author | Loïc Hoguin <[email protected]> | 2020-06-25 13:45:04 +0200 |
---|---|---|
committer | Loïc Hoguin <[email protected]> | 2020-06-25 13:45:04 +0200 |
commit | a1e85d3b8d686af2f09f324112baf07bcc472e4c (patch) | |
tree | 366c72e134212b2eeff20bd733465b4b21e9186b | |
parent | e7feea1ec8a65311f9da998605031df77e5d26ea (diff) | |
More Ranch 2.0 doc updates
-rw-r--r-- | docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc | 2 | ||||
-rw-r--r-- | docs/en/ranch/2.0/guide/migrating_from_1.7/index.html | 2 | ||||
-rw-r--r-- | docs/en/ranch/2.0/manual/ranch_ssl/index.html | 24 | ||||
-rw-r--r-- | docs/index.xml | 2 | ||||
-rw-r--r-- | index.xml | 2 |
5 files changed, 26 insertions, 6 deletions
diff --git a/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc b/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc index d10d1fdf..3ed6d85d 100644 --- a/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc +++ b/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc @@ -160,4 +160,4 @@ for Erlang/OTP 19 and 20 has been removed. `ssl:ssl_accept/1,2`. * The `ranch_ssl:ssl_opt()` type has been updated to conform - with Erlang/OTP 22.0. + with Erlang/OTP 23.0. diff --git a/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html b/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html index c943efae..186d66a8 100644 --- a/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html +++ b/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html @@ -138,7 +138,7 @@ </li> <li>Ranch now calls <code>ssl:handshake/1,2,3</code> instead of <code>ssl:ssl_accept/1,2</code>. </li> -<li>The <code>ranch_ssl:ssl_opt()</code> type has been updated to conform with Erlang/OTP 22.0. +<li>The <code>ranch_ssl:ssl_opt()</code> type has been updated to conform with Erlang/OTP 23.0. </li> </ul> diff --git a/docs/en/ranch/2.0/manual/ranch_ssl/index.html b/docs/en/ranch/2.0/manual/ranch_ssl/index.html index f6999be8..fa3b11ad 100644 --- a/docs/en/ranch/2.0/manual/ranch_ssl/index.html +++ b/docs/en/ranch/2.0/manual/ranch_ssl/index.html 
@@ -92,6 +92,7 @@ by Lorenzo Bettini http://www.lorenzobettini.it http://www.gnu.org/software/src-highlite --> <pre><tt><b><font color="#000000">ssl_opt</font></b>() <font color="#990000">=</font> {<font color="#FF6600">alpn_preferred_protocols</font>, [<b><font color="#000080">binary</font></b>()]} + | {<font color="#FF6600">anti_replay</font>, <font color="#FF6600">'10k'</font> | <font color="#FF6600">'100k'</font> | {<b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>()}} | {<font color="#FF6600">beast_mitigation</font>, <font color="#FF6600">one_n_minus_one</font> | <font color="#FF6600">zero_n</font> | <font color="#FF6600">disabled</font>} | {<font color="#FF6600">cacertfile</font>, <b><font color="#000000">file:filename</font></b>()} | {<font color="#FF6600">cacerts</font>, [<b><font color="#000000">public_key:der_encoded</font></b>()]} 
@@ -104,17 +105,19 @@ http://www.gnu.org/software/src-highlite --> | {<font color="#FF6600">depth</font>, <b><font color="#000080">integer</font></b>()} | {<font color="#FF6600">dh</font>, <b><font color="#000080">binary</font></b>()} | {<font color="#FF6600">dhfile</font>, <b><font color="#000000">file:filename</font></b>()} - | {<font color="#FF6600">eccs</font>, [<b><font color="#000080">atom</font></b>()]} + | {<font color="#FF6600">eccs</font>, [<b><font color="#000000">ssl:named_curve</font></b>()]} | {<font color="#FF6600">fail_if_no_peer_cert</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">handshake</font>, <font color="#FF6600">hello</font> | <font color="#FF6600">full</font>} | {<font color="#FF6600">hibernate_after</font>, <b><font color="#000000">timeout</font></b>()} | {<font color="#FF6600">honor_cipher_order</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">honor_ecc_order</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">key</font>, <b><font color="#000000">ssl:key</font></b>()} + | {<font color="#FF6600">key_update_at</font>, <b><font color="#000000">pos_integer</font></b>()} | {<font color="#FF6600">keyfile</font>, <b><font color="#000000">file:filename</font></b>()} | {<font color="#FF6600">log_alert</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">log_level</font>, <b><font color="#000000">logger:level</font></b>()} | {<font color="#FF6600">max_handshake_size</font>, <b><font color="#000080">integer</font></b>()} + | {<font color="#FF6600">middlebox_comp_mode</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">next_protocols_advertised</font>, [<b><font color="#000080">binary</font></b>()]} | {<font color="#FF6600">padding_check</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">partial_chain</font>, <b><font color="#0000FF">fun</font></b>()} 
@@ -124,10 +127,12 @@ http://www.gnu.org/software/src-highlite --> | {<font color="#FF6600">reuse_session</font>, <b><font color="#0000FF">fun</font></b>()} | {<font color="#FF6600">reuse_sessions</font>, <b><font color="#000000">boolean</font></b>()} | {<font color="#FF6600">secure_renegotiate</font>, <b><font color="#000000">boolean</font></b>()} + | {<font color="#FF6600">session_tickets</font>, <font color="#FF6600">disabled</font> | <font color="#FF6600">stateful</font> | <font color="#FF6600">stateless</font>} | {<font color="#FF6600">signature_algs</font>, [{<b><font color="#000000">ssl:hash</font></b>(), <b><font color="#000000">ssl:sign_algo</font></b>()}]} - | {<font color="#FF6600">signature_algs_cert</font>, [<b><font color="#000080">atom</font></b>()]} + | {<font color="#FF6600">signature_algs_cert</font>, [<b><font color="#000000">ssl:sign_scheme</font></b>()]} | {<font color="#FF6600">sni_fun</font>, <b><font color="#0000FF">fun</font></b>()} | {<font color="#FF6600">sni_hosts</font>, [{<b><font color="#000000">string</font></b>(), <b><font color="#000000">ssl_opt</font></b>()}]} + | {<font color="#FF6600">supported_groups</font>, [<b><font color="#000000">ssl:group</font></b>()]} | {<font color="#FF6600">user_lookup_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}} | {<font color="#FF6600">verify</font>, <font color="#FF6600">verify_none</font> | <font color="#FF6600">verify_peer</font>} | {<font color="#FF6600">verify_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}} 
@@ -139,6 +144,9 @@ http://www.gnu.org/software/src-highlite --> <dl><dt>alpn_preferred_protocols</dt> <dd><p>Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.</p> </dd> +<dt>anti_replay</dt> +<dd><p>Configures the server's built-in anti replay feature based on Bloom filters.</p> +</dd> <dt>beast_mitigation (one_n_minus_one)</dt> <dd><p>Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.</p> </dd> @@ -197,6 +205,9 @@ http://www.gnu.org/software/src-highlite --> <dt>key</dt> <dd><p>DER encoded user private key.</p> </dd> +<dt>key_update_at</dt> +<dd><p>Configures the maximum amount of bytes that can be sent on a TLS 1.3 connection before an automatic key update is performed.</p> +</dd> <dt>keyfile</dt> <dd><p>Path to the PEM encoded private key file, if different from the certfile.</p> </dd> @@ -209,6 +220,9 @@ http://www.gnu.org/software/src-highlite --> <dt>max_handshake_size (256*1024)</dt> <dd><p>Used to limit the size of valid TLS handshake packets to avoid DoS attacks.</p> </dd> +<dt>middlebox_comp_mode (true)</dt> +<dd><p>Configures the middlebox compatibility mode on a TLS 1.3 connection.</p> +</dd> <dt>next_protocols_advertised</dt> <dd><p>List of protocols to send to the client if it supports the Next Protocol extension.</p> </dd> @@ -236,6 +250,9 @@ http://www.gnu.org/software/src-highlite --> <dt>secure_renegotiate (false)</dt> <dd><p>Whether to reject renegotiation attempts that do not conform to RFC5746.</p> </dd> +<dt>session_tickets</dt> +<dd><p>Configures the session ticket functionality.</p> +</dd> <dt>signature_algs</dt> <dd><p>The TLS signature algorithm extension may be used, from TLS 1.2, to negotiate which signature algorithm to use during the TLS handshake.</p> </dd> 
@@ -248,6 +265,9 @@ http://www.gnu.org/software/src-highlite --> <dt>sni_hosts</dt> <dd><p>Options to apply for the host that matches what the client requested with Server Name Indication.</p> </dd> +<dt>supported_groups([x25519, x448, secp256r1, secp384r1])</dt> +<dd><p>TLS 1.3 introduces the <code>supported_groups</code> extension that is used for negotiating the Diffie-Hellman parameters in a TLS 1.3 handshake. Both client and server can specify a list of parameters that they are willing to use.</p> +</dd> <dt>user_lookup_fun</dt> <dd><p>Function called to determine the shared secret when using PSK, or provide parameters when using SRP.</p> </dd> diff --git a/docs/index.xml b/docs/index.xml index 878665ab..b3d14cd6 100644 --- a/docs/index.xml +++ b/docs/index.xml 
@@ -12164,7 +12164,7 @@ Exports The module ranch_ssl implements the interface defined by ranch_transport Types opt() opt() :: ranch_tcp:opt() | ssl_opt() Listen options. The TCP options are defined in ranch_tcp(3). opts() opts() :: [opt()] List of listen options. -ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [atom()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [atom()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description> +ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {anti_replay, '10k' | '100k' | {integer(), integer(), integer()}} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | 
{client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [ssl:named_curve()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {key_update_at, pos_integer()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {middlebox_comp_mode, boolean()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {session_tickets, disabled | stateful | stateless} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [ssl:sign_scheme()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {supported_groups, [ssl:group()]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description> </item> <item> 
@@ -12791,7 +12791,7 @@ Exports The module ranch_ssl implements the interface defined by ranch_transport Types opt() opt() :: ranch_tcp:opt() | ssl_opt() Listen options. The TCP options are defined in ranch_tcp(3). opts() opts() :: [opt()] List of listen options. -ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [atom()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [atom()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description> +ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {anti_replay, '10k' | '100k' | {integer(), integer(), integer()}} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | 
{client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [ssl:named_curve()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {key_update_at, pos_integer()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {middlebox_comp_mode, boolean()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {session_tickets, disabled | stateful | stateless} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [ssl:sign_scheme()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {supported_groups, [ssl:group()]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description> </item> <item> |