ssl(7) Erlang Application Definition ssl(7)


ssl - The ssl application provides secure communication over sockets.

The ssl application is an implementation of the SSL/TLS/DTLS protocols
in Erlang.

* Supported SSL/TLS/DTLS versions are SSL-3.0, TLS-1.0, TLS-1.1,
  TLS-1.2, DTLS-1.0 (based on TLS-1.1) and DTLS-1.2 (based on TLS-1.2).

* For security reasons SSL-2.0 is not supported. Interoperability
  with SSL-2.0-enabled clients has been dropped. (OTP 21)

* For security reasons SSL-3.0 is no longer supported by default, but
  can be configured. (OTP 19)

* For security reasons RSA key exchange cipher suites are no longer
  supported by default, but can be configured. (OTP 21)

* For security reasons DES cipher suites are no longer supported by
  default, but can be configured. (OTP 20)

* For security reasons 3DES cipher suites are no longer supported by
  default, but can be configured. (OTP 21)

* The Renegotiation Indication Extension (RFC 5746) is supported.

* Ephemeral Diffie-Hellman cipher suites are supported, but
  Diffie-Hellman certificate cipher suites are not.

* Elliptic Curve cipher suites are supported if the Crypto application
  supports them and named curves are used.

* Export cipher suites are not supported, as the U.S. lifted its
  export restrictions in early 2000.

* IDEA cipher suites are not supported, as they have been deprecated
  by the latest TLS specification, so there is no motivation to
  implement them.

* Compression is not supported.

* CRL validation is supported.

* Policy certificate extensions are not supported.

* The 'Server Name Indication' extension (RFC 6066) is supported.

* Application Layer Protocol Negotiation (ALPN) and Next Protocol
  Negotiation (NPN) are supported.

* It is possible to use Pre-Shared Key (PSK) and Secure Remote
  Password (SRP) cipher suites, but they are not enabled by default.

The SSL application uses the public_key, asn1 and Crypto applications to
handle public keys and encryption, hence these applications must be
loaded for the SSL application to work. In an embedded environment this
means they must be started with application:start/[1,2] before the SSL
application is started.

The application environment configuration parameters in this section
are defined for the SSL application. For more information about
configuration parameters, see the application(3) manual page in Kernel.

The environment parameters can be set on the command line, for example:

    erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"

protocol_version = ssl:ssl_tls_protocol() <optional>:
    Protocol versions supported by started clients and servers. If this
    option is not set, it defaults to all TLS protocols currently
    supported by the SSL application. This option can be overridden by
    the versions option to ssl:connect/[2,3] and ssl:listen/2.

dtls_protocol_version = ssl:dtls_protocol() <optional>:
    Protocol versions supported by started clients and servers. If this
    option is not set, it defaults to all DTLS protocols currently
    supported by the SSL application. This option can be overridden by
    the versions option to ssl:connect/[2,3] and ssl:listen/2.

session_lifetime = integer() <optional>:
    Maximum lifetime of the session data in seconds. Defaults to 24
    hours, which is the maximum lifetime recommended by RFC 5246.
    However, sessions may be invalidated earlier due to the maximum
    size limitation of the session cache table.

session_cb = atom() <optional>:
    Name of the session cache callback module that implements the
    ssl_session_cache_api behaviour. Defaults to ssl_session_cache.

session_cb_init_args = proplist:proplist() <optional>:
    List of extra user-defined arguments to the init function in the
    session cache callback module. Defaults to [].

session_cache_client_max = integer() <optional>:
    Limits the growth of the client's session cache, that is, how many
    sessions towards servers are cached for reuse by new client
    connections. If the maximum number of sessions is reached, the
    current cache entries are invalidated regardless of their
    remaining lifetime. Defaults to 1000. ssl-8.2.1 or later is
    recommended for this option to work as intended.

session_cache_server_max = integer() <optional>:
    Limits the growth of the server's session cache, that is, how many
    client sessions are cached by the server. If the maximum number of
    sessions is reached, the current cache entries are invalidated
    regardless of their remaining lifetime. Defaults to 1000.
    ssl-8.2.1 or later is recommended for this option to work as
    intended.

ssl_pem_cache_clean = integer() <optional>:
    Number of milliseconds between PEM cache validations. Defaults to 2
    minutes. See also ssl:clear_pem_cache/0.

bypass_pem_cache = boolean() <optional>:
    Introduced in ssl-8.0.2. Disables the PEM cache. Can be used as a
    workaround for the PEM cache bottleneck before ssl-8.1.1. Defaults
    to false.

alert_timeout = integer() <optional>:
    Number of milliseconds between sending a fatal alert and closing
    the connection. Waiting a short while improves the peer's chances
    of receiving the alert properly so that it can shut down
    gracefully. Defaults to 5000 milliseconds.

internal_active_n = integer() <optional>:
    For TLS connections this value is used to handle the internal
    socket. As the implementation was changed from an active once to
    an active N behaviour (N = 100) for performance reasons, this
    option exists for tweaking, or for restoring the old behaviour
    (internal_active_n = 1) in unforeseen scenarios. The option does
    not affect Erlang distribution over TLS, which always runs in
    active N mode. Added in ssl-9.1 (OTP-21.2).

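As an added example (not code from OTP or from this manual page), a hypothetical module that applies the parameters above from a sys.config term, inspects the result with ssl:versions/0, and shows the per-connection versions override that takes precedence over protocol_version; the module name, the CA bundle path and all parameter values are assumptions.

```erlang
%% Hypothetical helper module, not part of OTP; written against the ssl 9.x API
%% described on this page. All configuration values below are constructed.
-module(ssl_env_check).
-export([sys_config/0, harden_env/0, supported_versions/0, connect_tls12_only/2]).

%% Same effect as starting the node with
%%   erl -ssl protocol_version "['tlsv1.2']" -ssl session_lifetime 3600
%% but as a sys.config term: TLS 1.2 only, 1 h session lifetime instead of the
%% 24 h default, and a smaller client session cache.
sys_config() ->
    [{ssl, [{protocol_version, ['tlsv1.2']},
            {dtls_protocol_version, ['dtlsv1.2']},
            {session_lifetime, 3600},
            {session_cache_client_max, 500}]}].

%% Apply the parameters programmatically. They must be set before ssl (and its
%% dependencies crypto, asn1, public_key) is started; ensure_all_started/1
%% then starts all of them in dependency order.
harden_env() ->
    Params = proplists:get_value(ssl, sys_config()),
    lists:foreach(fun({Key, Val}) -> ok = application:set_env(ssl, Key, Val) end,
                  Params),
    {ok, _Started} = application:ensure_all_started(ssl),
    ok.

%% Compare what this ssl build can offer with what the environment allows.
%% ssl:versions/0 returns a proplist: 'available' is what the code supports,
%% 'supported' is what is enabled by default (key names as in ssl 9.x).
supported_versions() ->
    Info = ssl:versions(),
    #{available  => proplists:get_value(available, Info),
      enabled    => proplists:get_value(supported, Info),
      configured => application:get_env(ssl, protocol_version)}.

%% Per-connection pin. The versions option overrides protocol_version, so the
%% environment alone does not stop a caller from asking for TLS 1.1; pin it
%% explicitly and read back what was actually negotiated.
connect_tls12_only(Host, Port) ->
    Opts = [{versions, ['tlsv1.2']},
            {verify, verify_peer},
            {cacertfile, "/path/to/ca-bundle.pem"},   %% placeholder CA bundle
            {server_name_indication, Host}],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Sock} ->
            {ok, [{protocol, Proto}]} = ssl:connection_information(Sock, [protocol]),
            ok = ssl:close(Sock),
            {ok, Proto};
        {error, Reason} ->
            {error, Reason}
    end.
```

Because harden_env/0 sets the environment before the application starts, it must be called from a boot script or supervisor init, not after ssl is already running.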
The SSL application uses the default OTP error logger to log unexpected
errors and TLS/DTLS alerts. The logging of TLS/DTLS alerts may be
turned off with the log_alert option.

application(3)



Ericsson AB ssl 9.2.3.2 ssl(7)