author    Erlang/OTP <otp@erlang.org>  2023-03-21 13:23:19 +0100
committer Erlang/OTP <otp@erlang.org>  2023-03-21 13:23:19 +0100
commit    1cf126f91eb533783409da95b117207d8c13d9aa (patch)
tree      efb80e7e4849aedd6f96f56b742735d0900a86fa /lib/ssl
parent    65e4ce9fc89943cb47292084e650c957a6904a8d (diff)
Prepare release
Diffstat (limited to 'lib/ssl')
-rw-r--r--  lib/ssl/doc/src/notes.xml  141
-rw-r--r--  lib/ssl/src/ssl.app.src      4
-rw-r--r--  lib/ssl/vsn.mk               2
3 files changed, 144 insertions, 3 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index a36ac8d78d..fcaa8b6246 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -27,6 +27,147 @@
</header>
<p>This document describes the changes made to the SSL application.</p>
+<section><title>SSL 11.0</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Improved error checking and handling of ssl options.</p>
+ <p>
+ Own Id: OTP-15903</p>
+ </item>
+ <item>
+ <p>
+ With this change, stateless tickets generated by server
+ with anti_replay option enabled can be used for creating
+ ClientHello throughout ticket lifetime. Without this
+ change, usability was limited to WindowSize number of
+ seconds configured for anti_replay option.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-18168 Aux Id: PR-6019, GH-6014 </p>
+ </item>
+ <item>
+ <p> Support for Kernel TLS (kTLS), has been added to the
+ SSL application, for TLS distribution (<c>-proto_dist
+ inet_tls</c>), the SSL option <c>{ktls, true}</c>. Using
+ this for general SSL sockets is uncomfortable,
+ undocumented and not recommended since it requires very
+ platform dependent raw options. </p><p> This, for now,
+ only works for some not too old Linux distributions.
+ Roughly, a kernel 5.2.0 or later with support for
+ UserLand Protocols and the kernel module <c>tls</c> is
+ required. </p>
+ <p>
+ Own Id: OTP-18235 Aux Id: PR-6104, PR-5840 </p>
+ </item>
+ <item>
+ <p>
+ With this change, TLS 1.3 server can be configured to
+ include client certificate in session ticket.</p>
+ <p>
+ Own Id: OTP-18253</p>
+ </item>
+ <item>
+ <p>
+ With this change, it is possible to configure encryption
+ seed to be used with TLS1.3 stateless tickets. This
+ enables using tickets on different server instances.</p>
+ <p>
+ Own Id: OTP-18254 Aux Id: PR-5982 </p>
+ </item>
+ <item>
+ <p>
+ Debugging enhancements.</p>
+ <p>
+ Own Id: OTP-18312</p>
+ </item>
+ <item>
+ <p>
+ With this change, maybe keyword atom is not used as
+ function name in ssl code.</p>
+ <p>
+ Own Id: OTP-18335</p>
+ </item>
+ <item>
+ <p>
+ Replace size/1 with either tuple_size/1 or byte_size/1</p>
+ <p>
+ The <c>size/1</c> BIF is not optimized by the JIT, and
+ its use can result in worse types for Dialyzer.</p>
+ <p>
+ When one knows that the value being tested must be a
+ tuple, <c>tuple_size/1</c> should always be preferred.</p>
+ <p>
+ When one knows that the value being tested must be a
+ binary, <c>byte_size/1</c> should be preferred. However,
+ <c>byte_size/1</c> also accepts a bitstring (rounding up
+ size to a whole number of bytes), so one must make sure
+ that the call to <c>byte_size/</c> is preceded by a call
+ to <c>is_binary/1</c> to ensure that bitstrings are
+ rejected. Note that the compiler removes redundant calls
+ to <c>is_binary/1</c>, so if one is not sure whether
+ previous code had made sure that the argument is a
+ binary, it does not harm to add an <c>is_binary/1</c>
+ test immediately before the call to <c>byte_size/1</c>.</p>
+ <p>
+ Own Id: OTP-18405 Aux Id:
+ GH-6672,PR-6702,PR-6768,PR-6700,PR-6769,PR-6812,PR-6814 </p>
+ </item>
+ <item>
+ <p>
+ For security reasons remove support for SHA1 and DSA
+ algorithms from default values.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-18438 Aux Id: GH-6679 </p>
+ </item>
+ <item>
+ <p>
+ Mitigate memory usage from large certificate chains by
+ lowering the maximum handshake size. This should not
+ effect the common cases, if needed it can be configured
+ to a higher value.</p>
+ <p>
+ Own Id: OTP-18453</p>
+ </item>
+ <item>
+ <p>
+ Change the client default verify option to verify_peer.
+ Note that this makes it mandatory to also supply trusted
+ CA certificates or explicitly set verify to verify_none.
+ This also applies when using the so called anonymous test
+ cipher suites defined in TLS versions pre TLS-1.3.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-18455 Aux Id: GH-5899 </p>
+ </item>
+ <item>
+ <p>
+ Erlang distribution code in Kernel and SSL has been
+ refactored a bit to facilitate debugging and
+ re-usability, which shouldn't have any noticeable effects
+ on behaviour or performance.</p>
+ <p>
+ Own Id: OTP-18456</p>
+ </item>
+ <item>
+ <p>
+ Add encoding and decoding of use_srtp hello extension to
+ facilitate for DTLS users to implement SRTP
+ functionality.</p>
+ <p>
+ Own Id: OTP-18459</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>SSL 10.9</title>
<section><title>Fixed Bugs and Malfunctions</title>
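Review bot: several release-note items in this hunk carry wording defects that will ship in the rendered documentation and should be fixed before tagging: in the OTP-18405 item `<c>byte_size/</c>` is missing its arity and should read `<c>byte_size/1</c>`; in the OTP-18453 item "This should not effect the common cases" should be "affect", and that item names neither the new maximum handshake size nor the option used to raise it, which is exactly what an operator with a long certificate chain will need; the OTP-18254 item writes "TLS1.3" where the OTP-18253 item writes "TLS 1.3". The three items marked POTENTIAL INCOMPATIBILITY are the ones readers will act on, so the OTP-18455 item (client default now verify_peer) should name the option used to supply trusted CA certificates rather than only saying they must be supplied, and the OTP-18438 item should say which default values drop SHA1 and DSA so that users who must interoperate with legacy peers know which option to override rather than guessing.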
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index abc5d278a8..b9f69af6a3 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -88,6 +88,6 @@
{applications, [crypto, public_key, kernel, stdlib]},
{env, []},
{mod, {ssl_app, []}},
- {runtime_dependencies, ["stdlib-4.1","public_key-1.11.3","kernel-@OTP-18235@",
- "erts-@OTP-18248@","crypto-5.0", "inets-5.10.7",
+ {runtime_dependencies, ["stdlib-4.1","public_key-1.11.3","kernel-9.0",
+ "erts-14.0","crypto-5.0", "inets-5.10.7",
"runtime_tools-1.15.1"]}]}.
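Review bot: the `@OTP-18235@` and `@OTP-18248@` placeholders are resolved here to `kernel-9.0` and `erts-14.0`; confirm these are the minimum versions that actually contain the changes those ticket ids refer to (OTP-18235 is the kTLS distribution support listed in the notes.xml hunk above) and not just the versions shipping in this release, since `runtime_dependencies` is read as a lower bound by release handling and an over-tight bound blocks otherwise valid upgrades. While touching these two lines, the mixed `","` and `", "` separators could be normalised to one style.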
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index 7b821e2bc8..de283ec08a 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 10.9
+SSL_VSN = 11.0
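Review bot: the major bump from 10.9 to 11.0 is consistent with the three items flagged POTENTIAL INCOMPATIBILITY in the notes.xml hunk (anti_replay ticket lifetime, SHA1/DSA removed from defaults, client verify default changed to verify_peer), and the new `<section><title>SSL 11.0</title>` heading in notes.xml matches this value; the one thing to double-check is that any application whose `runtime_dependencies` lists `ssl-` is updated to `ssl-11.0` where it relies on the new behaviour, since nothing in this commit does that.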