author Ingela Andin <[email protected]> 2018-02-07 13:36:07 +0100
committer GitHub <[email protected]> 2018-02-07 13:36:07 +0100
commit 9be186620d86b60791f20ddf5d051c63d576e737
tree 5d589dedcce1b6f1336dcae8d6d1e64057015b23 /lib/ssl/doc/src/using_ssl.xml
parent 2e5063371ca21eeabd9c20462c16fac0ee147028
parent b16d7d7e4cfa15ab00e5ce43f50619d02bc2f986
Merge pull request #1698 from IngelaAndin/ingela/ssl/add-ciphers-to-default/OTP-14760
Ingela/ssl/add ciphers to default/otp 14760
Diffstat (limited to 'lib/ssl/doc/src/using_ssl.xml')
-rw-r--r-- lib/ssl/doc/src/using_ssl.xml 46
1 files changed, 45 insertions, 1 deletions
diff --git a/lib/ssl/doc/src/using_ssl.xml b/lib/ssl/doc/src/using_ssl.xml
index 61918a346d..775066ef7d 100644
--- a/lib/ssl/doc/src/using_ssl.xml
+++ b/lib/ssl/doc/src/using_ssl.xml
@@ -153,7 +153,51 @@ ok</code>
</section>
</section>
- <section>
+ <section>
+ <title>Customizing cipher suits</title>
+
+ <p>Fetch default cipher suite list for an TLS/DTLS version. Change default
+ to all to get all possible cipher suites.</p>
+ <code type="erl">1> Default = ssl:cipher_suites(default, 'tlsv1.2').
+ [#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa,
+ mac => aead,prf => sha384}, ....]
+</code>
+
+ <p>In OTP 20 it is desirable to remove all cipher suites
+ that uses rsa kexchange (removed from default in 21) </p>
+ <code type="erl">2> NoRSA =
+ ssl:filter_cipher_suites(Default,
+ [{key_exchange, fun(rsa) -> false;
+ (_) -> true end}]).
+ [...]
+ </code>
+
+ <p> Pick just a few suites </p>
+ <code type="erl"> 3> Suites =
+ ssl:filter_cipher_suites(Default,
+ [{key_exchange, fun(ecdh_ecdsa) -> true;
+ (_) -> false end},
+ {cipher, fun(aes_128_cbc) ->true;
+ (_) ->false end}]).
+ [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,
+ mac => sha256,prf => sha256},
+ #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha,
+ prf => default_prf}]
+ </code>
+
+ <p> Make some particular suites the most preferred, or least
+ preferred by changing prepend to append.</p>
+ <code type="erl"> 4>ssl:prepend_cipher_suites(Suites, Default).
+ [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,
+ mac => sha256,prf => sha256},
+ #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha,
+ prf => default_prf},
+ #{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa,
+ mac => sha384,prf => sha384}, ...]
+ </code>
+ </section>
+
+ <section>
<title>Using an Engine Stored Key</title>
<p>Erlang ssl application is able to use private keys provided
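Review bot: The "Pick just a few suites" example (shell prompt 3) filters down to `ecdh_ecdsa` key exchange with `aes_128_cbc`, and prompt 4 then prepends exactly those suites so they become the most preferred. Readers tend to copy user-guide snippets verbatim, and this one promotes static ECDH (no forward secrecy) with CBC-mode suites, one of them with `mac => sha`, ahead of the `ecdhe_ecdsa` entries already in the default list. Consider filtering on `ecdhe_ecdsa` and an AEAD cipher such as `aes_128_gcm` instead, so the sample output shows a selection that is safe to reuse. The section also stops at building the list: a closing sentence saying the result is passed in the `ciphers` option of the ssl connection options would complete it. Smaller wording points in the same hunk: the title reads "Customizing cipher suits" (should be "suites"), "an TLS/DTLS version" should be "a TLS/DTLS version", and "that uses rsa kexchange" should read "that use RSA key exchange". The `<code>` blocks are also inconsistent about leading whitespace before the shell prompt (`1>` and `2>` start flush, ` 3>` and ` 4>` have a leading space, and `4>ssl:` lacks the space after the prompt), which will show up in the rendered documentation.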