= ranch_ssl(3) == Name ranch_ssl - SSL transport == Description The module `ranch_ssl` implements an SSL Ranch transport. == Exports The module `ranch_ssl` implements the interface defined by link:man:ranch_transport(3)[ranch_transport(3)]. == Types === opt() [source,erlang] ---- opt() :: ranch_tcp:opt() | ssl_opt() ---- Listen options. The TCP options are defined in link:man:ranch_tcp(3)[ranch_tcp(3)]. === opts() [source,erlang] ---- opts() :: [opt()] ---- List of listen options. === ssl_opt() [source,erlang] ---- ssl_opt() = {alpn_preferred_protocols, [binary()]} | {beast_mitigation, one_n_minus_one | zero_n | disabled} | {cacertfile, file:filename()} | {cacerts, [public_key:der_encoded()]} | {cert, public_key:der_encoded()} | {certfile, file:filename()} | {ciphers, ssl:ciphers()} | {client_renegotiation, boolean()} | {crl_cache, [any()]} | {crl_check, boolean() | peer | best_effort} | {depth, integer()} | {dh, binary()} | {dhfile, file:filename()} | {eccs, [atom()]} | {fail_if_no_peer_cert, boolean()} | {hibernate_after, timeout()} | {honor_cipher_order, boolean()} | {honor_ecc_order, boolean()} | {key, ssl:key()} | {keyfile, file:filename()} | {log_alert, boolean()} | {log_level, logger:level()} | {max_handshake_size, integer()} | {next_protocols_advertised, [binary()]} | {padding_check, boolean()} | {partial_chain, fun()} | {password, string()} | {protocol, tls | dtls} | {psk_identity, string()} | {reuse_session, fun()} | {reuse_sessions, boolean()} | {secure_renegotiate, boolean()} | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]} | {signature_algs_cert, [atom()]} | {sni_fun, fun()} | {sni_hosts, [{string(), ssl_opt()}]} | {user_lookup_fun, {fun(), any()}} | {verify, verify_none | verify_peer} | {verify_fun, {fun(), any()}} | {versions, [ssl:protocol_version()]} ---- SSL-specific listen options. Specifying a certificate is mandatory, either through the `cert` or `certfile` option, or by configuring SNI. None of the other options are required. The default value is given next to the option name: alpn_preferred_protocols:: Perform Application-Layer Protocol Negotiation with the given list of preferred protocols. beast_mitigation (one_n_minus_one):: Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software. cacertfile:: Path to PEM encoded trusted certificates file used to verify peer certificates. cacerts:: List of DER encoded trusted certificates. cert:: DER encoded user certificate. certfile:: Path to the PEM encoded user certificate file. May also contain the private key. ciphers:: List of ciphers that clients are allowed to use. client_renegotiation (true):: Whether to allow client-initiated renegotiation. crl_cache ({ssl_crl_cache, {internal, []}}):: Customize the module used to cache Certificate Revocation Lists. crl_check (false):: Whether to perform CRL check on all certificates in the chain during validation. depth (1):: Maximum of intermediate certificates allowed in the certification path. dh:: DER encoded Diffie-Hellman parameters. dhfile:: Path to the PEM encoded Diffie-Hellman parameters file. eccs:: List of named ECC curves. fail_if_no_peer_cert (false):: Whether to refuse the connection if the client sends an empty certificate. hibernate_after (undefined):: Time in ms after which SSL socket processes go into hibernation to reduce memory usage. honor_cipher_order (false):: If true, use the server's preference for cipher selection. If false, use the client's preference. honor_ecc_order (false):: If true, use the server's preference for ECC curve selection. If false, use the client's preference. key:: DER encoded user private key. keyfile:: Path to the PEM encoded private key file, if different from the certfile. log_alert (true):: If false, error reports will not be displayed. log_level:: Specifies the log level for TLS/DTLS. max_handshake_size (256*1024):: Used to limit the size of valid TLS handshake packets to avoid DoS attacks. next_protocols_advertised:: List of protocols to send to the client if it supports the Next Protocol extension. padding_check:: Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software. partial_chain:: Claim an intermediate CA in the chain as trusted. password:: Password to the private key file, if password protected. protocol (tls):: Choose TLS or DTLS protocol for the transport layer security. psk_identity:: Provide the given PSK identity hint to the client during the handshake. reuse_session:: Custom policy to decide whether a session should be reused. reuse_sessions (false):: Whether to allow session reuse. secure_renegotiate (false):: Whether to reject renegotiation attempts that do not conform to RFC5746. signature_algs:: The TLS signature algorithm extension may be used, from TLS 1.2, to negotiate which signature algorithm to use during the TLS handshake. signature_algs_cert:: List of signature schemes for the signature_algs_cert extension introduced in TLS 1.3, in order to make special requirements on signatures used in certificates. sni_fun:: Function called when the client requests a host using Server Name Indication. Returns options to apply. sni_hosts:: Options to apply for the host that matches what the client requested with Server Name Indication. user_lookup_fun:: Function called to determine the shared secret when using PSK, or provide parameters when using SRP. verify (verify_none):: Use `verify_peer` to request a certificate from the client. verify_fun:: Custom policy to decide whether a client certificate is valid. versions:: TLS protocol versions that will be supported. Note that the client will not send a certificate unless the value for the `verify` option is set to `verify_peer`. This means that `fail_if_no_peer_cert` only applies when combined with the `verify` option. The `verify_fun` option allows greater control over the client certificate validation. The options `sni_fun` and `sni_hosts` are mutually exclusive. == Changelog * *2.0*: The `ssl_opt()` type was updated for OTP-22.0. == See also link:man:ranch(7)[ranch(7)], link:man:ranch_transport(3)[ranch_transport(3)], link:man:ranch_tcp(3)[ranch_tcp(3)], ssl(3)