From cece38b7dccf8563b44eb095ba202f55e07e807f Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Tue, 30 Jan 2018 16:53:54 +0100
Subject: ssl: Add UG examles
---
lib/ssl/doc/src/using_ssl.xml | 46 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/lib/ssl/doc/src/using_ssl.xml b/lib/ssl/doc/src/using_ssl.xml
index 61918a346d..775066ef7d 100644
--- a/lib/ssl/doc/src/using_ssl.xml
+++ b/lib/ssl/doc/src/using_ssl.xml
@@ -153,7 +153,51 @@ ok -
+
+ Customizing cipher suits + +

Fetch default cipher suite list for an TLS/DTLS version. Change default + to all to get all possible cipher suites.

+ 1> Default = ssl:cipher_suites(default, 'tlsv1.2'). + [#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa, + mac => aead,prf => sha384}, ....] + + +

In OTP 20 it is desirable to remove all cipher suites + that uses rsa kexchange (removed from default in 21)

+ 2> NoRSA = + ssl:filter_cipher_suites(Default, + [{key_exchange, fun(rsa) -> false; + (_) -> true end}]). + [...] + + +

Pick just a few suites

+ 3> Suites = + ssl:filter_cipher_suites(Default, + [{key_exchange, fun(ecdh_ecdsa) -> true; + (_) -> false end}, + {cipher, fun(aes_128_cbc) ->true; + (_) ->false end}]). + [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa, + mac => sha256,prf => sha256}, + #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha, + prf => default_prf}] + + +

Make some particular suites the most preferred, or least + preferred by changing prepend to append.

+ 4>ssl:prepend_cipher_suites(Suites, Default). + [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa, + mac => sha256,prf => sha256}, + #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha, + prf => default_prf}, + #{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa, + mac => sha384,prf => sha384}, ...] + +
+ +
Using an Engine Stored Key

Erlang ssl application is able to use private keys provided -- cgit v1.2.3