1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
|
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="Loïc Hoguin based on a design from (Soft10) Pol Cámara">
<title>Nine Nines: ranch_ssl(3)</title>
<link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700,400italic' rel='stylesheet' type='text/css'>
<link href="/css/99s.css?r=7" rel="stylesheet">
<link rel="shortcut icon" href="/img/ico/favicon.ico">
<link rel="apple-touch-icon-precomposed" sizes="114x114" href="/img/ico/apple-touch-icon-114.png">
<link rel="apple-touch-icon-precomposed" sizes="72x72" href="/img/ico/apple-touch-icon-72.png">
<link rel="apple-touch-icon-precomposed" href="/img/ico/apple-touch-icon-57.png">
</head>
<body class="">
<header id="page-head">
<div id="topbar" class="container">
<div class="row">
<div class="span2">
<h1 id="logo"><a href="/" title="99s">99s</a></h1>
</div>
<div class="span10">
<div id="side-header">
<nav>
<ul>
<li><a title="Hear my thoughts" href="/articles">Articles</a></li>
<li><a title="Watch my talks" href="/talks">Talks</a></li>
<li class="active"><a title="Read the docs" href="/docs">Documentation</a></li>
<li><a title="Request my services" href="/services">Consulting & Training</a></li>
</ul>
</nav>
<ul id="social">
<li>
<a href="https://github.com/ninenines" title="Check my Github repositories"><img src="/img/ico_github.png" data-hover="/img/ico_github_alt.png" alt="Github"></a>
</li>
<li>
<a title="Contact me" href="mailto:[email protected]"><img src="/img/ico_mail.png" data-hover="/img/ico_mail_alt.png"></a>
</li>
</ul>
</div>
</div>
</div>
</div>
</header>
<div id="contents" class="two_col">
<div class="container">
<div class="row">
<div id="docs" class="span9 maincol">
<h1 class="lined-header"><span>ranch_ssl(3)</span></h1>
<h2 id="_name">Name</h2>
<p>ranch_ssl - SSL transport</p>
<h2 id="_description">Description</h2>
<p>The module <code>ranch_ssl</code> implements an SSL Ranch transport.</p>
<h2 id="_exports">Exports</h2>
<p>The module <code>ranch_ssl</code> implements the interface defined by <a href="../ranch_transport">ranch_transport(3)</a>.</p>
<h2 id="_types">Types</h2>
<h3 id="_opt">opt()</h3>
<div class="listingblock"><div class="content"><!-- Generator: GNU source-highlight 3.1.9
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><b><font color="#000000">opt</font></b>() <font color="#990000">::</font> <b><font color="#000000">ranch_tcp:opt</font></b>() | <b><font color="#000000">ssl_opt</font></b>()</tt></pre>
</div></div>
<p>Listen options.</p>
<p>The TCP options are defined in <a href="../ranch_tcp">ranch_tcp(3)</a>.</p>
<h3 id="_opts">opts()</h3>
<div class="listingblock"><div class="content"><!-- Generator: GNU source-highlight 3.1.9
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><b><font color="#000000">opts</font></b>() <font color="#990000">::</font> [<b><font color="#000000">opt</font></b>()]</tt></pre>
</div></div>
<p>List of listen options.</p>
<h3 id="_ssl_opt">ssl_opt()</h3>
<div class="listingblock"><div class="content"><!-- Generator: GNU source-highlight 3.1.9
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><b><font color="#000000">ssl_opt</font></b>() <font color="#990000">=</font> {<font color="#FF6600">alpn_preferred_protocols</font>, [<b><font color="#000080">binary</font></b>()]}
| {<font color="#FF6600">anti_replay</font>, <font color="#FF6600">'10k'</font> | <font color="#FF6600">'100k'</font> | {<b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>(), <b><font color="#000080">integer</font></b>()}}
| {<font color="#FF6600">beast_mitigation</font>, <font color="#FF6600">one_n_minus_one</font> | <font color="#FF6600">zero_n</font> | <font color="#FF6600">disabled</font>}
| {<font color="#FF6600">cacertfile</font>, <b><font color="#000000">file:filename</font></b>()}
| {<font color="#FF6600">cacerts</font>, [<b><font color="#000000">public_key:der_encoded</font></b>()]}
| {<font color="#FF6600">cert</font>, <b><font color="#000000">public_key:der_encoded</font></b>()}
| {<font color="#FF6600">certfile</font>, <b><font color="#000000">file:filename</font></b>()}
| {<font color="#FF6600">ciphers</font>, <b><font color="#000000">ssl:ciphers</font></b>()}
| {<font color="#FF6600">client_renegotiation</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">crl_cache</font>, [<b><font color="#000000">any</font></b>()]}
| {<font color="#FF6600">crl_check</font>, <b><font color="#000000">boolean</font></b>() | <font color="#FF6600">peer</font> | <font color="#FF6600">best_effort</font>}
| {<font color="#FF6600">depth</font>, <b><font color="#000080">integer</font></b>()}
| {<font color="#FF6600">dh</font>, <b><font color="#000080">binary</font></b>()}
| {<font color="#FF6600">dhfile</font>, <b><font color="#000000">file:filename</font></b>()}
| {<font color="#FF6600">eccs</font>, [<b><font color="#000000">ssl:named_curve</font></b>()]}
| {<font color="#FF6600">fail_if_no_peer_cert</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">handshake</font>, <font color="#FF6600">hello</font> | <font color="#FF6600">full</font>}
| {<font color="#FF6600">hibernate_after</font>, <b><font color="#000000">timeout</font></b>()}
| {<font color="#FF6600">honor_cipher_order</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">honor_ecc_order</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">key</font>, <b><font color="#000000">ssl:key</font></b>()}
| {<font color="#FF6600">key_update_at</font>, <b><font color="#000000">pos_integer</font></b>()}
| {<font color="#FF6600">keyfile</font>, <b><font color="#000000">file:filename</font></b>()}
| {<font color="#FF6600">log_alert</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">log_level</font>, <b><font color="#000000">logger:level</font></b>()}
| {<font color="#FF6600">max_handshake_size</font>, <b><font color="#000080">integer</font></b>()}
| {<font color="#FF6600">middlebox_comp_mode</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">next_protocols_advertised</font>, [<b><font color="#000080">binary</font></b>()]}
| {<font color="#FF6600">padding_check</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">partial_chain</font>, <b><font color="#0000FF">fun</font></b>()}
| {<font color="#FF6600">password</font>, <b><font color="#000000">string</font></b>()}
| {<font color="#FF6600">protocol</font>, <font color="#FF6600">tls</font> | <font color="#FF6600">dtls</font>}
| {<font color="#FF6600">psk_identity</font>, <b><font color="#000000">string</font></b>()}
| {<font color="#FF6600">reuse_session</font>, <b><font color="#0000FF">fun</font></b>()}
| {<font color="#FF6600">reuse_sessions</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">secure_renegotiate</font>, <b><font color="#000000">boolean</font></b>()}
| {<font color="#FF6600">session_tickets</font>, <font color="#FF6600">disabled</font> | <font color="#FF6600">stateful</font> | <font color="#FF6600">stateless</font>}
| {<font color="#FF6600">signature_algs</font>, [{<b><font color="#000000">ssl:hash</font></b>(), <b><font color="#000000">ssl:sign_algo</font></b>()}]}
| {<font color="#FF6600">signature_algs_cert</font>, [<b><font color="#000000">ssl:sign_scheme</font></b>()]}
| {<font color="#FF6600">sni_fun</font>, <b><font color="#0000FF">fun</font></b>()}
| {<font color="#FF6600">sni_hosts</font>, [{<b><font color="#000000">string</font></b>(), <b><font color="#000000">ssl_opt</font></b>()}]}
| {<font color="#FF6600">supported_groups</font>, [<b><font color="#000000">ssl:group</font></b>()]}
| {<font color="#FF6600">user_lookup_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}}
| {<font color="#FF6600">verify</font>, <font color="#FF6600">verify_none</font> | <font color="#FF6600">verify_peer</font>}
| {<font color="#FF6600">verify_fun</font>, {<b><font color="#0000FF">fun</font></b>(), <b><font color="#000000">any</font></b>()}}
| {<font color="#FF6600">versions</font>, [<b><font color="#000000">ssl:protocol_version</font></b>()]}</tt></pre>
</div></div>
<p>SSL-specific listen options.</p>
<p>Specifying a certificate is mandatory, either through the <code>cert</code> or <code>certfile</code> option, or by configuring SNI. None of the other options are required.</p>
<p>The default value is given next to the option name:</p>
<dl><dt>alpn_preferred_protocols</dt>
<dd><p>Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.</p>
</dd>
<dt>anti_replay</dt>
<dd><p>Configures the server's built-in anti replay feature based on Bloom filters.</p>
</dd>
<dt>beast_mitigation (one_n_minus_one)</dt>
<dd><p>Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.</p>
</dd>
<dt>cacertfile</dt>
<dd><p>Path to PEM encoded trusted certificates file used to verify peer certificates.</p>
</dd>
<dt>cacerts</dt>
<dd><p>List of DER encoded trusted certificates.</p>
</dd>
<dt>cert</dt>
<dd><p>DER encoded user certificate.</p>
</dd>
<dt>certfile</dt>
<dd><p>Path to the PEM encoded user certificate file. May also contain the private key.</p>
</dd>
<dt>ciphers</dt>
<dd><p>List of ciphers that clients are allowed to use.</p>
</dd>
<dt>client_renegotiation (true)</dt>
<dd><p>Whether to allow client-initiated renegotiation.</p>
</dd>
<dt>crl_cache ({ssl_crl_cache, {internal, []}})</dt>
<dd><p>Customize the module used to cache Certificate Revocation Lists.</p>
</dd>
<dt>crl_check (false)</dt>
<dd><p>Whether to perform CRL check on all certificates in the chain during validation.</p>
</dd>
<dt>depth (1)</dt>
<dd><p>Maximum of intermediate certificates allowed in the certification path.</p>
</dd>
<dt>dh</dt>
<dd><p>DER encoded Diffie-Hellman parameters.</p>
</dd>
<dt>dhfile</dt>
<dd><p>Path to the PEM encoded Diffie-Hellman parameters file.</p>
</dd>
<dt>eccs</dt>
<dd><p>List of named ECC curves.</p>
</dd>
<dt>fail_if_no_peer_cert (false)</dt>
<dd><p>Whether to refuse the connection if the client sends an empty certificate.</p>
</dd>
<dt>handshake (full)</dt>
<dd><p>If <code>hello</code> is specified for this option, the handshake is paused after receiving the client hello message. The handshake can then be resumed via <code>handshake_continue/3</code>, or cancelled via <code>handshake_cancel/1</code>.</p>
<p>This option cannot be given to <code>ranch:handshake/1,2</code>.</p>
</dd>
<dt>hibernate_after (undefined)</dt>
<dd><p>Time in ms after which SSL socket processes go into hibernation to reduce memory usage.</p>
</dd>
<dt>honor_cipher_order (false)</dt>
<dd><p>If true, use the server's preference for cipher selection. If false, use the client's preference.</p>
</dd>
<dt>honor_ecc_order (false)</dt>
<dd><p>If true, use the server's preference for ECC curve selection. If false, use the client's preference.</p>
</dd>
<dt>key</dt>
<dd><p>DER encoded user private key.</p>
</dd>
<dt>key_update_at</dt>
<dd><p>Configures the maximum amount of bytes that can be sent on a TLS 1.3 connection before an automatic key update is performed.</p>
</dd>
<dt>keyfile</dt>
<dd><p>Path to the PEM encoded private key file, if different from the certfile.</p>
</dd>
<dt>log_alert (true)</dt>
<dd><p>If false, error reports will not be displayed.</p>
</dd>
<dt>log_level</dt>
<dd><p>Specifies the log level for TLS/DTLS.</p>
</dd>
<dt>max_handshake_size (256*1024)</dt>
<dd><p>Used to limit the size of valid TLS handshake packets to avoid DoS attacks.</p>
</dd>
<dt>middlebox_comp_mode (true)</dt>
<dd><p>Configures the middlebox compatibility mode on a TLS 1.3 connection.</p>
</dd>
<dt>next_protocols_advertised</dt>
<dd><p>List of protocols to send to the client if it supports the Next Protocol extension.</p>
</dd>
<dt>padding_check</dt>
<dd><p>Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software.</p>
</dd>
<dt>partial_chain</dt>
<dd><p>Claim an intermediate CA in the chain as trusted.</p>
</dd>
<dt>password</dt>
<dd><p>Password to the private key file, if password protected.</p>
</dd>
<dt>protocol (tls)</dt>
<dd><p>Choose TLS or DTLS protocol for the transport layer security.</p>
</dd>
<dt>psk_identity</dt>
<dd><p>Provide the given PSK identity hint to the client during the handshake.</p>
</dd>
<dt>reuse_session</dt>
<dd><p>Custom policy to decide whether a session should be reused.</p>
</dd>
<dt>reuse_sessions (false)</dt>
<dd><p>Whether to allow session reuse.</p>
</dd>
<dt>secure_renegotiate (false)</dt>
<dd><p>Whether to reject renegotiation attempts that do not conform to RFC5746.</p>
</dd>
<dt>session_tickets</dt>
<dd><p>Configures the session ticket functionality.</p>
</dd>
<dt>signature_algs</dt>
<dd><p>The TLS signature algorithm extension may be used, from TLS 1.2, to negotiate which signature algorithm to use during the TLS handshake.</p>
</dd>
<dt>signature_algs_cert</dt>
<dd><p>List of signature schemes for the signature_algs_cert extension introduced in TLS 1.3, in order to make special requirements on signatures used in certificates.</p>
</dd>
<dt>sni_fun</dt>
<dd><p>Function called when the client requests a host using Server Name Indication. Returns options to apply.</p>
</dd>
<dt>sni_hosts</dt>
<dd><p>Options to apply for the host that matches what the client requested with Server Name Indication.</p>
</dd>
<dt>supported_groups([x25519, x448, secp256r1, secp384r1])</dt>
<dd><p>TLS 1.3 introduces the <code>supported_groups</code> extension that is used for negotiating the Diffie-Hellman parameters in a TLS 1.3 handshake. Both client and server can specify a list of parameters that they are willing to use.</p>
</dd>
<dt>user_lookup_fun</dt>
<dd><p>Function called to determine the shared secret when using PSK, or provide parameters when using SRP.</p>
</dd>
<dt>verify (verify_none)</dt>
<dd><p>Use <code>verify_peer</code> to request a certificate from the client.</p>
</dd>
<dt>verify_fun</dt>
<dd><p>Custom policy to decide whether a client certificate is valid.</p>
</dd>
<dt>versions</dt>
<dd><p>TLS protocol versions that will be supported.</p>
</dd>
</dl>
<p>Note that the client will not send a certificate unless the value for the <code>verify</code> option is set to <code>verify_peer</code>. This means that <code>fail_if_no_peer_cert</code> only applies when combined with the <code>verify</code> option. The <code>verify_fun</code> option allows greater control over the client certificate validation.</p>
<p>The options <code>sni_fun</code> and <code>sni_hosts</code> are mutually exclusive.</p>
<h2 id="_changelog">Changelog</h2>
<ul><li><strong>2.0</strong>: The <code>ssl_opt()</code> type was updated for OTP-23.0.
</li>
</ul>
<h2 id="_see_also">See also</h2>
<p><a href="..">ranch(7)</a>, <a href="../ranch_transport">ranch_transport(3)</a>, <a href="../ranch_tcp">ranch_tcp(3)</a>, ssl(3)</p>
</div>
<div class="span3 sidecol">
<h3>
Ranch
2.0
Function Reference
</h3>
<ul>
<li><a href="/docs/en/ranch/2.0/guide">User Guide</a></li>
<li><a href="/docs/en/ranch/2.0/manual">Function Reference</a></li>
</ul>
<h4 id="docs-nav">Navigation</h4>
<h4>Version select</h4>
<ul>
<li><a href="/docs/en/ranch/2.0/manual">2.0</a></li>
<li><a href="/docs/en/ranch/1.7/manual">1.7</a></li>
<li><a href="/docs/en/ranch/1.6/manual">1.6</a></li>
<li><a href="/docs/en/ranch/1.5/manual">1.5</a></li>
<li><a href="/docs/en/ranch/1.4/manual">1.4</a></li>
</ul>
<h3 id="_like_my_work__donate">Like my work? Donate!</h3>
<p>Donate to Loïc Hoguin because his work on Cowboy, Ranch, Gun and Erlang.mk is fantastic:</p>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" style="display:inline">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="[email protected]">
<input type="hidden" name="lc" value="FR">
<input type="hidden" name="item_name" value="Loic Hoguin">
<input type="hidden" name="item_number" value="99s">
<input type="hidden" name="currency_code" value="EUR">
<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHosted">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/fr_FR/i/scr/pixel.gif" width="1" height="1">
</form><p>Recurring payment options are also available via <a href="https://github.com/sponsors/essen">GitHub Sponsors</a>. These funds are used to cover the recurring expenses like food, dedicated servers or domain names.</p>
</div>
</div>
</div>
</div>
<footer>
<div class="container">
<div class="row">
<div class="span6">
<p id="scroll-top"><a href="#">↑ Scroll to top</a></p>
<nav>
<ul>
<li><a href="mailto:[email protected]" title="Contact us">Contact us</a></li><li><a href="https://github.com/ninenines/ninenines.github.io" title="Github repository">Contribute to this site</a></li>
</ul>
</nav>
</div>
<div class="span6 credits">
<p><img src="/img/footer_logo.png"></p>
<p>Copyright © Loïc Hoguin 2012-2018</p>
</div>
</div>
</div>
</footer>
<script src="/js/custom.js"></script>
</body>
</html>
|
