authorMaxim Molchanov <[email protected]>2021-04-01 14:39:09 +0300
committerLoïc Hoguin <[email protected]>2021-09-02 11:58:00 +0200
commit8c6e0c21b2707777d9091d45cd514a62fcaededd (patch)
tree7b236be3c112715a437087fd756c5bb025ecc057
parentf0fefa074e5afc3ee0be97ff70f7b85a88c59dea (diff)
Enable TLS-PSK auth
-rw-r--r--src/ranch_ssl.erl3
-rw-r--r--test/acceptor_SUITE.erl45
2 files changed, 47 insertions, 1 deletions
diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index dfaa75c..fbd15d2 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -117,7 +117,8 @@ listen(TransOpts) ->
case lists:keymember(cert, 1, SocketOpts)
orelse lists:keymember(certfile, 1, SocketOpts)
orelse lists:keymember(sni_fun, 1, SocketOpts)
- orelse lists:keymember(sni_hosts, 1, SocketOpts) of
+ orelse lists:keymember(sni_hosts, 1, SocketOpts)
+ orelse lists:keymember(user_lookup_fun, 1, SocketOpts) of
true ->
Logger = maps:get(logger, TransOpts, logger),
do_listen(SocketOpts, Logger);
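Review bot: The new `user_lookup_fun` alternative on the `keymember` chain only tests that the option key is present, so a listener now starts without a certificate even when the configured cipher suites contain no PSK or SRP suite; in that configuration the failure presumably moves from `listen/1` to every individual handshake, which is harder to diagnose. If that trade-off is intended, it deserves a comment above the `case`, e.g. `%% A user_lookup_fun (TLS-PSK or SRP shared secret) replaces the certificate, so it also satisfies this check.` Note that the `ssl` option `user_lookup_fun` serves both PSK and SRP key exchange, so the comment should not describe it as PSK-only. The `false` branch of this `case` and the rest of `listen/1` are outside the hunk.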
diff --git a/test/acceptor_SUITE.erl b/test/acceptor_SUITE.erl
index 335a155..1c2cabd 100644
--- a/test/acceptor_SUITE.erl
+++ b/test/acceptor_SUITE.erl
@@ -61,6 +61,8 @@ groups() ->
ssl_handshake,
ssl_sni_echo,
ssl_sni_fail,
+ ssl_tls_psk,
+ ssl_tls_psk_fail,
ssl_upgrade_from_tcp,
ssl_getopts_capability,
ssl_getstat_capability,
@@ -744,6 +746,49 @@ ssl_sni_fail(_) ->
{'EXIT', _} = begin catch ranch:get_port(Name) end,
ok.
+ssl_tls_psk(_) ->
+ doc("Ensure that TLS-PSK works without certificate."),
+ Name = name(),
+ Ciphers = [#{cipher => aes_256_gcm, key_exchange => psk, mac => aead, prf => sha384}],
+ LookupFun = {fun psk_lookup_helper/3, <<"shared_secret">>},
+ {ok, _} = ranch:start_listener(Name,
+ ranch_ssl, [{ciphers, Ciphers}, {user_lookup_fun, LookupFun}, {versions, ['tlsv1.2']}],
+ echo_protocol, []),
+ Port = ranch:get_port(Name),
+ {ok, Socket} = ssl:connect("localhost", Port, [
+ binary, {active, false}, {ciphers, Ciphers},
+ {user_lookup_fun, LookupFun}, {versions, ['tlsv1.2']}
+ ]),
+ ok = ssl:send(Socket, <<"SSL Ranch is working!">>),
+ {ok, <<"SSL Ranch is working!">>} = ssl:recv(Socket, 21, 1000),
+ ok = ranch:stop_listener(Name),
+ {error, closed} = ssl:recv(Socket, 0, 1000),
+ %% Make sure the listener stopped.
+ {'EXIT', _} = begin catch ranch:get_port(Name) end,
+ ok.
+
+ssl_tls_psk_fail(_) ->
+ doc("Ensure that TLS-PSK filed for different shared keys."),
+ Name = name(),
+ Ciphers = [#{cipher => aes_256_gcm, key_exchange => psk, mac => aead, prf => sha384}],
+ ServerLookupFun = {fun psk_lookup_helper/3, <<"server_secret">>},
+ ClientLookupFun = {fun psk_lookup_helper/3, <<"client_secret">>},
+ {ok, _} = ranch:start_listener(Name,
+ ranch_ssl, [{ciphers, Ciphers}, {user_lookup_fun, ServerLookupFun}, {versions, ['tlsv1.2']}],
+ echo_protocol, []),
+ Port = ranch:get_port(Name),
+ {error, _} = ssl:connect("localhost", Port, [
+ binary, {active, false}, {ciphers, Ciphers},
+ {user_lookup_fun, ClientLookupFun}, {versions, ['tlsv1.2']}
+ ]),
+ ok = ranch:stop_listener(Name),
+ %% Make sure the listener stopped.
+ {'EXIT', _} = begin catch ranch:get_port(Name) end,
+ ok.
+
+psk_lookup_helper(psk, _PskIdentity, UserState) ->
+ {ok, UserState}.
+
ssl_upgrade_from_tcp(_) ->
doc("Ensure a TCP socket can be upgraded to SSL"),
Name = name(),