aboutsummaryrefslogblamecommitdiffstats
path: root/doc/src/manual/ranch_ssl.asciidoc
blob: 3a4a1463f88b2cb601fc285ffcc5b33a9a112ef8 (plain) (tree)
1
2
3
4
5
6
7
8



              
                         


              





                                                         


        
         


               
                                    

    
               
 
                                                                   
 
          
 



                 


                       











































                                                                        

                                                                

                                                              
 
                                                   

                          



                                              
                  



                                                            
            



                                                            
         


                                         
      


                             
          



                                                       
         


                                                
                             


                                                
                                             


                                                                
                   



                                                             
           



                                                   
    


                                      
        


                                                       
                              



                                                       
                             



                                                   
                            



                                                          
     


                             
         



                                                           
                  


                                              
                           



                                                          
               



                                                          
               


                                                 
          


                                                        
              



                                                            
               


                                                           
                        


                               
                            



                                                            
                




                                                                
         



                                                            
           



                                                          
                 



                                                              
                     



                                                               
                      


                                                           
            


                                                              
          

                                             


                                                           
                                                            




                                                             
           
 



                                                
= ranch_ssl(3)

== Name

ranch_ssl - SSL transport

== Description

The module `ranch_ssl` implements an SSL Ranch transport.

== Exports

The module `ranch_ssl` implements the interface defined
by link:man:ranch_transport(3)[ranch_transport(3)].

== Types

=== opt()

[source,erlang]
----
opt() :: ranch_tcp:opt() | ssl_opt()
----

Listen options.

The TCP options are defined in link:man:ranch_tcp(3)[ranch_tcp(3)].

=== opts()

[source,erlang]
----
opts() :: [opt()]
----

List of listen options.

=== ssl_opt()

[source,erlang]
----
ssl_opt() = {alpn_preferred_protocols, [binary()]}
          | {beast_mitigation, one_n_minus_one | zero_n | disabled}
          | {cacertfile, string()}
          | {cacerts, [public_key:der_encoded()]}
          | {cert, public_key:der_encoded()}
          | {certfile, string()}
          | {ciphers, [ssl:erl_cipher_suite()] | string()}
          | {client_renegotiation, boolean()}
          | {crl_cache, {module(), {internal | any(), list()}}}
          | {crl_check, boolean() | peer | best_effort}
          | {depth, 0..255}
          | {dh, public_key:der_encoded()}
          | {dhfile, string()}
          | {fail_if_no_peer_cert, boolean()}
          | {hibernate_after, integer() | undefined}
          | {honor_cipher_order, boolean()}
          | {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo',
                public_key:der_encoded()}}
          | {keyfile, string()}
          | {log_alert, boolean()}
          | {next_protocols_advertised, [binary()]}
          | {padding_check, boolean()}
          | {partial_chain, fun(([public_key:der_encoded()])
                -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
          | {password, string()}
          | {psk_identity, string()}
          | {reuse_session, fun()}
          | {reuse_sessions, boolean()}
          | {secure_renegotiate, boolean()}
          | {signature_algs, [{atom(), atom()}]}
          | {sni_fun, fun()}
          | {sni_hosts, [{string(), ssl_opt()}]}
          | {user_lookup_fun, {fun(), any()}}
          | {v2_hello_compatible, boolean()}
          | {verify, ssl:verify_type()}
          | {verify_fun, {fun(), any()}}
          | {versions, [atom()]}
----

SSL-specific listen options.

Specifying a certificate is mandatory, either through the `cert`
or `certfile` option, or by configuring SNI. None of the other
options are required.

The default value is given next to the option name:

alpn_preferred_protocols::

Perform Application-Layer Protocol Negotiation
with the given list of preferred protocols.

beast_mitigation::

Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0
to interoperate with legacy software.

cacertfile::

Path to PEM encoded trusted certificates file used to verify
peer certificates.

cacerts::

List of DER encoded trusted certificates.

cert::

DER encoded user certificate.

certfile::

Path to the PEM encoded user certificate file. May also
contain the private key.

ciphers::

List of ciphers that clients are allowed to use.

client_renegotiation (true)::

Whether to allow client-initiated renegotiation.

crl_cache ({ssl_crl_cache, {internal, []}})::

Customize the module used to cache Certificate Revocation Lists.

crl_check (false)::

Whether to perform CRL check on all certificates in the chain
during validation.

depth (1)::

Maximum of intermediate certificates allowed in the
certification path.

dh::

DER encoded Diffie-Hellman parameters.

dhfile::

Path to the PEM encoded Diffie-Hellman parameters file.

fail_if_no_peer_cert (false)::

Whether to refuse the connection if the client sends an
empty certificate.

hibernate_after (undefined)::

Time in ms after which SSL socket processes go into
hibernation to reduce memory usage.

honor_cipher_order (false)::

If true, use the server's preference for cipher selection.
If false, use the client's preference.

key::

DER encoded user private key.

keyfile::

Path to the PEM encoded private key file, if different from
the certfile.

log_alert (true)::

If false, error reports will not be displayed.

next_protocols_advertised::

List of protocols to send to the client if it supports the
Next Protocol extension.

padding_check::

Allow disabling the block cipher padding check for TLS-1.0
to be able to interoperate with legacy software.

partial_chain::

Claim an intermediate CA in the chain as trusted.

password::

Password to the private key file, if password protected.

psk_identity::

Provide the given PSK identity hint to the client during the
handshake.

reuse_session::

Custom policy to decide whether a session should be reused.

reuse_sessions (false)::

Whether to allow session reuse.

secure_renegotiate (false)::

Whether to reject renegotiation attempts that do not conform
to RFC5746.

signature_algs::

The TLS signature algorithm extension may be used, from TLS 1.2,
to negotiate which signature algorithm to use during the TLS
handshake.

sni_fun::

Function called when the client requests a host using Server
Name Indication. Returns options to apply.

sni_hosts::

Options to apply for the host that matches what the client
requested with Server Name Indication.

user_lookup_fun::

Function called to determine the shared secret when using PSK,
or provide parameters when using SRP.

v2_hello_compatible::

Accept clients that send hello messages in SSL-2.0 format while
offering supported SSL/TLS versions.

verify (verify_none)::

Use `verify_peer` to request a certificate from the client.

verify_fun::

Custom policy to decide whether a client certificate is valid.

versions::

TLS protocol versions that will be supported.

Note that the client will not send a certificate unless the
value for the `verify` option is set to `verify_peer`. This
means that `fail_if_no_peer_cert` only applies when combined
with the `verify` option. The `verify_fun` option allows
greater control over the client certificate validation.

The options `sni_fun` and `sni_hosts` are mutually exclusive.

== See also

link:man:ranch(7)[ranch(7)],
link:man:ranch_transport(3)[ranch_transport(3)],
link:man:ranch_tcp(3)[ranch_tcp(3)],
ssl(3)