Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Thursday, June 13, 2019
 
 

ssl (7erl)

Name

ssl - The ssl application provides secure communication over sockets.

Synopsis

Please see following description for synopsis

Description

Erlang Application Definition                                           ssl(7)



NAME
       ssl - The ssl application provides secure communication over
         sockets.

DESCRIPTION
       The  ssl  application is an implementation of the SSL/TLS/DTLS protocol
       in Erlang.

         * Supported  SSL/TLS/DTLS-versions  are  SSL-3.0,  TLS-1.0,  TLS-1.1,
           TLS-1.2, DTLS-1.0 (based on TLS-1.1), DTLS-1.2 (based on TLS-1.2)

         * For  security  reasons  SSL-2.0  is not supported. Interoperability
           with SSL-2.0 enabled clients dropped. (OTP 21)

         * For security reasons SSL-3.0 is no longer supported by default, but
           can be configured. (OTP 19)

         * For  security  reasons RSA key exchange cipher suites are no longer
           supported by default, but can be configured. (OTP 21)

         * For security reasons DES cipher suites are no longer  supported  by
           default, but can be configured. (OTP 20)

         * For  security reasons 3DES cipher suites are no longer supported by
           default, but can be configured. (OTP 21)

         *
            Renegotiation Indication Extension RFC 5746 is supported

         * Ephemeral Diffie-Hellman  cipher  suites  are  supported,  but  not
           Diffie Hellman Certificates cipher suites.

         * Elliptic  Curve  cipher suites are supported if the Crypto applica-
           tion supports it and named curves are used.

         * Export cipher suites are not  supported  as  the  U.S.  lifted  its
           export restrictions in early 2000.

         * IDEA cipher suites are not supported as they have become deprecated
           by the latest TLS specification so it is not motivated to implement
           them.

         * Compression is not supported.

         * CRL validation is supported.

         * Policy certificate extensions are not supported.

         * 'Server Name Indication' extension (RFC 6066) is supported.

         * Application  Layer  Protocol  Negotiation  (ALPN) and its successor
           Next Protocol Negotiation (NPN) are supported.

         * It is possible to use Pre-Shared Key (PSK) and Secure Remote  Pass-
           word (SRP) cipher suites, but they are not enabled by default.

DEPENDENCIES
       The SSL application uses the public_key, asn1 and Crypto application to
       handle public keys and encryption, hence  these  applications  must  be
       loaded for the SSL application to work. In an embedded environment this
       means they must be started with application:start/[1,2] before the  SSL
       application is started.

CONFIGURATION
       The  application  environment  configuration parameters in this section
       are defined for the SSL application. For more information about config-
       uration parameters, see the application(3) manual page in Kernel.

       The environment parameters can be set on the command line, for example:

       erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"

         protocol_version = ssl:ssl_tls_protocol()<optional>:
           Protocol  supported  by started clients and servers. If this option
           is not set, it defaults to all TLS protocols currently supported by
           the  SSL  application. This option can be overridden by the version
           option to ssl:connect/[2,3] and ssl:listen/2.

         dtls_protocol_version = ssl:dtls_protocol()<optional>:
           Protocol supported by started clients and servers. If  this  option
           is  not  set, it defaults to all DTLS protocols currently supported
           by the SSL application. This option can be overridden by  the  ver-
           sion option to ssl:connect/[2,3] and ssl:listen/2.

         session_lifetime = integer() <optional>:
           Maximum  lifetime  of  the  session data in seconds. Defaults to 24
           hours which is the maximum recommended lifetime by RFC  5246.  How-
           ever sessions may be invalidated earlier due to the maximum limita-
           tion of the session cache table.

         session_cb = atom() <optional>:
           Name of the session  cache  callback  module  that  implements  the
           ssl_session_cache_api behavior. Defaults to ssl_session_cache.

         session_cb_init_args = proplist:proplist() <optional>:
           List  of  extra  user-defined arguments to the init function in the
           session cache callback module. Defaults to [].

         session_cache_client_max = integer() <optional>
           : Limits the growth of the clients session cache, that is how  many
           sessions  towards  servers that are cached to be used by new client
           connections. If the maximum number of sessions is reached, the cur-
           rent  cache entries will be invalidated regardless of their remain-
           ing lifetime. Defaults to 1000. Recommended ssl-8.2.1 or later  for
           this option to work as intended.

         session_cache_server_max = integer() <optional>:
           Limits  the  growth  of the servers session cache, that is how many
           client sessions are cached by the server. If the maximum number  of
           sessions  is reached, the current cache entries will be invalidated
           regardless of their remaining lifetime. Defaults  to  1000.  Recom-
           mended ssl-8.2.1 or later for this option to work as intended.

         ssl_pem_cache_clean = integer() <optional>:
           Number of milliseconds between PEM cache validations. Defaults to 2
           minutes.ssl:clear_pem_cache/0

         bypass_pem_cache = boolean() <optional>:
           Introduced in ssl-8.0.2. Disables the PEM-cache. Can be used  as  a
           workaround  for the PEM-cache bottleneck before ssl-8.1.1. Defaults
           to false.

         alert_timeout = integer() <optional>:
           Number of milliseconds between sending of a fatal alert and closing
           the  connection.  Waiting a little while improves the peers chances
           to properly receiving the alert  so  it  may  shutdown  gracefully.
           Defaults to 5000 milliseconds.

ERROR LOGGER AND EVENT HANDLERS
       The SSL application uses the default OTP error logger to log unexpected
       errors and TLS/DTLS alerts. The  logging  of  TLS/DTLS  alerts  may  be
       turned off with the log_alert option.

SEE ALSO
       application(3)



Ericsson AB                         ssl 9.0                             ssl(7)