ranch_ssl
=========

The `ranch_ssl` module implements an SSL Ranch transport.

Types
-----

### opts() = [{backlog, non_neg_integer()}
	| {cacertfile, string()}
	| {cacerts, [Der::binary()]}
	| {cert, Der::binary()}
	| {certfile, string()}
	| {ciphers, [ssl:erl_cipher_suite()] | string()}
	| {fail_if_no_peer_cert, boolean()}
	| {hibernate_after, integer() | undefined}
	| {honor_cipher_order, boolean()}
	| {ip, inet:ip_address()}
	| {key, Der::binary()}
	| {keyfile, string()}
	| {linger, {boolean(), non_neg_integer()}}
	| {log_alert, boolean()}
	| {next_protocols_advertised, [binary()]}
	| {nodelay, boolean()}
	| {password, string()}
	| {port, inet:port_number()}
	| {raw, non_neg_integer(), non_neg_integer(), non_neg_integer() | binary()}
	| {reuse_session, fun()}
	| {reuse_sessions, boolean()}
	| {secure_renegotiate, boolean()}
	| {send_timeout, timeout()}
	| {send_timeout_close, boolean()}
	| {verify, ssl:verify_type()}
	| {verify_fun, {fun(), InitialUserState::term()}}
	| {versions, [atom()]}].

> Listen options.
>
> This does not represent the entirety of the options that can
> be set on the socket, but only the options that should be
> set independently of protocol implementation.

Option descriptions
-------------------

Specifying a certificate is mandatory, either through the `cert`
or the `certfile` option. None of the other options are required.

The default value is given next to the option name.

 -  backlog (1024)
   -  Max length of the queue of pending connections.
 -  cacertfile
   -  Path to PEM encoded trusted certificates file used to verify peer certificates.
 -  cacerts
   -  List of DER encoded trusted certificates.
 -  cert
   -  DER encoded user certificate.
 -  certfile
   -  Path to the PEM encoded user certificate file. May also contain the private key.
 -  ciphers
   -  List of ciphers that clients are allowed to use.
 -  fail_if_no_peer_cert (false)
   -  Whether to refuse the connection if the client sends an empty certificate.
 -  hibernate_after (undefined)
   -  Time in ms after which SSL socket processes go into hibernation to reduce memory usage.
 -  honor_cipher_order (false)
   -  If true, use the server's preference for cipher selection. If false (the default), use the client's preference.
 -  ip
   -  Interface to listen on. Listen on all interfaces by default.
 -  key
   -  DER encoded user private key.
 -  keyfile
   -  Path to the PEM encoded private key file, if different from the certfile.
 -  linger ({false, 0})
   -  Whether to wait and how long to flush data sent before closing the socket.
 -  log_alert (true)
   -  If false, error reports will not be displayed.
 -  next_protocols_advertised
   -  List of protocols to send to the client if it supports the Next Protocol extension.
 -  nodelay (true)
   -  Whether to enable TCP_NODELAY.
 -  password
   -  Password to the private key file, if password protected.
 -  port (0)
   -  TCP port number to listen on. 0 means a random port will be used.
 -  reuse_session
   -  Custom policy to decide whether a session should be reused.
 -  reuse_sessions (false)
   -  Whether to allow session reuse.
 -  secure_renegotiate (false)
   -  Whether to reject renegotiation attempts that do not conform to RFC5746.
 -  send_timeout (30000)
   -  How long the send call may wait for confirmation before returning.
 -  send_timeout_close (true)
   -  Whether to close the socket when the confirmation wasn't received.
 -  verify (verify_none)
   -  Use `verify_peer` to request a certificate from the client.
 -  verify_fun
   -  Custom policy to decide whether a client certificate is valid.
 -  versions
   -  TLS protocol versions that will be supported.

Note that the client will not send a certificate unless the
value for the `verify` option is set to `verify_peer`. This
means that the `fail_if_no_peer_cert` option only applies when
combined with the `verify` option. The `verify_fun` option allows
greater control over the client certificate validation.

The `raw` option is unsupported.
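The combination described above (`verify_peer`, `fail_if_no_peer_cert`, a trust store and a `verify_fun`) as an added example of a client-certificate-requiring listener; this is not code from the Ranch project. It assumes the Ranch 1.x `ranch:start_listener/6` API, placeholder PEM file paths, and a hypothetical `mtls_echo_protocol` module implementing the `ranch_protocol` behaviour.

```erlang
%% Added example, not part of the Ranch manual. Assumes Ranch 1.x
%% (ranch:start_listener/6); paths and mtls_echo_protocol are placeholders.
-module(mtls_listener_example).
-export([start/0, listen_opts/0, verify/3]).

%% Placeholder paths; point these at the real PEM files.
-define(CERT, "/etc/myapp/server-cert.pem").
-define(KEY,  "/etc/myapp/server-key.pem").
-define(CA,   "/etc/myapp/client-ca.pem").

%% Listen options for ranch_ssl. Only cert/certfile is mandatory; the
%% rest tighten the handshake.
listen_opts() ->
    [{port, 8443},
     {certfile, ?CERT},             %% mandatory: cert or certfile
     {keyfile, ?KEY},               %% needed when the key is not in certfile
     {cacertfile, ?CA},             %% trust anchors used to verify the client
     {verify, verify_peer},         %% without this the client sends no cert
     {fail_if_no_peer_cert, true},  %% only meaningful together with verify_peer
     {verify_fun, {fun ?MODULE:verify/3, []}},
     {honor_cipher_order, true},    %% server preference wins cipher selection
     {secure_renegotiate, true},    %% reject renegotiation not per RFC5746
     {versions, ['tlsv1.2']}].      %% restrict accepted protocol versions

%% verify_fun callback in the shape OTP's ssl expects: any path
%% validation error is fatal, unknown extensions are passed through,
%% valid certificates are accepted. The user state is unused here.
verify(_Cert, {bad_cert, Reason}, _State) -> {fail, Reason};
verify(_Cert, {extension, _Ext}, State)   -> {unknown, State};
verify(_Cert, valid, State)               -> {valid, State};
verify(_Cert, valid_peer, State)          -> {valid, State}.

%% Start 10 acceptors on the ranch_ssl transport with the options above.
start() ->
    ranch:start_listener(mtls_echo, 10, ranch_ssl, listen_opts(),
                         mtls_echo_protocol, []).
```

A client that connects without a certificate, or with one not chaining to the CA in `cacertfile`, is rejected during the handshake rather than reaching the protocol module.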

Exports
-------

None.