From 7ff57d26daa22ec1947fe02697a20e76abbc9f07 Mon Sep 17 00:00:00 2001 From: juhlig Date: Thu, 25 Jun 2020 13:27:22 +0200 Subject: Add new ssl options introduced with OTP/23 --- doc/src/manual/ranch_ssl.asciidoc | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) (limited to 'doc/src/manual/ranch_ssl.asciidoc')
diff --git a/doc/src/manual/ranch_ssl.asciidoc b/doc/src/manual/ranch_ssl.asciidoc
index 66f91b1..49dc4d2 100644
--- a/doc/src/manual/ranch_ssl.asciidoc
+++ b/doc/src/manual/ranch_ssl.asciidoc
@@ -40,6 +40,7 @@ List of listen options.
 [source,erlang]
 ----
 ssl_opt() = {alpn_preferred_protocols, [binary()]}
+ | {anti_replay, '10k' | '100k' | {integer(), integer(), integer()}}
 | {beast_mitigation, one_n_minus_one | zero_n | disabled}
 | {cacertfile, file:filename()}
 | {cacerts, [public_key:der_encoded()]}
@@ -52,17 +53,19 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
 | {depth, integer()}
 | {dh, binary()}
 | {dhfile, file:filename()}
- | {eccs, [atom()]}
+ | {eccs, [ssl:named_curve()]}
 | {fail_if_no_peer_cert, boolean()}
 | {handshake, hello | full}
 | {hibernate_after, timeout()}
 | {honor_cipher_order, boolean()}
 | {honor_ecc_order, boolean()}
 | {key, ssl:key()}
+ | {key_update_at, pos_integer()}
 | {keyfile, file:filename()}
 | {log_alert, boolean()}
 | {log_level, logger:level()}
 | {max_handshake_size, integer()}
+ | {middlebox_comp_mode, boolean()}
 | {next_protocols_advertised, [binary()]}
 | {padding_check, boolean()}
 | {partial_chain, fun()}
@@ -72,10 +75,12 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
 | {reuse_session, fun()}
 | {reuse_sessions, boolean()}
 | {secure_renegotiate, boolean()}
+ | {session_tickets, disabled | stateful | stateless}
 | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]}
- | {signature_algs_cert, [atom()]}
+ | {signature_algs_cert, [ssl:sign_scheme()]}
 | {sni_fun, fun()}
 | {sni_hosts, [{string(), ssl_opt()}]}
+ | {supported_groups, [ssl:group()]}
 | {user_lookup_fun, {fun(), any()}}
 | {verify, verify_none | verify_peer}
 | {verify_fun, {fun(), any()}}
@@ -95,6 +100,11 @@ alpn_preferred_protocols:: Perform Application-Layer Protocol Negotiation with the given list of preferred protocols. +anti_replay:: + +Configures the server's built-in anti replay feature based on +Bloom filters. + beast_mitigation (one_n_minus_one):: Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0
@@ -185,6 +195,11 @@ key:: DER encoded user private key. +key_update_at:: + +Configures the maximum amount of bytes that can be sent on a +TLS 1.3 connection before an automatic key update is performed. + keyfile:: Path to the PEM encoded private key file, if different from
@@ -203,6 +218,11 @@ max_handshake_size (256*1024):: Used to limit the size of valid TLS handshake packets to avoid DoS attacks. +middlebox_comp_mode (true):: + +Configures the middlebox compatibility mode on a TLS 1.3 +connection. + next_protocols_advertised:: List of protocols to send to the client if it supports the
@@ -243,6 +263,10 @@ secure_renegotiate (false):: Whether to reject renegotiation attempts that do not conform to RFC5746. +session_tickets:: + +Configures the session ticket functionality. + signature_algs:: The TLS signature algorithm extension may be used, from TLS 1.2,
@@ -265,6 +289,13 @@ sni_hosts:: Options to apply for the host that matches what the client requested with Server Name Indication. +supported_groups([x25519, x448, secp256r1, secp384r1]):: + +TLS 1.3 introduces the `supported_groups` extension that is +used for negotiating the Diffie-Hellman parameters in a +TLS 1.3 handshake. Both client and server can specify a list +of parameters that they are willing to use. + user_lookup_fun:: Function called to determine the shared secret when using PSK, -- cgit v1.2.3