File: notes.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- This document was generated using DocBuilder 3.3.2 -->
<HTML>
<HEAD>
  <TITLE>SSL Release Notes
</TITLE>
  <SCRIPT type="text/javascript" src="../../../../doc/erlresolvelinks.js">
</SCRIPT>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#FF00FF"
      ALINK="#FF0000">
<CENTER>
<A HREF="http://www.erlang.se"><IMG BORDER=0 ALT="[Ericsson AB]" SRC="min_head.gif"></A>
</CENTER>
<A NAME="1"><!-- Empty --></A>
<H2>1 SSL Release Notes
</H2>

<P>This document describes the changes made to the SSL application.

<A NAME="1.1"><!-- Empty --></A>
<H3>1.1 Ssl 3.0.4</H3>
<A NAME="1.1.1"><!-- Empty --></A>
<H4>1.1.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         <CODE>ssl:recv/3</CODE> with a finite timeout value closed the
         connection when the timeout expired.
<BR>

         Own Id: OTP-4882
<BR>


</LI>


</UL>
<A NAME="1.2"><!-- Empty --></A>
<H3>1.2 Ssl 3.0.3</H3>
<A NAME="1.2.1"><!-- Empty --></A>
<H4>1.2.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         When a file descriptor was marked for closing, and an
         end-of-file condition had already been detected, the file
         descriptor was never closed.
<BR>

         Own Id: OTP-5093 Aux Id: seq8806 
<BR>


</LI>


<LI>
         When the number of open file descriptors reached
         FD_SETSIZE, the SSL port program entered a busy loop.
<BR>

         Own Id: OTP-5094 Aux Id: seq8806 
<BR>


</LI>


</UL>
<A NAME="1.2.2"><!-- Empty --></A>
<H4>1.2.2 Improvements and New Features</H4>

<P>
<UL>

<LI>
         The SSL application now supports SSL sessions for
         servers, which typically speeds up HTTP requests from
         browsers.
<BR>

         Own Id: OTP-5095
<BR>


</LI>


</UL>
<A NAME="1.3"><!-- Empty --></A>
<H3>1.3 SSL 3.0.2</H3>
<A NAME="1.3.1"><!-- Empty --></A>
<H4>1.3.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         The UTF8String type is now defined in asn1-1.4.4.2 and
         later. Therefore the definitions of UTF8String have been
         removed from the ASN.1 modules PKIX1Explicit88.asn1 and
         PKIXAttributeCertificate.asn1. The SSL application can now
         only be built using asn1-1.4.4.2 or later.
         <BR>
OwnId: OTP-4971.
        <BR>

</LI>


</UL>
<A NAME="1.3.2"><!-- Empty --></A>
<H4>1.3.2 Known Bugs and Problems</H4>

<P>See SSL-3.0.

<A NAME="1.4"><!-- Empty --></A>
<H3>1.4 SSL 3.0.1</H3>
<A NAME="1.4.1"><!-- Empty --></A>
<H4>1.4.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         An unexpected object identifier would crash <CODE>ssl:peercert</CODE>. 
         <BR>
OwnId: OTP-4771.
        <BR>

</LI>


</UL>
<A NAME="1.4.2"><!-- Empty --></A>
<H4>1.4.2 Known Bugs and Problems</H4>

<P>See SSL-3.0.

<A NAME="1.5"><!-- Empty --></A>
<H3>1.5 SSL 3.0</H3>
<A NAME="1.5.1"><!-- Empty --></A>
<H4>1.5.1 Improvements and New Features</H4>

<P>
<UL>

<LI>
         The <CODE>cache_timout</CODE> option was silently ignored. It
         relates to SSL sessions, where multiple connections can share
         a session. Since the Erlang SSL application does not support
         sessions, the option is still ignored, and consequently the
         documentation about it has been removed.
         <BR>
OwnId: OTP-3146
        <BR>

</LI>


<LI>
         The Erlang SSL application is now based on OpenSSL version
         0.9.7a. OpenSSL 0.9.6 should also work.
         <BR>
OwnId: OTP-4002
        <BR>

</LI>


<LI>
         When connecting it is now possible to bind to a local address
         and local port. 
         <BR>
OwnId: OTP-4675
        <BR>

</LI>


<LI>
         The <CODE>ssl_esock</CODE> port program is now part of the
         distribution and thus does not have to be created
         explicitly. It is dynamically linked to OpenSSL
         libraries in a &#34;standard&#34; location (typically
         <CODE>/usr/local/lib</CODE> on UNIX; in the path on Win32).
         <BR>
OwnId:
         OTP-4676
        <BR>

</LI>


<LI>
         The new functions <CODE>ssl:peercert/1/2</CODE> provide information
         from the certificate of a peer of a connection.
         <BR>
OwnId: OTP-4680 
         <BR>
Aux Id: seq7688
        <BR>

</LI>


<LI>
         The function <CODE>ssl:port/1</CODE> has been removed from the 
         documentation, but not from the <CODE>ssl</CODE> interface module. 
         The recommendation is to use <CODE>ssl:peername/1</CODE>
         instead, which provides both address and port of the peer.
         <BR>
OwnId: OTP-4681 
        <BR>

</LI>


<LI>
         New User's Guide documentation has been added.
         <BR>
OwnId: OTP-4682 
        <BR>

</LI>


<LI>
         The old <CODE>ssl_socket</CODE> interface has been removed and also
         the documentation of it. 
         <BR>
OwnId: OTP-4683 
        <BR>

</LI>


<LI>
         The use of ephemeral RSA keys is now supported. It is
         a global configuration option (see the ssl(6) manual page).
         <BR>
OwnId: OTP-4691.
        <BR>

</LI>


</UL>
<A NAME="1.5.2"><!-- Empty --></A>
<H4>1.5.2 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         The option <CODE>cacertfile</CODE> is now in effect, and can
         therefore no longer be set with the OS environment
         variable SSL_CERT_FILE (which did set the same value for
         all connections). 
         <BR>
OwnId: OTP-3146
        <BR>

</LI>


<LI>
         There was a synchronization error at closing of an SSL
         connection.
         <BR>
OwnId: OTP-4435
         <BR>
Aux Id: seq7534
        <BR>

</LI>


<LI>
         C macros in <CODE>debuglog.c</CODE> were not ANSI C compliant.
         <BR>
OwnId: OTP-4674
        <BR>

</LI>


<LI>
         The <CODE>binary</CODE> option was not properly handled.
         <BR>
OwnId: OTP-4678
        <BR>

</LI>


<LI>
         The <CODE>ssl:format_error/1</CODE> did not consider <CODE>inet</CODE>
         error codes, nor did it have a catch all for unknown error
         codes.
         <BR>
OwnId: OTP-4679
        <BR>

</LI>


</UL>
<A NAME="1.5.3"><!-- Empty --></A>
<H4>1.5.3 Known Bugs and Problems</H4>

<P>
<UL>

<LI>
         Change of controlling process is not OTP compliant.
         <BR>
OwnId: OTP-4712
        <BR>

</LI>


<LI>
         There is still no way to restrict the cipher sizes. 
         <BR>
OwnId: OTP-4712
        <BR>

</LI>


<LI>
         The <CODE>keep_alive</CODE> and <CODE>reuse_addr</CODE> options will be
         added in a future release. 
         <BR>
OwnId: OTP-4677
        <BR>

</LI>


<LI>
         There is currently no way to restrict the SSL/TLS
         protocol versions to use. In a future release this will be
         supported as a configuration option, and as an option for
         each connection as well. 
         <BR>
OwnId: OTP-4711.
        <BR>

</LI>


</UL>
<A NAME="1.6"><!-- Empty --></A>
<H3>1.6 SSL 2.3.6</H3>
<A NAME="1.6.1"><!-- Empty --></A>
<H4>1.6.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         There was a synchronization error at closing, which could
         result in an SSL socket being removed prematurely, so that
         a user process referring to it received an unexpected
         exit.
         <BR>
OwnId: OTP-4435
         <BR>
Aux Id: seq7600
        <BR>

</LI>


</UL>
<A NAME="1.6.2"><!-- Empty --></A>
<H4>1.6.2 Known Bugs and Problems</H4>

<P>See SSL 2.2.
<A NAME="1.7"><!-- Empty --></A>
<H3>1.7 SSL 2.3.5</H3>
<A NAME="1.7.1"><!-- Empty --></A>
<H4>1.7.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         Setting of the option `nodelay' caused the SSL port program
         to dump core.
         <BR>
OwnId: OTP-4380
         <BR>
Aux Id: -
<BR>

</LI>


<LI>
         Setting of the option '{active, once}' in <CODE>setopts</CODE> was 
         wrong, causing a correct socket message to be regarded as
         erroneous. 
         <BR>
OwnId: OTP-4380 
         <BR>
Aux Id: -
<BR>

</LI>


<LI>
         A self-signed peer certificate was always rejected with the
         error `eselfsignedcert', irrespective of the `depth' value. 
         <BR>
OwnId: OTP-4374
         <BR>
Aux Id: seq7417
<BR>

</LI>


</UL>
<A NAME="1.7.2"><!-- Empty --></A>
<H4>1.7.2 Known Bugs and Problems</H4>

<P>See SSL 2.2.
<A NAME="1.8"><!-- Empty --></A>
<H3>1.8 SSL 2.3.4</H3>
<A NAME="1.8.1"><!-- Empty --></A>
<H4>1.8.1 Improvements and New Features</H4>

<P>
<UL>

<LI>
         All TCP options allowed in gen_tcp are now also allowed in
         SSL, except the option <CODE>{reuseaddr, Boolean}</CODE>. A new
         function <CODE>getopts</CODE> has been added to the SSL interface
         module <CODE>ssl</CODE>.
         <BR>

                 OwnId: OTP-4305, OTP-4159
         <BR>


</LI>


</UL>
<A NAME="1.9"><!-- Empty --></A>
<H3>1.9 SSL 2.3.3</H3>
<A NAME="1.9.1"><!-- Empty --></A>
<H4>1.9.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         The roles of the SSLeay and OpenSSL packages have been
         clarified in the ssl(6) application manual page. Also
         the URLs from which to download SSLeay have been updated.
         <BR>
OwnId: OTP-4002
         <BR>
Aux Id: seq5269
<BR>

</LI>


<LI>
         A call to <CODE>ssl:listen(Port, Options)</CODE> with
         <CODE>Options = []</CODE> resulted in the cryptic <CODE>{error,
         ebadf}</CODE> return value. The return value has been changed
         to <CODE>{error, enooptions}</CODE>, and the behaviour has been
         documented in the <CODE>listen/2</CODE> function.
         <BR>
OwnId: OTP-4016 
         <BR>
Aux Id: seq7006
<BR>

</LI>


<LI>
         Use of the option <CODE>{nodelay, boolean()}</CODE> crashed
         the <CODE>ssl_server</CODE>.
         <BR>
OwnId: OTP-4070
         <BR>
Aux Id:
<BR>

</LI>


<LI>
         A bug caused the Erlang distribution over ssl to fail.
         This bug has now been fixed.
         <BR>
OwnId: OTP-4072
         <BR>
Aux Id:
<BR>

</LI>


<LI>
         On Windows, the SSL port program crashed when it encountered
         an unanticipated error code.
         <BR>
OwnId: OTP-4132
         <BR>
Aux Id:
<BR>

</LI>


</UL>
<A NAME="1.10"><!-- Empty --></A>
<H3>1.10 SSL 2.3.2</H3>
<A NAME="1.10.1"><!-- Empty --></A>
<H4>1.10.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         The <CODE>ssl:accept/1-2</CODE> function sometimes returned
         <CODE>{error, {What, Where}}</CODE> instead of <CODE>{error,
         What}</CODE>, where <CODE>What</CODE> is an atom. 
         <BR>
OwnId: OTP-3775
         <BR>
Aux Id: seq4991
<BR>

</LI>


</UL>
<A NAME="1.11"><!-- Empty --></A>
<H3>1.11 SSL 2.3.1</H3>
<A NAME="1.11.1"><!-- Empty --></A>
<H4>1.11.1 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
         Sometimes the SSL port program would loop in an accept
         loop, without terminating even when the SSL application
         was stopped.
         <BR>
OwnId: OTP-3691
<BR>

</LI>


</UL>
<A NAME="1.12"><!-- Empty --></A>
<H3>1.12 SSL 2.3</H3>

<P>Functions have been added to SSL to experimentally support 
Erlang distribution.

<A NAME="1.13"><!-- Empty --></A>
<H3>1.13 SSL 2.2.1</H3>

<P>The 2.2.1 version of SSL provides code replacement in runtime
by upgrading from, or downgrading to, versions 2.1 and 2.2.

<A NAME="1.14"><!-- Empty --></A>
<H3>1.14 SSL 2.2</H3>
<A NAME="1.14.1"><!-- Empty --></A>
<H4>1.14.1 Improvements and New Features</H4>

<P>
<UL>

<LI>
         The restriction that only the creator of an SSL socket can
         read from and write to the socket has been lifted.
         <BR>
OwnId: OTP-3301
        <BR>

</LI>


<LI>
         The option <CODE>{packet, cdr}</CODE> for SSL sockets has been added,
         which means that SSL sockets also support CDR encoded packets.
         <BR>
OwnId: OTP-3302
<BR>

</LI>


</UL>
<A NAME="1.14.2"><!-- Empty --></A>
<H4>1.14.2 Known Bugs and Problems</H4>

<P>
<UL>

<LI>
 Setting of a CA certificate file with the <CODE>cacertfile</CODE>
         option (in calls to <CODE>ssl:accept/1/2</CODE> or 
         <CODE>ssl:connect/3/4</CODE>) does not work due to weaknesses
         in the SSLeay package. 
         <BR>
A work-around is to set the OS environment variable
         <CODE>SSL_CERT_FILE</CODE> before SSL is started. However, then
         the CA certificate file will be global for all connections.
         <BR>
OwnId: OTP-3146
        <BR>

</LI>


<LI>
         When changing controlling process of an SSL socket, a 
         temporary process is started, which is not gen_server
         compliant.
         <BR>
OwnId: OTP-3146
        <BR>

</LI>


<LI>
         Although there is a <CODE>cache</CODE> timeout option, it is
         silently ignored.
         <BR>
OwnId: OTP-3146
<BR>

</LI>


<LI>
 There is currently no way to restrict the cipher sizes.
         <BR>
OwnId: OTP-3146
<BR>

</LI>


</UL>
<A NAME="1.15"><!-- Empty --></A>
<H3>1.15 SSL 2.1</H3>
<A NAME="1.15.1"><!-- Empty --></A>
<H4>1.15.1 Improvements and New Features</H4>

<P>
<UL>

<LI>
         The set of possible error reasons has been extended to
         contain diagnostics on erroneous certificates and failures
         to verify certificates.
         <BR>
OwnId: OTP-3145
        <BR>

</LI>


<LI>
         The maximum number of simultaneous SSL connections on
         Windows has been increased from 31 to 127.
         <BR>
OwnId: OTP-3145
<BR>

</LI>


</UL>
<A NAME="1.15.2"><!-- Empty --></A>
<H4>1.15.2 Fixed Bugs and Malfunctions</H4>

<P>
<UL>

<LI>
 A dead-lock occurring when write queues are not empty has
         been removed.
         <BR>
OwnId: OTP-3145
<BR>

</LI>


<LI>
 Error reasons have been unified and changed.
         <BR>
(** POTENTIAL INCOMPATIBILITY **)
         <BR>
OwnId: OTP-3145
<BR>

</LI>


<LI>
 On Windows a check of the existence of the environment
         variable <CODE>ERLSRV_SERVICE_NAME</CODE> has been added. If
         that variable is defined, the port program of the SSL
         application will not be terminated when a user logs off.
         <BR>
OwnId: OTP-3145
<BR>

</LI>


<LI>
 An error in the setting of the <CODE>nodelay</CODE> option 
         has been corrected.
         <BR>
OwnId: OTP-3145
<BR>

</LI>


<LI>
 The confounded notions of verify mode and verify depth have
         been corrected. The option <CODE>verifydepth</CODE> has been
         removed, and the two separate options <CODE>verify</CODE> and
         <CODE>depth</CODE> have been added.
         <BR>
(** POTENTIAL INCOMPATIBILITY **)
         <BR>
OwnId: OTP-3145
<BR>

</LI>


</UL>
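<P>The separate <CODE>verify</CODE> and <CODE>depth</CODE> options above, together with
<CODE>cacertfile</CODE> and <CODE>ssl:peercert/1</CODE> from the SSL 3.0 notes, are what a
client uses to actually check the server it talks to. The module below is an added
example written for these notes; it is not code from the release notes or from the OTP
ssl application. It assumes the option forms of the ssl application of this era,
namely <CODE>{verify, 0|1|2}</CODE> (2 = verify the peer and fail if it presents no
certificate), <CODE>{depth, N}</CODE>, <CODE>{cacertfile, Path}</CODE>, and that
<CODE>ssl:peercert/1</CODE> returns the peer certificate as a DER binary. The host, port
and CA file path are placeholders supplied by the caller.

```erlang
%% verified_client.erl: added example, not part of the OTP ssl application.
%% Opens a client connection that rejects any peer whose certificate does
%% not chain to a CA in CaFile, then reports who the peer is.
-module(verified_client).
-export([connect/3]).

%% Host :: string(), Port :: integer(), CaFile :: path to the trusted CA file.
%% Returns {ok, Info} on a verified connection, or {error, Reason, Text}.
connect(Host, Port, CaFile) ->
    ok = ensure_started(ssl),
    Opts = [binary,
            {active, false},
            {verify, 2},          % assumed: verify peer, fail if no certificate
            {depth, 1},           % assumed: allow at most one CA above the peer
            {cacertfile, CaFile}],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Socket} ->
            Result = inspect_peer(Socket),
            ok = ssl:close(Socket),
            Result;
        {error, Reason} ->
            %% ssl:format_error/1 turns the error atom into readable text;
            %% a verification failure shows up here, not as an open socket.
            {error, Reason, ssl:format_error(Reason)}
    end.

%% Read the peer's certificate and address once the handshake has succeeded.
inspect_peer(Socket) ->
    case ssl:peercert(Socket) of
        {ok, DerCert} when is_binary(DerCert) ->
            {ok, Peer} = ssl:peername(Socket),
            {ok, [{peer, Peer}, {cert_der_bytes, size(DerCert)}]};
        {error, Reason} ->
            {error, Reason, ssl:format_error(Reason)}
    end.

%% Start an application unless it is already running.
ensure_started(App) ->
    case application:start(App) of
        ok -> ok;
        {error, {already_started, App}} -> ok;
        Other -> Other
    end.
```

With <CODE>{verify, 2}</CODE> a peer that presents no certificate, or one that does not
chain to <CODE>CaFile</CODE> within the configured <CODE>depth</CODE>, never reaches
<CODE>inspect_peer/1</CODE>; the connect call itself fails. Leaving <CODE>verify</CODE> at
its default of 0 would accept any peer, which is the setting to look for when reviewing
client code written against this version of the application.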
<A NAME="1.15.3"><!-- Empty --></A>
<H4>1.15.3 Known Bugs and Problems</H4>

<P>
<UL>

<LI>
 Setting of a CA certificate file with the <CODE>cacertfile</CODE>
         option (in calls to <CODE>ssl:accept/1/2</CODE> or 
         <CODE>ssl:connect/3/4</CODE>) does not work due to weaknesses
         in the SSLeay package. 
         <BR>
A work-around is to set the OS environment variable
         <CODE>SSL_CERT_FILE</CODE> before SSL is started. However, then
         the CA certificate file will be global for all connections.
         <BR>
OwnId: OTP-3146
        <BR>

</LI>


<LI>
         When changing controlling process of an SSL socket, a 
         temporary process is started, which is not gen_server
         compliant.
         <BR>
OwnId: OTP-3146
        <BR>

</LI>


<LI>
         Although there is a <CODE>cache</CODE> timeout option, it is
         silently ignored.
         <BR>
OwnId: OTP-3146
<BR>

</LI>


<LI>
 There is currently no way to restrict the cipher sizes.
         <BR>
OwnId: OTP-3146
<BR>

</LI>


</UL>
<A NAME="1.16"><!-- Empty --></A>
<H3>1.16 SSL 2.0</H3>

<P>A complete new version of SSL with separate I/O channels
for all connections with non-blocking I/O multiplexing.
<CENTER>
<HR>
<SMALL>
Copyright &copy; 1991-2004
<A HREF="http://www.erlang.se">Ericsson AB</A><BR>
</SMALL>
</CENTER>
</BODY>
</HTML>