aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/ssl.xml
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc/src/ssl.xml')
-rw-r--r--lib/ssl/doc/src/ssl.xml64
1 files changed, 51 insertions, 13 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 24d063e1bd..74a0a0a03e 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -145,8 +145,13 @@
</datatype>
<datatype>
- <name name="legacy_version"/>
+ <name name="tls_legacy_version"/>
</datatype>
+
+ <datatype>
+ <name name="dtls_legacy_version"/>
+ </datatype>
+
<datatype>
<name name="prf_random"/>
@@ -195,11 +200,15 @@
<datatype>
<name name="signature_algs"/>
</datatype>
-
+
<datatype>
<name name="sign_algo"/>
</datatype>
-
+
+ <datatype>
+ <name name="sign_scheme"/>
+ </datatype>
+
<datatype>
<name name="kex_algo"/>
</datatype>
@@ -339,7 +348,30 @@
and to restrict their usage when using a cipher suite supporting them.</p>
</desc>
</datatype>
-
+
+ <datatype>
+ <name name="signature_schemes"/>
+ <desc>
+ <p>
+ In addition to the signature_algorithms extension from TLS 1.2,
+ <url href="http://www.ietf.org/rfc/rfc8446.txt#section-4.2.3">TLS 1.3
+ (RFC 5246 Section 4.2.3)</url>adds the signature_algorithms_cert extension
+ which enables having special requirements on the signatures used in the
+ certificates that differs from the requirements on digital signatures as a whole.
+ If this is not required this extension is not needed.
+ </p>
+ <p>
+ The client will send a signature_algorithms_cert extension (ClientHello),
+ if TLS version 1.3 or later is used, and the signature_algs_cert option is
+ explicitly specified. By default, only the signature_algs extension is sent.
+ </p>
+ <p>
+ The signature schemes shall be ordered according to the client's preference
+ (favorite choice first).
+ </p>
+ </desc>
+ </datatype>
+
<datatype>
<name name="secure_renegotiation"/>
<desc><p>Specifies if to reject renegotiation attempt that does
@@ -479,7 +511,7 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
<item>check is only performed on the peer certificate.</item>
<tag><c>best_effort</c></tag>
- <item>if certificate revocation status can not be determined
+ <item>if certificate revocation status cannot be determined
it will be accepted as valid.</item>
</taglist>
@@ -612,10 +644,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
</desc>
</datatype>
- <datatype>
- <name name="log_alert"/>
- <desc><p>If set to <c>false</c>, error reports are not displayed.</p>
- </desc>
+ <datatype>
+ <name name="log_alert"/>
+ <desc><p>If set to <c>false</c>, error reports are not displayed.
+ Deprecated in OTP 22, use {log_level, <seealso marker="#type-logging_level">logging_level()</seealso>} instead.</p>
+ </desc>
+ </datatype>
+
+ <datatype>
+ <name name="logging_level"/>
+ <desc><p>Specifies the log level for TLS/DTLS. At verbosity level <c>notice</c> and above error reports are
+ displayed in TLS/DTLS. The level <c>debug</c> triggers verbose logging of TLS/DTLS protocol
+ messages.</p>
+ </desc>
</datatype>
<datatype>
@@ -856,7 +897,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
</desc>
</datatype>
-
<datatype_title>TLS/DTLS OPTION DESCRIPTIONS - SERVER </datatype_title>
@@ -870,8 +910,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
is supplied it overrides option <c>cacertfile</c>.</p>
</desc>
</datatype>
-
-
+
<datatype>
<name name="server_cafile"/>
<desc><p>Path to a file containing PEM-encoded CA
@@ -899,7 +938,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
default parameters are used.</p>
</desc>
</datatype>
-
<datatype>
<name name="server_verify_type"/>