author | Ingela Andin <[email protected]> | 2018-02-07 13:36:07 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2018-02-07 13:36:07 +0100 |
commit | 9be186620d86b60791f20ddf5d051c63d576e737 (patch) | |
tree | 5d589dedcce1b6f1336dcae8d6d1e64057015b23 /lib/ssl/doc/src/using_ssl.xml | |
parent | 2e5063371ca21eeabd9c20462c16fac0ee147028 (diff) | |
parent | b16d7d7e4cfa15ab00e5ce43f50619d02bc2f986 (diff) | |
Merge pull request #1698 from IngelaAndin/ingela/ssl/add-ciphers-to-default/OTP-14760
Ingela/ssl/add ciphers to default/otp 14760
Diffstat (limited to 'lib/ssl/doc/src/using_ssl.xml')
-rw-r--r-- | lib/ssl/doc/src/using_ssl.xml | 46 |
1 files changed, 45 insertions, 1 deletions
diff --git a/lib/ssl/doc/src/using_ssl.xml b/lib/ssl/doc/src/using_ssl.xml index 61918a346d..775066ef7d 100644 --- a/lib/ssl/doc/src/using_ssl.xml +++ b/lib/ssl/doc/src/using_ssl.xml @@ -153,7 +153,51 @@ ok</code> </section> </section> - <section> + <section> + <title>Customizing cipher suits</title> + + <p>Fetch default cipher suite list for an TLS/DTLS version. Change default + to all to get all possible cipher suites.</p> + <code type="erl">1> Default = ssl:cipher_suites(default, 'tlsv1.2'). + [#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa, + mac => aead,prf => sha384}, ....] +</code> + + <p>In OTP 20 it is desirable to remove all cipher suites + that uses rsa kexchange (removed from default in 21) </p> + <code type="erl">2> NoRSA = + ssl:filter_cipher_suites(Default, + [{key_exchange, fun(rsa) -> false; + (_) -> true end}]). + [...] + </code> + + <p> Pick just a few suites </p> + <code type="erl"> 3> Suites = + ssl:filter_cipher_suites(Default, + [{key_exchange, fun(ecdh_ecdsa) -> true; + (_) -> false end}, + {cipher, fun(aes_128_cbc) ->true; + (_) ->false end}]). + [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa, + mac => sha256,prf => sha256}, + #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha, + prf => default_prf}] + </code> + + <p> Make some particular suites the most preferred, or least + preferred by changing prepend to append.</p> + <code type="erl"> 4>ssl:prepend_cipher_suites(Suites, Default). + [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa, + mac => sha256,prf => sha256}, + #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha, + prf => default_prf}, + #{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa, + mac => sha384,prf => sha384}, ...] + </code> + </section> + + <section> <title>Using an Engine Stored Key</title> <p>Erlang ssl application is able to use private keys provided |
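Review bot: The "Pick just a few suites" and prepend examples (shell prompts 3 and 4) select ecdh_ecdsa with aes_128_cbc and then move those suites to the front of the default list, so a reader who copies them ends up preferring static-ECDH CBC suites (no forward secrecy, one of them with `mac => sha`) over the ecdhe_ecdsa AEAD suite that prompt 1 shows at the head of the default list. Suggest filtering on ecdhe_ecdsa and an AEAD cipher such as aes_256_gcm instead, or stating in the text that the selection is for illustration only. Smaller points in the same hunk: the title reads `Customizing cipher suits` (should be "suites"); "an TLS/DTLS version" and "that uses rsa kexchange" need a grammar pass; the prompts are formatted inconsistently (` 3> Suites =` versus `4>ssl:prepend_cipher_suites`); and the section never shows the resulting list being handed to a connection, for example through the ciphers option, which is the step a reader needs to actually apply the customization.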