From 7cf85926c11d38ce5ebd181f9f98185f359d64a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= Date: Thu, 26 Feb 2015 18:55:16 +0100 Subject: ssl: Add TLS-ALPN support This commit adds support for RFC7301, application-layer protocol negotiation. ALPN is the standard based approach to the NPN extension, and is required for HTTP/2. ALPN lives side by side with NPN and provides an equivalent feature but in this case it is the server that decides what protocol to use, not the client. When both ALPN and NPN are sent by a client, and the server is configured with both ALPN and NPN options, ALPN will always take precedence. This behavior can also be found in the OpenSSL implementation of ALPN. ALPN and NPN share the ssl:negotiated_protocol/1 function for retrieving the negotiated protocol. The previously existing function ssl:negotiated_next_protocol/1 still exists, but has been deprecated and removed from the documentation. The tests against OpenSSL require OpenSSL version 1.0.2+. --- lib/ssl/doc/src/ssl.xml | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) (limited to 'lib/ssl/doc/src') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index c9b02d44ec..3581a487a2 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -89,6 +89,8 @@ |{dh, der_encoded()} | {dhfile, path()} | {ciphers, ciphers()} | {user_lookup_fun, {fun(), term()}}, {psk_identity, string()}, {srp_identity, {string(), string()}} | {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()} + {alpn_advertised_protocols, [binary()]} | + {alpn_preferred_protocols, [binary()]} | {next_protocols_advertised, [binary()]} | {client_preferred_next_protocols, {client | server, [binary()]} | {client | server, [binary()], binary()}} | {log_alert, boolean()} | {server_name_indication, hostname() | disable} 
@@ -425,7 +427,20 @@ fun(srp, Username :: string(), UserState :: term()) -> certificates are used during server authentication and when building the client certificate chain. - + + {alpn_advertised_protocols, [binary()]} + +

The list of protocols supported by the client to be sent to the + server to be used for an Application-Layer Protocol Negotiation (ALPN). + If the server supports ALPN then it will choose a protocol from this + list; otherwise it will fail the connection with a "no_application_protocol" + alert. A server that does not support ALPN will ignore this value.

+ +

The list of protocols must not contain an empty binary.

+ +

The negotiated protocol can be retrieved using the negotiated_protocol/1 function.

+
+ {client_preferred_next_protocols, {Precedence :: server | client, ClientPrefs :: [binary()]}} {client_preferred_next_protocols, {Precedence :: server | client, ClientPrefs :: [binary()], Default :: binary()}} @@ -545,12 +560,25 @@ fun(srp, Username :: string(), UserState :: term()) -> and CipherSuite is of type ciphersuite(). + {alpn_preferred_protocols, [binary()]} + +

Indicates the server will try to perform Application-Layer + Protocol Negotiation (ALPN).

+ +

The list of protocols is in order of preference. The protocol + negotiated will be the first in the list that matches one of the + protocols advertised by the client. If no protocol matches, the + server will fail the connection with a "no_application_protocol" alert.

+ +

The negotiated protocol can be retrieved using the negotiated_protocol/1 function.

+
+ {next_protocols_advertised, Protocols :: [binary()]} The list of protocols to send to the client if the client indicates it supports the Next Protocol extension. The client may select a protocol that is not on this list. The list of protocols must not contain an empty binary. If the server negotiates a Next Protocol it can be accessed - using negotiated_next_protocol/1 method. + using negotiated_protocol/1 function. {psk_identity, string()} @@ -1018,15 +1046,15 @@ fun(srp, Username :: string(), UserState :: term()) -> - negotiated_next_protocol(Socket) -> {ok, Protocol} | {error, next_protocol_not_negotiated} - Returns the Next Protocol negotiated. + negotiated_protocol(Socket) -> {ok, Protocol} | {error, protocol_not_negotiated} + Returns the protocol negotiated through ALPN or NPN extensions. Socket = sslsocket() Protocol = binary()

- Returns the Next Protocol negotiated. + Returns the protocol negotiated through ALPN or NPN extensions.
