1 SSL Release Notes
This document describes the changes made to the SSL application.
1.1 SSL 2.2.1
The 2.2.1 version of SSL supports runtime code replacement when upgrading from, or downgrading to, versions 2.1 and 2.2.
1.2 SSL 2.2
1.2.1 Improvements and New Features
- The restriction that only the creator of an SSL socket can read from and write to the socket has been lifted.
OwnId: OTP-3301
- The option {packet, cdr} for SSL sockets has been added, which means that SSL sockets also support CDR encoded packets.
OwnId: OTP-3302
1.2.2 Known Bugs and Problems
- Setting of a CA certificate file with the cacertfile option (in calls to ssl:accept/1/2 or ssl:connect/3/4) does not work due to weaknesses in the SSLeay package.
A work-around is to set the OS environment variable SSL_CERT_FILE before SSL is started. However, then the CA certificate file will be global for all connections.
OwnId: OTP-3146
- When changing controlling process of an SSL socket, a temporary process is started, which is not gen_server compliant.
OwnId: OTP-3146
- Although there is a cachetimeout option, it is silently ignored.
OwnId: OTP-3146
- There is currently no way to restrict the cipher sizes.
OwnId: OTP-3146
1.3 SSL 2.1
1.3.1 Improvements and New Features
- The set of possible error reasons has been extended to contain diagnostics on erroneous certificates and failures to verify certificates.
OwnId: OTP-3145
- The maximum number of simultaneous SSL connections on Windows has been increased from 31 to 127.
OwnId: OTP-3145
1.3.2 Fixed Bugs and Malfunctions
- A deadlock occurring when write queues are not empty has been removed.
OwnId: OTP-3145
- Error reasons have been unified and changed.
(** POTENTIAL INCOMPATIBILITY **)
OwnId: OTP-3145
- On Windows a check of the existence of the environment variable ERLSRV_SERVICE_NAME has been added. If that variable is defined, the port program of the SSL application will not be terminated when a user logs off.
OwnId: OTP-3145
- An error in the setting of the nodelay option has been corrected.
OwnId: OTP-3145
- The confounded notions of verify mode and verify depth have been corrected. The option verifydepth has been removed, and the two separate options verify and depth have been added.
(** POTENTIAL INCOMPATIBILITY **)
OwnId: OTP-3145
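As an added example (not code from the OTP release notes or the ssl application itself), the Erlang module below opens a client connection using the separate verify and depth options introduced in SSL 2.1, the {packet, cdr} option added in SSL 2.2, and the SSL_CERT_FILE work-around described under Known Bugs, where the cacertfile option is reported to be ignored. The module name, the host, port and CA file arguments, the timeouts, and the meaning attributed to the numeric verify modes are assumptions made for illustration.

```erlang
%% Added example, not part of the OTP release notes. Demonstrates the
%% SSL 2.1 options {verify, Mode} and {depth, N} together with the
%% SSL 2.2 {packet, cdr} option. Host, port, CA file path, timeouts and
%% the verify-mode numbering are assumptions for illustration.
-module(ssl_verify_example).
-export([connect_verified/3, request/2]).

%% Verify modes as assumed for the old ssl application:
%%   0 = do not verify the peer
%%   1 = verify the peer if it presents a certificate
%%   2 = verify the peer and fail the handshake if it presents none
-define(VERIFY_REQUIRED, 2).

%% Depth limits how far up the chain verification may proceed:
%% peer certificate = 0, its issuing CA = 1, a higher-level CA = 2.
-define(MAX_DEPTH, 2).

%% Open a verified SSL connection to Host:Port, trusting only the
%% CAs in CaCertFile. The file is passed as the cacertfile option and,
%% because the Known Bugs entry says that option is ignored, also via
%% the SSL_CERT_FILE work-around, which must be in place before the
%% ssl application starts (the setting is then global for all
%% connections, as the release note warns).
connect_verified(Host, Port, CaCertFile) ->
    case os:getenv("SSL_CERT_FILE") of
        false -> true = os:putenv("SSL_CERT_FILE", CaCertFile);
        _Set  -> ok
    end,
    case ssl:start() of
        ok -> ok;
        {error, {already_started, ssl}} -> ok
    end,
    Opts = [binary,
            {active, false},
            {packet, cdr},               %% SSL 2.2: CDR-encoded packets
            {verify, ?VERIFY_REQUIRED},  %% SSL 2.1: verify mode
            {depth, ?MAX_DEPTH},         %% SSL 2.1: verify depth
            {cacertfile, CaCertFile}],
    %% ssl:connect/4 returns {ok, Socket} or {error, Reason}; with
    %% verify mode 2 an unverifiable peer certificate is an error.
    ssl:connect(Host, Port, Opts, 10000).

%% Send one packet and read one reply. Packet framing on receive is
%% handled by {packet, cdr}, so Length 0 yields a whole CDR packet; on
%% send, the caller's Data must already carry a correct CDR header.
request(Sock, Data) when is_binary(Data) ->
    ok = ssl:send(Sock, Data),
    Reply = ssl:recv(Sock, 0, 10000),   %% {ok, Packet} | {error, Reason}
    ok = ssl:close(Sock),
    Reply.
```

Usage: `{ok, S} = ssl_verify_example:connect_verified("example.invalid", 443, "/path/to/ca.pem")` followed by `ssl_verify_example:request(S, Packet)`. The point of the split options is that a caller can now demand a peer certificate (verify mode) independently of how long a chain it is willing to accept (depth); with the earlier combined verifydepth option those two decisions could not be expressed separately.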
1.3.3 Known Bugs and Problems
- Setting of a CA certificate file with the cacertfile option (in calls to ssl:accept/1/2 or ssl:connect/3/4) does not work due to weaknesses in the SSLeay package.
A work-around is to set the OS environment variable SSL_CERT_FILE before SSL is started. However, then the CA certificate file will be global for all connections.
OwnId: OTP-3146
- When changing controlling process of an SSL socket, a temporary process is started, which is not gen_server compliant.
OwnId: OTP-3146
- Although there is a cachetimeout option, it is silently ignored.
OwnId: OTP-3146
- There is currently no way to restrict the cipher sizes.
OwnId: OTP-3146
1.4 SSL 2.0
A completely new version of SSL with separate I/O channels for all connections and non-blocking I/O multiplexing.