1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
= ranch_ssl(3)
== Name
ranch_ssl - SSL transport module
== Description
The `ranch_ssl` module implements an SSL Ranch transport.
== Types
=== ssl_opt()
[source,erlang]
----
ssl_opt() = {alpn_preferred_protocols, [binary()]}
| {beast_mitigation, one_n_minus_one | zero_n | disabled}
| {cacertfile, string()}
| {cacerts, [public_key:der_encoded()]}
| {cert, public_key:der_encoded()}
| {certfile, string()}
| {ciphers, [ssl:erl_cipher_suite()] | string()}
| {client_renegotiation, boolean()}
| {crl_cache, {module(), {internal | any(), list()}}}
| {crl_check, boolean() | peer | best_effort}
| {depth, 0..255}
| {dh, public_key:der_encoded()}
| {dhfile, string()}
| {fail_if_no_peer_cert, boolean()}
| {hibernate_after, integer() | undefined}
| {honor_cipher_order, boolean()}
| {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()}}
| {keyfile, string()}
| {log_alert, boolean()}
| {next_protocols_advertised, [binary()]}
| {padding_check, boolean()}
| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
| {password, string()}
| {psk_identity, string()}
| {reuse_session, fun()}
| {reuse_sessions, boolean()}
| {secure_renegotiate, boolean()}
| {signature_algs, [{atom(), atom()}]}
| {sni_fun, fun()}
| {sni_hosts, [{string(), ssl_opt()}]}
| {user_lookup_fun, {fun(), any()}}
| {v2_hello_compatible, boolean()}
| {verify, ssl:verify_type()}
| {verify_fun, {fun(), any()}}
| {versions, [atom()]}.
----
SSL-specific listen options.
=== opt() = ranch_tcp:opt() | ssl_opt()
Listen options.
=== opts() = [opt()]
List of listen options.
== Option descriptions
Specifying a certificate is mandatory, either through the `cert`
or the `certfile` option. None of the other options are required.
The default value is given next to the option name.
alpn_preferred_protocols::
Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.
beast_mitigation::
Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.
cacertfile::
Path to PEM encoded trusted certificates file used to verify peer certificates.
cacerts::
List of DER encoded trusted certificates.
cert::
DER encoded user certificate.
certfile::
Path to the PEM encoded user certificate file. May also contain the private key.
ciphers::
List of ciphers that clients are allowed to use.
client_renegotiation (true)::
Whether to allow client-initiated renegotiation.
crl_cache ({ssl_crl_cache, {internal, []}})::
Customize the module used to cache Certificate Revocation Lists.
crl_check (false)::
Whether to perform CRL check on all certificates in the chain during validation.
depth (1)::
Maximum of intermediate certificates allowed in the certification path.
dh::
DER encoded Diffie-Hellman parameters.
dhfile::
Path to the PEM encoded Diffie-Hellman parameters file.
fail_if_no_peer_cert (false)::
Whether to refuse the connection if the client sends an empty certificate.
hibernate_after (undefined)::
Time in ms after which SSL socket processes go into hibernation to reduce memory usage.
honor_cipher_order (false)::
If true, use the server's preference for cipher selection. If false, use the client's preference.
key::
DER encoded user private key.
keyfile::
Path to the PEM encoded private key file, if different than the certfile.
log_alert (true)::
If false, error reports will not be displayed.
next_protocols_advertised::
List of protocols to send to the client if it supports the Next Protocol extension.
nodelay (true)::
Whether to enable TCP_NODELAY.
padding_check::
Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software.
partial_chain::
Claim an intermediate CA in the chain as trusted.
password::
Password to the private key file, if password protected.
psk_identity::
Provide the given PSK identity hint to the client during the handshake.
reuse_session::
Custom policy to decide whether a session should be reused.
reuse_sessions (false)::
Whether to allow session reuse.
secure_renegotiate (false)::
Whether to reject renegotiation attempts that do not conform to RFC5746.
signature_algs::
The TLS signature algorithm extension may be used, from TLS 1.2, to negotiate which signature algorithm to use during the TLS handshake.
sni_fun::
Function called when the client requests a host using Server Name Indication. Returns options to apply.
sni_hosts::
Options to apply for the host that matches what the client requested with Server Name Indication.
user_lookup_fun::
Function called to determine the shared secret when using PSK, or provide parameters when using SRP.
v2_hello_compatible::
Accept clients that send hello messages in SSL-2.0 format while offering supported SSL/TLS versions.
verify (verify_none)::
Use `verify_peer` to request a certificate from the client.
verify_fun::
Custom policy to decide whether a client certificate is valid.
versions::
TLS protocol versions that will be supported.
Note that the client will not send a certificate unless the
value for the `verify` option is set to `verify_peer`. This
means that the `fail_if_no_peer_cert` only apply when combined
with the `verify` option. The `verify_fun` option allows
greater control over the client certificate validation.
The options `sni_fun` and `sni_hosts` are mutually exclusive.
== Exports
None.
|
