aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/ranch_ssl.erl36
1 files changed, 8 insertions, 28 deletions
diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index d651e7a..e1dd798 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -50,7 +50,7 @@
| {cacerts, [public_key:der_encoded()]}
| {cert, public_key:der_encoded()}
| {certfile, string()}
- | {ciphers, [ssl:erl_cipher_suite()] | string()}
+ | {ciphers, [ssl_cipher:erl_cipher_suite()]}
| {client_renegotiation, boolean()}
| {crl_cache, {module(), {internal | any(), list()}}}
| {crl_check, boolean() | peer | best_effort}
@@ -76,7 +76,7 @@
| {sni_hosts, [{string(), ssl_opt()}]}
| {user_lookup_fun, {fun(), any()}}
| {v2_hello_compatible, boolean()}
- | {verify, ssl:verify_type()}
+ | {verify, verify_none | verify_peer}
| {verify_fun, {fun(), any()}}
| {versions, [atom()]}.
-export_type([ssl_opt/0]).
@@ -107,16 +107,15 @@ listen(Opts) ->
{error, no_cert}
end.
-do_listen(Opts) ->
- Opts2 = ranch:set_option_default(Opts, backlog, 1024),
- Opts3 = ranch:set_option_default(Opts2, ciphers, unbroken_cipher_suites()),
- Opts4 = ranch:set_option_default(Opts3, nodelay, true),
- Opts5 = ranch:set_option_default(Opts4, send_timeout, 30000),
- Opts6 = ranch:set_option_default(Opts5, send_timeout_close, true),
+do_listen(Opts0) ->
+ Opts1 = ranch:set_option_default(Opts0, backlog, 1024),
+ Opts2 = ranch:set_option_default(Opts1, nodelay, true),
+ Opts3 = ranch:set_option_default(Opts2, send_timeout, 30000),
+ Opts = ranch:set_option_default(Opts3, send_timeout_close, true),
%% We set the port to 0 because it is given in the Opts directly.
%% The port in the options takes precedence over the one in the
%% first argument.
- ssl:listen(0, ranch:filter_options(Opts6, disallowed_listen_options(),
+ ssl:listen(0, ranch:filter_options(Opts, disallowed_listen_options(),
[binary, {active, false}, {packet, raw}, {reuseaddr, true}])).
%% 'binary' and 'list' are disallowed but they are handled
@@ -240,22 +239,3 @@ shutdown(Socket, How) ->
-spec close(ssl:sslsocket()) -> ok.
close(Socket) ->
ssl:close(Socket).
-
-%% Internal.
-
-%% Unfortunately the implementation of elliptic-curve ciphers that has
-%% been introduced in R16B01 is incomplete. Depending on the particular
-%% client, this can cause the TLS handshake to break during key
-%% agreement. Depending on the ssl application version, this function
-%% returns a list of all cipher suites that are supported by default,
-%% minus the elliptic-curve ones.
--spec unbroken_cipher_suites() -> [ssl:erl_cipher_suite()].
-unbroken_cipher_suites() ->
- case proplists:get_value(ssl_app, ssl:versions()) of
- Version when Version =:= "5.3"; Version =:= "5.3.1" ->
- lists:filter(fun(Suite) ->
- string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
- end, ssl:cipher_suites());
- _ ->
- ssl:cipher_suites()
- end.