Diffstat (limited to 'docs/en/ranch/2.2/manual/ranch_ssl/index.html')
-rw-r--r-- | docs/en/ranch/2.2/manual/ranch_ssl/index.html | 393 |
1 files changed, 393 insertions, 0 deletions
diff --git a/docs/en/ranch/2.2/manual/ranch_ssl/index.html b/docs/en/ranch/2.2/manual/ranch_ssl/index.html
new file mode 100644
index 00000000..cf75cf97
--- /dev/null
+++ b/docs/en/ranch/2.2/manual/ranch_ssl/index.html
@@ -0,0 +1,393 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta name="description" content="">
+ <meta name="author" content="Loïc Hoguin based on a design from (Soft10) Pol Cámara">
+
+ <title>Nine Nines: ranch_ssl(3)</title>
+
+ <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700,400italic' rel='stylesheet' type='text/css'>
+ <link href="/css/99s.css?r=7" rel="stylesheet">
+
+ <link rel="shortcut icon" href="/img/ico/favicon.ico">
+ <link rel="apple-touch-icon-precomposed" sizes="114x114" href="/img/ico/apple-touch-icon-114.png">
+ <link rel="apple-touch-icon-precomposed" sizes="72x72" href="/img/ico/apple-touch-icon-72.png">
+ <link rel="apple-touch-icon-precomposed" href="/img/ico/apple-touch-icon-57.png">
+
+ </head>
+
+
+<body class="">
+ <header id="page-head">
+ <div id="topbar" class="container">
+ <div class="row">
+ <div class="span2">
+ <h1 id="logo"><a href="/" title="99s">99s</a></h1>
+ </div>
+ <div class="span10">
+
+ <div id="side-header">
+ <nav>
+ <ul>
+ <li><a title="Hear my thoughts" href="/articles">Articles</a></li>
+ <li><a title="Watch my talks" href="/talks">Talks</a></li>
+ <li class="active"><a title="Read the docs" href="/docs">Documentation</a></li>
+ <li><a title="Request my services" href="/services">Consulting & Training</a></li>
+ </ul>
+ </nav>
+ <ul id="social">
+ <li>
+ <a href="https://github.com/ninenines" title="Check my Github repositories"><img src="/img/ico_github.png" data-hover="/img/ico_github_alt.png" alt="Github"></a>
+ </li>
+ <li>
+ <a title="Contact me" href="mailto:[email protected]"><img src="/img/ico_mail.png" data-hover="/img/ico_mail_alt.png"></a>
+ </li>
+ </ul>
+ </div>
+ </div>
+ </div>
+ </div>
+
+
+</header>
+
+<div id="contents" class="two_col">
+<div class="container">
+<div class="row">
+<div id="docs" class="span9 maincol">
+
+<h1 class="lined-header"><span>ranch_ssl(3)</span></h1>
+
+<h2 id="_name">Name</h2>
+<p>ranch_ssl - SSL transport</p>
+<h2 id="_description">Description</h2>
+<p>The module <code>ranch_ssl</code> implements an SSL Ranch transport.</p>
+<h2 id="_exports">Exports</h2>
+<p>The module <code>ranch_ssl</code> implements the interface defined by <a href="../ranch_transport">ranch_transport(3)</a>.</p>
+<h2 id="_types">Types</h2>
+<h3 id="_opt">opt()</h3>
+<div class="listingblock"><div class="content"><!-- Generator: GNU source-highlight 3.1.9
+by Lorenzo Bettini
+http://www.lorenzobettini.it
+http://www.gnu.org/software/src-highlite -->
+<pre><tt><b><font color="#000000">opt</font></b>() <font color="#990000">::</font> <b><font color="#000000">ranch_tcp:opt</font></b>() | <b><font color="#000000">ssl_opt</font></b>()</tt></pre>
+</div></div>
+<p>Listen options.</p>
+<p>The TCP options are defined in <a href="../ranch_tcp">ranch_tcp(3)</a>.</p>
+<h3 id="_opts">opts()</h3>
+<div class="listingblock"><div class="content"><!-- Generator: GNU source-highlight 3.1.9
+by Lorenzo Bettini
+http://www.lorenzobettini.it
+http://www.gnu.org/software/src-highlite -->
+<pre><tt><b><font color="#000000">opts</font></b>() <font color="#990000">::</font> [<b><font color="#000000">opt</font></b>()]</tt></pre>
+</div></div>
+<p>List of listen options.</p>
+<h3 id="_ssl_opt">ssl_opt()</h3>
+<div class="listingblock"><div class="content"><!-- Generator: GNU source-highlight 3.1.9
+by Lorenzo Bettini
+http://www.lorenzobettini.it
+http://www.gnu.org/software/src-highlite -->
+<pre><tt><b><font color="#000000">ssl_opt</font></b>() <font color="#990000">=</font> {<font color="#FF6600">alpn_preferred_protocols</font>, [<b><font color="#000080">binary</font></b>()]}
+ | {<font color="#FF6600">anti_replay</font>, <font color="#FF6600">'10k'</font> | <font color="#FF6600">'100k'</font> | {<b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>()}}
+ | {<font color="#FF6600">beast_mitigation</font>, <font color="#FF6600">one_n_minus_one</font> | <font color="#FF6600">zero_n</font> | <font color="#FF6600">disabled</font>}
+ | {<font color="#FF6600">cacertfile</font>, <b><font color="#000000">file:filename</font></b>()}
+ | {<font color="#FF6600">cacerts</font>, [<b><font color="#000000">public_key:der_encoded</font></b>()]}
+ | {<font color="#FF6600">cert</font>, <b><font color="#000000">public_key:der_encoded</font></b>()}
+ | {<font color="#FF6600">certs_keys</font>, [#{<font color="#0000FF">cert</font> <font color="#990000">=></font> <b><font color="#000000">public_key:der_encoded</font></b>(),
+ <font color="#0000FF">key</font> <font color="#990000">=></font> <b><font color="#000000">ssl:key</font></b>(),
+ <font color="#0000FF">certfile</font> <font color="#990000">=></font> <b><font color="#000000">file:filename</font></b>(),
+ <font color="#0000FF">keyfile</font> <font color="#990000">=></font> <b><font color="#000000">file:filename</font></b>(),
+ <font color="#0000FF">key_pem_password</font> <font color="#990000">=></font> <b><font color="#000000">iodata</font></b>() | <b><font color="#0000FF">fun</font></b>(() <font color="#990000">-></font> <b><font color="#000000">iodata</font></b>())}]}
+ | {<font color="#FF6600">certfile</font>, <b><font color="#000000">file:filename</font></b>()}
+ | {<font color="#FF6600">ciphers</font>, <b><font color="#000000">ssl:ciphers</font></b>()}
+ | {<font color="#FF6600">client_renegotiation</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">crl_cache</font>, [<b><font color="#000000">any</font></b>()]}
+ | {<font color="#FF6600">crl_check</font>, <b><font color="#000000">boolean</font></b>() | <font color="#FF6600">peer</font> | <font color="#FF6600">best_effort</font>}
+ | {<font color="#FF6600">depth</font>, <b><font color="#000080">integer</font></b>()}
+ | {<font color="#FF6600">dh</font>, <b><font color="#000080">binary</font></b>()}
+ | {<font color="#FF6600">dhfile</font>, <b><font color="#000000">file:filename</font></b>()}
+ | {<font color="#FF6600">eccs</font>, [<b><font color="#000000">ssl:named_curve</font></b>()]}
+ | {<font color="#FF6600">fail_if_no_peer_cert</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">handshake</font>, <font color="#FF6600">hello</font> | <font color="#FF6600">full</font>}
+ | {<font color="#FF6600">hibernate_after</font>, <b><font color="#000000">timeout</font></b>()}
+ | {<font color="#FF6600">honor_cipher_order</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">honor_ecc_order</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">key</font>, <b><font color="#000000">ssl:key</font></b>()}
+ | {<font color="#FF6600">key_update_at</font>, <b><font color="#000000">pos_integer</font></b>()}
+ | {<font color="#FF6600">keyfile</font>, <b><font color="#000000">file:filename</font></b>()}
+ | {<font color="#FF6600">log_alert</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">log_level</font>, <b><font color="#000000">logger:level</font></b>()}
+ | {<font color="#FF6600">max_handshake_size</font>, <b><font color="#000080">integer</font></b>()}
+ | {<font color="#FF6600">middlebox_comp_mode</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">next_protocols_advertised</font>, [<b><font color="#000080">binary</font></b>()]}
+ | {<font color="#FF6600">padding_check</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">partial_chain</font>, <b><font color="#0000FF">fun</font></b>()}
+ | {<font color="#FF6600">password</font>, <b><font color="#000000">string</font></b>()}
+ | {<font color="#FF6600">protocol</font>, <font color="#FF6600">tls</font> | <font color="#FF6600">dtls</font>}
+ | {<font color="#FF6600">psk_identity</font>, <b><font color="#000000">string</font></b>()}
+ | {<font color="#FF6600">reuse_session</font>, <b><font color="#0000FF">fun</font></b>()}
+ | {<font color="#FF6600">reuse_sessions</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">secure_renegotiate</font>, <b><font color="#000000">boolean</font></b>()}
+ | {<font color="#FF6600">session_tickets</font>, <font color="#FF6600">disabled</font> | <font color="#FF6600">stateful</font> | <font color="#FF6600">stateless</font>}
+ | {<font color="#FF6600">signature_algs</font>, [{<b><font color="#000000">ssl:hash</font></b>(), <b><font color="#000000">ssl:sign_algo</font></b>()}]}
+ | {<font color="#FF6600">signature_algs_cert</font>, [<b><font color="#000000">ssl:sign_scheme</font></b>()]}
+ | {<font color="#FF6600">sni_fun</font>, <b><font color="#0000FF">fun</font></b>()}
+ | {<font color="#FF6600">sni_hosts</font>, [{<b><font color="#000000">string</font></b>(), <b><font color="#000000">ssl_opt</font></b>()}]}
+ | {<font color="#FF6600">supported_groups</font>, [<b><font color="#000000">ssl:group</font></b>()]}
+ | {<font color="#FF6600">user_lookup_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}}
+ | {<font color="#FF6600">verify</font>, <font color="#FF6600">verify_none</font> | <font color="#FF6600">verify_peer</font>}
+ | {<font color="#FF6600">verify_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}}
+ | {<font color="#FF6600">versions</font>, [<b><font color="#000000">ssl:protocol_version</font></b>()]}</tt></pre>
+</div></div>
+<p>SSL-specific listen options.</p>
+<p>Specifying a certificate is mandatory, either through the <code>cert</code> or <code>certfile</code> option, or by configuring SNI. None of the other options are required.</p>
+<p>The default value is given next to the option name:</p>
+<dl><dt>alpn_preferred_protocols</dt>
+<dd><p>Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.</p>
+</dd>
+<dt>anti_replay</dt>
+<dd><p>Configures the server's built-in anti replay feature based on Bloom filters.</p>
+</dd>
+<dt>beast_mitigation (one_n_minus_one)</dt>
+<dd><p>Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.</p>
+</dd>
+<dt>cacertfile</dt>
+<dd><p>Path to PEM encoded trusted certificates file used to verify peer certificates.</p>
+</dd>
+<dt>cacerts</dt>
+<dd><p>List of DER encoded trusted certificates.</p>
+</dd>
+<dt>cert</dt>
+<dd><p>DER encoded user certificate.</p>
+</dd>
+<dt>certs_keys</dt>
+<dd><p>A list of a certificate (or possible a certificate and its chain) and the associated key of the certificate, that may be used to authenticate the client or the server.</p>
+</dd>
+<dt>certfile</dt>
+<dd><p>Path to the PEM encoded user certificate file. May also contain the private key.</p>
+</dd>
+<dt>ciphers</dt>
+<dd><p>List of ciphers that clients are allowed to use.</p>
+</dd>
+<dt>client_renegotiation (true)</dt>
+<dd><p>Whether to allow client-initiated renegotiation.</p>
+</dd>
+<dt>crl_cache ({ssl_crl_cache, {internal, []}})</dt>
+<dd><p>Customize the module used to cache Certificate Revocation Lists.</p>
+</dd>
+<dt>crl_check (false)</dt>
+<dd><p>Whether to perform CRL check on all certificates in the chain during validation.</p>
+</dd>
+<dt>depth (1)</dt>
+<dd><p>Maximum of intermediate certificates allowed in the certification path.</p>
+</dd>
+<dt>dh</dt>
+<dd><p>DER encoded Diffie-Hellman parameters.</p>
+</dd>
+<dt>dhfile</dt>
+<dd><p>Path to the PEM encoded Diffie-Hellman parameters file.</p>
+</dd>
+<dt>eccs</dt>
+<dd><p>List of named ECC curves.</p>
+</dd>
+<dt>fail_if_no_peer_cert (false)</dt>
+<dd><p>Whether to refuse the connection if the client sends an empty certificate.</p>
+</dd>
+<dt>handshake (full)</dt>
+<dd><p>If <code>hello</code> is specified for this option, the handshake is paused after receiving the client hello message. The handshake can then be resumed via <code>handshake_continue/3</code>, or cancelled via <code>handshake_cancel/1</code>.</p>
+<p>This option cannot be given to <code>ranch:handshake/1,2</code>.</p>
+</dd>
+<dt>hibernate_after (undefined)</dt>
+<dd><p>Time in ms after which SSL socket processes go into hibernation to reduce memory usage.</p>
+</dd>
+<dt>honor_cipher_order (false)</dt>
+<dd><p>If true, use the server's preference for cipher selection. If false, use the client's preference.</p>
+</dd>
+<dt>honor_ecc_order (false)</dt>
+<dd><p>If true, use the server's preference for ECC curve selection. If false, use the client's preference.</p>
+</dd>
+<dt>key</dt>
+<dd><p>DER encoded user private key.</p>
+</dd>
+<dt>key_update_at</dt>
+<dd><p>Configures the maximum amount of bytes that can be sent on a TLS 1.3 connection before an automatic key update is performed.</p>
+</dd>
+<dt>keyfile</dt>
+<dd><p>Path to the PEM encoded private key file, if different from the certfile.</p>
+</dd>
+<dt>log_alert (true)</dt>
+<dd><p>If false, error reports will not be displayed.</p>
+</dd>
+<dt>log_level</dt>
+<dd><p>Specifies the log level for TLS/DTLS.</p>
+</dd>
+<dt>max_handshake_size (256*1024)</dt>
+<dd><p>Used to limit the size of valid TLS handshake packets to avoid DoS attacks.</p>
+</dd>
+<dt>middlebox_comp_mode (true)</dt>
+<dd><p>Configures the middlebox compatibility mode on a TLS 1.3 connection.</p>
+</dd>
+<dt>next_protocols_advertised</dt>
+<dd><p>List of protocols to send to the client if it supports the Next Protocol extension.</p>
+</dd>
+<dt>padding_check</dt>
+<dd><p>Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software.</p>
+</dd>
+<dt>partial_chain</dt>
+<dd><p>Claim an intermediate CA in the chain as trusted.</p>
+</dd>
+<dt>password</dt>
+<dd><p>Password to the private key file, if password protected.</p>
+</dd>
+<dt>protocol (tls)</dt>
+<dd><p>Choose TLS or DTLS protocol for the transport layer security.</p>
+</dd>
+<dt>psk_identity</dt>
+<dd><p>Provide the given PSK identity hint to the client during the handshake.</p>
+</dd>
+<dt>reuse_session</dt>
+<dd><p>Custom policy to decide whether a session should be reused.</p>
+</dd>
+<dt>reuse_sessions (false)</dt>
+<dd><p>Whether to allow session reuse.</p>
+</dd>
+<dt>secure_renegotiate (false)</dt>
+<dd><p>Whether to reject renegotiation attempts that do not conform to RFC5746.</p>
+</dd>
+<dt>session_tickets</dt>
+<dd><p>Configures the session ticket functionality.</p>
+</dd>
+<dt>signature_algs</dt>
+<dd><p>The TLS signature algorithm extension may be used, from TLS 1.2, to negotiate which signature algorithm to use during the TLS handshake.</p>
+</dd>
+<dt>signature_algs_cert</dt>
+<dd><p>List of signature schemes for the signature_algs_cert extension introduced in TLS 1.3, in order to make special requirements on signatures used in certificates.</p>
+</dd>
+<dt>sni_fun</dt>
+<dd><p>Function called when the client requests a host using Server Name Indication. Returns options to apply.</p>
+</dd>
+<dt>sni_hosts</dt>
+<dd><p>Options to apply for the host that matches what the client requested with Server Name Indication.</p>
+</dd>
+<dt>supported_groups([x25519, x448, secp256r1, secp384r1])</dt>
+<dd><p>TLS 1.3 introduces the <code>supported_groups</code> extension that is used for negotiating the Diffie-Hellman parameters in a TLS 1.3 handshake. Both client and server can specify a list of parameters that they are willing to use.</p>
+</dd>
+<dt>user_lookup_fun</dt>
+<dd><p>Function called to determine the shared secret when using PSK, or provide parameters when using SRP.</p>
+</dd>
+<dt>verify (verify_none)</dt>
+<dd><p>Use <code>verify_peer</code> to request a certificate from the client.</p>
+</dd>
+<dt>verify_fun</dt>
+<dd><p>Custom policy to decide whether a client certificate is valid.</p>
+</dd>
+<dt>versions</dt>
+<dd><p>TLS protocol versions that will be supported.</p>
+</dd>
+</dl>
+<p>Note that the client will not send a certificate unless the value for the <code>verify</code> option is set to <code>verify_peer</code>. This means that <code>fail_if_no_peer_cert</code> only applies when combined with the <code>verify</code> option. The <code>verify_fun</code> option allows greater control over the client certificate validation.</p>
+<p>The options <code>sni_fun</code> and <code>sni_hosts</code> are mutually exclusive.</p>
+<h2 id="_changelog">Changelog</h2>
+<ul><li><strong>2.0</strong>: The <code>ssl_opt()</code> type was updated for OTP-23.0.
+</li>
+</ul>
+<h2 id="_see_also">See also</h2>
+<p><a href="..">ranch(7)</a>, <a href="../ranch_transport">ranch_transport(3)</a>, <a href="../ranch_tcp">ranch_tcp(3)</a>, ssl(3)</p>
+
+
+
+
+
+
+</div>
+
+<div class="span3 sidecol">
+
+
+<h3>
+ Ranch
+ 2.2
+ Function Reference
+
+</h3>
+
+<ul>
+
+ <li><a href="/docs/en/ranch/2.2/guide">User Guide</a></li>
+
+
+ <li><a href="/docs/en/ranch/2.2/manual">Function Reference</a></li>
+
+
+</ul>
+
+<h4 id="docs-nav">Navigation</h4>
+
+<h4>Version select</h4>
+<ul>
+
+
+
+ <li><a href="/docs/en/ranch/2.2/manual">2.2</a></li>
+
+ <li><a href="/docs/en/ranch/2.1/manual">2.1</a></li>
+
+ <li><a href="/docs/en/ranch/2.0/manual">2.0</a></li>
+
+ <li><a href="/docs/en/ranch/1.8/manual">1.8</a></li>
+
+ <li><a href="/docs/en/ranch/1.7/manual">1.7</a></li>
+
+ <li><a href="/docs/en/ranch/1.6/manual">1.6</a></li>
+
+</ul>
+
+<h3 id="_like_my_work__donate">Like my work? Donate!</h3>
+<p>Donate to Loïc Hoguin because his work on Cowboy, Ranch, Gun and Erlang.mk is fantastic:</p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post" style="display:inline">
+<input type="hidden" name="cmd" value="_donations">
+<input type="hidden" name="business" value="[email protected]">
+<input type="hidden" name="lc" value="FR">
+<input type="hidden" name="item_name" value="Loic Hoguin">
+<input type="hidden" name="item_number" value="99s">
+<input type="hidden" name="currency_code" value="EUR">
+<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHosted">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="" border="0" src="https://www.paypalobjects.com/fr_FR/i/scr/pixel.gif" width="1" height="1">
+</form><p>Recurring payment options are also available via <a href="https://github.com/sponsors/essen">GitHub Sponsors</a>. These funds are used to cover the recurring expenses like food, dedicated servers or domain names.</p>
+
+
+
+</div>
+</div>
+</div>
+</div>
+
+ <footer>
+ <div class="container">
+ <div class="row">
+ <div class="span6">
+ <p id="scroll-top"><a href="#">↑ Scroll to top</a></p>
+ <nav>
+ <ul>
+ <li><a href="mailto:[email protected]" title="Contact us">Contact us</a></li><li><a href="https://github.com/ninenines/ninenines.github.io" title="Github repository">Contribute to this site</a></li>
+ </ul>
+ </nav>
+ </div>
+ <div class="span6 credits">
+ <p><img src="/img/footer_logo.png"></p>
+ <p>Copyright © Loïc Hoguin 2012-2018</p>
+ </div>
+ </div>
+ </div>
+ </footer>
+
+
+ <script src="/js/custom.js"></script>
+ </body>
+</html>
+
 |