From 4d487ac60c3a4962a8280acfcf265b2523b2d76e Mon Sep 17 00:00:00 2001
From: Alexandru Munteanu
Date: Fri, 28 Oct 2016 04:45:01 +0200
Subject: Add SSL options for legacy software interoperability

---
 doc/src/manual/ranch_ssl.asciidoc | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'doc/src/manual/ranch_ssl.asciidoc')

diff --git a/doc/src/manual/ranch_ssl.asciidoc b/doc/src/manual/ranch_ssl.asciidoc
index 07b835a..b809ec1 100644
--- a/doc/src/manual/ranch_ssl.asciidoc
+++ b/doc/src/manual/ranch_ssl.asciidoc
@@ -15,6 +15,7 @@ The `ranch_ssl` module implements an SSL Ranch transport.
 [source,erlang]
 ----
 ssl_opt() = {alpn_preferred_protocols, [binary()]}
+	| {beast_mitigation, one_n_minus_one | zero_n | disabled}
 	| {cacertfile, string()}
 	| {cacerts, [public_key:der_encoded()]}
 	| {cert, public_key:der_encoded()}
@@ -33,6 +34,7 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
 	| {keyfile, string()}
 	| {log_alert, boolean()}
 	| {next_protocols_advertised, [binary()]}
+	| {padding_check, boolean()}
 	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
 	| {password, string()}
 	| {psk_identity, string()}
@@ -43,6 +45,7 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
 	| {sni_fun, fun()}
 	| {sni_hosts, [{string(), ssl_opt()}]}
 	| {user_lookup_fun, {fun(), any()}}
+	| {v2_hello_compatible, boolean()}
 	| {verify, ssl:verify_type()}
 	| {verify_fun, {fun(), any()}}
 	| {versions, [atom()]}.
@@ -67,6 +70,8 @@ The default value is given next to the option name.
 alpn_preferred_protocols::
 	Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.
+beast_mitigation::
+	Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.
 cacertfile::
 	Path to PEM encoded trusted certificates file used to verify peer certificates.
 cacerts::
@@ -105,6 +110,8 @@ next_protocols_advertised::
 	List of protocols to send to the client if it supports the Next Protocol extension.
 nodelay (true)::
 	Whether to enable TCP_NODELAY.
+padding_check::
+	Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software.
 partial_chain::
 	Claim an intermediate CA in the chain as trusted.
 password::
@@ -125,6 +132,8 @@ sni_hosts::
 	Options to apply for the host that matches what the client requested with Server Name Indication.
 user_lookup_fun::
 	Function called to determine the shared secret when using PSK, or provide parameters when using SRP.
+v2_hello_compatible::
+	Accept clients that send hello messages in SSL-2.0 format while offering supported SSL/TLS versions.
 verify (verify_none)::
 	Use `verify_peer` to request a certificate from the client.
 verify_fun::
--
cgit v1.2.3