… Yaws The requirement was added for the autotools (see ff01069), but not for Rebar. This was an oversight on my part.
The old certificat was signed with sha256WithRSAEncryption algorithm, which is not supported by Erlang releases older than R15B01. So the testsuite failed on these releases. The new certificate is signed with sha1WithRSAEncryption.
And update the testsuite accordingly.
Stacktraces have a dump of arguments for function calls nowadays. Without escaping HTML special characters, it is possible to make yaws_outmod:crashmsg/3 dump strings containing something like "</pre><script>alert('Hello, XSS!')</script>" and thus results in a XSS vulnerability.
… to path
For rebar builds, rather than treating ibrowse as a normal dependency even though it's used only for testing, make rebar.config.script check for the existence of a .rebar/YAWS_DEV_MODE file and only if present, add ibrowse as a dependency. This allows projects that use Yaws as a rebar dependency to avoid having to pull in ibrowse. (Credit goes to Seth Falcon for this idea; he added something like this to the Basho webmachine project for a test-only dependency there, and I borrowed his idea for Yaws.)
* Don't ignore SSL protocol_version in embedded mode * Stop setting global default SSL protocol_version * Warning that R16B01 is required to SSL protocol_version After testing R14B02+ with `application:set_env(ssl, protocol_version, X)` and passing `versions` to `ssl:listen`, it looks like only R16B01+ follows the settings. References: - https://travis-ci.org/capflam/otp-ssl-test/builds/44369449 - http://erlang.org/pipermail/erlang-questions/2014-October/081388.html - #192 Fix pull request #193