Age | Commit message (Collapse) | Author |
|
It was working already but the types were wrong and some small
details needed to be corrected.
|
This makes Ranch require OTP-21+. The function ranch:accept_ack/1
was also removed in this commit.
|
* Up until OTP 21.0 it was defined in the ssl_cipher[0] module
* In OTP 21.1 it was moved into ssl_cipher_format[1]
* In OTP 21.3 it was moved into ssl[2]
[0]: https://github.com/erlang/otp/blob/OTP-21.0/lib/ssl/src/ssl_cipher.erl#L56-L60
[1]: https://github.com/erlang/otp/blob/OTP-21.1/lib/ssl/src/ssl_cipher_format.erl#L40-L44
[2]: https://github.com/erlang/otp/blob/OTP-21.3/lib/ssl/src/ssl.erl#L136-L140
|
This is the function that should be called regardless of
TCP or TLS being used. The proper usage for this function is:
{ok, ProxyInfo} = ranch:recv_proxy_header(Ref, Timeout),
{ok, Socket} = ranch:handshake(Ref),
...
Ranch takes care of everything else under the hood. Transports
now need to have a Transport:recv_proxy_header/2 function. For
ranch_ssl the function gets the port from the sslsocket() record
and then calls ranch_tcp:recv_proxy_header/2 with it.
This means that two undocumented features are currently used for
this, but the interface is really nice so that's a sacrifice
worth doing. Also worth noting is that OTP 22 should have an
alternative for gen_tcp:unrecv/2 so the only real issue is about
the sslsocket() record at the moment.
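The flow described in this commit (read the PROXY header, then hand the connection to ranch:handshake/1) as an added example protocol module. This is not Ranch's own code and it is not part of the page; the module name, the trusted_proxies option, the echo loop and the timeouts are assumptions. It targets the Ranch 2.x callback shape start_link/3 and also exports the 1.x start_link/4, whose Socket argument is ignored because ranch:handshake/1 returns the socket itself.

```erlang
%% Constructed example protocol for a listener behind a PROXY-protocol
%% load balancer. Module name, option names and loop are assumptions.
-module(proxy_aware_protocol).
-behaviour(ranch_protocol).
-export([start_link/3, start_link/4, init/3]).

-define(HEADER_TIMEOUT, 5000).
-define(RECV_TIMEOUT, 30000).

%% Ranch 2.x callback shape.
start_link(Ref, Transport, Opts) ->
    Pid = proc_lib:spawn_link(?MODULE, init, [Ref, Transport, Opts]),
    {ok, Pid}.

%% Ranch 1.7 callback shape: Socket is ignored, ranch:handshake/1
%% hands the socket back to us after the PROXY header is consumed.
start_link(Ref, _Socket, Transport, Opts) ->
    start_link(Ref, Transport, Opts).

init(Ref, Transport, Opts) ->
    %% 1. The PROXY header is sent in clear text before any TLS
    %%    ClientHello, so it is read before the handshake for both
    %%    ranch_tcp and ranch_ssl.
    case ranch:recv_proxy_header(Ref, ?HEADER_TIMEOUT) of
        {ok, ProxyInfo} ->
            %% 2. Only now do the TCP accept-ack / TLS handshake.
            {ok, Socket} = ranch:handshake(Ref),
            check_proxy(Socket, Transport, ProxyInfo, Opts);
        {error, protocol_error, Reason} ->
            %% Garbage where a PROXY header was expected: drop quietly.
            logger:warning("bad PROXY header: ~p", [Reason]),
            exit(normal);
        {error, Reason} ->
            %% closed, timeout, ...: nothing to report loudly either.
            logger:debug("no PROXY header: ~p", [Reason]),
            exit(normal)
    end.

check_proxy(Socket, Transport, ProxyInfo, Opts) ->
    %% The TCP peer is the load balancer, not the client. The source
    %% address carried in the header is only trustworthy when the
    %% header came from an allow-listed proxy; otherwise anyone who can
    %% reach this port can claim any client address. A network ACL is
    %% the real control; this in-process check is defense in depth.
    {ok, {ProxyIp, _ProxyPort}} = Transport:peername(Socket),
    Trusted = maps:get(trusted_proxies, Opts, []),
    case lists:member(ProxyIp, Trusted) of
        true ->
            %% For command =:= local (e.g. a health check from the proxy
            %% itself) there is no src_address; fall back to the peer.
            ClientIp = maps:get(src_address, ProxyInfo, ProxyIp),
            logger:info("connection from ~p via proxy ~p", [ClientIp, ProxyIp]),
            loop(Socket, Transport);
        false ->
            logger:warning("PROXY header from untrusted peer ~p", [ProxyIp]),
            ok = Transport:close(Socket)
    end.

%% Plain echo loop standing in for a real protocol.
loop(Socket, Transport) ->
    case Transport:recv(Socket, 0, ?RECV_TIMEOUT) of
        {ok, Data} ->
            ok = Transport:send(Socket, Data),
            loop(Socket, Transport);
        {error, _} ->
            ok = Transport:close(Socket)
    end.
```

With Ranch 2.x this would be started as ranch:start_listener(Ref, ranch_ssl, #{socket_opts => SocketOpts}, proxy_aware_protocol, #{trusted_proxies => [{10,0,0,5}]}) (the listener reference and addresses are placeholders). The same module works unchanged over ranch_tcp, which is the point of having ranch:recv_proxy_header/2 sit in front of ranch:handshake/1.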
|
The "normal" errors are still silenced when calling ranch:handshake.
|
Based on the work done by @juhlig.
|
Next release will only support 18+.
|
This commit deprecates Transport:accept_ack/1 in favor of
a new forward-compatible function. Transport:handshake/1,2
will use ssl:handshake/2,3 from Ranch 2.0 onward.
|
Simplify some return values, improve error messages for
eaddrinuse and no_cert.
Amended to add tests and simpler code. Also hides the
contents of cert and key transport options, if any.
|
Cert/certfile is no longer required if SNI options are provided.
|
Dialyzer will still complain about unknown options, but at
least users won't be stuck waiting for an upstream update.
|
Added in ssl-7.3.1 (OTP-13261). Documented in ssl-8.0.
|
When SSL is stopped before Ranch, the acceptors crash and
Ranch tries to restart them. The problem is that the
ranch_ssl:listen/1 call was trying to start the SSL
application to make sure it works (an old artifact from
when releases were not ubiquitous). Because the application
controller is trying to shut down Ranch, and Ranch tries to
tell it to start an application, everything would get stuck.
To avoid a breaking change, we move this in the start_listener
call (or child_spec). Note that there are still logs when the
SSL application is closed, because the acceptors crash. But
at least we don't block node shutdown anymore.
In Ranch 2.0, we will implement the proper fix which is to
simply depend on the SSL application normally. Nowadays, it's
not too difficult to build a release that excludes applications
we don't want, although we should document that in the Ranch
user guide.
|
We are now up to date with regard to transport options we should
accept for the listening socket. Documentation of existing options
has been updated with regard to recent changes in the OTP docs
and type specifications.
|
Should fix Dialyzer issues. The options are now also
documented in the Ranch module, and there's new ranch:opt(),
ranch_tcp:opt() and ranch_ssl:opt() for use in third party
code.
|
The SSL socket might be closed on accept_ack; it happens quite often
and it is not a problem, so don't report an error in that case.
|
Currently Ranch checks if a connection is secure by checking if its name
is 'ssl'. This isn't a very modular solution, so this adds an API function
that returns whether a connection is secure.
|
These errors just pollute the logs when garbage is sent to the
socket. Exit the process normally to avoid unwanted logs.
|
Allows closing the socket in one or two directions.
|
All of it can be found in the manual, which defines what the
code must do, and is always up to date unlike the code comments.
|
Doing this in the connection process allows us to free acceptors
to start accepting more connections quicker, especially under load.
|
Adds a transport connect method that takes a timeout, with implementations for both ssl and tcp connections.
|
The implementation of elliptic-curve ciphers that has been introduced in
R16B01 is still incomplete (and broken). This makes our previous
workaround (see c0c09a1311) work for R16B02 as well.
|
Adds offset based sendfile to transports. Same behaviour as
file:sendfile/4,/5 except socket and file arguments are reversed and
either a raw file or a filename can be used.
sendfile/2,/4,/5 are now compulsory callbacks in ranch_transport.
ranch_tcp:sendfile/2 now defaults to a chunk_size of 8191 - the default
for ranch_ssl:sendfile/2. The same default is used for both
ranch_tcp:sendfile/4,5 and ranch_ssl:sendfile/4,5.
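An added example of using the offset-based Transport:sendfile/5 this commit describes, written for this page rather than taken from Ranch. The (Socket, File, Offset, Bytes, Opts) argument order and the {chunk_size, N} option are the ones the commit states; the module and function names, the 8191 chunk size and the treatment of Bytes = 0 as "rest of the file" (mirroring file:sendfile/5) are assumptions. The point it adds is range validation: clamping to the file size and never passing a zero byte count through by accident.

```erlang
%% Constructed example: send a validated byte range of a regular file
%% over a Ranch transport. Names and the 0 = "to EOF" convention are
%% assumptions mirroring file:sendfile/5.
-module(range_sender).
-export([send_range/5]).

-include_lib("kernel/include/file.hrl").

-define(CHUNK, 8191).

%% send_range(Transport, Socket, Path, Offset, Bytes)
%%   -> {ok, SentBytes} | {error, Reason}
send_range(Transport, Socket, Path, Offset, Bytes)
        when is_integer(Offset), Offset >= 0,
             is_integer(Bytes), Bytes >= 0 ->
    case file:read_file_info(Path) of
        {ok, #file_info{type = regular, size = Size}} when Offset =< Size ->
            %% Clamp so a client-supplied range cannot run past EOF.
            ToSend = case Bytes of
                0 -> Size - Offset;                 % rest of file
                _ -> min(Bytes, Size - Offset)
            end,
            case ToSend of
                %% Never hand 0 to sendfile: there it would mean "to EOF",
                %% not "nothing", so short-circuit an empty range here.
                0 -> {ok, 0};
                _ -> do_send(Transport, Socket, Path, Offset, ToSend)
            end;
        {ok, #file_info{type = regular}} ->
            {error, range_not_satisfiable};   % Offset beyond EOF
        {ok, #file_info{}} ->
            {error, not_a_regular_file};       % directories, devices, ...
        {error, Reason} ->
            {error, Reason}
    end.

do_send(Transport, Socket, Path, Offset, ToSend) ->
    %% sendfile needs a raw file; open it ourselves so we control the
    %% mode and can always close it, even if the socket dies mid-send.
    {ok, Fd} = file:open(Path, [raw, read, binary]),
    try
        Transport:sendfile(Socket, Fd, Offset, ToSend, [{chunk_size, ?CHUNK}])
    after
        ok = file:close(Fd)
    end.
```

Path validation (rejecting traversal, symlinks out of the served tree) belongs before this function is called; it only guards the range and the file type.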
|
Unfortunately the implementation of elliptic-curve ciphers that has
been introduced in R16B01 is incomplete. Depending on the particular
client, this can cause the TLS handshake to break during key agreement.
As it turns out, most popular browsers (e.g. Firefox, Chromium,
and Safari) are affected by this bug, so we provide this workaround.
This workaround makes sure that only cipher suite implementations that
are not known to be broken are supported by default.
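The cipher-list filtering these two R16B01/R16B02 workaround commits describe, as an added example that is neither Ranch's code nor the workaround as committed. It uses the map-based ssl:cipher_suites/2 and ssl:filter_cipher_suites/2 of OTP 21+ (the original workaround predates those), so the module name and helper names are assumptions. legacy_r16_workaround/0 reproduces the shape of the historic filter (drop every suite whose key exchange starts with "ecdh"); ecdhe_only/0 goes beyond the page and shows the filter a practitioner wants today, which is the reverse: keep only the ECDHE suites.

```erlang
%% Constructed example: build a `ciphers` list for ranch_ssl/ssl by
%% filtering OTP's default suites on key exchange. Requires OTP 21+.
-module(cipher_policy).
-export([by_key_exchange/2, legacy_r16_workaround/0, ecdhe_only/0]).

-define(TLS_VERSION, 'tlsv1.2').

%% Keep the default suites for Version whose key_exchange satisfies Pred.
%% Each suite is a map #{key_exchange := atom(), cipher := atom(), ...}.
by_key_exchange(Version, Pred) when is_function(Pred, 1) ->
    ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
                             [{key_exchange, Pred}]).

%% Shape of the R16B01/R16B02 workaround from the commits above: every
%% ecdh_* and ecdhe_* suite is dropped because the EC implementation
%% was broken. Historic; do not apply this on a current OTP.
legacy_r16_workaround() ->
    by_key_exchange(?TLS_VERSION,
        fun(Kx) -> not lists:prefix("ecdh", atom_to_list(Kx)) end).

%% Current-day policy: forward secrecy only. Static RSA key exchange
%% (key_exchange =:= rsa) lets a leaked server key decrypt recorded
%% sessions, and the non-ephemeral ecdh_* suites share that property.
%% TLS 1.3 suites report key_exchange =:= any and are listed under
%% 'tlsv1.3', so append ssl:cipher_suites(default, 'tlsv1.3') if the
%% listener also offers TLS 1.3.
ecdhe_only() ->
    by_key_exchange(?TLS_VERSION,
        fun(Kx) -> lists:member(Kx, [ecdhe_rsa, ecdhe_ecdsa]) end).
```

The result goes straight into the transport options, for example {ciphers, cipher_policy:ecdhe_only()} in the socket_opts of a ranch_ssl listener. Because ssl:cipher_suites(default, Version) only lists what the underlying crypto library supports, the list should be inspected once at startup rather than assumed.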
|
The Erlang SSL library allows keys, certs and cacerts to be passed either as DER encoded binaries or in PEM encoded files. This patch allows ranch_ssl to be configured in either manner.
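An added example serving two commits on this page: the one just above (cert, cacerts and key accepted as DER binaries as well as PEM files) and the earlier one that hides the contents of cert and key transport options in error output. The code is written for this page and is not Ranch's; the module and function names, the '<redacted>' placeholder and the handling of the Ranch 2.x #{socket_opts => ...} map form are assumptions. opts_from_pem/2 converts PEM files to the DER options and refuses encrypted keys instead of letting the handshake fail later; redact/1 scrubs the secret-bearing options before a transport option list is logged.

```erlang
%% Constructed example: PEM -> DER ssl options, plus a log scrubber for
%% transport options. Names and placeholder value are assumptions.
-module(ssl_opts_example).
-export([opts_from_pem/2, redact/1]).

%% opts_from_pem(CertPath, KeyPath) ->
%%   {ok, [{cert, Der}, {cacerts, [Der]}, {key, {Type, Der}}]} | {error, Reason}
opts_from_pem(CertPath, KeyPath) ->
    {ok, CertPem} = file:read_file(CertPath),
    {ok, KeyPem} = file:read_file(KeyPath),
    %% First certificate in the file is the leaf; any that follow are the
    %% chain, which a server hands to ssl through cacerts.
    [{'Certificate', Leaf, not_encrypted} | Rest] = public_key:pem_decode(CertPem),
    Chain = [Der || {'Certificate', Der, not_encrypted} <- Rest],
    ChainOpt = case Chain of [] -> []; _ -> [{cacerts, Chain}] end,
    case public_key:pem_decode(KeyPem) of
        [{Type, KeyDer, not_encrypted}]
                when Type =:= 'RSAPrivateKey';
                     Type =:= 'ECPrivateKey';
                     Type =:= 'PrivateKeyInfo' ->
            {ok, [{cert, Leaf}, {key, {Type, KeyDer}} | ChainOpt]};
        [{_Type, _Der, {_Cipher, _Salt}}] ->
            %% PEM-level encryption: refuse explicitly, a password is
            %% needed and silently passing the blob only fails later.
            {error, encrypted_private_key};
        [{'EncryptedPrivateKeyInfo', _Der, _}] ->
            {error, encrypted_private_key};   % encrypted PKCS#8
        _ ->
            {error, unsupported_key_pem}
    end.

%% Replace key material and passwords before options reach a log line.
redact(#{socket_opts := SocketOpts} = TransOpts) ->
    %% Ranch 2.x map form: scrub the nested socket options.
    TransOpts#{socket_opts => redact(SocketOpts)};
redact(Opts) when is_list(Opts) ->
    [redact_opt(Opt) || Opt <- Opts].

redact_opt({key, {Type, _Der}}) -> {key, {Type, '<redacted>'}};
redact_opt({key, _}) -> {key, '<redacted>'};
redact_opt({cert, _}) -> {cert, '<redacted>'};
redact_opt({cacerts, _}) -> {cacerts, '<redacted>'};
redact_opt({password, _}) -> {password, '<redacted>'};
redact_opt(Other) -> Other.
```

certfile/keyfile/cacertfile options only carry paths and are left as they are; the binary forms are the ones that would otherwise dump a private key into an eaddrinuse or no_cert error report.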
|
This should be an acceptable temporary solution to the ssl_accept
problem. We no longer have to worry about acceptors being dead
because ssl_accept never returned.
|