aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/ssl.xml
diff options
context:
space:
mode:
authorErlang/OTP <[email protected]>2016-04-26 12:01:03 +0200
committerErlang/OTP <[email protected]>2016-04-26 12:01:03 +0200
commitfbcbe079db40e63c1d9dc264139e3c4cc08c1cdd (patch)
treec36a5801165fcabec8936876c004cdfa6419d099 /lib/ssl/doc/src/ssl.xml
parent237c335b55d1c18191b0dadde42492a2bea9fd82 (diff)
parent0f3070badc2ae32515cdfbb29ee8a56853e4825d (diff)
downloadotp-fbcbe079db40e63c1d9dc264139e3c4cc08c1cdd.tar.gz
otp-fbcbe079db40e63c1d9dc264139e3c4cc08c1cdd.tar.bz2
otp-fbcbe079db40e63c1d9dc264139e3c4cc08c1cdd.zip
Merge branch 'ingela/ssl/config-signature-algs/OTP-13261' into maint-18
* ingela/ssl/config-signature-algs/OTP-13261: ssl: Prepare for release ssl: Add option signature_algs
Diffstat (limited to 'lib/ssl/doc/src/ssl.xml')
-rw-r--r--lib/ssl/doc/src/ssl.xml49
1 files changed, 46 insertions, 3 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index a76d46ee9b..e831f73530 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -421,7 +421,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
<warning><p>Using <c>{padding_check, boolean()}</c> makes TLS
vulnerable to the Poodle attack.</p></warning>
-
</section>
<section>
@@ -522,9 +521,45 @@ fun(srp, Username :: string(), UserState :: term()) ->
be supported by the server for the prevention to work.
</p></warning>
</item>
- </taglist>
+ <tag><marker id="client_signature_algs"/><c>{signature_algs, [{hash(), ecdsa | rsa | dsa}]}</c></tag>
+ <item>
+ <p>In addition to the algorithms negotiated by the cipher
+ suite used for key exchange, payload encryption, message
+ authentication and pseudo random calculation, the TLS signature
+ algorithm extension <url
+ href="http://www.ietf.org/rfc/rfc5246.txt">Section 7.4.1.4.1 in RFC 5246</url> may be
+ used, from TLS 1.2, to negotiate which signature algorithm to use during the
+ TLS handshake. If no lower TLS versions than 1.2 are supported,
+ the client will send a TLS signature algorithm extension
+ with the algorithms specified by this option.
+ Defaults to
+
+ <code>[
+%% SHA2
+{sha512, ecdsa},
+{sha512, rsa},
+{sha384, ecdsa},
+{sha384, rsa},
+{sha256, ecdsa},
+{sha256, rsa},
+{sha224, ecdsa},
+{sha224, rsa},
+%% SHA
+{sha, ecdsa},
+{sha, rsa},
+{sha, dsa},
+%% MD5
+{md5, rsa}
+]</code>
+
+ The algorithms should be in the preferred order.
+ Selected signature algorithm can restrict which hash functions
+ that may be selected.
+ </p>
+ </item>
+ </taglist>
</section>
-
+
<section>
<title>SSL OPTION DESCRIPTIONS - SERVER SIDE</title>
@@ -651,6 +686,14 @@ fun(srp, Username :: string(), UserState :: term()) ->
<item>If true, use the server's preference for cipher selection. If false
(the default), use the client's preference.
</item>
+
+ <tag><c>{signature_algs, [{hash(), ecdsa | rsa | dsa}]}</c></tag>
+ <item><p> The algorithms specified by
+ this option will be the ones accepted by the server in a signature algorithm
+ negotiation, introduced in TLS-1.2. The algorithms will also be offered to the client if a
+ client certificate is requested. For more details see the <seealso marker="#client_signature_algs">corresponding client option</seealso>.
+ </p> </item>
+
</taglist>
</section>