aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjuhlig <[email protected]>2020-06-25 13:27:22 +0200
committerLoïc Hoguin <[email protected]>2020-06-25 13:39:55 +0200
commit7ff57d26daa22ec1947fe02697a20e76abbc9f07 (patch)
tree69c351be8fe64f2fb959b457640d607682f20a85
parentb97f90eb3be8a2c1030e50fe7a9d48612a765e25 (diff)
downloadranch-7ff57d26daa22ec1947fe02697a20e76abbc9f07.tar.gz
ranch-7ff57d26daa22ec1947fe02697a20e76abbc9f07.tar.bz2
ranch-7ff57d26daa22ec1947fe02697a20e76abbc9f07.zip
Add new ssl options introduced with OTP/23
-rw-r--r--doc/src/guide/migrating_from_1.7.asciidoc2
-rw-r--r--doc/src/manual/ranch_ssl.asciidoc35
-rw-r--r--src/ranch_ssl.erl11
3 files changed, 41 insertions, 7 deletions
diff --git a/doc/src/guide/migrating_from_1.7.asciidoc b/doc/src/guide/migrating_from_1.7.asciidoc
index d10d1fd..3ed6d85 100644
--- a/doc/src/guide/migrating_from_1.7.asciidoc
+++ b/doc/src/guide/migrating_from_1.7.asciidoc
@@ -160,4 +160,4 @@ for Erlang/OTP 19 and 20 has been removed.
`ssl:ssl_accept/1,2`.
* The `ranch_ssl:ssl_opt()` type has been updated to conform
- with Erlang/OTP 22.0.
+ with Erlang/OTP 23.0.
diff --git a/doc/src/manual/ranch_ssl.asciidoc b/doc/src/manual/ranch_ssl.asciidoc
index 66f91b1..49dc4d2 100644
--- a/doc/src/manual/ranch_ssl.asciidoc
+++ b/doc/src/manual/ranch_ssl.asciidoc
@@ -40,6 +40,7 @@ List of listen options.
[source,erlang]
----
ssl_opt() = {alpn_preferred_protocols, [binary()]}
+ | {anti_replay, '10k' | '100k' | {integer(), integer(), integer()}}
| {beast_mitigation, one_n_minus_one | zero_n | disabled}
| {cacertfile, file:filename()}
| {cacerts, [public_key:der_encoded()]}
@@ -52,17 +53,19 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
| {depth, integer()}
| {dh, binary()}
| {dhfile, file:filename()}
- | {eccs, [atom()]}
+ | {eccs, [ssl:named_curve()]}
| {fail_if_no_peer_cert, boolean()}
| {handshake, hello | full}
| {hibernate_after, timeout()}
| {honor_cipher_order, boolean()}
| {honor_ecc_order, boolean()}
| {key, ssl:key()}
+ | {key_update_at, pos_integer()}
| {keyfile, file:filename()}
| {log_alert, boolean()}
| {log_level, logger:level()}
| {max_handshake_size, integer()}
+ | {middlebox_comp_mode, boolean()}
| {next_protocols_advertised, [binary()]}
| {padding_check, boolean()}
| {partial_chain, fun()}
@@ -72,10 +75,12 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
| {reuse_session, fun()}
| {reuse_sessions, boolean()}
| {secure_renegotiate, boolean()}
+ | {session_tickets, disabled | stateful | stateless}
| {signature_algs, [{ssl:hash(), ssl:sign_algo()}]}
- | {signature_algs_cert, [atom()]}
+ | {signature_algs_cert, [ssl:sign_scheme()]}
| {sni_fun, fun()}
| {sni_hosts, [{string(), ssl_opt()}]}
+ | {supported_groups, [ssl:group()]}
| {user_lookup_fun, {fun(), any()}}
| {verify, verify_none | verify_peer}
| {verify_fun, {fun(), any()}}
@@ -95,6 +100,11 @@ alpn_preferred_protocols::
Perform Application-Layer Protocol Negotiation
with the given list of preferred protocols.
+anti_replay::
+
+Configures the server's built-in anti replay feature based on
+Bloom filters.
+
beast_mitigation (one_n_minus_one)::
Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0
@@ -185,6 +195,11 @@ key::
DER encoded user private key.
+key_update_at::
+
+Configures the maximum amount of bytes that can be sent on a
+TLS 1.3 connection before an automatic key update is performed.
+
keyfile::
Path to the PEM encoded private key file, if different from
@@ -203,6 +218,11 @@ max_handshake_size (256*1024)::
Used to limit the size of valid TLS handshake packets to
avoid DoS attacks.
+middlebox_comp_mode (true)::
+
+Configures the middlebox compatibility mode on a TLS 1.3
+connection.
+
next_protocols_advertised::
List of protocols to send to the client if it supports the
@@ -243,6 +263,10 @@ secure_renegotiate (false)::
Whether to reject renegotiation attempts that do not conform
to RFC5746.
+session_tickets::
+
+Configures the session ticket functionality.
+
signature_algs::
The TLS signature algorithm extension may be used, from TLS 1.2,
@@ -265,6 +289,13 @@ sni_hosts::
Options to apply for the host that matches what the client
requested with Server Name Indication.
+supported_groups([x25519, x448, secp256r1, secp384r1])::
+
+TLS 1.3 introduces the `supported_groups` extension that is
+used for negotiating the Diffie-Hellman parameters in a
+TLS 1.3 handshake. Both client and server can specify a list
+of parameters that they are willing to use.
+
user_lookup_fun::
Function called to determine the shared secret when using PSK,
diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index 090f43c..bdfd2e4 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -47,6 +47,7 @@
-export([cleanup/1]).
-type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
+ | {anti_replay, '10k' | '100k' | {integer(), integer(), integer()}}
| {beast_mitigation, one_n_minus_one | zero_n | disabled}
| {cacertfile, file:filename()}
| {cacerts, [public_key:der_encoded()]}
@@ -59,18 +60,19 @@
| {depth, integer()}
| {dh, binary()}
| {dhfile, file:filename()}
- %% @todo Update when ssl exports named_curve().
- | {eccs, [atom()]}
+ | {eccs, [ssl:named_curve()]}
| {fail_if_no_peer_cert, boolean()}
| {handshake, hello | full}
| {hibernate_after, timeout()}
| {honor_cipher_order, boolean()}
| {honor_ecc_order, boolean()}
| {key, ssl:key()}
+ | {key_update_at, pos_integer()}
| {keyfile, file:filename()}
| {log_alert, boolean()}
| {log_level, logger:level()}
| {max_handshake_size, integer()}
+ | {middlebox_comp_mode, boolean()}
| {next_protocols_advertised, [binary()]}
| {padding_check, boolean()}
| {partial_chain, fun()}
@@ -80,11 +82,12 @@
| {reuse_session, fun()}
| {reuse_sessions, boolean()}
| {secure_renegotiate, boolean()}
+ | {session_tickets, disabled | stateful | stateless}
| {signature_algs, [{ssl:hash(), ssl:sign_algo()}]}
- %% @todo Update when ssl exports sign_scheme().
- | {signature_algs_cert, [atom()]}
+ | {signature_algs_cert, [ssl:sign_scheme()]}
| {sni_fun, fun()}
| {sni_hosts, [{string(), ssl_opt()}]}
+ | {supported_groups, [ssl:group()]}
| {user_lookup_fun, {fun(), any()}}
| {verify, verify_none | verify_peer}
| {verify_fun, {fun(), any()}}