Diffstat (limited to 'doc/src/manual')
-rw-r--r-- doc/src/manual/ranch_ssl.asciidoc 76
1 files changed, 53 insertions, 23 deletions
diff --git a/doc/src/manual/ranch_ssl.asciidoc b/doc/src/manual/ranch_ssl.asciidoc
index 3a4a146..00f6fad 100644
--- a/doc/src/manual/ranch_ssl.asciidoc
+++ b/doc/src/manual/ranch_ssl.asciidoc
@@ -41,41 +41,44 @@ List of listen options.
----
ssl_opt() = {alpn_preferred_protocols, [binary()]}
| {beast_mitigation, one_n_minus_one | zero_n | disabled}
- | {cacertfile, string()}
+ | {cacertfile, file:filename()}
| {cacerts, [public_key:der_encoded()]}
| {cert, public_key:der_encoded()}
- | {certfile, string()}
- | {ciphers, [ssl:erl_cipher_suite()] | string()}
+ | {certfile, file:filename()}
+ | {ciphers, ssl:ciphers()}
| {client_renegotiation, boolean()}
- | {crl_cache, {module(), {internal | any(), list()}}}
+ | {crl_cache, [any()]}
| {crl_check, boolean() | peer | best_effort}
- | {depth, 0..255}
- | {dh, public_key:der_encoded()}
- | {dhfile, string()}
+ | {depth, integer()}
+ | {dh, binary()}
+ | {dhfile, file:filename()}
+ | {eccs, [atom()]}
| {fail_if_no_peer_cert, boolean()}
- | {hibernate_after, integer() | undefined}
+ | {hibernate_after, timeout()}
| {honor_cipher_order, boolean()}
- | {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo',
- public_key:der_encoded()}}
- | {keyfile, string()}
+ | {honor_ecc_order, boolean()}
+ | {key, ssl:key()}
+ | {keyfile, file:filename()}
| {log_alert, boolean()}
+ | {log_level, logger:level()}
+ | {max_handshake_size, integer()}
| {next_protocols_advertised, [binary()]}
| {padding_check, boolean()}
- | {partial_chain, fun(([public_key:der_encoded()])
- -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
+ | {partial_chain, fun()}
| {password, string()}
+ | {protocol, tls | dtls}
| {psk_identity, string()}
| {reuse_session, fun()}
| {reuse_sessions, boolean()}
| {secure_renegotiate, boolean()}
- | {signature_algs, [{atom(), atom()}]}
+ | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]}
+ | {signature_algs_cert, [atom()]}
| {sni_fun, fun()}
| {sni_hosts, [{string(), ssl_opt()}]}
| {user_lookup_fun, {fun(), any()}}
- | {v2_hello_compatible, boolean()}
- | {verify, ssl:verify_type()}
+ | {verify, verify_none | verify_peer}
| {verify_fun, {fun(), any()}}
- | {versions, [atom()]}
+ | {versions, [ssl:protocol_version()]}
----
SSL-specific listen options.
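Review bot: The new `{partial_chain, fun()}` and `{depth, integer()}` entries drop constraints the old spec carried: the removed lines documented that the partial_chain fun takes a list of DER certificates and returns `{trusted_ca, public_key:der_encoded()} | unknown_ca`, and that depth was `0..255`. Both options affect certificate chain validation, so a reader writing a partial_chain callback now has no contract to follow here. Keep the looser types if they match OTP-22, but restate the fun's argument and return values, and the valid depth range, in the option descriptions further down. The same applies to `{crl_cache, [any()]}`, which no longer shows the expected shape.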
@@ -91,7 +94,7 @@ alpn_preferred_protocols::
Perform Application-Layer Protocol Negotiation
with the given list of preferred protocols.
-beast_mitigation::
+beast_mitigation (one_n_minus_one)::
Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0
to interoperate with legacy software.
@@ -144,6 +147,10 @@ dhfile::
Path to the PEM encoded Diffie-Hellman parameters file.
+eccs::
+
+List of named ECC curves.
+
fail_if_no_peer_cert (false)::
Whether to refuse the connection if the client sends an
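Review bot: The `eccs` description, "List of named ECC curves.", does not say what the list does. State whether it restricts the curves the listener will negotiate and what the default is; the `[atom()]` type in the spec gives no hint of the accepted names either, so a pointer to where they are listed would help.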
@@ -159,6 +166,11 @@ honor_cipher_order (false)::
If true, use the server's preference for cipher selection.
If false, use the client's preference.
+honor_ecc_order (false)::
+
+If true, use the server's preference for ECC curve selection.
+If false, use the client's preference.
+
key::
DER encoded user private key.
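Review bot: `honor_ecc_order` says the server's preference is used but not where that preference comes from. If it is the order of the `eccs` list, say so here and cross-reference that option; otherwise a reader who sets this to true cannot tell what the effective curve order will be.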
@@ -172,6 +184,15 @@ log_alert (true)::
If false, error reports will not be displayed.
+log_level::
+
+Specifies the log level for TLS/DTLS.
+
+max_handshake_size (256*1024)::
+
+Used to limit the size of valid TLS handshake packets to
+avoid DoS attacks.
+
next_protocols_advertised::
List of protocols to send to the client if it supports the
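Review bot: `max_handshake_size (256*1024)` gives a default without a unit and does not say what happens when a handshake exceeds it. Add the unit (presumably bytes) and the outcome for the connection, since this is the limit operators will tune. `log_level` also has no default in its heading, unlike its neighbours, and the text does not say how it relates to `log_alert` just above.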
@@ -190,6 +211,10 @@ password::
Password to the private key file, if password protected.
+protocol (tls)::
+
+Choose TLS or DTLS protocol for the transport layer security.
+
psk_identity::
Provide the given PSK identity hint to the client during the
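Review bot: `protocol (tls)` documents `dtls` as a selectable value without saying whether a listener using this transport can actually accept DTLS connections. If it cannot, state that only `tls` is meaningful here, so that users do not configure a value the transport does not support.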
@@ -214,6 +239,12 @@ The TLS signature algorithm extension may be used, from TLS 1.2,
to negotiate which signature algorithm to use during the TLS
handshake.
+signature_algs_cert::
+
+List of signature schemes for the signature_algs_cert extension
+introduced in TLS 1.3, in order to make special requirements
+on signatures used in certificates.
+
sni_fun::
Function called when the client requests a host using Server
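Review bot: The `signature_algs_cert` text describes the extension as introduced in TLS 1.3 but does not say what applies when the option is unset or when an earlier version is negotiated. Spell out the relationship to `signature_algs`, documented directly above, and replace "make special requirements on signatures used in certificates" with a plain statement of the effect on which certificate signatures are accepted.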
@@ -229,11 +260,6 @@ user_lookup_fun::
Function called to determine the shared secret when using PSK,
or provide parameters when using SRP.
-v2_hello_compatible::
-
-Accept clients that send hello messages in SSL-2.0 format while
-offering supported SSL/TLS versions.
-
verify (verify_none)::
Use `verify_peer` to request a certificate from the client.
@@ -254,6 +280,10 @@ greater control over the client certificate validation.
The options `sni_fun` and `sni_hosts` are mutually exclusive.
+== Changelog
+
+* *2.0*: The `ssl_opt()` type was updated for OTP-22.0.
+
== See also
link:man:ranch(7)[ranch(7)],
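Review bot: The changelog entry says only that the `ssl_opt()` type was updated, but this patch also removes the `v2_hello_compatible` option and adds several new ones (`eccs`, `honor_ecc_order`, `log_level`, `max_handshake_size`, `protocol`, `signature_algs_cert`). Call out the removal explicitly so that users upgrading to 2.0 who still pass `v2_hello_compatible` see that it is no longer a documented option.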