aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lib/ssl/doc/src/ssl.xml56
-rw-r--r--lib/ssl/src/ssl.erl11
2 files changed, 38 insertions, 29 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index d78deb3252..2501db858a 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -184,13 +184,16 @@
<tag>{ciphers, ciphers()}</tag>
<item>The cipher suites that should be supported. The function
- <c>cipher_suites/0</c> can be used to find all available
- ciphers. Additionally some anonymous cipher suites ({dh_anon,
- rc4_128, md5}, {dh_anon, des_cbc, sha}, {dh_anon,
- '3des_ede_cbc', sha}, {dh_anon, aes_128_cbc, sha}, {dh_anon,
- aes_256_cbc, sha}) are supported for testing purposes and will
- only work if explicitly enabled by this option and they are supported/enabled
- by the peer also.
+ <c>cipher_suites/0</c> can be used to find all ciphers that are
+ supported by default. <c>cipher_suites(all)</c> may be called
+ to find all available cipher suites.
+ Pre-Shared Key (<url href="http://www.ietf.org/rfc/rfc4279.txt">RFC 4279</url> and
+ <url href="http://www.ietf.org/rfc/rfc5487.txt">RFC 5487</url>),
+ Secure Remote Password (<url href="http://www.ietf.org/rfc/rfc5054.txt">RFC 5054</url>)
+ and anonymous cipher suites only work if explicitly enabled by
+ this option and they are supported/enabled by the peer also.
+ Note that anonymous cipher suites are supported for testing purposes
+ only and should not be used when security matters.
</item>
<tag>{ssl_imp, new | old}</tag>
@@ -200,10 +203,10 @@
<tag>{secure_renegotiate, boolean()}</tag>
<item>Specifies if to reject renegotiation attempt that does
- not live up to RFC 5746. By default secure_renegotiate is
+ not live up to <url href="http://www.ietf.org/rfc/rfc5746.txt">RFC 5746</url>. By default secure_renegotiate is
set to false i.e. secure renegotiation will be used if possible
but it will fallback to unsecure renegotiation if the peer
- does not support RFC 5746.
+ does not support <url href="http://www.ietf.org/rfc/rfc5746.txt">RFC 5746</url>.
</item>
<tag>{depth, integer()}</tag>
@@ -305,25 +308,22 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
fun(psk, PSKIdentity, UserState :: term()) ->
{ok, SharedSecret :: binary()} | error;
fun(srp, Username, UserState :: term()) ->
- {ok, {SRPParams :: srp_param_type(), Salt :: binary(), UserPassHash :: binary()}} | error.
+ {ok, {SRPParams :: srp_param_type(), Salt :: binary(), DerivedKey :: binary()}} | error.
</code>
- <p>For PSK cipher suites, the lookup fun will be called in the client and server the find
- the shared secret. On the client, PSKIdentity will be set to hint presented by the server
- or undefined. On the server, PSKIdentity is the identity presented by the client.
- For SRP cipher suites, the fun will only be used by the server to find the SRP values.
+ <p>For Pre-Shared Key (PSK) cipher suites, the lookup fun will
+ be called by the client and server to determine the shared
+ secret. When called by the client, PSKIdentity will be set to the
+ hint presented by the server or undefined. When called by the
+ server, PSKIdentity is the identity presented by the client.
</p>
- <p>For SRP, the required values on a server will usually be precalculated and kept in a passwd
- like file. A sample SRP lookup fun that calculates the values on the fly for a single user entry
- with a static password could be:</p>
- <code><![CDATA[
-user_lookup(srp, Username, _UserState) ->
- Salt = ssl:random_bytes(16),
- UserPassHash = crypto:sha([Salt, crypto:sha([Username, <<$:>>, <<"secret">>])]),
- {ok, {srp_1024, Salt, UserPassHash}}.
- ]]></code>
-
+ <p>For Secure Remote Password (SRP), the fun will only be used by the server to obtain
+ parameters that it will use to generate its session keys. <c>DerivedKey</c> should be
+ derived according to <url href="http://tools.ietf.org/html/rfc2945#section-3"> RFC 2945</url> and
+ <url href="http://tools.ietf.org/html/rfc5054#section-2.4"> RFC 5054</url>:
+ <c>crypto:sha([Salt, crypto:sha([Username, &lt;&lt;$:&gt;&gt;, Password])]) </c>
+ </p>
</item>
</taglist>
@@ -473,13 +473,16 @@ user_lookup(srp, Username, _UserState) ->
<name>cipher_suites(Type) -> ciphers()</name>
<fsummary> Returns a list of supported cipher suites</fsummary>
<type>
- <v>Type = erlang | openssl</v>
+ <v>Type = erlang | openssl | all</v>
</type>
<desc><p>Returns a list of supported cipher suites.
cipher_suites() is equivalent to cipher_suites(erlang).
Type openssl is provided for backwards compatibility with
- old ssl that used openssl.
+ old ssl that used openssl. cipher_suites(all) returns
+ all available cipher suites. The cipher suites not present
+ in cipher_suites(erlang) but in included in cipher_suites(all)
+ will not be used unless explicitly configured by the user.
</p>
</desc>
</func>
@@ -867,7 +870,6 @@ user_lookup(srp, Username, _UserState) ->
</desc>
</func>
-
</funcs>
<section>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index d5f5fa6b04..70f3b4f050 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -355,7 +355,7 @@ negotiated_next_protocol(#sslsocket{pid = Pid}) ->
ssl_connection:negotiated_next_protocol(Pid).
-spec cipher_suites() -> [erl_cipher_suite()].
--spec cipher_suites(erlang | openssl) -> [erl_cipher_suite()] | [string()].
+-spec cipher_suites(erlang | openssl | all ) -> [erl_cipher_suite()] | [string()].
%% Description: Returns all supported cipher suites.
%%--------------------------------------------------------------------
@@ -368,8 +368,15 @@ cipher_suites(erlang) ->
cipher_suites(openssl) ->
Version = ssl_record:highest_protocol_version([]),
- [ssl_cipher:openssl_suite_name(S) || S <- ssl_cipher:suites(Version)].
+ [ssl_cipher:openssl_suite_name(S) || S <- ssl_cipher:suites(Version)];
+cipher_suites(all) ->
+ Version = ssl_record:highest_protocol_version([]),
+ Supported = ssl_cipher:suites(Version)
+ ++ ssl_cipher:anonymous_suites()
+ ++ ssl_cipher:psk_suites(Version)
+ ++ ssl_cipher:srp_suites(),
+ [suite_definition(S) || S <- Supported].
%%--------------------------------------------------------------------
-spec getopts(#sslsocket{}, [gen_tcp:option_name()]) ->
{ok, [gen_tcp:option()]} | {error, reason()}.