1 SSL Release Notes
This document describes the changes made to the SSL application.
1.1 SSL 3.1.1.1
1.1.1 Minor Makefile changes
-
Removed use of
erl_flags
from Makefile.
Own Id: OTP-6689
1.2 SSL 3.1.1
1.2.1 Crash on error in ssl_accept
-
A bug in ssl_accept could cause all ssl
connections to hang when a connection
attempt was closed by the client while
the server was in
ssl_accept
.
Own Id: OTP-6612 Aux Id: seq10599
1.3 SSL 3.1.1
1.3.1 Known Bugs and Problems
-
A bug in ssl_accept could cause all ssl connections to
hang when a connection attempt was closed by the client
while the server was in ssl_accept
Own Id: OTP-6612 Aux Id: seq10599
1.4 SSL 3.1
1.4.1 Fixed Bugs and Malfunctions
-
SSL now uses a two-phase accept, with a separate accept
calls for the socket and the ssl protocol. This avoids
timeouts when a client doesn't initiate ssl handshake.
With the old implementation of accept, the server
was locked by a client, if the client didn't do
proper ssl handshake.
Own Id: OTP-6418 Aux Id: seq10105
1.5 SSL 3.0.12
1.5.1 Fixed Bugs and Malfunctions
-
An integer array pointing to a struct pollfd array, is
now reset before file descriptors are collected to be
included in a call to poll(). This is to prevent file
descriptors to be mixed up.
Own Id: OTP-6084
-
The generation of the module ssl_pkix_oid contained
multiple identifiers, which made the mapping between
atoms and identifiers not one-to-one.
Own Id: OTP-6085
1.6 SSL 3.0.11
1.6.1 Fixed Bugs and Malfunctions
-
The state of a connection in active mode could be in a
restrictive state, so that an internal tcp_closed message
was incorrectly considered illegal, resulting in a
premature termination of the connection process.
Own Id: OTP-5972 Aux Id: seq10188
1.7 SSL 3.0.10
1.7.1 Fixed Bugs and Malfunctions
-
Erlang distribution over SSL was broken. Corrected.
(Thanks to Fredrik Thulin.)
Own Id: OTP-5863
1.8 SSL 3.0.9
1.8.1 Fixed Bugs and Malfunctions
-
The port program for the ssl application could waste huge
amounts of CPU time if a write could not be completed
directly and was put in the write queue. (Only on platforms
where poll() is used, such as Solaris and Linux.)
Own Id: OTP-5784
1.9 SSL 3.0.8
1.9.1 Fixed Bugs and Malfunctions
-
A process reading only a portion of a sufficiently large
amount of data from an accepted socket, and then quering
the ssl library (e.g. ssl:getpeername()), would cause a
global deadlock in the esock port program.
Own Id: OTP-5702
-
A spelling error in the module
ssl_pkix
caused the
call to ssl:peercert/2
to fail when the option
subject
was used.
Own Id: OTP-5708
-
Because fopen() on Solaris 8 can't handle file
descriptor numbers above 255, reading of certificate
files would fail if all file descriptors below 256 were
in use (typically, if many connections were open). This
problem has been worked around.
The ssl application's port program used to use
select(), which meant that it could not handle more than
FD_SETSIZE file descriptors (usually 1024). To eliminate
that limitation, poll() is now used on all platforms that
support it.
Solaris/Sparc, 64-bit emulator: The SO_REUSEADDR
option was not set for listen sockets, which essentially
made the ssl application unusuable. Corrected.
The default listen queue size for ssl port program was
changed to 128 (from 5).
Own Id: OTP-5755 Aux Id: seq10068
1.10 Ssl 3.0.7
1.10.1 Fixed Bugs and Malfunctions
-
The R/W buffer length i esock.c was too small. It has
been increased from 4k to 32k.
Own Id: OTP-5620
1.11 Ssl 3.0.6
1.11.1 Improvements and New Features
-
A configuration option for choosing protocol versions has
been added (
sslv2
, sslv3
, and
tlsv1
).
Own Id: OTP-5429 Aux Id: seq9755
1.12 Ssl 3.0.5
1.12.1 Fixed Bugs and Malfunctions
-
Linked in drivers in the crypto, and asn1 applications
are now compiled with the -D_THREAD_SAFE and -D_REENTRANT
switches on unix when the emulator has thread support
enabled.
Linked in drivers on MacOSX are not compiled with the
undocumented -lbundle1.o switch anymore. Thanks to Sean
Hinde who sent us a patch.
Linked in driver in crypto, and port programs in ssl, now
compiles on OSF1.
Minor makefile improvements in runtime_tools.
Own Id: OTP-5346
1.13 Ssl 3.0.4
1.13.1 Fixed Bugs and Malfunctions
-
ssl:recv/3
with finite timeout value, closed the
connection at timeout.
Own Id: OTP-4882
1.14 Ssl 3.0.3
1.14.1 Fixed Bugs and Malfunctions
-
When a file descriptor was marked for closing, and and
end-of-file condition had already been detected, the file
descriptor was never closed.
Own Id: OTP-5093 Aux Id: seq8806
-
When the number of open file descriptors reached
FD_SETSIZE, the SSL port program entered a busy loop.
Own Id: OTP-5094 Aux Id: seq8806
1.14.2 Improvements and New Features
-
The SSL application now supports SSL sessions for
servers, which typically speeds up HTTP requests from
browsers.
Own Id: OTP-5095
1.15 SSL 3.0.2
1.15.1 Fixed Bugs and Malfunctions
-
The UTF8String type is now defined in asn1-1.4.4.2 and
later. Therefore the definitions of UTF8String has been
removed from the ASN.1 modules PKIX1Explicit88.asn1 and
PKIXAttributeCertificate.asn1. The SSL application can now
only be built using asn-1.4.4.2 or later.
OwnId: OTP-4971.
1.15.2 Known Bugs and Problems
See SSL-3.0.
1.16 SSL 3.0.1
1.16.1 Fixed Bugs and Malfunctions
-
An unexpected object identifier would crash
ssl:peercert
.
OwnId: OTP-4771.
1.16.2 Known Bugs and Problems
See SSL-3.0.
1.17 SSL 3.0
1.17.1 Improvements and New Features
-
The
cache_timout
option was silently ignored. It had
to do with SSL sessions, where multiple connections can occur.
Since the Erlang SSL applicaton does not support sessions the
option is still ignored, and consequently the documentation
about it has been removed.
OwnId: OTP-3146
-
The Erlang SSL application is now based on OpenSSL version
0.9.7a. OpenSSL 0.9.6 should also work.
OwnId: OTP-4002
-
When connecting it is now possible to bind to a local address
and local port.
OwnId: OTP-4675
-
The
ssl_esock
port program is now part of the
distribution and thus does not have to be created
explicitely. It is dynamically linked to OpenSSL
libraries in a "standard" location (typically
/usr/local/lib
on UNIX; in the path on Win32).
OwnId:
OTP-4676
-
The new functions
ssl:peercert/1/2
provide information
from the certificate of a peer of a connection.
OwnId: OTP-4680
Aux Id: seq7688
-
The function
ssl:port/1
has been removed from the
documentation, but not from the ssl
interface module.
The recommendation is to use ssl:peername/1
instead, which provides both address and port of the peer.
OwnId: OTP-4681
-
New User's Guide documentation has been added.
OwnId: OTP-4682
-
The old
ssl_socket
interface has been removed and also
the documentation of it.
OwnId: OTP-4683
-
The use of ephemeral RSA keys is now supported. It is
a global configuration option (see the ssl(6) manual page).
OwnId: OTP-4691.
1.17.2 Fixed Bugs and Malfunctions
-
The option
cacertfile
is now in effect, and can
therefore no longer be set with the OS environment
variable SSL_CERT_FILE (which did set the same value for
all connections).
OwnId: OTP-3146
-
There was a syncronization error at closing of an SSL
connnection.
OwnId: OTP-4435
Aux Id: seq7534
-
C macros in
debuglog.c
were not ANSI C compliant.
OwnId: OTP-4674
-
The
binary
option was not properly handled.
OwnId: OTP-4678
-
The
ssl:format_error/1
did not consider inet
error codes, nor did it have a catch all for unknown error
codes.
OwnId: OTP-4679
1.17.3 Known Bugs and Problems
-
Change of controlling process in not OTP compliant.
OwnId; OTP-4712
-
There is still no way to restrict the cipher sizes.
OwnId: OTP-4712
-
The
keep_alive
and reuse_addr
options will be
added in a future release.
OwnId: OTP-4677
-
There is currently no way to restrict the SSL/TLS
protocol versions to use. In a future release this will be
supported as a configuration option, and as an option for
each connection as well.
OwnId: OTP-4711.
1.18 SSL 2.3.6
1.18.1 Fixed Bugs and Malfunctions
-
There was a synchronization error at closing, which could
result in that an SSL socket was removed prematurely, resulting
in that a user process referring to it received an unexpected
exit.
OwnId: OTP-4435
Aux Id: seq7600
1.18.2 Known Bugs and Problems
See SSL 2.2 .
1.19 SSL 2.3.5
1.19.1 Fixed Bugs and Malfunctions
-
Setting of the option `nodelay' caused the SSL port program
to dump core.
OwnId: OTP-4380
Aux Id: -
-
Setting of the option '{active, once}' in
setopts
was
wrong, causing a correct socket message to be regarded as
erroneous.
OwnId: OTP-4380
Aux Id: -
-
A self-signed peer certificate was always rejected with the
error `eselfsignedcert', irrespective of the `depth' value.
OwnId: OTP-4374
Aux Id: seq7417
1.19.2 Known Bugs and Problems
See SSL 2.2 .
1.20 SSL 2.3.4
1.20.1 Improvements and New Features
-
All TCP options allowed in gen_tcp, are now also allowed in
SSL, except the option
{reuseaddr, Boolean}
. A new
function getopts
has been added to the SSL interface
module ssl
.
OwnId: OTP-4305, OTP-4159
1.21 SSL 2.3.3
1.21.1 Fixed Bugs and Malfunctions
-
The roles of the SSLeay and OpenSSL packages has been
clarified in the ssl(6) application manual page. Also
the URLs from which to download SSLeay has been updated.
OwnId: OTP-4002
Aux Id: seq5269
-
A call to
ssl:listen(Port, Options)
with
Options = []
resulted in the cryptic {error,
ebadf}
return value. The return value has been changed
to {error, enooptions}
, and the behaviour has been
documented in the listen/2
function.
OwnId: OTP-4016
Aux Id: seq7006
-
Use of the option
{nodelay, boolean()}
crashed
the ssl_server
.
OwnId: OTP-4070
Aux Id:
-
A bug caused the Erlang distribution over ssl to fail.
This bug has now been fixed.
OwnId: OTP-4072
Aux Id:
-
On Windows when the SSL port program encountered an
error code not anticipated it crashed.
OwnId: OTP-4132
Aux Id:
1.22 SSL 2.3.2
1.22.1 Fixed Bugs and Malfunctions
-
The
ssl:accept/1-2
function sometimes returned
{error, {What, Where}}
instead of {error,
What}
, where What
is an atom.
OwnId: OTP-3775
Aux Id: seq4991
1.23 SSL 2.3.1
1.23.1 Fixed Bugs and Malfunctions
-
Sometimes the SSL portprogram would loop in an accept
loop, without terminating even when the SSL application
was stopped..
OwnId: OTP-3691
1.24 SSL 2.3
Functions have been added to SSL to experimentally support
Erlang distribution.
1.25 SSL 2.2.1
The 2.2.1 version of SSL provides code replacement in runtime
by upgrading from, or downgrading to, versions 2.1 and 2.2.
1.26 SSL 2.2
1.26.1 Improvements and New Features
-
The restriction that only the creator of an SSL socket can
read from and write to the socket has been lifted.
OwnId: OTP-3301
-
The option
{packet, cdr}
for SSL sockets has been added,
which means that SSL sockets also supports CDR encoded packets.
OwnId: OTP-3302
1.26.2 Known Bugs and Problems
-
Setting of a CA certificate file with the
cacertfile
option (in calls to ssl:accept/1/2
or
ssl:connect/3/4
) does not work due to weaknesses
in the SSLeay package.
A work-around is to set the OS environment variable
SSL_CERT_FILE
before SSL is started. However, then
the CA certificate file will be global for all connections.
OwnId: OTP-3146
-
When changing controlling process of an SSL socket, a
temporary process is started, which is not gen_server
compliant.
OwnId: OTP-3146
-
Although there is a
cache
timeout option, it is
silently ignored.
OwnId: OTP-3146
-
There is currently no way to restrict the cipher sizes.
OwnId: OTP-3146
1.27 SSL 2.1
1.27.1 Improvements and New Features
-
The set of possible error reasons has been extended to
contain diagnostics on erronous certificates and failures
to verify certificates.
OwnId: OTP-3145
-
The maximum number of simultaneous SSL connections on
Windows has been increased from 31 to 127.
OwnId: OTP-3145
1.27.2 Fixed Bugs and Malfunctions
-
A dead-lock occuring when write queues are not empty has
been removed.
OwnId: OTP-3145
-
Error reasons have been unified and changed.
(** POTENTIAL INCOMPATIBILITY **)
OwnId: OTP-3145
-
On Windows a check of the existence of the environment
variable
ERLSRV_SERVICE_NAME
has been added. If
that variable is defined, the port program of the SSL
application will not terminated when a user logs off.
OwnId: OTP-3145
-
An error in the setting of the
nodelay
option
has been corrected.
OwnId: OTP-3145
-
The confounded notions of verify mode and verify depth has
been corrected. The option
verifydepth
has been
removed, and the two separate options verify
and
depth
has been added.
(** POTENTIAL INCOMPATIBILITY **)
OwnId: OTP-3145
1.27.3 Known Bugs and Problems
-
Setting of a CA certificate file with the
cacertfile
option (in calls to ssl:accept/1/2
or
ssl:connect/3/4
) does not work due to weaknesses
in the SSLeay package.
A work-around is to set the OS environment variable
SSL_CERT_FILE
before SSL is started. However, then
the CA certificate file will be global for all connections.
OwnId: OTP-3146
-
When changing controlling process of an SSL socket, a
temporary process is started, which is not gen_server
compliant.
OwnId: OTP-3146
-
Although there is a
cache
timeout option, it is
silently ignored.
OwnId: OTP-3146
-
There is currently no way to restrict the cipher sizes.
OwnId: OTP-3146
1.28 SSL 2.0
A complete new version of SSL with separate I/O channels
for all connections with non-blocking I/O multiplexing.
ssl 3.1.1.1
Copyright © 1991-2007
Ericsson AB