From 95e3fbe00e700f1c4ed4735434eafc5ee899111f Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Mon, 11 Feb 2019 12:11:54 +0100 Subject: ssl: Reintroduce documentation of signature_algs_cert and log_level option When changing the ssl application to use type specs in documentation master additions where lost in the merge as we did not want to rewrite the new documentation in a merge commit. --- lib/ssl/doc/src/ssl.xml | 51 +++++++++++++++++++++++++++++++++++++++++-------- lib/ssl/src/ssl.erl | 21 +++++++++++++++++++- 2 files changed, 63 insertions(+), 9 deletions(-) (limited to 'lib/ssl') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index be5abac7bc..3f643f32e1 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -190,15 +190,18 @@ - - + - + + + + + @@ -334,7 +337,30 @@ and to restrict their usage when using a cipher suite supporting them.

- + + + + +

+ In addition to the signature_algorithms extension from TLS 1.2, + TLS 1.3 + (RFC 5246 Section 4.2.3)adds the signature_algorithms_cert extension + which enables having special requirements on the signatures used in the + certificates that differs from the requirements on digital signatures as a whole. + If this is not required this extension is not needed. +

+

+ The client will send a signature_algorithms_cert extension (ClientHello), + if TLS version 1.3 or later is used, and the signature_algs_cert option is + explicitly specified. By default, only the signature_algs extension is sent. +

+

+ The signature schemes shall be ordered according to the client's preference + (favorite choice first). +

+ + +

Specifies if to reject renegotiation attempt that does @@ -606,10 +632,19 @@ fun(srp, Username :: string(), UserState :: term()) -> - - -

If set to false, error reports are not displayed.

- + + +

If set to false, error reports are not displayed. + Deprecated in OTP 22, use {log_level, logging_level()} instead.

+ + + + + +

Specifies the log level for TLS/DTLS. At verbosity level notice and above error reports are + displayed in TLS. The level debug triggers verbose logging of TLS protocol + messages and logging of ignored alerts in DTLS.

+ diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 017e06b232..2542c82cc8 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -135,6 +135,22 @@ -type legacy_hash() :: md5. -type sign_algo() :: rsa | dsa | ecdsa. + +-type sign_scheme() :: rsa_pkcs1_sha256 + | rsa_pkcs1_sha384 + | rsa_pkcs1_sha512 + | ecdsa_secp256r1_sha256 + | ecdsa_secp384r1_sha384 + | ecdsa_secp521r1_sha512 + | rsa_pss_rsae_sha256 + | rsa_pss_rsae_sha384 + | rsa_pss_rsae_sha512 + | rsa_pss_pss_sha256 + | rsa_pss_pss_sha384 + | rsa_pss_pss_sha512 + | rsa_pkcs1_sha1 + | ecdsa_sha1. + -type key_algo() :: rsa | dhe_rsa | dhe_dss | ecdhe_ecdsa | ecdh_ecdsa | ecdh_rsa | @@ -228,6 +244,7 @@ {password, key_password()} | {ciphers, cipher_suites()} | {eccs, eccs()} | + {signature_algs_cert, signature_schemes()} | {secure_renegotiate, secure_renegotiation()} | {depth, allowed_cert_chain_length()} | {verify_fun, custom_verify()} | @@ -237,6 +254,7 @@ {partial_chain, root_fun()} | {versions, protocol_versions()} | {user_lookup_fun, custom_user_lookup()} | + {log_level, logging_level()} | {log_alert, log_alert()} | {hibernate_after, hibernate_after()} | {padding_check, padding_check()} | @@ -271,13 +289,14 @@ -type root_fun() :: fun(). -type protocol_versions() :: [protocol_version()]. -type signature_algs() :: [{hash(), sign_algo()}]. +-type signature_schemes() :: [sign_scheme()]. -type custom_user_lookup() :: {Lookupfun :: fun(), UserState :: term()}. -type padding_check() :: boolean(). -type beast_mitigation() :: one_n_minus_one | zero_n | disabled. -type srp_identity() :: {Username :: string(), Password :: string()}. -type psk_identity() :: string(). -type log_alert() :: boolean(). - +-type logging_level() :: logger:level(). %% ------------------------------------------------------------------------------------------------------- -type client_option() :: {verify, client_verify_type()} | -- cgit v1.2.3