <p> 977 A new command line option <c>-ssl_dist_optfile</c> has 978 been added to facilitate specifying the many options 979 needed when using SSL as the distribution protocol.</p> 980 <p> 981 Own Id: OTP-14657</p> 982 </item> 983 </list> 984 </section> 985 986</section> 987 988<section><title>SSL 8.2.2</title> 989 <section><title>Fixed Bugs and Malfunctions</title> 990 <list> 991 <item> 992 <p> 993 TLS sessions must be registered with SNI if provided, so 994 that sessions where client hostname verification would 995 fail can not connect reusing a session created when the 996 server name verification succeeded.</p> 997 <p> 998 Own Id: OTP-14632</p> 999 </item> 1000 <item> 1001 <p> An erlang TLS server configured with cipher suites 1002 using rsa key exchange, may be vulnerable to an Adaptive 1003 Chosen Ciphertext attack (AKA Bleichenbacher attack) 1004 against RSA, which when exploited, may result in 1005 plaintext recovery of encrypted messages and/or a 1006 Man-in-the-middle (MiTM) attack, despite the attacker not 1007 having gained access to the server’s private key 1008 itself. 
<url 1009 href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000385">CVE-2017-1000385</url> 1010 </p> <p> Exploiting this vulnerability to perform 1011 plaintext recovery of encrypted messages will, in most 1012 practical cases, allow an attacker to read the plaintext 1013 only after the session has completed. Only TLS sessions 1014 established using RSA key exchange are vulnerable to this 1015 attack. </p> <p> Exploiting this vulnerability to conduct 1016 a MiTM attack requires the attacker to complete the 1017 initial attack, which may require thousands of server 1018 requests, during the handshake phase of the targeted 1019 session within the window of the configured handshake 1020 timeout. This attack may be conducted against any TLS 1021 session using RSA signatures, but only if cipher suites 1022 using RSA key exchange are also enabled on the server. 1023 The limited window of opportunity, limitations in 1024 bandwidth, and latency make this attack significantly 1025 more difficult to execute. </p> <p> RSA key exchange is 1026 enabled by default although least prioritized if server 1027 order is honored. For such a cipher suite to be chosen it 1028 must also be supported by the client and probably the 1029 only shared cipher suite. </p> <p> Captured TLS sessions 1030 encrypted with ephemeral cipher suites (DHE or ECDHE) are 1031 not at risk for subsequent decryption due to this 1032 vulnerability. </p> <p> As a workaround if default cipher 1033 suite configuration was used you can configure the server 1034 to not use vulnerable suites with the ciphers option like 1035 this: </p> <c> {ciphers, [Suite || Suite <- 1036 ssl:cipher_suites(), element(1,Suite) =/= rsa]} </c> <p> 1037 that is your code will look somethingh like this: </p> 1038 <c> ssl:listen(Port, [{ciphers, [Suite || Suite <- 1039 ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]). 1040 </c> <p> Thanks to Hanno Böck, Juraj Somorovsky and 1041 Craig Young for reporting this vulnerability. 
</p> 1042 <p> 1043 Own Id: OTP-14748</p> 1044 </item> 1045 </list> 1046 </section> 1047 1048 <section><title>Improvements and New Features</title> 1049 <list> 1050 <item> 1051 <p> 1052 If no SNI is available and the hostname is an IP-address 1053 also check for IP-address match. This check is not as 1054 good as a DNS hostname check and certificates using 1055 IP-address are not recommended.</p> 1056 <p> 1057 Own Id: OTP-14655</p> 1058 </item> 1059 </list> 1060 </section> 1061 1062</section> 1063 1064<section><title>SSL 8.2.1</title> 1065 1066 <section><title>Fixed Bugs and Malfunctions</title> 1067 <list> 1068 <item> 1069 <p> 1070 Max session table works correctly again</p> 1071 <p> 1072 Own Id: OTP-14556</p> 1073 </item> 1074 </list> 1075 </section> 1076 1077 1078 <section><title>Improvements and New Features</title> 1079 <list> 1080 <item> 1081 <p> 1082 Customize alert handling for DTLS over UDP to mitigate 1083 DoS attacks</p> 1084 <p> 1085 Own Id: OTP-14078</p> 1086 </item> 1087 <item> 1088 <p> 1089 Improved error propagation and reports</p> 1090 <p> 1091 Own Id: OTP-14236</p> 1092 </item> 1093 </list> 1094 </section> 1095 1096</section> 1097 1098<section><title>SSL 8.2</title> 1099 1100 <section><title>Fixed Bugs and Malfunctions</title> 1101 <list> 1102 <item> 1103 <p> 1104 ECDH-ECDSA key exchange supported, was accidently 1105 dismissed in earlier versions.</p> 1106 <p> 1107 Own Id: OTP-14421</p> 1108 </item> 1109 <item> 1110 <p> 1111 Correct close semantics for active once connections. 
This 1112 was a timing dependent bug the resulted in the close 1113 message not always reaching the ssl user process.</p> 1114 <p> 1115 Own Id: OTP-14443</p> 1116 </item> 1117 </list> 1118 </section> 1119 1120 1121 <section><title>Improvements and New Features</title> 1122 <list> 1123 <item> 1124 <p> 1125 TLS-1.2 clients will now always send hello messages on 1126 its own format, as opposed to earlier versions that will 1127 send the hello on the lowest supported version, this is a 1128 change supported by the latest RFC.</p> 1129 <p> 1130 This will make interoperability with some newer servers 1131 smoother. Potentially, but unlikely, this could cause a 1132 problem with older servers if they do not adhere to the 1133 RFC and ignore unknown extensions.</p> 1134 <p> 1135 *** POTENTIAL INCOMPATIBILITY ***</p> 1136 <p> 1137 Own Id: OTP-13820</p> 1138 </item> 1139 <item> 1140 <p> 1141 Allow Erlang/OTP to use OpenSSL in FIPS-140 mode, in 1142 order to satisfy specific security requirements (mostly 1143 by different parts of the US federal government). </p> 1144 <p> 1145 See the new crypto users guide "FIPS mode" chapter about 1146 building and using the FIPS support which is disabled by 1147 default.</p> 1148 <p> 1149 (Thanks to dszoboszlay and legoscia)</p> 1150 <p> 1151 Own Id: OTP-13921 Aux Id: PR-1180 </p> 1152 </item> 1153 <item> 1154 <p> 1155 Implemented DTLS cookie generation, required by spec, 1156 instead of using a hardcoded value.</p> 1157 <p> 1158 Own Id: OTP-14076</p> 1159 </item> 1160 <item> 1161 <p> 1162 Implement sliding window replay protection of DTLS 1163 records.</p> 1164 <p> 1165 Own Id: OTP-14077</p> 1166 </item> 1167 <item> 1168 <p> 1169 TLS client processes will by default call 1170 public_key:pkix_verify_hostname/2 to verify the hostname 1171 of the connection with the server certificates specified 1172 hostname during certificate path validation. The user may 1173 explicitly disables it. 
          Also, if the hostname cannot be derived from the first argument to
          connect or is not supplied by the server name indication option, the
          check will not be performed.</p>
        <p>
          Own Id: OTP-14197</p>
      </item>
      <item>
        <p>
          Extend connection_information/[1,2]. The values session_id,
          master_secret, client_random and server_random can now be accessed
          by connection_information/2. Note that only session_id will be added
          to connection_information/1. The rationale is that values concerning
          the connection security should have to be explicitly requested.</p>
        <p>
          Own Id: OTP-14291</p>
      </item>
      <item>
        <p>
          Chacha cipher suites are currently not tested enough to be the most
          preferred ones.</p>
        <p>
          Own Id: OTP-14382</p>
      </item>
      <item>
        <p>
          Basic support for DTLS that has been tested together with OpenSSL.</p>
        <p>
          Test by providing the option {protocol, dtls} to the ssl API
          functions connect and listen.</p>
        <p>
          Own Id: OTP-14388</p>
      </item>
    </list>
  </section>
</section>

<section><title>SSL 8.1.3.1.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Fix alert handling so that unexpected messages are logged and
          alerted correctly.</p>
        <p>
          Own Id: OTP-14929</p>
      </item>
    </list>
  </section>
</section>

<section><title>SSL 8.1.3.1</title>
  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p> An Erlang TLS server configured with cipher suites using RSA key
          exchange may be vulnerable to an Adaptive Chosen Ciphertext attack
          (AKA Bleichenbacher attack) against RSA, which when exploited may
          result in plaintext recovery of encrypted messages and/or a
          Man-in-the-middle (MiTM) attack, despite the attacker not having
          gained access to the server’s private key itself.
          <url href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000385">CVE-2017-1000385</url>
        </p>
        <p> Exploiting this vulnerability to perform plaintext recovery of
          encrypted messages will, in most practical cases, allow an attacker
          to read the plaintext only after the session has completed. Only TLS
          sessions established using RSA key exchange are vulnerable to this
          attack. </p>
        <p> Exploiting this vulnerability to conduct a MiTM attack requires
          the attacker to complete the initial attack, which may require
          thousands of server requests, during the handshake phase of the
          targeted session, within the window of the configured handshake
          timeout. This attack may be conducted against any TLS session using
          RSA signatures, but only if cipher suites using RSA key exchange are
          also enabled on the server. The limited window of opportunity,
          limitations in bandwidth, and latency make this attack significantly
          more difficult to execute. </p>
        <p> RSA key exchange is enabled by default, although least
          prioritized if server order is honored. For such a cipher suite to
          be chosen it must also be supported by the client, and it will
          probably be the only shared cipher suite. </p>
        <p> Captured TLS sessions encrypted with ephemeral cipher suites (DHE
          or ECDHE) are not at risk of subsequent decryption due to this
          vulnerability. </p>
        <p> As a workaround, if the default cipher suite configuration was
          used, you can configure the server not to use vulnerable suites with
          the ciphers option like this: </p>
        <c> {ciphers, [Suite || Suite &lt;- ssl:cipher_suites(), element(1,Suite) =/= rsa]} </c>
        <p> That is, your code will look something like this: </p>
        <c> ssl:listen(Port, [{ciphers, [Suite || Suite &lt;- ssl:cipher_suites(), element(1,Suite) =/= rsa]} | Options]). </c>
        <p> Thanks to Hanno Böck, Juraj Somorovsky and Craig Young for
          reporting this vulnerability.
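        </p>
        <p> The workaround above, as an added example that is not part of
          these release notes or of the ssl application: an Erlang module
          (its module and function names are the example's own, and it
          assumes ssl:cipher_suites/0 is available as in the releases these
          notes cover) that removes RSA key exchange suites from the suite
          formats ssl:cipher_suites/0 and ssl:cipher_suites/2 return, audits
          a configured ciphers list for remaining ones, and wraps
          ssl:listen/2 so that a server is not started with such a suite. It
          also serves the identical advisory entries for SSL 7.3.3.2 and
          SSL 7.3.3.0.1 below. </p>
```erlang
%% Added example, not code from the OTP release notes or from the ssl
%% application itself; module and function names are the example's own.
-module(no_rsa_kex).
-export([key_exchange/1, safe_suites/1, unsafe_suites/1,
         server_ciphers/0, listen/2]).

%% Key exchange algorithm of one cipher suite. Handles the suite formats
%% ssl:cipher_suites/0 has returned across the releases in these notes, the
%% 3-tuple {KeyExchange, Cipher, Mac} and the TLS 1.2 4-tuple
%% {KeyExchange, Cipher, Mac, Prf}, plus the map form that later releases
%% return from ssl:cipher_suites/2. Anything else is reported as unknown
%% rather than guessed.
key_exchange({Kex, _Cipher, _Mac}) when is_atom(Kex) -> Kex;
key_exchange({Kex, _Cipher, _Mac, _Prf}) when is_atom(Kex) -> Kex;
key_exchange(#{key_exchange := Kex}) when is_atom(Kex) -> Kex;
key_exchange(_Other) -> unknown.

%% Static RSA key exchange is what the advisory concerns. DHE and ECDHE
%% suites such as dhe_rsa and ecdhe_rsa use RSA for signatures only and are
%% kept. Entries that could not be classified (for example an OpenSSL-style
%% cipher string, which is a list of characters) count as unsafe, so an
%% unexpected format cannot slip past the check.
is_unsafe(Suite) ->
    case key_exchange(Suite) of
        rsa     -> true;
        unknown -> true;
        _Kex    -> false
    end.

%% The advisory's filter in lists:filter/2 form: keep only suites that do
%% not use RSA key exchange.
safe_suites(Suites) ->
    lists:filter(fun(S) -> not is_unsafe(S) end, Suites).

%% Audit a configured ciphers list: returns the offending entries, so an
%% empty result means the list is clean.
unsafe_suites(Suites) ->
    lists:filter(fun is_unsafe/1, Suites).

%% The workaround from the advisory applied to the default suite list.
server_ciphers() ->
    safe_suites(ssl:cipher_suites()).

%% ssl:listen/2 wrapper: supplies the filtered list when the caller gave no
%% ciphers option, and refuses a caller-supplied list that still enables RSA
%% key exchange instead of silently starting an exposed server. All other
%% options are passed through unchanged.
listen(Port, Options) ->
    case proplists:get_value(ciphers, Options) of
        undefined ->
            ssl:listen(Port, [{ciphers, server_ciphers()} | Options]);
        Ciphers ->
            case unsafe_suites(Ciphers) of
                []  -> ssl:listen(Port, Options);
                Bad -> {error, {rsa_key_exchange_enabled, Bad}}
            end
    end.
```
        <p> The wrapper only guards the server side, which is what the
          advisory concerns; unsafe_suites/1 on its own can be run against a
          ciphers list read from an application's configuration to audit an
          existing deployment.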
        </p>
        <p>
          Own Id: OTP-14748</p>
      </item>
    </list>
  </section>
</section>

<section><title>SSL 8.1.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Remove debug printout.</p>
        <p>
          Own Id: OTP-14396</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.1.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct active once emulation for TLS. Now all data received by the
          connection process will be delivered through active once, even when
          the active once request arrives after the gen_tcp socket has been
          closed by the peer.</p>
        <p>
          Own Id: OTP-14300</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.1.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Corrected termination behavior that caused a PEM cache bug and
          sometimes resulted in connection failures.</p>
        <p>
          Own Id: OTP-14100</p>
      </item>
      <item>
        <p>
          Fix bug that could hang ssl connection processes when failing to
          request more data for very large handshake packages. Add option
          max_handshake_size to mitigate DoS attacks.</p>
        <p>
          Own Id: OTP-14138</p>
      </item>
      <item>
        <p>
          Improved support for CRL handling, which could fail to work as
          intended when an id-ce-extKeyUsage was present in the certificate.
          Distribution point handling was also improved so that all
          revocations are actually found rather than deemed undeterminable.</p>
        <p>
          Own Id: OTP-14141</p>
      </item>
      <item>
        <p>
          A TLS handshake might accidentally match the old SSLv2 format, and
          the ssl application would then incorrectly abort the TLS handshake
          with ssl_v2_client_hello_no_supported. Parsing was altered to avoid
          this problem.</p>
        <p>
          Own Id: OTP-14222</p>
      </item>
      <item>
        <p>
          Correct default cipher list to prefer AES 128 before 3DES.</p>
        <p>
          Own Id: OTP-14235</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Move PEM cache to a dedicated process, to avoid making the SSL
          manager process a bottleneck. This improves scalability of TLS
          connections.</p>
        <p>
          Own Id: OTP-13874</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          The list of possible anonymous suites, never supported by default,
          was incorrect for some TLS versions.</p>
        <p>
          Own Id: OTP-13926</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Experimental version of DTLS. It is runnable but not complete and
          cannot be considered reliable for production usage.</p>
        <p>
          Own Id: OTP-12982</p>
      </item>
      <item>
        <p>
          Add API options to handle ECC curve selection.</p>
        <p>
          Own Id: OTP-13959</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.0.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          A timing related bug in event handling could cause interoperability
          problems between an Erlang TLS server and some TLS clients,
          especially noticed with Firefox as TLS client.</p>
        <p>
          Own Id: OTP-13917</p>
      </item>
      <item>
        <p>
          Correct ECC curve selection; the error could cause the default curve
          to always be selected.</p>
        <p>
          Own Id: OTP-13918</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.0.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correctly formed handshake messages received out of order will now
          correctly fail the connection with unexpected message.</p>
        <p>
          Own Id: OTP-13853</p>
      </item>

      <item>
        <p>Correct handling of signature algorithm selection.</p>
        <p>
          Own Id: OTP-13711</p>
      </item>

    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          The ssl application now behaves gracefully also on partially
          incorrect input from the peer.</p>
        <p>
          Own Id: OTP-13834</p>
      </item>
      <item>
        <p>
          Add application environment configuration bypass_pem_cache. This
          can be used as a workaround for the current implementation of the
          PEM cache, which has proven to be a bottleneck.</p>
        <p>
          Own Id: OTP-13883</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.0.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          The TLS/SSL protocol version selection for the SSL server has been
          corrected to follow RFC 5246 Appendix E.1, especially in the case
          where the list of supported versions has gaps. Now the server
          selects the highest protocol version it supports that is not higher
          than what the client supports.</p>
        <p>
          Own Id: OTP-13753 Aux Id: seq13150 </p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 8.0</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          The server now rejects a client certificate that was not requested
          as an incorrect handshake message and ends the connection.</p>
        <p>
          Own Id: OTP-13651</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Remove default support for DES cipher suites.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-13195</p>
      </item>
      <item>
        <p>
          Deprecate the function <c>crypto:rand_bytes</c> and make sure that
          <c>crypto:strong_rand_bytes</c> is used in all places that are
          cryptographically significant.</p>
        <p>
          Own Id: OTP-13214</p>
      </item>
      <item>
        <p>
          Better error handling of user error during TLS upgrade. ERL-69 is
          solved by the gen_statem rewrite of the ssl application.</p>
        <p>
          Own Id: OTP-13255</p>
      </item>
      <item>
        <p>
          Provide a user friendly error message when crypto rejects a key.</p>
        <p>
          Own Id: OTP-13256</p>
      </item>
      <item>
        <p>
          Add ssl:getstat/1 and ssl:getstat/2.</p>
        <p>
          Own Id: OTP-13415</p>
      </item>
      <item>
        <p>
          TLS distribution connections now allow specifying the options
          <c>verify_fun</c>, <c>crl_check</c> and <c>crl_cache</c>. See the
          documentation. GitHub pull request #956 contributed by Magnus
          Henoch.</p>
        <p>
          Own Id: OTP-13429 Aux Id: Pull#956 </p>
      </item>
      <item>
        <p>
          Remove confusing error message when closing a distributed Erlang
          node running over TLS.</p>
        <p>
          Own Id: OTP-13431</p>
      </item>
      <item>
        <p>
          Remove default support for use of md5 in TLS 1.2 signature
          algorithms.</p>
        <p>
          Own Id: OTP-13463</p>
      </item>
      <item>
        <p>
          ssl now uses gen_statem instead of gen_fsm to implement the ssl
          connection process. This solves some timing issues, in addition to
          making the code more intuitive, as the behaviour can be used cleanly
          instead of requiring a lot of workarounds for shortcomings of the
          old behaviour.</p>
        <p>
          Own Id: OTP-13464</p>
      </item>
      <item>
        <p>
          Phase out interoperability with clients that offer SSLv2. By default
          they are no longer supported, but an option to provide
          interoperability is offered.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-13465</p>
      </item>
      <item>
        <p>
          OpenSSL has functions to generate short (eight hex digit) hashes of
          issuers of certificates and CRLs. These hashes are used by the
          "c_rehash" script to populate directories of CA certificates and
          CRLs, e.g. in the Apache web server. Add functionality to let an
          Erlang program find the right CRL for a given certificate in such a
          directory.</p>
        <p>
          Own Id: OTP-13530</p>
      </item>
      <item>
        <p>
          Some legacy TLS 1.0 software does not tolerate the 1/n-1 content
          split BEAST mitigation technique. Add a beast_mitigation SSL option
          (defaulting to one_n_minus_one) to select or disable the BEAST
          mitigation technique.</p>
        <p>
          Own Id: OTP-13629</p>
      </item>
      <item>
        <p>
          Enhance error log messages to make it easier for users to
          understand the error.</p>
        <p>
          Own Id: OTP-13632</p>
      </item>
      <item>
        <p>
          Increased default DH params to 2048-bit.</p>
        <p>
          Own Id: OTP-13636</p>
      </item>
      <item>
        <p>
          Propagate CRL unknown CA error so that the public_key validation
          process continues correctly and determines what should happen.</p>
        <p>
          Own Id: OTP-13656</p>
      </item>
      <item>
        <p>
          Introduce a flight concept for handshake packages. This is a
          preparation for enabling DTLS; however, it can also have a positive
          effect for TLS on slow and unreliable networks.</p>
        <p>
          Own Id: OTP-13678</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.3.3.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p> An Erlang TLS server configured with cipher suites using RSA key
          exchange may be vulnerable to an Adaptive Chosen Ciphertext attack
          (AKA Bleichenbacher attack) against RSA, which when exploited may
          result in plaintext recovery of encrypted messages and/or a
          Man-in-the-middle (MiTM) attack, despite the attacker not having
          gained access to the server’s private key itself.
          <url href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000385">CVE-2017-1000385</url>
        </p>
        <p> Exploiting this vulnerability to perform plaintext recovery of
          encrypted messages will, in most practical cases, allow an attacker
          to read the plaintext only after the session has completed. Only TLS
          sessions established using RSA key exchange are vulnerable to this
          attack. </p>
        <p> Exploiting this vulnerability to conduct a MiTM attack requires
          the attacker to complete the initial attack, which may require
          thousands of server requests, during the handshake phase of the
          targeted session, within the window of the configured handshake
          timeout. This attack may be conducted against any TLS session using
          RSA signatures, but only if cipher suites using RSA key exchange are
          also enabled on the server. The limited window of opportunity,
          limitations in bandwidth, and latency make this attack significantly
          more difficult to execute. </p>
        <p> RSA key exchange is enabled by default, although least
          prioritized if server order is honored. For such a cipher suite to
          be chosen it must also be supported by the client, and it will
          probably be the only shared cipher suite. </p>
        <p> Captured TLS sessions encrypted with ephemeral cipher suites (DHE
          or ECDHE) are not at risk of subsequent decryption due to this
          vulnerability. </p>
        <p> As a workaround, if the default cipher suite configuration was
          used, you can configure the server not to use vulnerable suites with
          the ciphers option like this: </p>
        <c> {ciphers, [Suite || Suite &lt;- ssl:cipher_suites(), element(1,Suite) =/= rsa]} </c>
        <p> That is, your code will look something like this: </p>
        <c> ssl:listen(Port, [{ciphers, [Suite || Suite &lt;- ssl:cipher_suites(), element(1,Suite) =/= rsa]} | Options]). </c>
        <p> Thanks to Hanno Böck, Juraj Somorovsky and Craig Young for
          reporting this vulnerability. </p>
        <p>
          Own Id: OTP-14748</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.3.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct ssl:prf/5 to use the negotiated cipher suite's prf function
          instead of the default prf.</p>
        <p>
          Own Id: OTP-13546</p>
      </item>
      <item>
        <p>
          Timeouts may have the value 0; guards have been corrected to allow
          this.</p>
        <p>
          Own Id: OTP-13635</p>
      </item>
      <item>
        <p>
          Changed the internal handling of hash-sign pairs, as the previous
          one enforced too many restrictions, making some valid combinations
          unavailable.</p>
        <p>
          Own Id: OTP-13670</p>
      </item>
    </list>
  </section>

  <section><title>SSL 7.3.3.0.1</title>

    <section><title>Fixed Bugs and Malfunctions</title>
      <list>
        <item>
          <p> An Erlang TLS server configured with cipher suites using RSA
            key exchange may be vulnerable to an Adaptive Chosen Ciphertext
            attack (AKA Bleichenbacher attack) against RSA, which when
            exploited may result in plaintext recovery of encrypted messages
            and/or a Man-in-the-middle (MiTM) attack, despite the attacker
            not having gained access to the server’s private key itself.
            <url href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000385">CVE-2017-1000385</url>
          </p>
          <p> Exploiting this vulnerability to perform plaintext recovery of
            encrypted messages will, in most practical cases, allow an
            attacker to read the plaintext only after the session has
            completed. Only TLS sessions established using RSA key exchange
            are vulnerable to this attack. </p>
          <p> Exploiting this vulnerability to conduct a MiTM attack requires
            the attacker to complete the initial attack, which may require
            thousands of server requests, during the handshake phase of the
            targeted session, within the window of the configured handshake
            timeout. This attack may be conducted against any TLS session
            using RSA signatures, but only if cipher suites using RSA key
            exchange are also enabled on the server. The limited window of
            opportunity, limitations in bandwidth, and latency make this
            attack significantly more difficult to execute. </p>
          <p> RSA key exchange is enabled by default, although least
            prioritized if server order is honored. For such a cipher suite
            to be chosen it must also be supported by the client, and it will
            probably be the only shared cipher suite. </p>
          <p> Captured TLS sessions encrypted with ephemeral cipher suites
            (DHE or ECDHE) are not at risk of subsequent decryption due to
            this vulnerability. </p>
          <p> As a workaround, if the default cipher suite configuration was
            used, you can configure the server not to use vulnerable suites
            with the ciphers option like this: </p>
          <c> {ciphers, [Suite || Suite &lt;- ssl:cipher_suites(), element(1,Suite) =/= rsa]} </c>
          <p> That is, your code will look something like this: </p>
          <c> ssl:listen(Port, [{ciphers, [Suite || Suite &lt;- ssl:cipher_suites(), element(1,Suite) =/= rsa]} | Options]). </c>
          <p> Thanks to Hanno Böck, Juraj Somorovsky and Craig Young for
            reporting this vulnerability. </p>
          <p>
            Own Id: OTP-14748</p>
        </item>
      </list>
    </section>

  </section>
  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Create a little randomness in the sending of session invalidation
          messages, to mitigate load when the whole table is invalidated.</p>
        <p>
          Own Id: OTP-13490</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.3.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Correct cipher suites conversion and guard expression. This caused
          problems with GCM cipher suites and the client side option to set
          signature_algorithms extension values.</p>
        <p>
          Own Id: OTP-13525</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.3.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Corrections to cipher suite handling using the 3 and 4 tuple format,
          in addition to commit 89d7e21cf4ae988c57c8ef047bfe85127875c70c.</p>
        <p>
          Own Id: OTP-13511</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Make values for the TLS-1.2 signature_algorithms extension
          configurable.</p>
        <p>
          Own Id: OTP-13261</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.3</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Make sure there is only one poller validator at a time for
          validating the session cache.</p>
        <p>
          Own Id: OTP-13185</p>
      </item>
      <item>
        <p>
          A timing related issue could cause ssl to hang; this happened
          especially with newer versions of OpenSSL in combination with ECC
          ciphers.</p>
        <p>
          Own Id: OTP-13253</p>
      </item>
      <item>
        <p>
          Work around a race condition in the TLS distribution start.</p>
        <p>
          Own Id: OTP-13268</p>
      </item>
      <item>
        <p>
          Big handshake messages are now correctly fragmented in the TLS
          record layer.</p>
        <p>
          Own Id: OTP-13306</p>
      </item>
      <item>
        <p>
          Improve portability of ECC tests in Crypto and SSL for "exotic"
          OpenSSL versions.</p>
        <p>
          Own Id: OTP-13311</p>
      </item>
      <item>
        <p>
          Certificate extensions marked as critical are ignored when using
          verify_none.</p>
        <p>
          Own Id: OTP-13377</p>
      </item>
      <item>
        <p>
          If a certificate doesn't contain a CRL Distribution Points
          extension, and the relevant CRL is not in the cache, and the
          <c>crl_check</c> option is not set to <c>best_effort</c>, the
          revocation check should fail.</p>
        <p>
          Own Id: OTP-13378</p>
      </item>
      <item>
        <p>
          Enable TLS distribution over IPv6.</p>
        <p>
          Own Id: OTP-13391</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Improve error reporting for TLS distribution.</p>
        <p>
          Own Id: OTP-13219</p>
      </item>
      <item>
        <p>
          Include options from connect, listen and accept in
          <c>connection_information/1,2</c>.</p>
        <p>
          Own Id: OTP-13232</p>
      </item>
      <item>
        <p>
          Allow adding extra options for outgoing TLS distribution
          connections, as supported for plain TCP connections.</p>
        <p>
          Own Id: OTP-13285</p>
      </item>
      <item>
        <p>
          Use loopback as server option in the TLS distribution module.</p>
        <p>
          Own Id: OTP-13300</p>
      </item>
      <item>
        <p>
          Verify certificate signature against the original certificate
          binary.</p>
        <p>
          This avoids bugs due to encoding errors when re-encoding a decoded
          certificate. As there are several decode steps, using different
          ASN.1 specifications, this is a risk worth avoiding.</p>
        <p>
          Own Id: OTP-13334</p>
      </item>
      <item>
        <p>
          Use <c>application:ensure_all_started/2</c> instead of hard-coding
          dependencies.</p>
        <p>
          Own Id: OTP-13363</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.2</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Honor distribution port range options.</p>
        <p>
          Own Id: OTP-12838</p>
      </item>
      <item>
        <p>
          Correct supervisor specification in TLS distribution.</p>
        <p>
          Own Id: OTP-13134</p>
      </item>
      <item>
        <p>
          Correct cache timeout.</p>
        <p>
          Own Id: OTP-13141</p>
      </item>
      <item>
        <p>
          Avoid crash and restart of the ssl process when the key file does
          not exist.</p>
        <p>
          Own Id: OTP-13144</p>
      </item>
      <item>
        <p>
          Enable passing of raw socket options on the format {raw,_,_,_} to
          the underlying socket.</p>
        <p>
          Own Id: OTP-13166</p>
      </item>
      <item>
        <p>
          Hibernation with a small or a zero timeout will now work as
          expected.</p>
        <p>
          Own Id: OTP-13189</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Add upper limit for session cache, configurable on ssl application
          level.</p>
        <p>
          If the upper limit is reached, the current cache entries are
          invalidated, i.e. the session lifetime is the maximum time a session
          will be kept, but it may be invalidated earlier if the max limit
          for the table is reached. This will keep the ssl manager process
          well behaved, not exhausting memory. Invalidating the entries will
          incrementally empty the cache to make room for fresh session
          entries.</p>
        <p>
          Own Id: OTP-12392</p>
      </item>
      <item>
        <p>
          Use new time functions to measure passed time.</p>
        <p>
          Own Id: OTP-12457</p>
      </item>
      <item>
        <p>
          Improved error handling in TLS distribution.</p>
        <p>
          Own Id: OTP-13142</p>
      </item>
      <item>
        <p>
          Distribution over TLS now honors the nodelay distribution flag.</p>
        <p>
          Own Id: OTP-13143</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.1</title>
  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Add DER encoded ECPrivateKey as valid input format for the key
          option.</p>
        <p>
          Own Id: OTP-12974</p>
      </item>
      <item>
        <p>
          Correct return value of default session callback module.</p>
        <p>
          This error had the symptom that the client check for a unique
          session would always fail, potentially making the client session
          table grow a lot and causing long setup times.</p>
        <p>
          Own Id: OTP-12980</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Add possibility to downgrade an SSL/TLS connection to a tcp
          connection, and give back the socket control to a user process.</p>
        <p>
          This also adds the possibility to specify a timeout to the
          ssl:close function.</p>
        <p>
          Own Id: OTP-11397</p>
      </item>
      <item>
        <p>
          Add application setting to be able to change the fatal alert
          shutdown timeout, and also shorten the default timeout. The fatal
          alert timeout is the number of milliseconds between sending a fatal
          alert and closing the connection. Waiting a little while improves
          the peer's chances of properly receiving the alert so it may shut
          down gracefully.</p>
        <p>
          Own Id: OTP-12832</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 7.0</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Ignore signature_algorithm (TLS 1.2 extension) sent to a TLS 1.0 or
          TLS 1.1 server.</p>
        <p>
          Own Id: OTP-12670</p>
      </item>
      <item>
        <p>
          Improve error handling in TLS distribution module to avoid
          lingering sockets.</p>
        <p>
          Own Id: OTP-12799 Aux Id: Tom Briden </p>
      </item>
      <item>
        <p>
          Add the option {client_renegotiation, boolean()} to the server side
          of the SSL application.</p>
        <p>
          Own Id: OTP-12815</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Add new API functions to handle CRL verification.</p>
        <p>
          Own Id: OTP-10362 Aux Id: kunagi-215 [126] </p>
      </item>
      <item>
        <p>
          Remove default support for SSL-3.0, due to the Poodle vulnerability
          in the protocol specification.</p>
        <p>
          Add padding check for TLS-1.0 to remove the Poodle vulnerability
          from TLS 1.0; also add the option padding_check. This option only
          affects TLS-1.0 connections, and if set to false it disables the
          block cipher padding check to be able to interoperate with legacy
          software.</p>
        <p>
          Remove default support for RC4 cipher suites, as they are
          considered too weak.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-12390</p>
      </item>
      <item>
        <p>
          Add support for the TLS ALPN (Application-Layer Protocol
          Negotiation) extension.</p>
        <p>
          Own Id: OTP-12580</p>
      </item>
      <item>
        <p>
          Add SNI (Server Name Indication) support for the server side.</p>
        <p>
          Own Id: OTP-12736</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 6.0.1.1</title>
  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Gracefully ignore proprietary hash_sign algorithms.</p>
        <p>
          Own Id: OTP-12829</p>
      </item>
    </list>
  </section>
</section>

<section><title>SSL 6.0.1</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Terminate gracefully when receiving bad input to the premaster
          secret calculation.</p>
        <p>
          Own Id: OTP-12783</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 6.0</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Exclude self-signed trusted anchor certificates from the prospective
          certification path according to RFC 3280.</p>
        <p>
          This will avoid some unnecessary certificate processing.</p>
        <p>
          Own Id: OTP-12449</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Separate client and server session cache internally.</p>
        <p>
          Avoid session table growth when a client starts many connections in
          such a manner that many connections are started before session
          reuse is possible. Only save a new session in the client if there is
          no equivalent session already stored.</p>
        <p>
          Own Id: OTP-11365</p>
      </item>
      <item>
        <p>
          The PEM cache is now validated by a background process, instead of
          always keeping it if it is small enough and clearing it otherwise.
          That strategy required that small caches were cleared by an API
          function if a file changed on disk.</p>
        <p>
          However, the API function to clear the cache is still exported, as
          it may still be useful.</p>
        <p>
          Own Id: OTP-12391</p>
      </item>
      <item>
        <p>
          Add padding check for TLS-1.0 to remove the Poodle vulnerability
          from TLS 1.0; also add the option padding_check. This option only
          affects TLS-1.0 connections, and if set to false it disables the
          block cipher padding check to be able to interoperate with legacy
          software.</p>
        <p>
          *** POTENTIAL INCOMPATIBILITY ***</p>
        <p>
          Own Id: OTP-12420</p>
      </item>
      <item>
        <p>
          Add support for TLS_FALLBACK_SCSV, used to prevent undesired TLS
          version downgrades. If used by a client that is vulnerable to the
          POODLE attack, and the server also supports TLS_FALLBACK_SCSV, the
          attack can be prevented.</p>
        <p>
          Own Id: OTP-12458</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 5.3.8</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Make sure the clean rule for ssh, ssl, eunit and otp_mibs actually
          removes generated files.</p>
        <p>
          Own Id: OTP-12200</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Change code to reflect that state data may be secret, to avoid
          breaking dialyzer contracts.</p>
        <p>
          Own Id: OTP-12341</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 5.3.7</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Handle the fact that servers may send an empty SNI extension to the
          client.</p>
        <p>
          Own Id: OTP-12198</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 5.3.6</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          Corrected handling of ECC certificates; there were several small
          issues with the handling of such certificates in the ssl and
          public_key applications. Now ECC-signed ECC certificates shall
          work, and not only RSA-signed ECC certificates.</p>
        <p>
          Own Id: OTP-12026</p>
      </item>
      <item>
        <p>
          Check that the certificate chain ends with a trusted ROOT CA, i.e.
          a self-signed certificate, but provide an option partial_chain to
          enable the application to define an intermediate CA as trusted.</p>
        <p>
          Own Id: OTP-12149</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Add decode functions for SNI (Server Name Indication).</p>
        <p>
          Own Id: OTP-12048</p>
      </item>
    </list>
  </section>

</section>

<section><title>SSL 5.3.5</title>

  <section><title>Fixed Bugs and Malfunctions</title>
    <list>
      <item>
        <p>
          ssl:recv now returns {error, einval} if applied to a non-passive
          socket, the same as gen_tcp:recv. </p>
        <p>
          Thanks to Danil Zagoskin for reporting this issue.</p>
        <p>
          Own Id: OTP-11878</p>
      </item>
      <item>
        <p>
          Corrected handling of default values for the signature_algorithms
          extension in TLS-1.2 and the corresponding values used in previous
          versions that do not support this extension. </p>
        <p>
          Thanks to Danil Zagoskin.</p>
        <p>
          Own Id: OTP-11886</p>
      </item>
      <item>
        <p>
          Handle socket option inheritance when pooling of accept sockets is
          used.</p>
        <p>
          Own Id: OTP-11897</p>
      </item>
      <item>
        <p>
          Make sure that the list of versions, possibly supplied in the
          versions option, is not order dependent.</p>
        <p>
          Thanks to Ransom Richardson for reporting this issue.</p>
        <p>
          Own Id: OTP-11912</p>
      </item>
      <item>
        <p>
          Reject connection if the next_protocol message is sent twice.</p>
        <p>
          Own Id: OTP-11926</p>
      </item>
      <item>
        <p>
          Correct options handling when ssl:ssl_accept/3 is called with new
          ssl options after calling ssl:listen/2.</p>
        <p>
          Own Id: OTP-11950</p>
      </item>
    </list>
  </section>

  <section><title>Improvements and New Features</title>
    <list>
      <item>
        <p>
          Gracefully handle unknown alerts.</p>
        <p>
          Thanks to Atul Atri for reporting this issue.</p>
        <p>
          Own Id: OTP-11874</p>
      </item>
      <item>
        <p>
          Gracefully ignore cipher suites sent by a client that are not
          supported by the SSL/TLS version that the client has negotiated.</p>
        <p>
          Thanks to Danil Zagoskin for reporting this issue.</p>
        <p>
          Own Id: OTP-11875</p>
      </item>
      <item>
        <p>
          Gracefully handle structured garbage, i.e. a client sends some
          garbage in an ssl record instead of a valid fragment.</p>
        <p>
          Thanks to Danil Zagoskin.</p>
        <p>
          Own Id: OTP-11880</p>
      </item>
      <item>
        <p>
          Gracefully handle invalid alerts.</p>
        <p>
          Own Id: OTP-11890</p>
      </item>
      <item>
        <p>
          Generalize handling of default ciphers.</p>
        <p>
          Thanks to Andreas Schultz.</p>
        <p>
          Own Id: OTP-11966</p>
      </item>
      <item>
        <p>
          Make sure change cipher spec is correctly handled.</p>
2483 <p> 2484 Own Id: OTP-11975</p> 2485 </item> 2486 </list> 2487 </section> 2488 2489</section> 2490 2491<section><title>SSL 5.3.4</title> 2492 2493 <section><title>Fixed Bugs and Malfunctions</title> 2494 <list> 2495 <item> 2496 <p> 2497 Fix incorrect dialyzer spec and types, also enhance 2498 documentation. </p> 2499 <p> 2500 Thanks to Ayaz Tuncer.</p> 2501 <p> 2502 Own Id: OTP-11627</p> 2503 </item> 2504 <item> 2505 <p> 2506 Fix possible mismatch between SSL/TLS version and default 2507 ciphers. Could happen when you specified SSL/TLS-version 2508 in optionlist to listen or accept.</p> 2509 <p> 2510 Own Id: OTP-11712</p> 2511 </item> 2512 <item> 2513 <p> 2514 Application upgrade (appup) files are corrected for the 2515 following applications: </p> 2516 <p> 2517 <c>asn1, common_test, compiler, crypto, debugger, 2518 dialyzer, edoc, eldap, erl_docgen, et, eunit, gs, hipe, 2519 inets, observer, odbc, os_mon, otp_mibs, parsetools, 2520 percept, public_key, reltool, runtime_tools, ssh, 2521 syntax_tools, test_server, tools, typer, webtool, wx, 2522 xmerl</c></p> 2523 <p> 2524 A new test utility for testing appup files is added to 2525 test_server. This is now used by most applications in 2526 OTP.</p> 2527 <p> 2528 (Thanks to Tobias Schlager)</p> 2529 <p> 2530 Own Id: OTP-11744</p> 2531 </item> 2532 </list> 2533 </section> 2534 2535 2536 <section><title>Improvements and New Features</title> 2537 <list> 2538 <item> 2539 <p> 2540 Moved elliptic curve definition from the crypto 2541 NIF/OpenSSL into Erlang code, adds the RFC-5639 brainpool 2542 curves and makes TLS use them (RFC-7027).</p> 2543 <p> 2544 Thanks to Andreas Schultz</p> 2545 <p> 2546 Own Id: OTP-11578</p> 2547 </item> 2548 <item> 2549 <p> 2550 Unicode adaptations</p> 2551 <p> 2552 Own Id: OTP-11620</p> 2553 </item> 2554 <item> 2555 <p> 2556 Added option honor_cipher_order. 
This instructs the 2557 server to prefer its own cipher ordering rather than the 2558 client's and can help protect against things like BEAST 2559 while maintaining compatability with clients which only 2560 support older ciphers. </p> 2561 <p> 2562 Thanks to Andrew Thompson for the implementation, and 2563 Andreas Schultz for the test cases.</p> 2564 <p> 2565 Own Id: OTP-11621</p> 2566 </item> 2567 <item> 2568 <p> 2569 Replace boolean checking in validate_option with 2570 is_boolean guard. </p> 2571 <p> 2572 Thanks to Andreas Schultz.</p> 2573 <p> 2574 Own Id: OTP-11634</p> 2575 </item> 2576 <item> 2577 <p> 2578 Some function specs are corrected or moved and some edoc 2579 comments are corrected in order to allow use of edoc. 2580 (Thanks to Pierre Fenoll)</p> 2581 <p> 2582 Own Id: OTP-11702</p> 2583 </item> 2584 <item> 2585 <p> 2586 Correct clean up of certificate database when certs are 2587 inputed in pure DER format.The incorrect code could cause 2588 a memory leek when certs where inputed in DER. Thanks to 2589 Bernard Duggan for reporting this.</p> 2590 <p> 2591 Own Id: OTP-11733</p> 2592 </item> 2593 <item> 2594 <p> 2595 Improved documentation of the cacertfile option</p> 2596 <p> 2597 Own Id: OTP-11759 Aux Id: seq12535 </p> 2598 </item> 2599 <item> 2600 <p> 2601 Avoid next protocol negotiation failure due to incorrect 2602 option format.</p> 2603 <p> 2604 Own Id: OTP-11760</p> 2605 </item> 2606 <item> 2607 <p> 2608 Handle v1 CRLs, with no extensions and fixes issues with 2609 IDP (Issuing Distribution Point) comparison during CRL 2610 validation. </p> 2611 <p> 2612 Thanks to Andrew Thompson</p> 2613 <p> 2614 Own Id: OTP-11761</p> 2615 </item> 2616 <item> 2617 <p> 2618 Server now ignores client ECC curves that it does not 2619 support instead of crashing. 
</p> 2620 <p> 2621 Thanks to Danil Zagoskin for reporting the issue and 2622 suggesting a solution.</p> 2623 <p> 2624 Own Id: OTP-11780</p> 2625 </item> 2626 <item> 2627 <p> 2628 Handle SNI (Server Name Indication) alert 2629 unrecognized_name and gracefully deal with unexpected 2630 alerts. </p> 2631 <p> 2632 Thanks to Masatake Daimon for reporting this.</p> 2633 <p> 2634 Own Id: OTP-11815</p> 2635 </item> 2636 <item> 2637 <p> 2638 Add possibility to specify ssl options when calling 2639 ssl:ssl_accept</p> 2640 <p> 2641 Own Id: OTP-11837</p> 2642 </item> 2643 </list> 2644 </section> 2645 2646</section> 2647 2648<section><title>SSL 5.3.3</title> 2649 2650 <section><title>Fixed Bugs and Malfunctions</title> 2651 <list> 2652 <item> 2653 <p> 2654 Add missing validation of the server_name_indication 2655 option and test for its explicit use. It was not possible 2656 to set or disable the default server_name_indication as 2657 the validation of the option was missing.</p> 2658 <p> 2659 Own Id: OTP-11567</p> 2660 </item> 2661 <item> 2662 <p> 2663 Elliptic curve selection in server mode now properly 2664 selects a curve suggested by the client, if possible, and 2665 the fallback alternative is changed to a more widely 2666 supported curve.</p> 2667 <p> 2668 Own Id: OTP-11575</p> 2669 </item> 2670 <item> 2671 <p> 2672 Bug in the TLS hello extension handling caused the server 2673 to behave as it did not understand secure renegotiation.</p> 2674 <p> 2675 Own Id: OTP-11595</p> 2676 </item> 2677 </list> 2678 </section> 2679 2680</section> 2681 2682<section><title>SSL 5.3.2</title> 2683 2684 <section><title>Fixed Bugs and Malfunctions</title> 2685 <list> 2686 <item> 2687 <p> 2688 Honors the clients advertised support of elliptic curves 2689 and no longer sends incorrect elliptic curve extension in 2690 server hello.</p> 2691 <p> 2692 Own Id: OTP-11370</p> 2693 </item> 2694 <item> 2695 <p> 2696 Fix initialization of DTLS fragment reassembler, in 2697 previously contributed 
code, for future support of DTLS . 2698 Thanks to Andreas Schultz.</p> 2699 <p> 2700 Own Id: OTP-11376</p> 2701 </item> 2702 <item> 2703 <p> 2704 Corrected type error in client_preferred_next_protocols 2705 documentation. Thanks to Julien Barbot.</p> 2706 <p> 2707 Own Id: OTP-11457</p> 2708 </item> 2709 </list> 2710 </section> 2711 2712 2713 <section><title>Improvements and New Features</title> 2714 <list> 2715 <item> 2716 <p> 2717 TLS code has been refactored to prepare for future DTLS 2718 support. Also some DTLS code is in place but not yet 2719 runnable, some of it contributed by Andreas Schultz and 2720 some of it written by the OTP team. Thanks to to Andreas 2721 for his participation.</p> 2722 <p> 2723 Own Id: OTP-11292</p> 2724 </item> 2725 <item> 2726 <p> 2727 Remove extraneous dev debug code left in the close 2728 function. Thanks to Ken Key.</p> 2729 <p> 2730 Own Id: OTP-11447</p> 2731 </item> 2732 <item> 2733 <p> 2734 Add SSL Server Name Indication (SNI) client support. 2735 Thanks to Julien Barbot.</p> 2736 <p> 2737 Own Id: OTP-11460</p> 2738 </item> 2739 </list> 2740 </section> 2741 2742</section> 2743 2744<section><title>SSL 5.3.1</title> 2745 2746 <section><title>Fixed Bugs and Malfunctions</title> 2747 <list> 2748 <item> 2749 <p> 2750 Setopts during renegotiation caused the renegotiation to 2751 be unsuccessful.</p> 2752 <p> 2753 If calling setopts during a renegotiation the FSM state 2754 might change during the handling of the setopts messages, 2755 this is now handled correctly.</p> 2756 <p> 2757 Own Id: OTP-11228</p> 2758 </item> 2759 <item> 2760 <p> 2761 Now handles signature_algorithm field in digitally_signed 2762 properly with proper defaults. Prior to this change some 2763 elliptic curve cipher suites could fail reporting the 2764 error "bad certificate".</p> 2765 <p> 2766 Own Id: OTP-11229</p> 2767 </item> 2768 <item> 2769 <p> 2770 The code emulating the inet header option was changed in 2771 the belief that it made it inet compatible. 
However the 2772 testing is a bit hairy as the inet option is actually 2773 broken, now the tests are corrected and the header option 2774 should work in the same broken way as inet again, 2775 preferably use the bitsyntax instead.</p> 2776 <p> 2777 Own Id: OTP-11230</p> 2778 </item> 2779 </list> 2780 </section> 2781 2782 2783 <section><title>Improvements and New Features</title> 2784 <list> 2785 <item> 2786 <p> 2787 Make the ssl manager name for erlang distribution over 2788 SSL/TLS relative to the module name of the ssl_manager.</p> 2789 <p> 2790 This can be beneficial when making tools that rename 2791 modules for internal processing in the tool.</p> 2792 <p> 2793 Own Id: OTP-11255</p> 2794 </item> 2795 <item> 2796 <p> 2797 Add documentation regarding log_alert option.</p> 2798 <p> 2799 Own Id: OTP-11271</p> 2800 </item> 2801 </list> 2802 </section> 2803 2804</section> 2805 2806<section><title>SSL 5.3</title> 2807 2808 <section><title>Fixed Bugs and Malfunctions</title> 2809 <list> 2810 <item> 2811 <p> 2812 Honor the versions option to ssl:connect and ssl:listen.</p> 2813 <p> 2814 Own Id: OTP-10905</p> 2815 </item> 2816 <item> 2817 <p> 2818 Next protocol negotiation with reused sessions will now 2819 succeed</p> 2820 <p> 2821 Own Id: OTP-10909</p> 2822 </item> 2823 </list> 2824 </section> 2825 2826 2827 <section><title>Improvements and New Features</title> 2828 <list> 2829 <item> 2830 <p> 2831 Add support for PSK (Pre Shared Key) and SRP (Secure 2832 Remote Password) chipher suits, thanks to Andreas 2833 Schultz.</p> 2834 <p> 2835 Own Id: OTP-10450 Aux Id: kunagi-269 [180] </p> 2836 </item> 2837 <item> 2838 <p> 2839 Fix SSL Next Protocol Negotiation documentation. Thanks 2840 to Julien Barbot.</p> 2841 <p> 2842 Own Id: OTP-10955</p> 2843 </item> 2844 <item> 2845 <p> 2846 Fix ssl_connection to support reading proxy/chain 2847 certificates. 
Thanks to Valentin Kuznetsov.</p> 2848 <p> 2849 Own Id: OTP-10980</p> 2850 </item> 2851 <item> 2852 <p> 2853 Integrate elliptic curve contribution from Andreas 2854 Schultz </p> 2855 <p> 2856 In order to be able to support elliptic curve cipher 2857 suites in SSL/TLS, additions to handle elliptic curve 2858 infrastructure has been added to public_key and crypto.</p> 2859 <p> 2860 This also has resulted in a rewrite of the crypto API to 2861 gain consistency and remove unnecessary overhead. All OTP 2862 applications using crypto has been updated to use the new 2863 API.</p> 2864 <p> 2865 Impact: Elliptic curve cryptography (ECC) offers 2866 equivalent security with smaller key sizes than other 2867 public key algorithms. Smaller key sizes result in 2868 savings for power, memory, bandwidth, and computational 2869 cost that make ECC especially attractive for constrained 2870 environments.</p> 2871 <p> 2872 Own Id: OTP-11009</p> 2873 </item> 2874 </list> 2875 </section> 2876 2877</section> 2878 2879<section><title>SSL 5.2.1</title> 2880 <section><title>Improvements and New Features</title> 2881 <list> 2882 <item> 2883 <p> 2884 Transport callback handling is changed so that gen_tcp is 2885 treated as a special case where inet will be called 2886 directly for functions such as setopts, as gen_tcp does 2887 not have its own setopts. This will enable users to use 2888 the transport callback for other customizations such as 2889 websockets.</p> 2890 <p> 2891 Own Id: OTP-10847</p> 2892 </item> 2893 <item> 2894 <p> 2895 Follow up to OTP-10451 solved in ssl-5.2 R16A. Make sure 2896 format_error return good strings. 
Replace confusing 2897 legacy atoms with more descriptive atoms.</p> 2898 <p> 2899 Own Id: OTP-10864</p> 2900 </item> 2901 </list> 2902 </section> 2903 2904</section> 2905<section><title>SSL 5.1.2.1</title> 2906<section><title>Improvements and New Features</title> 2907<list> 2908 <item> 2909 <p> 2910 Make log_alert configurable as option in ssl, SSLLogLevel 2911 added as option to inets conf file</p> 2912 <p> 2913 Own Id: OTP-11259</p> 2914 </item> 2915</list> 2916</section> 2917</section> 2918<section><title>SSL 5.2</title> 2919 <section><title>Fixed Bugs and Malfunctions</title> 2920 <list> 2921 <item> 2922 <p> 2923 SSL: TLS 1.2, advertise sha224 support, thanks to Andreas 2924 Schultz.</p> 2925 <p> 2926 Own Id: OTP-10586</p> 2927 </item> 2928 <item> 2929 <p> 2930 If an ssl server is restarted with new options and a 2931 client tries to reuse a session the server must make sure 2932 that it complies to the new options before agreeing to 2933 reuse it.</p> 2934 <p> 2935 Own Id: OTP-10595</p> 2936 </item> 2937 <item> 2938 <p> 2939 Now handles cleaning of CA-certificate database correctly 2940 so that there will be no memory leek, bug was introduced 2941 in ssl- 5.1 when changing implementation to increase 2942 parallel execution.</p> 2943 <p> 2944 Impact: Improved memory usage, especially if you have 2945 many different certificates and upgrade tcp-connections 2946 to TLS-connections.</p> 2947 <p> 2948 Own Id: OTP-10710</p> 2949 </item> 2950 </list> 2951 </section> 2952 2953 2954 <section><title>Improvements and New Features</title> 2955 <list> 2956 <item> 2957 <p> 2958 Support Next Protocol Negotiation in TLS, thanks to Ben 2959 Murphy for the contribution.</p> 2960 <p> 2961 Impact: Could give performance benefit if used as it 2962 saves a round trip.</p> 2963 <p> 2964 Own Id: OTP-10361 Aux Id: kunagi-214 [125] </p> 2965 </item> 2966 <item> 2967 <p> 2968 TLS 1.2 will now be the default TLS version if sufficient 2969 crypto support is available otherwise TLS 1.1 
will be 2970 default.</p> 2971 <p> 2972 Impact: A default TLS connection will have higher 2973 security and hence it may be perceived as slower then 2974 before.</p> 2975 <p> 2976 Own Id: OTP-10425 Aux Id: kunagi-275 [186] </p> 2977 </item> 2978 <item> 2979 <p> 2980 It is now possible to call controlling_process on a 2981 listen socket, same as in gen_tcp.</p> 2982 <p> 2983 Own Id: OTP-10447</p> 2984 </item> 2985 <item> 2986 <p> 2987 Remove filter mechanisms that made error messages 2988 backwards compatible with old ssl but hid information 2989 about what actually happened.</p> 2990 <p> 2991 This does not break the documented API however other 2992 reason terms may be returned, so code that matches on the 2993 reason part of {error, Reason} may fail.</p> 2994 <p> 2995 *** POTENTIAL INCOMPATIBILITY ***</p> 2996 <p> 2997 Own Id: OTP-10451 Aux Id: kunagi-270 [181] </p> 2998 </item> 2999 <item> 3000 <p> 3001 Added missing dependencies to Makefile</p> 3002 <p> 3003 Own Id: OTP-10594</p> 3004 </item> 3005 <item> 3006 <p> 3007 Removed deprecated function ssl:pid/0, it has been 3008 pointless since R14 but has been keep for backwards 3009 compatibility.</p> 3010 <p> 3011 *** POTENTIAL INCOMPATIBILITY ***</p> 3012 <p> 3013 Own Id: OTP-10613 Aux Id: kunagi-331 [242] </p> 3014 </item> 3015 <item> 3016 <p> 3017 Refactor to simplify addition of key exchange methods, 3018 thanks to Andreas Schultz.</p> 3019 <p> 3020 Own Id: OTP-10709</p> 3021 </item> 3022 </list> 3023 </section> 3024 3025</section> 3026 3027<section><title>SSL 5.1.2</title> 3028 3029 <section><title>Fixed Bugs and Malfunctions</title> 3030 <list> 3031 <item> 3032 <p> 3033 ssl:ssl_accept/2 timeout is no longer ignored</p> 3034 <p> 3035 Own Id: OTP-10600</p> 3036 </item> 3037 </list> 3038 </section> 3039 3040</section> 3041 3042<section><title>SSL 5.1.1</title> 3043 3044 <section><title>Fixed Bugs and Malfunctions</title> 3045 <list> 3046 <item> 3047 <p> 3048 ssl:recv/3 could "loose" data when the timeout occurs. 
If 3049 the timout in ssl:connect or ssl:ssl_accept expired the 3050 ssl connection process was not terminated as it should, 3051 this due to gen_fsm:send_all_state_event timout is a 3052 client side time out. These timouts are now handled by 3053 the gen_fsm-procss instead.</p> 3054 <p> 3055 Own Id: OTP-10569</p> 3056 </item> 3057 </list> 3058 </section> 3059 3060 3061 <section><title>Improvements and New Features</title> 3062 <list> 3063 <item> 3064 <p> 3065 Better termination handling that avoids hanging.</p> 3066 <p> 3067 Own Id: OTP-10574</p> 3068 </item> 3069 </list> 3070 </section> 3071 3072</section> 3073 3074<section><title>SSL 5.1</title> 3075 3076 <section><title>Fixed Bugs and Malfunctions</title> 3077 <list> 3078 <item> 3079 <p> 3080 Sometimes the client process could receive an extra 3081 {error, closed} message after ssl:recv had returned 3082 {error, closed}.</p> 3083 <p> 3084 Own Id: OTP-10118</p> 3085 </item> 3086 <item> 3087 <p> 3088 ssl v3 alert number 41 (no_certificate_RESERVED) is now 3089 recognized</p> 3090 <p> 3091 Own Id: OTP-10196</p> 3092 </item> 3093 </list> 3094 </section> 3095 3096 3097 <section><title>Improvements and New Features</title> 3098 <list> 3099 <item> 3100 <p> 3101 Experimental support for TLS 1.1 is now available, will 3102 be officially supported from OTP-R16. Thanks to Andreas 3103 Schultz for implementing the first version.</p> 3104 <p> 3105 Own Id: OTP-8871</p> 3106 </item> 3107 <item> 3108 <p> 3109 Experimental support for TLS 1.2 is now available, will 3110 be officially supported from OTP-R16. 
Thanks to Andreas 3111 Schultz for implementing the first version.</p> 3112 <p> 3113 Own Id: OTP-8872</p> 3114 </item> 3115 <item> 3116 <p> 3117 Removed some bottlenecks increasing the applications 3118 parallelism especially for the client side.</p> 3119 <p> 3120 Own Id: OTP-10113</p> 3121 </item> 3122 <item> 3123 <p> 3124 Workaround for handling certificates that wrongly encode 3125 X509countryname in utf-8 when the actual value is a valid 3126 ASCCI value of length 2. Such certificates are accepted 3127 by many browsers such as Chrome and Fierfox so for 3128 interoperability reasons we will too.</p> 3129 <p> 3130 Own Id: OTP-10222</p> 3131 </item> 3132 </list> 3133 </section> 3134 3135</section> 3136 3137<section><title>SSL 5.0.1</title> 3138 3139 <section><title>Fixed Bugs and Malfunctions</title> 3140 <list> 3141 <item> 3142 <p> 3143 Robustness and improvement to distribution over SSL</p> 3144 <p> 3145 Fix a bug where ssl_tls_dist_proxy would crash at caller 3146 timeout. Fix a bug where a timeout from the SSL layer 3147 would block the distribution indefinately. Run the proxy 3148 exclusively on the loopback interface. (Thanks to Paul 3149 Guyot)</p> 3150 <p> 3151 Own Id: OTP-9915</p> 3152 </item> 3153 <item> 3154 <p> 3155 Fix setup loop of SSL TLS dist proxy</p> 3156 <p> 3157 Fix potential leak of processes waiting indefinately for 3158 data from closed sockets during socket setup phase. 3159 (Thanks to Paul Guyot)</p> 3160 <p> 3161 Own Id: OTP-9916</p> 3162 </item> 3163 <item> 3164 <p> 3165 Correct spelling of registered (Thanks to Richard 3166 Carlsson)</p> 3167 <p> 3168 Own Id: OTP-9925</p> 3169 </item> 3170 <item> 3171 <p> 3172 Added TLS PRF function to the SSL API for generation of 3173 additional key material from a TLS session. 
(Thanks to 3174 Andreas Schultz)</p> 3175 <p> 3176 Own Id: OTP-10024</p> 3177 </item> 3178 </list> 3179 </section> 3180 3181</section> 3182 3183<section><title>SSL 5.0</title> 3184 3185 <section><title>Fixed Bugs and Malfunctions</title> 3186 <list> 3187 <item> 3188 <p> 3189 Invalidation handling of sessions could cause the 3190 time_stamp field in the session record to be set to 3191 undefined crashing the session clean up process. This did 3192 not affect the connections but would result in that the 3193 session table would grow.</p> 3194 <p> 3195 Own Id: OTP-9696 Aux Id: seq11947 </p> 3196 </item> 3197 <item> 3198 <p> 3199 Changed code to use ets:foldl and throw instead of 3200 ets:next traversal, avoiding the need to explicitly call 3201 ets:safe_fixtable. It was possible to get a badarg-crash 3202 under special circumstances.</p> 3203 <p> 3204 Own Id: OTP-9703 Aux Id: seq11947 </p> 3205 </item> 3206 <item> 3207 <p> 3208 Send ssl_closed notification to active ssl user when a 3209 tcp error occurs.</p> 3210 <p> 3211 Own Id: OTP-9734 Aux Id: seq11946 </p> 3212 </item> 3213 <item> 3214 <p> 3215 If a passive receive was ongoing during a renegotiation 3216 the process evaluating ssl:recv could be left hanging for 3217 ever.</p> 3218 <p> 3219 Own Id: OTP-9744</p> 3220 </item> 3221 </list> 3222 </section> 3223 3224 3225 <section><title>Improvements and New Features</title> 3226 <list> 3227 <item> 3228 <p> 3229 Support for the old ssl implementation is dropped and the 3230 code is removed.</p> 3231 <p> 3232 Own Id: OTP-7048</p> 3233 </item> 3234 <item> 3235 <p> 3236 The erlang distribution can now be run over the new ssl 3237 implementation. 
All options can currently not be set but 3238 it is enough to replace to old ssl implementation.</p> 3239 <p> 3240 Own Id: OTP-7053</p> 3241 </item> 3242 <item> 3243 <p> 3244 public_key, ssl and crypto now supports PKCS-8</p> 3245 <p> 3246 Own Id: OTP-9312</p> 3247 </item> 3248 <item> 3249 <p> 3250 Implements a CBC timing attack counter measure. Thanks to 3251 Andreas Schultz for providing the patch.</p> 3252 <p> 3253 Own Id: OTP-9683</p> 3254 </item> 3255 <item> 3256 <p> 3257 Mitigates an SSL/TLS Computational DoS attack by 3258 disallowing the client to renegotiate many times in a row 3259 in a short time interval, thanks to Tuncer Ayaz for 3260 alerting us about this.</p> 3261 <p> 3262 Own Id: OTP-9739</p> 3263 </item> 3264 <item> 3265 <p> 3266 Implements the 1/n-1 splitting countermeasure to the 3267 Rizzo Duong BEAST attack, affects SSL 3.0 and TLS 1.0. 3268 Thanks to Tuncer Ayaz for alerting us about this.</p> 3269 <p> 3270 Own Id: OTP-9750</p> 3271 </item> 3272 </list> 3273 </section> 3274 3275</section> 3276 3277<section><title>SSL 4.1.6</title> 3278 3279 <section><title>Fixed Bugs and Malfunctions</title> 3280 <list> 3281 <item> 3282 <p> 3283 replace "a ssl" with "an ssl" reindent 3284 pkix_path_validation/3 Trivial documentation fixes 3285 (Thanks to Christian von Roques )</p> 3286 <p> 3287 Own Id: OTP-9464</p> 3288 </item> 3289 </list> 3290 </section> 3291 3292 3293 <section><title>Improvements and New Features</title> 3294 <list> 3295 <item> 3296 <p> 3297 Adds function clause to avoid denial of service attack. 3298 Thanks to Vinod for reporting this vulnerability.</p> 3299 <p> 3300 Own Id: OTP-9364</p> 3301 </item> 3302 <item> 3303 <p> 3304 Error handling code now takes care of inet:getopts/2 and 3305 inets:setopts/2 crashes. 
Thanks to Richard Jones for 3306 reporting this.</p> 3307 <p> 3308 Own Id: OTP-9382</p> 3309 </item> 3310 <item> 3311 <p> 3312 Support explicit use of packet option httph and httph_bin</p> 3313 <p> 3314 Own Id: OTP-9461</p> 3315 </item> 3316 <item> 3317 <p> 3318 Decoding of hello extensions could fail to come to the 3319 correct conclusion due to an error in a binary match 3320 pattern. Thanks to Ben Murphy.</p> 3321 <p> 3322 Own Id: OTP-9589</p> 3323 </item> 3324 </list> 3325 </section> 3326 3327</section> 3328 3329<section> 3330 <title>SSL 4.1.5</title> 3331 3332 <section><title>Improvements and New Features</title> 3333 <list> 3334 <item> 3335 <p>Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in 3336 an exit with reason badarg. Neither SSL nor INETS This was not 3337 catched, resulting in crashes with incomprehensible reasons.</p> 3338 <p>Own Id: OTP-9289 Aux Id: seq11845</p> 3339 </item> 3340 </list> 3341 </section> 3342 3343 </section> 3344 3345 <section> 3346 <title>SSL 4.1.3</title> 3347 3348 <section><title>Fixed Bugs and Malfunctions</title> 3349 <list> 3350 <item> 3351 <p> 3352 Fixed error in cache-handling fix from ssl-4.1.2</p> 3353 <p> 3354 Own Id: OTP-9018 Aux Id: seq11739 </p> 3355 </item> 3356 <item> 3357 <p>Verification of a critical extended_key_usage-extension 3358 corrected</p> 3359 <p>Own Id: OTP-9029 Aux Id: seq11541 </p> 3360 </item> 3361 </list> 3362 </section> 3363 3364 </section> 3365 3366 <section> 3367 <title>SSL 4.1.2</title> 3368 3369 <section><title>Fixed Bugs and Malfunctions</title> 3370 <list> 3371 <item> 3372 <p> 3373 The ssl application caches certificate files, it will now 3374 invalidate cache entries if the diskfile is changed.</p> 3375 <p> 3376 Own Id: OTP-8965 Aux Id: seq11739 </p> 3377 </item> 3378 <item> 3379 <p> 3380 Now runs the terminate function before returning from the 3381 call made by ssl:close/1, as before the caller of 3382 ssl:close/1 could get problems with the reuseaddr option.</p> 3383 <p> 3384 
Own Id: OTP-8992</p> 3385 </item> 3386 </list> 3387 </section> 3388 3389</section> 3390 3391<section><title>SSL 4.1.1</title> 3392 3393 <section><title>Fixed Bugs and Malfunctions</title> 3394 <list> 3395 <item> 3396 <p> 3397 Correct handling of client certificate verify message 3398 When checking the client certificate verify message the 3399 server used the wrong algorithm identifier to determine 3400 the signing algorithm, causing a function clause error in 3401 the public_key application when the key-exchange 3402 algorithm and the public key algorithm of the client 3403 certificate happen to differ.</p> 3404 <p> 3405 Own Id: OTP-8897</p> 3406 </item> 3407 </list> 3408 </section> 3409 3410 3411 <section><title>Improvements and New Features</title> 3412 <list> 3413 <item> 3414 <p> 3415 For testing purposes ssl now also support some anonymous 3416 cipher suites when explicitly configured to do so.</p> 3417 <p> 3418 Own Id: OTP-8870</p> 3419 </item> 3420 <item> 3421 <p> 3422 Sends an error alert instead of crashing if a crypto 3423 function for the selected cipher suite fails.</p> 3424 <p> 3425 Own Id: OTP-8930 Aux Id: seq11720 </p> 3426 </item> 3427 </list> 3428 </section> 3429 3430</section> 3431 3432<section><title>SSL 4.1</title> 3433 3434 <section><title>Improvements and New Features</title> 3435 <list> 3436 <item> 3437 <p> 3438 Updated ssl to ignore CA certs that violate the asn1-spec 3439 for a certificate, and updated public key asn1 spec to 3440 handle inherited DSS-params.</p> 3441 <p> 3442 Own Id: OTP-7884</p> 3443 </item> 3444 <item> 3445 <p> 3446 Changed ssl implementation to retain backwards 3447 compatibility for old option {verify, 0} that shall be 3448 equivalent to {verify, verify_none}, also separate the 3449 cases unknown ca and selfsigned peer cert, and restored 3450 return value of deprecated function 3451 public_key:pem_to_der/1.</p> 3452 <p> 3453 Own Id: OTP-8858</p> 3454 </item> 3455 <item> 3456 <p> 3457 Changed the verify fun so that it 
differentiate between 3458 the peer certificate and CA certificates by using 3459 valid_peer or valid as the second argument to the verify 3460 fun. It may not always be trivial or even possible to 3461 know when the peer certificate is reached otherwise.</p> 3462 <p> 3463 *** POTENTIAL INCOMPATIBILITY ***</p> 3464 <p> 3465 Own Id: OTP-8873</p> 3466 </item> 3467 </list> 3468 </section> 3469 3470</section> 3471 3472<section><title>SSL 4.0.1</title> 3473 3474 <section><title>Fixed Bugs and Malfunctions</title> 3475 <list> 3476 <item> 3477 <p> 3478 The server now verifies the client certificate verify 3479 message correctly, instead of causing a case-clause.</p> 3480 <p> 3481 Own Id: OTP-8721</p> 3482 </item> 3483 <item> 3484 <p> 3485 The client hello message now always include ALL available 3486 cipher suites (or those specified by the ciphers option). 3487 Previous implementation would filter them based on the 3488 client certificate key usage extension (such filtering 3489 only makes sense for the server certificate).</p> 3490 <p> 3491 Own Id: OTP-8772</p> 3492 </item> 3493 <item> 3494 <p> 3495 Fixed handling of the option {mode, list} that was broken 3496 for some packet types for instance line.</p> 3497 <p> 3498 Own Id: OTP-8785</p> 3499 </item> 3500 <item> 3501 <p> 3502 Empty packets were not delivered to the client.</p> 3503 <p> 3504 Own Id: OTP-8790</p> 3505 </item> 3506 <item> 3507 <p> Building in a source tree without prebuilt platform 3508 independent build results failed on the SSL examples 3509 when: </p> <list><item> cross building. This has been 3510 solved by not building the SSL examples during a cross 3511 build. </item><item> building on Windows. 
</item></list> 3512 <p> 3513 Own Id: OTP-8791</p> 3514 </item> 3515 <item> 3516 <p> 3517 Fixed a handshake error which occurred on some ssl 3518 implementations.</p> 3519 <p> 3520 Own Id: OTP-8793</p> 3521 </item> 3522 </list> 3523 </section> 3524 3525 3526 <section><title>Improvements and New Features</title> 3527 <list> 3528 <item> 3529 <p> 3530 Revise the public_key API - Cleaned up and documented the 3531 public_key API to make it useful for general use, also 3532 changed ssl to use the new API.</p> 3533 <p> 3534 Own Id: OTP-8722</p> 3535 </item> 3536 <item> 3537 <p> 3538 Added support for inputing certificates and keys directly 3539 in DER format these options will override the pem-file 3540 options if specified.</p> 3541 <p> 3542 Own Id: OTP-8723</p> 3543 </item> 3544 <item> 3545 <p> 3546 To gain interoperability ssl will not check for padding 3547 errors when using TLS 1.0. It is first in TLS 1.1 that 3548 checking the padding is an requirement.</p> 3549 <p> 3550 Own Id: OTP-8740</p> 3551 </item> 3552 <item> 3553 <p> 3554 Changed the semantics of the verify_fun option in the 3555 ssl-application so that it takes care of both application 3556 handling of path validation errors and verification of 3557 application specific extensions. This means that it is 3558 now possible for the server application in verify_peer 3559 mode to handle path validation errors. This change moved 3560 some functionality earlier in ssl to the public_key 3561 application.</p> 3562 <p> 3563 Own Id: OTP-8770</p> 3564 </item> 3565 <item> 3566 <p> 3567 Added the functionality so that the verification fun will 3568 be called when a certificate is considered valid by the 3569 path validation to allow access to each certificate in 3570 the path to the user application. 
Also try to verify 3571 subject-AltName, if unable to verify it let the 3572 application verify it.</p> 3573 <p> 3574 Own Id: OTP-8825</p> 3575 </item> 3576 </list> 3577 </section> 3578 3579</section> 3580 3581<section><title>SSL 4.0</title> 3582 3583 <section><title>Improvements and New Features</title> 3584 <list> 3585 <item> 3586 <p> 3587 New ssl now support client/server-certificates signed by 3588 dsa keys.</p> 3589 <p> 3590 Own Id: OTP-8587</p> 3591 </item> 3592 <item> 3593 <p> 3594 Ssl has now switched default implementation and removed 3595 deprecated certificate handling. All certificate handling 3596 is done by the public_key application.</p> 3597 <p> 3598 Own Id: OTP-8695</p> 3599 </item> 3600 </list> 3601 </section> 3602 </section> 3603</chapter> 3604