1<?xml version="1.0" encoding="utf-8" ?> 2<!DOCTYPE appref SYSTEM "appref.dtd"> 3 4<appref> 5 <header> 6 <copyright> 7 <year>1999</year><year>2020</year> 8 <holder>Ericsson AB. All Rights Reserved.</holder> 9 </copyright> 10 <legalnotice> 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 23 </legalnotice> 24 25 <title>ssl</title> 26 <prepared></prepared> 27 <docno></docno> 28 <date></date> 29 <rev></rev> 30 <file>ssl_app.sgml</file> 31 </header> 32 <app>ssl</app> 33 <appsummary>The ssl application provides secure communication over 34 sockets.</appsummary> 35 36 <description> 37 <p> 38 The ssl application is an implementation of the SSL, TLS and DTLS protocols in Erlang. 39 </p> 40 <p>For current statement of standards compliance see the <seeguide marker="standards_compliance">User's Guide</seeguide>.</p> 41 </description> 42 43 <section> 44 <title>DEPENDENCIES</title> 45 <p>The SSL application uses the <c>public_key</c>, <c>asn1</c> and 46 Crypto application to handle public keys and encryption, hence 47 these applications must be loaded for the SSL application to work. 48 In an embedded environment this means they must be started with 49 <c>application:start/[1,2]</c> before the SSL application is 50 started.</p> 51 </section> 52 53 <section> 54 <title>CONFIGURATION</title> 55 <p> 56 The application environment configuration parameters in this section 57 are defined for the SSL application. For more information 58 about configuration parameters, see the 59 <seeerl marker="kernel:application">application(3)</seeerl> 60 manual page in Kernel.</p> 61 62 <p>The environment parameters can be set on the command line, 63 for example:</p> 64 65 <p><c>erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"</c></p> 66 67 <taglist> 68 <tag><c>protocol_version = </c><seetype marker="ssl#tls_version">ssl:tls_version()</seetype> | 69 [<seetype marker="ssl#tls_version">ssl:tls_version()</seetype>] <c><![CDATA[<optional>]]></c></tag> 70 <item><p>Protocol supported by started clients and 71 servers. If this option is not set, it defaults to all 72 TLS protocols currently supported, more might be configurable, by the SSL application. 73 This option can be overridden by the version option 74 to <c>ssl:connect/[2,3]</c> and <c>ssl:listen/2</c>.</p></item> 75 76 <tag><c>dtls_protocol_version = </c><seetype marker="ssl#dtls_version">ssl:dtls_version()</seetype> | 77 [<seetype marker="ssl#dtls_version">ssl:dtls_version()</seetype>] <c><![CDATA[<optional>]]></c></tag> 78 <item><p>Protocol supported by started clients and 79 servers. If this option is not set, it defaults to all 80 DTLS protocols currently supported, more might be configurable, by the SSL application. 81 This option can be overridden by the version option 82 to <c>ssl:connect/[2,3]</c> and <c>ssl:listen/2</c>.</p></item> 83 84 <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag> 85 <item><p>Maximum lifetime of the session data in seconds. Defaults to 24 hours which is the maximum 86 recommended lifetime by <url href="http://www.ietf.org/rfc/5246rfc.txt">RFC 5246</url>. However 87 sessions may be invalidated earlier due to the maximum limitation of the session cache table. 88 </p></item> 89 90 <tag><c><![CDATA[session_cb = atom() <optional>]]></c></tag> 91 <item><p> Deprecated Since OTP-23.3 replaced by <c>client_session_cb</c> 92 and <c>server_session_cb</c> 93 </p></item> 94 95 <tag><c><![CDATA[client_session_cb = atom() <optional>]]></c></tag> 96 <item><p> Since OTP-23.3 Name client of the session cache callback module that implements 97 the <c>ssl_session_cache_api</c> behavior. Defaults to 98 <c>ssl_client_session_cache_db</c>.</p></item> 99 100 101 <tag><c><![CDATA[server_session_cb = atom() <optional>]]></c></tag> 102 <item><p>Since OTP-23.3 Name of the server session cache callback module that implements 103 the <c>ssl_session_cache_api</c> behavior. Defaults to 104 <c>ssl_server_session_cache_db</c>.</p></item> 105 106 <tag><c><![CDATA[session_cb_init_args = proplist:proplist() <optional>]]></c></tag> 107 108 <item><p>Deprecated Since OTP-23.3 replaced by <c>client_session_cb_init_args</c> 109 and <c>server_session_cb_init_args</c></p></item> 110 111 <tag><c><![CDATA[client_session_cb_init_args = proplist:proplist() <optional>]]></c></tag> 112 113 <item><p>List of extra user-defined arguments to the <c>init</c> function 114 in the session cache callback module. Defaults to <c>[]</c>.</p></item> 115 116 <tag><c><![CDATA[server_session_cb_init_args = proplist:proplist() <optional>]]></c></tag> 117 118 <item><p>List of extra user-defined arguments to the <c>init</c> function 119 in the session cache callback module. Defaults to <c>[]</c>.</p></item> 120 121 122 <tag><c><![CDATA[session_cache_client_max = integer() <optional>]]></c><br/></tag> 123 <item><p>Limits the growth of the clients session cache, that is 124 how many sessions towards servers that are cached to be used by 125 new client connections. If the maximum number of sessions is 126 reached, the current cache entries will be invalidated 127 regardless of their remaining lifetime. Defaults to 128 1000. Recommended ssl-8.2.1 or later for this option to work as intended.</p></item> 129 130 <tag> <c><![CDATA[session_cache_server_max = integer() <optional>]]></c></tag> 131 <item><p>Limits the growth of the servers session cache, that is 132 how many client sessions are cached by the server. If the 133 maximum number of sessions is reached, the current cache entries 134 will be invalidated regardless of their remaining 135 lifetime. Defaults to 1000. Recommended ssl-8.2.1 or later for this option to work as intended.</p></item> 136 137 <tag><c><![CDATA[ssl_pem_cache_clean = integer() <optional>]]></c></tag> 138 <item> 139 <p> 140 Number of milliseconds between PEM cache validations. Defaults to 2 minutes. 141 </p> 142 <seemfa 143 marker="ssl#clear_pem_cache/0">ssl:clear_pem_cache/0</seemfa> 144 145 </item> 146 147 <tag><c><![CDATA[bypass_pem_cache = boolean() <optional>]]></c></tag> 148 <item> 149 <p>Introduced in ssl-8.0.2. Disables the PEM-cache. 150 Can be used as a workaround for the PEM-cache bottleneck 151 before ssl-8.1.1. Defaults to false. 152 </p> 153 </item> 154 155 <tag><c><![CDATA[alert_timeout = integer() <optional>]]></c></tag> 156 <item> 157 <p> 158 Number of milliseconds between sending of a fatal alert and 159 closing the connection. Waiting a little while improves the 160 peers chances to properly receiving the alert so it may 161 shutdown gracefully. Defaults to 5000 milliseconds. 162 </p> 163 </item> 164 165 <tag><c><![CDATA[internal_active_n = integer() <optional>]]></c></tag> 166 <item> 167 <p> 168 For TLS connections this value is used to handle the 169 internal socket. As the implementation was changed from an 170 active once to an active N behavior (N = 100), for 171 performance reasons, this option exist for possible tweaking 172 or restoring of the old behavior (internal_active_n = 1) in 173 unforeseen scenarios. The option will not affect erlang 174 distribution over TLS that will always run in active N mode. 175 Added in ssl-9.1 (OTP-21.2). 176 </p> 177 </item> 178 179 <tag><c><![CDATA[server_session_tickets_amount = integer() <optional>]]></c></tag> 180 <item> 181 <p> 182 Number of session tickets sent by the server. It must be greater than 0. 183 Defaults to 3. 184 </p> 185 </item> 186 187 <tag><c><![CDATA[server_session_ticket_lifetime = integer() <optional>]]></c></tag> 188 <item> 189 <p> 190 Lifetime of session tickets sent by the server. Servers must not use 191 any value greater than 604800 seconds (7 days). Expired tickets are automatically removed. 192 Defaults to 7200 seconds (2 hours). 193 </p> 194 </item> 195 196 <tag><c><![CDATA[server_session_ticket_store_size = integer() <optional>]]></c></tag> 197 <item> 198 <p> 199 Sets the maximum size of the server session ticket store (stateful tickets). 200 Defaults to 1000. Size limit is enforced by dropping old tickets. 201 </p> 202 </item> 203 204 <tag><c><![CDATA[server_session_ticket_max_early_data = integer() <optional>]]></c></tag> 205 <item> 206 <p> 207 Sets the maximum size of the early data that the server accepts and also configures 208 its NewSessionTicket messages to include this same size limit in their 209 early_data_indication extension. 210 Defaults to 16384. Size limit is enforced by both client and server. 211 </p> 212 </item> 213 214 <tag><c><![CDATA[client_session_ticket_lifetime = integer() <optional>]]></c></tag> 215 <item> 216 <p> 217 Lifetime of session tickets in the client ticket store. Expired tickets are 218 automatically removed. Defaults to 7200 seconds (2 hours). 219 </p> 220 </item> 221 222 <tag><c><![CDATA[client_session_ticket_store_size = integer() <optional>]]></c></tag> 223 <item> 224 <p> 225 Sets the maximum size of the client session ticket store. 226 Defaults to 1000. Size limit is enforced by dropping old tickets. 227 </p> 228 </item> 229 </taglist> 230 </section> 231 232 <section> 233 <title>ERROR LOGGER AND EVENT HANDLERS</title> 234 235 <p>The SSL application uses <seeerl 236 marker="kernel:logger">OTP logger</seeerl>. 237 TLS/DTLS alerts are logged on notice level. Unexpected 238 errors are logged on error level. These log entries 239 will by default end up in the default Erlang log. 240 The option <c>log_level</c> may be used to in run-time to set 241 the log level of a specific TLS connection, which is 242 handy when you want to use level debug to inspect the 243 TLS handshake setup. 244 </p> 245 </section> 246 247 <section> 248 <title>SEE ALSO</title> 249 <p><seeerl marker="kernel:application">application(3)</seeerl></p> 250 </section> 251 252</appref> 253