aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src/ssl.xml
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc/src/ssl.xml')
-rw-r--r--lib/ssl/doc/src/ssl.xml100
1 files changed, 85 insertions, 15 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index c448d345de..3aa6e09c2c 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -145,7 +145,11 @@
</datatype>
<datatype>
- <name name="legacy_version"/>
+ <name name="tls_legacy_version"/>
+ </datatype>
+
+ <datatype>
+ <name name="dtls_legacy_version"/>
</datatype>
<datatype>
@@ -195,11 +199,15 @@
<datatype>
<name name="signature_algs"/>
</datatype>
-
+
<datatype>
<name name="sign_algo"/>
</datatype>
-
+
+ <datatype>
+ <name name="sign_scheme"/>
+ </datatype>
+
<datatype>
<name name="kex_algo"/>
</datatype>
@@ -332,7 +340,30 @@
matters.</p>
</desc>
</datatype>
-
+
+ <datatype>
+ <name name="signature_schemes"/>
+ <desc>
+ <p>
+ In addition to the signature_algorithms extension from TLS 1.2,
+ <url href="http://www.ietf.org/rfc/rfc8446.txt#section-4.2.3">TLS 1.3
+ (RFC 5246 Section 4.2.3)</url>adds the signature_algorithms_cert extension
+ which enables having special requirements on the signatures used in the
+ certificates that differs from the requirements on digital signatures as a whole.
+ If this is not required this extension is not needed.
+ </p>
+ <p>
+ The client will send a signature_algorithms_cert extension (ClientHello),
+ if TLS version 1.3 or later is used, and the signature_algs_cert option is
+ explicitly specified. By default, only the signature_algs extension is sent.
+ </p>
+ <p>
+ The signature schemes shall be ordered according to the client's preference
+ (favorite choice first).
+ </p>
+ </desc>
+ </datatype>
+
<datatype>
<name name="secure_renegotiation"/>
<desc><p>Specifies if to reject renegotiation attempt that does
@@ -472,7 +503,7 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
<item>check is only performed on the peer certificate.</item>
<tag><c>best_effort</c></tag>
- <item>if certificate revocation status can not be determined
+ <item>if certificate revocation status cannot be determined
it will be accepted as valid.</item>
</taglist>
@@ -605,10 +636,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
</desc>
</datatype>
- <datatype>
- <name name="log_alert"/>
- <desc><p>If set to <c>false</c>, error reports are not displayed.</p>
- </desc>
+ <datatype>
+ <name name="log_alert"/>
+ <desc><p>If set to <c>false</c>, error reports are not displayed.
+ Deprecated in OTP 22, use {log_level, <seealso marker="#type-logging_level">logging_level()</seealso>} instead.</p>
+ </desc>
+ </datatype>
+
+ <datatype>
+ <name name="logging_level"/>
+ <desc><p>Specifies the log level for TLS/DTLS. At verbosity level <c>notice</c> and above error reports are
+ displayed in TLS/DTLS. The level <c>debug</c> triggers verbose logging of TLS/DTLS protocol
+ messages.</p>
+ </desc>
</datatype>
<datatype>
@@ -849,7 +889,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
</desc>
</datatype>
-
<datatype_title>TLS/DTLS OPTION DESCRIPTIONS - SERVER </datatype_title>
@@ -863,8 +902,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
is supplied it overrides option <c>cacertfile</c>.</p>
</desc>
</datatype>
-
-
+
<datatype>
<name name="server_cafile"/>
<desc><p>Path to a file containing PEM-encoded CA
@@ -892,7 +930,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
default parameters are used.</p>
</desc>
</datatype>
-
<datatype>
<name name="server_verify_type"/>
@@ -1095,6 +1132,15 @@ fun(srp, Username :: string(), UserState :: term()) ->
</func>
<func>
+ <name name="cipher_suites" arity="3" since="OTP 22.0"/>
+ <fsummary>Returns a list of RFC or OpenSSL names</fsummary>
+ <desc><p>Same as <seealso marker="#cipher_suites-2">cipher_suites/2</seealso>
+ but lists RFC or OpenSSL string names instead of <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ </p>
+ </desc>
+ </func>
+
+ <func>
<name name="eccs" arity="0" since="OTP 19.2"/>
<name name="eccs" arity="1" since="OTP 19.2"/>
<fsummary>Returns a list of supported ECCs.</fsummary>
@@ -1526,12 +1572,36 @@ fun(srp, Username :: string(), UserState :: term()) ->
<p>Stops the SSL application.</p>
</desc>
</func>
+
+ <func>
+ <name since="OTP 22.0" name="str_to_suite" arity="1" />
+ <fsummary>Converts an RFC or OpenSSL name string to an erlang cipher suite format</fsummary>
+ <desc>
+ <p>Converts an RFC or OpenSSL name string to an
+ <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ Returns an error if the cipher suite is not supported or the name is not a valid cipher suite name.</p>
+ </desc>
+ </func>
<func>
+ <name since="OTP 22.0" name="suite_to_openssl_str" arity="1" />
+ <fsummary>Converts erlang cipher suite format to an OpenSSL name string.
+ </fsummary>
+ <desc>
+ <p>Converts <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ to OpenSSL name string. </p>
+
+ <p>PRE TLS-1.3 these names differ for RFC names</p>
+
+ </desc>
+ </func>
+
+ <func>
<name since="OTP 21.0" name="suite_to_str" arity="1" clause_i="1" />
- <fsummary>Returns the string representation of a cipher suite.</fsummary>
+ <fsummary>Converts an erlang cipher suite to an RFC name string.</fsummary>
<desc>
- <p>Returns the string representation of a cipher suite.</p>
+ <p>Converts <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ to RFC name string.</p>
</desc>
</func>