diff options
author | Erlang/OTP <otp@erlang.org> | 2023-05-15 12:36:07 +0200 |
---|---|---|
committer | Erlang/OTP <otp@erlang.org> | 2023-05-15 12:36:07 +0200 |
commit | 2f361f653d649d002a26d1d2a5c8c3efd1303832 (patch) | |
tree | a1ed8c18d01f94f53ed73d7f12a7de8aaa71aac6 /lib/ssl | |
parent | 47dc52e1189de34f148ca389a7810800a1d9240c (diff) | |
download | erlang-2f361f653d649d002a26d1d2a5c8c3efd1303832.tar.gz |
Prepare release
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/doc/src/notes.xml | 202 | ||||
-rw-r--r-- | lib/ssl/doc/src/ssl.xml | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl.app.src | 4 | ||||
-rw-r--r-- | lib/ssl/vsn.mk | 2 |
4 files changed, 206 insertions, 4 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 911055d742..5b767d2d01 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -27,6 +27,208 @@ </header> <p>This document describes the changes made to the SSL application.</p> +<section><title>SSL 11.0</title> + + <section><title>Improvements and New Features</title> + <list> + <item> + <p> + Remove less that 256 bit ECC from default supported ECC + pre TLS-1.3</p> + <p> + *** POTENTIAL INCOMPATIBILITY ***</p> + <p> + Own Id: OTP-14771</p> + </item> + <item> + <p> + Improved error checking and handling of ssl options.</p> + <p> + Own Id: OTP-15903</p> + </item> + <item> + <p> + With this change, stateless tickets generated by server + with anti_replay option enabled can be used for creating + ClientHello throughout ticket lifetime. Without this + change, usability was limited to WindowSize number of + seconds configured for anti_replay option.</p> + <p> + *** POTENTIAL INCOMPATIBILITY ***</p> + <p> + Own Id: OTP-18168 Aux Id: PR-6019, GH-6014 </p> + </item> + <item> + <p> Support for Kernel TLS (kTLS), has been added to the + SSL application, for TLS distribution (<c>-proto_dist + inet_tls</c>), the SSL option <c>{ktls, true}</c>. Using + this for general SSL sockets is uncomfortable, + undocumented and not recommended since it requires very + platform dependent raw options. </p><p> This, for now, + only works for some not too old Linux distributions. + Roughly, a kernel 5.2.0 or later with support for + UserLand Protocols and the kernel module <c>tls</c> is + required. </p> + <p> + Own Id: OTP-18235 Aux Id: PR-6104, PR-5840 </p> + </item> + <item> + <p> + With this change, TLS 1.3 server can be configured to + include client certificate in session ticket.</p> + <p> + Own Id: OTP-18253</p> + </item> + <item> + <p> + With this change, it is possible to configure encryption + seed to be used with TLS1.3 stateless tickets. This + enables using tickets on different server instances.</p> + <p> + Own Id: OTP-18254 Aux Id: PR-5982 </p> + </item> + <item> + <p> + Debugging enhancements.</p> + <p> + Own Id: OTP-18312</p> + </item> + <item> + <p> + With this change, maybe keyword atom is not used as + function name in ssl code.</p> + <p> + Own Id: OTP-18335</p> + </item> + <item> + <p> + Replace size/1 with either tuple_size/1 or byte_size/1</p> + <p> + The <c>size/1</c> BIF is not optimized by the JIT, and + its use can result in worse types for Dialyzer.</p> + <p> + When one knows that the value being tested must be a + tuple, <c>tuple_size/1</c> should always be preferred.</p> + <p> + When one knows that the value being tested must be a + binary, <c>byte_size/1</c> should be preferred. However, + <c>byte_size/1</c> also accepts a bitstring (rounding up + size to a whole number of bytes), so one must make sure + that the call to <c>byte_size/</c> is preceded by a call + to <c>is_binary/1</c> to ensure that bitstrings are + rejected. Note that the compiler removes redundant calls + to <c>is_binary/1</c>, so if one is not sure whether + previous code had made sure that the argument is a + binary, it does not harm to add an <c>is_binary/1</c> + test immediately before the call to <c>byte_size/1</c>.</p> + <p> + Own Id: OTP-18405 Aux Id: + GH-6672,PR-6702,PR-6768,PR-6700,PR-6769,PR-6812,PR-6814 </p> + </item> + <item> + <p> + For security reasons remove support for SHA1 and DSA + algorithms from default values.</p> + <p> + *** POTENTIAL INCOMPATIBILITY ***</p> + <p> + Own Id: OTP-18438 Aux Id: GH-6679 </p> + </item> + <item> + <p> + Mitigate memory usage from large certificate chains by + lowering the maximum handshake size. This should not + effect the common cases, if needed it can be configured + to a higher value.</p> + <p> + Own Id: OTP-18453</p> + </item> + <item> + <p> + Change the client default verify option to verify_peer. + Note that this makes it mandatory to also supply trusted + CA certificates or explicitly set verify to verify_none. + This also applies when using the so called anonymous test + cipher suites defined in TLS versions pre TLS-1.3.</p> + <p> + *** POTENTIAL INCOMPATIBILITY ***</p> + <p> + Own Id: OTP-18455 Aux Id: GH-5899 </p> + </item> + <item> + <p> + Erlang distribution code in Kernel and SSL has been + refactored a bit to facilitate debugging and + re-usability, which shouldn't have any noticeable effects + on behaviour or performance.</p> + <p> + Own Id: OTP-18456</p> + </item> + <item> + <p> + Add encoding and decoding of use_srtp hello extension to + facilitate for DTLS users to implement SRTP + functionality.</p> + <p> + Own Id: OTP-18459</p> + </item> + <item> + <p> + Refactors the (<c>ssl</c> application to use macros for + TLS and DTLS versions instead of hard-coded tuple + numbers. This change improves the maintainability of + <c>ssl</c></p> + <p> + Own Id: OTP-18465 Aux Id: GH-7065 </p> + </item> + <item> + <p> + If the function ssl:renegotiate/1 is called on connection + that is running TLS-1.3 return an error instead of + hanging or timing out.</p> + <p> + Own Id: OTP-18507</p> + </item> + <item> + <p> + If a user cancel alert with level warning is received + during handshake make it be handled the same regardless + of TLS version. If it is received in connection in + TLS-1.3 regard it as an error as it is inappropriate.</p> + <p> + In TLS-1.3 all error alerts are considered FATAL + regardless of legacy alert type. But make sure legacy + type is printed in logs to not confuse users that are + expecting the same legacy type as sent by peer.</p> + <p> + *** POTENTIAL INCOMPATIBILITY ***</p> + <p> + Own Id: OTP-18531</p> + </item> + <item> + <p> + Make <c>fail_if_no_peer_cert</c> default true if + verify_peer is set on the server, otherwise the server + will accept the connection if verify_peer is set and the + user have forgot to set the fail_if_no_peer_cert and the + client did not send a certificate.</p> + <p> + Own Id: OTP-18567</p> + </item> + <item> + <p> + To make it easier to configure signature algorithms with + algorithms that are moved from the default add the API + function signature_algs/2 that lists possible values. + Also make sha224 a non default value.</p> + <p> + Own Id: OTP-18572</p> + </item> + </list> + </section> + +</section> + <section><title>SSL 10.9.1</title> <section><title>Fixed Bugs and Malfunctions</title> diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index b4a30a68c8..4fda1a3161 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -2175,7 +2175,7 @@ fun(srp, Username :: binary(), UserState :: term()) -> </func> <func> - <name since="OTP @OTP-18572@" name="signature_algs" arity="2" /> + <name since="OTP 26.0" name="signature_algs" arity="2" /> <fsummary>Returns a list of signature algorithms/schemes </fsummary> <desc> <p>Lists all possible signature algorithms corresponding to diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src index abc5d278a8..b9f69af6a3 100644 --- a/lib/ssl/src/ssl.app.src +++ b/lib/ssl/src/ssl.app.src @@ -88,6 +88,6 @@ {applications, [crypto, public_key, kernel, stdlib]}, {env, []}, {mod, {ssl_app, []}}, - {runtime_dependencies, ["stdlib-4.1","public_key-1.11.3","kernel-@OTP-18235@", - "erts-@OTP-18248@","crypto-5.0", "inets-5.10.7", + {runtime_dependencies, ["stdlib-4.1","public_key-1.11.3","kernel-9.0", + "erts-14.0","crypto-5.0", "inets-5.10.7", "runtime_tools-1.15.1"]}]}. diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index db6de41e50..de283ec08a 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 10.9.1 +SSL_VSN = 11.0 |