[erlang-patches] RFC: experimental TLS-1.2 support

Andreas Schultz
Sat Jun 2 15:48:20 CEST 2012


Hi,

I have a new version of the TLS-1.2 support for the SSL application.

The current state of my work can be found here:

  git fetch git://github.com/RoadRunnr/otp.git tls12-to-upstream

  https://github.com/RoadRunnr/otp/compare/dev...tls12-to-upstream

I have split all patches in the way we discussed last time. They should
be much more topic focused and easier to review now.

This version passes all ssl tests except for three tests. Two of those
(ssl_to_openssl_SUITE.erlang_server_openssl_client_no_wrap_sequence_number
and ssl2_erlang_server_openssl_client) are related to changes in newer
openssl versions and do occur with a vanilla master checkout as well.

ssl_to_openssl_SUITE.ciphers_dsa_signed_certs is IMHO an openssl bug.
Currently the client hello signature_algorithms extension is not sent.
The RFC allows that and prescribes what the server should do. Openssl,
instead of defaulting to sha1 as hash, tries to use DSA as hash, which
obviously will fail. It seems that they somehow mess up their defaults
when DSA ciphers are used; RSA works for some reason.
This is with openssl 1.0.1, newer versions might have fixed this.

Some things still need to be done:

Tests
=====

Most tests default to the highest available TLS version, however I believe
most should be run for lower versions as well. It might make sense to run
most of them for all supported TLS versions.

That change will require major surgery in the test suite.

Client Hello Signature Algorithms Extensions
============================================

The current default of simply not understanding this extension is allowed
by the RFC, so we should be compliant.

Understanding this extension is simple, applying the results to an ssl session
is not. The basics are there with the hash_sign field in the connection.
Hash selection actually works already, but the signature selection is not
there. I am not yet sure what it will require to implement this.


Andreas

-- 
Dipl. Inform.
Andreas Schultz

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
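
The server-side fallback the message refers to (RFC 5246, section 7.4.1.4.1), as an added example that is not code from the tls12-to-upstream branch or the OTP ssl application: it picks a {Hash, Sign} pair from a ClientHello extension block and falls back to sha1 when signature_algorithms is absent. The module name, function names, key-exchange atoms and error atoms are assumptions, and treating md5 as unsupported is this example's own policy.

```erlang
-module(sigalgs_example).
-export([hash_sign/2, demo/0]).

-define(SIGNATURE_ALGORITHMS_EXT, 13).   % extension type, RFC 5246 7.4.1.4.1

%% Extensions: raw ClientHello extension block without its own length prefix.
%% KeyExchange: example atom naming the key exchange of the chosen suite.
hash_sign(Extensions, KeyExchange) ->
    Sign = sign_for(KeyExchange),
    case find_ext(?SIGNATURE_ALGORITHMS_EXT, Extensions) of
        not_found ->
            %% Extension absent: act as if the client had sent {sha1, Sign}.
            {sha, Sign};
        {ok, <<Len:16, List:Len/binary>>} when Len >= 2, Len rem 2 =:= 0 ->
            choose([{hash(H), sign(S)} || <<H:8, S:8>> <= List], Sign);
        _ ->
            {error, decode_error}
    end.

%% First pair in client preference order that fits the server key type.
choose(Offered, Sign) ->
    case [HS || {H, S} = HS <- Offered, S =:= Sign, H =/= unsupported] of
        [First | _] -> First;
        []          -> {error, no_common_algorithm}
    end.

%% Walk the type/length/value list; truncated input is a decode error.
find_ext(_Type, <<>>) -> not_found;
find_ext(Type, <<T:16, Len:16, Data:Len/binary, Rest/binary>>) ->
    case T of
        Type -> {ok, Data};
        _    -> find_ext(Type, Rest)
    end;
find_ext(_Type, _) -> {error, decode_error}.

%% Wire values from RFC 5246; md5 (1) is rejected by this example's policy.
hash(2) -> sha; hash(3) -> sha224; hash(4) -> sha256;
hash(5) -> sha384; hash(6) -> sha512; hash(_) -> unsupported.
sign(1) -> rsa; sign(2) -> dsa; sign(3) -> ecdsa; sign(_) -> unsupported.

sign_for(rsa) -> rsa; sign_for(dhe_rsa) -> rsa; sign_for(dh_rsa) -> rsa;
sign_for(dhe_dss) -> dsa; sign_for(dh_dss) -> dsa;
sign_for(ecdhe_ecdsa) -> ecdsa; sign_for(ecdh_ecdsa) -> ecdsa.

demo() ->
    %% Constructed sample: a dummy type-0 extension, then signature_algorithms
    %% offering sha256/rsa, sha256/dsa and sha1/dsa.
    Exts = <<0:16, 2:16, 0, 0, 13:16, 8:16, 6:16, 4,1, 4,2, 2,2>>,
    {sha, dsa}    = hash_sign(<<>>, dhe_dss),   % no extension: sha1 default
    {sha256, dsa} = hash_sign(Exts, dhe_dss),
    {sha256, rsa} = hash_sign(Exts, dhe_rsa),
    {error, no_common_algorithm} = hash_sign(Exts, ecdhe_ecdsa),
    ok.
```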