authorLoïc Hoguin <[email protected]>2020-06-25 13:45:04 +0200
committerLoïc Hoguin <[email protected]>2020-06-25 13:45:04 +0200
commita1e85d3b8d686af2f09f324112baf07bcc472e4c (patch)
tree366c72e134212b2eeff20bd733465b4b21e9186b
parente7feea1ec8a65311f9da998605031df77e5d26ea (diff)
More Ranch 2.0 doc updates
-rw-r--r--docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc2
-rw-r--r--docs/en/ranch/2.0/guide/migrating_from_1.7/index.html2
-rw-r--r--docs/en/ranch/2.0/manual/ranch_ssl/index.html24
-rw-r--r--docs/index.xml2
-rw-r--r--index.xml2
5 files changed, 26 insertions, 6 deletions
diff --git a/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc b/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc
index d10d1fdf..3ed6d85d 100644
--- a/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc
+++ b/docs/en/ranch/2.0/guide/migrating_from_1.7.asciidoc
@@ -160,4 +160,4 @@ for Erlang/OTP 19 and 20 has been removed.
`ssl:ssl_accept/1,2`.
* The `ranch_ssl:ssl_opt()` type has been updated to conform
- with Erlang/OTP 22.0.
+ with Erlang/OTP 23.0.
diff --git a/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html b/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html
index c943efae..186d66a8 100644
--- a/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html
+++ b/docs/en/ranch/2.0/guide/migrating_from_1.7/index.html
@@ -138,7 +138,7 @@
</li>
<li>Ranch now calls <code>ssl:handshake/1,2,3</code> instead of <code>ssl:ssl_accept/1,2</code>.
</li>
-<li>The <code>ranch_ssl:ssl_opt()</code> type has been updated to conform with Erlang/OTP 22.0.
+<li>The <code>ranch_ssl:ssl_opt()</code> type has been updated to conform with Erlang/OTP 23.0.
</li>
</ul>
diff --git a/docs/en/ranch/2.0/manual/ranch_ssl/index.html b/docs/en/ranch/2.0/manual/ranch_ssl/index.html
index f6999be8..fa3b11ad 100644
--- a/docs/en/ranch/2.0/manual/ranch_ssl/index.html
+++ b/docs/en/ranch/2.0/manual/ranch_ssl/index.html
@@ -92,6 +92,7 @@ by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><b><font color="#000000">ssl_opt</font></b>() <font color="#990000">=</font> {<font color="#FF6600">alpn_preferred_protocols</font>, [<b><font color="#000080">binary</font></b>()]}
+ | {<font color="#FF6600">anti_replay</font>, <font color="#FF6600">'10k'</font> | <font color="#FF6600">'100k'</font> | {<b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>()}}
| {<font color="#FF6600">beast_mitigation</font>, <font color="#FF6600">one_n_minus_one</font> | <font color="#FF6600">zero_n</font> | <font color="#FF6600">disabled</font>}
| {<font color="#FF6600">cacertfile</font>, <b><font color="#000000">file:filename</font></b>()}
| {<font color="#FF6600">cacerts</font>, [<b><font color="#000000">public_key:der_encoded</font></b>()]}
@@ -104,17 +105,19 @@ http://www.gnu.org/software/src-highlite -->
| {<font color="#FF6600">depth</font>, <b><font color="#000080">integer</font></b>()}
| {<font color="#FF6600">dh</font>, <b><font color="#000080">binary</font></b>()}
| {<font color="#FF6600">dhfile</font>, <b><font color="#000000">file:filename</font></b>()}
- | {<font color="#FF6600">eccs</font>, [<b><font color="#000080">atom</font></b>()]}
+ | {<font color="#FF6600">eccs</font>, [<b><font color="#000000">ssl:named_curve</font></b>()]}
| {<font color="#FF6600">fail_if_no_peer_cert</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">handshake</font>, <font color="#FF6600">hello</font> | <font color="#FF6600">full</font>}
| {<font color="#FF6600">hibernate_after</font>, <b><font color="#000000">timeout</font></b>()}
| {<font color="#FF6600">honor_cipher_order</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">honor_ecc_order</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">key</font>, <b><font color="#000000">ssl:key</font></b>()}
+ | {<font color="#FF6600">key_update_at</font>, <b><font color="#000000">pos_integer</font></b>()}
| {<font color="#FF6600">keyfile</font>, <b><font color="#000000">file:filename</font></b>()}
| {<font color="#FF6600">log_alert</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">log_level</font>, <b><font color="#000000">logger:level</font></b>()}
| {<font color="#FF6600">max_handshake_size</font>, <b><font color="#000080">integer</font></b>()}
+ | {<font color="#FF6600">middlebox_comp_mode</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">next_protocols_advertised</font>, [<b><font color="#000080">binary</font></b>()]}
| {<font color="#FF6600">padding_check</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">partial_chain</font>, <b><font color="#0000FF">fun</font></b>()}
@@ -124,10 +127,12 @@ http://www.gnu.org/software/src-highlite -->
| {<font color="#FF6600">reuse_session</font>, <b><font color="#0000FF">fun</font></b>()}
| {<font color="#FF6600">reuse_sessions</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">secure_renegotiate</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">session_tickets</font>, <font color="#FF6600">disabled</font> | <font color="#FF6600">stateful</font> | <font color="#FF6600">stateless</font>}
| {<font color="#FF6600">signature_algs</font>, [{<b><font color="#000000">ssl:hash</font></b>(), <b><font color="#000000">ssl:sign_algo</font></b>()}]}
- | {<font color="#FF6600">signature_algs_cert</font>, [<b><font color="#000080">atom</font></b>()]}
+ | {<font color="#FF6600">signature_algs_cert</font>, [<b><font color="#000000">ssl:sign_scheme</font></b>()]}
| {<font color="#FF6600">sni_fun</font>, <b><font color="#0000FF">fun</font></b>()}
| {<font color="#FF6600">sni_hosts</font>, [{<b><font color="#000000">string</font></b>(), <b><font color="#000000">ssl_opt</font></b>()}]}
+ | {<font color="#FF6600">supported_groups</font>, [<b><font color="#000000">ssl:group</font></b>()]}
| {<font color="#FF6600">user_lookup_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}}
| {<font color="#FF6600">verify</font>, <font color="#FF6600">verify_none</font> | <font color="#FF6600">verify_peer</font>}
| {<font color="#FF6600">verify_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}}
@@ -139,6 +144,9 @@ http://www.gnu.org/software/src-highlite -->
<dl><dt>alpn_preferred_protocols</dt>
<dd><p>Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.</p>
</dd>
+<dt>anti_replay</dt>
+<dd><p>Configures the server&apos;s built-in anti replay feature based on Bloom filters.</p>
+</dd>
<dt>beast_mitigation (one_n_minus_one)</dt>
<dd><p>Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.</p>
</dd>
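Review bot: The `anti_replay` entry added at the top of this hunk does not say when the option takes effect, and the `{integer(), integer(), integer()}` form declared in the type above is left undocumented. In the OTP ssl manual this page mirrors, the Bloom-filter anti-replay is, as far as I recall, only applied when `session_tickets` is set to `stateless`, so a reader who sets `anti_replay` alone may believe they have replay protection they do not get; this is worth confirming against the OTP 23 docs before wording it. I would extend the description to something like `Configures the server's built-in anti replay feature based on Bloom filters; only applies when session_tickets is stateless. The custom triple is {WindowSize, HashFunctions, Bits}.` with the triple's field names checked against the OTP source. Since this HTML is generated from the asciidoc manual, the change belongs in the asciidoc source rather than in this rendered file.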
@@ -197,6 +205,9 @@ http://www.gnu.org/software/src-highlite -->
<dt>key</dt>
<dd><p>DER encoded user private key.</p>
</dd>
+<dt>key_update_at</dt>
+<dd><p>Configures the maximum amount of bytes that can be sent on a TLS 1.3 connection before an automatic key update is performed.</p>
+</dd>
<dt>keyfile</dt>
<dd><p>Path to the PEM encoded private key file, if different from the certfile.</p>
</dd>
@@ -209,6 +220,9 @@ http://www.gnu.org/software/src-highlite -->
<dt>max_handshake_size (256*1024)</dt>
<dd><p>Used to limit the size of valid TLS handshake packets to avoid DoS attacks.</p>
</dd>
+<dt>middlebox_comp_mode (true)</dt>
+<dd><p>Configures the middlebox compatibility mode on a TLS 1.3 connection.</p>
+</dd>
<dt>next_protocols_advertised</dt>
<dd><p>List of protocols to send to the client if it supports the Next Protocol extension.</p>
</dd>
@@ -236,6 +250,9 @@ http://www.gnu.org/software/src-highlite -->
<dt>secure_renegotiate (false)</dt>
<dd><p>Whether to reject renegotiation attempts that do not conform to RFC5746.</p>
</dd>
+<dt>session_tickets</dt>
+<dd><p>Configures the session ticket functionality.</p>
+</dd>
<dt>signature_algs</dt>
<dd><p>The TLS signature algorithm extension may be used, from TLS 1.2, to negotiate which signature algorithm to use during the TLS handshake.</p>
</dd>
@@ -248,6 +265,9 @@ http://www.gnu.org/software/src-highlite -->
<dt>sni_hosts</dt>
<dd><p>Options to apply for the host that matches what the client requested with Server Name Indication.</p>
</dd>
+<dt>supported_groups([x25519, x448, secp256r1, secp384r1])</dt>
+<dd><p>TLS 1.3 introduces the <code>supported_groups</code> extension that is used for negotiating the Diffie-Hellman parameters in a TLS 1.3 handshake. Both client and server can specify a list of parameters that they are willing to use.</p>
+</dd>
<dt>user_lookup_fun</dt>
<dd><p>Function called to determine the shared secret when using PSK, or provide parameters when using SRP.</p>
</dd>
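Review bot: The `supported_groups` term on the added `<dt>` line is written `supported_groups([x25519, x448, secp256r1, secp384r1])` with no space before the default, unlike every other entry in this list (`middlebox_comp_mode (true)`, `max_handshake_size (256*1024)`), so the rendered name reads as a function call; it should be `supported_groups ([x25519, x448, secp256r1, secp384r1])`. The description also leaves open how this option relates to the pre-existing `eccs` entry, which per the OTP docs governs the curves for TLS 1.2 and earlier, and that is exactly the question a reader hardening a listener will have; one sentence such as `For TLS 1.2 and earlier use eccs instead.` would settle it. As this file is generated from the asciidoc manual, both fixes belong in the source.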
diff --git a/docs/index.xml b/docs/index.xml
index 878665ab..b3d14cd6 100644
--- a/docs/index.xml
+++ b/docs/index.xml
@@ -12164,7 +12164,7 @@ Exports The module ranch_ssl implements the interface defined by ranch_transport
Types opt() opt() :: ranch_tcp:opt() | ssl_opt() Listen options.
The TCP options are defined in ranch_tcp(3).
opts() opts() :: [opt()] List of listen options.
-ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [atom()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [atom()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description>
+ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {anti_replay, &#39;10k&#39; | &#39;100k&#39; | {integer(), integer(), integer()}} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [ssl:named_curve()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {key_update_at, pos_integer()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {middlebox_comp_mode, boolean()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {session_tickets, disabled | stateful | stateless} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [ssl:sign_scheme()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {supported_groups, [ssl:group()]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description>
</item>
<item>
diff --git a/index.xml b/index.xml
index 31553ef5..ab2fdb45 100644
--- a/index.xml
+++ b/index.xml
@@ -12791,7 +12791,7 @@ Exports The module ranch_ssl implements the interface defined by ranch_transport
Types opt() opt() :: ranch_tcp:opt() | ssl_opt() Listen options.
The TCP options are defined in ranch_tcp(3).
opts() opts() :: [opt()] List of listen options.
-ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [atom()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [atom()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description>
+ssl_opt() ssl_opt() = {alpn_preferred_protocols, [binary()]} | {anti_replay, &#39;10k&#39; | &#39;100k&#39; | {integer(), integer(), integer()}} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [ssl:named_curve()]} | {fail_if_no_peer_cert, boolean()} | {handshake, hello | full} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {key_update_at, pos_integer()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {middlebox_comp_mode, boolean()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {session_tickets, disabled | stateful | stateless} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [ssl:sign_scheme()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {supported_groups, [ssl:group()]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} SSL-specific listen options.</description>
</item>
<item>