-
Notifications
You must be signed in to change notification settings - Fork 3k
Implement 'honor_cipher_order' SSL server-side option #111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
|
Patch has passed first testings and has been assigned to be reviewed |
|
Some review comments below; I think it would be preferable to have a function select_cipher_suite(CipherSuites, Suites, false) -> select_cipher_suite(CipherSuites, Suites); select_cipher_suite(CipherSuites, Suites, true) -> select_cipher_suite(Suites, CipherSuites). to adding a case clause, it provides better trace ability when using Erlang trace and I think makes the code easier to overview as details goes in the helper function. For backwards compatibility reasons OTP code is slow at adapting new OTP features. But it would be nice to use the guard is_boolean in validate_option. It would be ok if the patch changes all validate_option clauses that validates booleans. Test case must be added. |
* maint: erts: Add max alignment posix_memalign configure check
* maint: erts: Add cerl -dump and dumping in z_SUITE
Use observer for the gui part
Pick up --enable-m32-build and --enable-m64-build configure flags from the CONFIG_FLAGS environment variable and pass along to the ts configure script.
* rickard/ts_install_mXX_build: Teach ts_install --enable-mXX-build flag
This is not a clean refactor. It changes the behaviour slightly of E/WSTACK_RESTORE. The allocated stack from E/WSTACK_SAVE is used as-is and not copied into default_stack. This will hopefully fix an illusive memory leak that valgrind is reporting.
* RoadRunnr/ecdh_crypto: crypto: selective support for GF2m curves ssl: add brainpool elliptic curves to TLS (RFC-7027) public_key: add brainpool elliptic curves (RFC-5639) crypto: document ec_curves/0 and ec_curve/1 crypto: add brainpool (RFC 5639) curves crypto: move elitic curve definitions from OpenSSL built-ins to Erlang crypto: add ECDH test vectors for more curves OTP-11578
* fenollp/escript-doc-chmod: Add a chmod call in the CLI example OTP-11577
Because 26940a8 lifted code in the 'after' clause of 'try' to a new function, Dialyzer could produce false warnings for code such as: try ... after file:close(F) end. Mark the the call to the generated function as 'compiler_generated' to silence the warning.
* egil/fix-bs_get_integer/OTP-11581: erts: Fix bs_get_integer instruction
* egil/etp-commands/OTP-11582: erts: Update etp-commands with heap-dump
* bjorn/compiler/fix-lift-after/OTP-11580: compiler: Silence false warning for unmatched return in 'after' clause
* bjorn/fix-line-number-in-bs-exception/OTP-11572: compiler: Correct line number in exception from binary construction
* bjorn/compiler/optimizations/OTP-11584: Generalize optimizations of case statements Ignore warnings when running sys_core_fold after inlining
OTP-11585 * sverk/bin2term-int-size-estimation-bug: erts: Fix useless comparisons in binary_SUITE:external_size erts: Reduce heap usage for binary_SUITE:deep erts: Remove overestimation of heap space in binary_to_term
* sverk/jinterface/unicode-test-bug: jinterface: Fix unicode bug in test code
* rickard/consume_timeslice-testcase-fix: Fix testcase driver_SUITE:consume_timeslice
* sverk/term2bin-simplify: erts: Refactor ESTACK & WSTACK to use a struct easy to "export" erts: Fix benign ESTACK/WSTACK typo erts: Fix compiler warnings for NO_JUMP_TABLE erts: Run binary_SUITE:trapping even for 32bit erts: Extend binary_SUITE:ttb_trap to also cover binary_to_term erts: Remove the extra_root feature from the process structure erts: Simplify term_to_binary by removing saved ESTACK from root set
* josevalim/jv-console-i: Handle binary input in console helpers OTP-11589
* djc/tinfo-ncurses: Add support for the separate tinfo library from ncurses OTP-11590
* hawk/reltool_test_server: Adapted reltool test server to common test usage of tc_status
* hawk/reltool_undefined_regexp: Add missing default value for regexps in reltool It caused a function clause in lists:sort/1: OTP-11591 OTP-11592
…/OTP-11567' into maint * ia/ssl/server-name-indication-missing-option-validation/OTP-11567: ssl: Prepare for release ssl: Add missing options validation of server_name_indication
* ia/ssl/ECC-curve-selection/OTP-11575: ssl: Prepare for release ssl: fix elliptic curve selection in server mode
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This instructs the server to prefer its own cipher ordering rather than the client's and can help protect against things like BEAST while maintaining compatability with clients which only support older ciphers. This code is mostly written by Andrew Thompson, only the test case was added by Andreas Schultz.
|
I rebased this against master, and included Andreas' changes. Closing this PR in favor of one against master. |
|
Reworked as #201. |
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This
instructs the server to prefer its own cipher ordering rather than the
client's and can help protect against things like BEAST while
maintaining compatability with clients which only support older ciphers.
Currently this branch does not include any tests, due to time constraints on my end, but I would appreciate a code review because we may ship this patch along with the next Riak release.