Implement 'honor_cipher_order' SSL server-side option #111
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Patch has passed first testings and has been assigned to be reviewed |
|
Some review comments below; I think it would be preferable to have a function select_cipher_suite(CipherSuites, Suites, false) -> select_cipher_suite(CipherSuites, Suites); select_cipher_suite(CipherSuites, Suites, true) -> select_cipher_suite(Suites, CipherSuites). to adding a case clause, it provides better trace ability when using Erlang trace and I think makes the code easier to overview as details goes in the helper function. For backwards compatibility reasons OTP code is slow at adapting new OTP features. But it would be nice to use the guard is_boolean in validate_option. It would be ok if the patch changes all validate_option clauses that validates booleans. Test case must be added. |
* maint: erts: Add max alignment posix_memalign configure check
* maint: erts: Add cerl -dump and dumping in z_SUITE
Use observer for the gui part
Pick up --enable-m32-build and --enable-m64-build configure flags from the CONFIG_FLAGS environment variable and pass along to the ts configure script.
* rickard/ts_install_mXX_build: Teach ts_install --enable-mXX-build flag
This is not a clean refactor. It changes the behaviour slightly of E/WSTACK_RESTORE. The allocated stack from E/WSTACK_SAVE is used as-is and not copied into default_stack. This will hopefully fix an illusive memory leak that valgrind is reporting.
* RoadRunnr/ecdh_crypto: crypto: selective support for GF2m curves ssl: add brainpool elliptic curves to TLS (RFC-7027) public_key: add brainpool elliptic curves (RFC-5639) crypto: document ec_curves/0 and ec_curve/1 crypto: add brainpool (RFC 5639) curves crypto: move elitic curve definitions from OpenSSL built-ins to Erlang crypto: add ECDH test vectors for more curves OTP-11578
* fenollp/escript-doc-chmod: Add a chmod call in the CLI example OTP-11577
Because 26940a8 lifted code in the 'after' clause of 'try' to a new function, Dialyzer could produce false warnings for code such as: try ... after file:close(F) end. Mark the the call to the generated function as 'compiler_generated' to silence the warning.
* egil/fix-bs_get_integer/OTP-11581: erts: Fix bs_get_integer instruction
* egil/etp-commands/OTP-11582: erts: Update etp-commands with heap-dump
* bjorn/compiler/fix-lift-after/OTP-11580: compiler: Silence false warning for unmatched return in 'after' clause
* bjorn/fix-line-number-in-bs-exception/OTP-11572: compiler: Correct line number in exception from binary construction
* bjorn/compiler/optimizations/OTP-11584: Generalize optimizations of case statements Ignore warnings when running sys_core_fold after inlining
OTP-11585 * sverk/bin2term-int-size-estimation-bug: erts: Fix useless comparisons in binary_SUITE:external_size erts: Reduce heap usage for binary_SUITE:deep erts: Remove overestimation of heap space in binary_to_term
* sverk/jinterface/unicode-test-bug: jinterface: Fix unicode bug in test code
* rickard/consume_timeslice-testcase-fix: Fix testcase driver_SUITE:consume_timeslice
* sverk/term2bin-simplify: erts: Refactor ESTACK & WSTACK to use a struct easy to "export" erts: Fix benign ESTACK/WSTACK typo erts: Fix compiler warnings for NO_JUMP_TABLE erts: Run binary_SUITE:trapping even for 32bit erts: Extend binary_SUITE:ttb_trap to also cover binary_to_term erts: Remove the extra_root feature from the process structure erts: Simplify term_to_binary by removing saved ESTACK from root set
* josevalim/jv-console-i: Handle binary input in console helpers OTP-11589
* djc/tinfo-ncurses: Add support for the separate tinfo library from ncurses OTP-11590
* hawk/reltool_test_server: Adapted reltool test server to common test usage of tc_status
* hawk/reltool_undefined_regexp: Add missing default value for regexps in reltool It caused a function clause in lists:sort/1: OTP-11591 OTP-11592
…/OTP-11567' into maint * ia/ssl/server-name-indication-missing-option-validation/OTP-11567: ssl: Prepare for release ssl: Add missing options validation of server_name_indication
* ia/ssl/ECC-curve-selection/OTP-11575: ssl: Prepare for release ssl: fix elliptic curve selection in server mode
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This instructs the server to prefer its own cipher ordering rather than the client's and can help protect against things like BEAST while maintaining compatability with clients which only support older ciphers. This code is mostly written by Andrew Thompson, only the test case was added by Andreas Schultz.
|
I rebased this against master, and included Andreas' changes. Closing this PR in favor of one against master. |
|
Reworked as #201. |
sverker
pushed a commit
to sverker/otp
that referenced
this pull request
Dec 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
HonorCipherOrder as implemented in Apache, nginx, lighttpd, etc. This
instructs the server to prefer its own cipher ordering rather than the
client's and can help protect against things like BEAST while
maintaining compatability with clients which only support older ciphers.
Currently this branch does not include any tests, due to time constraints on my end, but I would appreciate a code review because we may ship this patch along with the next Riak release.