Home Explore Help
Sign In
n4u
/
ranch
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Add SSL options for legacy software interoperability

Alexandru Munteanu 8 years ago
parent
eafd62e47e
commit
4d487ac60c
2 changed files with 18 additions and 6 deletions
Unified View Show Diff Stats
  1. 9 0
      doc/src/manual/ranch_ssl.asciidoc
  2. 9 6
      src/ranch_ssl.erl

+ 9 - 0
doc/src/manual/ranch_ssl.asciidoc
View File 

@@ -15,6 +15,7 @@ The `ranch_ssl` module implements an SSL Ranch transport.
 
 [source,erlang]
 
 [source,erlang]
 
 ----
 
 ----
 
 ssl_opt() = {alpn_preferred_protocols, [binary()]}
 
 ssl_opt() = {alpn_preferred_protocols, [binary()]}
 
+	| {beast_mitigation, one_n_minus_one | zero_n | disabled}
 
 	| {cacertfile, string()}
 
 	| {cacertfile, string()}
 
 	| {cacerts, [public_key:der_encoded()]}
 
 	| {cacerts, [public_key:der_encoded()]}
 
 	| {cert, public_key:der_encoded()}
 
 	| {cert, public_key:der_encoded()}
 
@@ -33,6 +34,7 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
 
 	| {keyfile, string()}
 
 	| {keyfile, string()}
 
 	| {log_alert, boolean()}
 
 	| {log_alert, boolean()}
 
 	| {next_protocols_advertised, [binary()]}
 
 	| {next_protocols_advertised, [binary()]}
 
+	| {padding_check, boolean()}
 
 	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
 
 	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
 
 	| {password, string()}
 
 	| {password, string()}
 
 	| {psk_identity, string()}
 
 	| {psk_identity, string()}
 
@@ -43,6 +45,7 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
 
 	| {sni_fun, fun()}
 
 	| {sni_fun, fun()}
 
 	| {sni_hosts, [{string(), ssl_opt()}]}
 
 	| {sni_hosts, [{string(), ssl_opt()}]}
 
 	| {user_lookup_fun, {fun(), any()}}
 
 	| {user_lookup_fun, {fun(), any()}}
 
+	| {v2_hello_compatible, boolean()}
 
 	| {verify, ssl:verify_type()}
 
 	| {verify, ssl:verify_type()}
 
 	| {verify_fun, {fun(), any()}}
 
 	| {verify_fun, {fun(), any()}}
 
 	| {versions, [atom()]}.
 
 	| {versions, [atom()]}.
 
@@ -67,6 +70,8 @@ The default value is given next to the option name.
 
 
 
 alpn_preferred_protocols::
 
 alpn_preferred_protocols::
 
 	Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.
 
 	Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.
 
+beast_mitigation::
 
+	Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.
 
 cacertfile::
 
 cacertfile::
 
 	Path to PEM encoded trusted certificates file used to verify peer certificates.
 
 	Path to PEM encoded trusted certificates file used to verify peer certificates.
 
 cacerts::
 
 cacerts::
 
@@ -105,6 +110,8 @@ next_protocols_advertised::
 
 	List of protocols to send to the client if it supports the Next Protocol extension.
 
 	List of protocols to send to the client if it supports the Next Protocol extension.
 
 nodelay (true)::
 
 nodelay (true)::
 
 	Whether to enable TCP_NODELAY.
 
 	Whether to enable TCP_NODELAY.
 
+padding_check::
 
+	Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software.
 
 partial_chain::
 
 partial_chain::
 
 	Claim an intermediate CA in the chain as trusted.
 
 	Claim an intermediate CA in the chain as trusted.
 
 password::
 
 password::
 
@@ -125,6 +132,8 @@ sni_hosts::
 
 	Options to apply for the host that matches what the client requested with Server Name Indication.
 
 	Options to apply for the host that matches what the client requested with Server Name Indication.
 
 user_lookup_fun::
 
 user_lookup_fun::
 
 	Function called to determine the shared secret when using PSK, or provide parameters when using SRP.
 
 	Function called to determine the shared secret when using PSK, or provide parameters when using SRP.
 
+v2_hello_compatible::
 
+	Accept clients that send hello messages in SSL-2.0 format while offering supported SSL/TLS versions.
 
 verify (verify_none)::
 
 verify (verify_none)::
 
 	Use `verify_peer` to request a certificate from the client.
 
 	Use `verify_peer` to request a certificate from the client.
 
 verify_fun::
 
 verify_fun::

+ 9 - 6
src/ranch_ssl.erl
View File 

@@ -37,6 +37,7 @@
 
 -export([close/1]).
 
 -export([close/1]).
 
 
 
 -type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
 
 -type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
 
+	| {beast_mitigation, one_n_minus_one | zero_n | disabled}
 
 	| {cacertfile, string()}
 
 	| {cacertfile, string()}
 
 	| {cacerts, [public_key:der_encoded()]}
 
 	| {cacerts, [public_key:der_encoded()]}
 
 	| {cert, public_key:der_encoded()}
 
 	| {cert, public_key:der_encoded()}
 
@@ -55,6 +56,7 @@
 
 	| {keyfile, string()}
 
 	| {keyfile, string()}
 
 	| {log_alert, boolean()}
 
 	| {log_alert, boolean()}
 
 	| {next_protocols_advertised, [binary()]}
 
 	| {next_protocols_advertised, [binary()]}
 
+	| {padding_check, boolean()}
 
 	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
 
 	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
 
 	| {password, string()}
 
 	| {password, string()}
 
 	| {psk_identity, string()}
 
 	| {psk_identity, string()}
 
@@ -65,6 +67,7 @@
 
 	| {sni_fun, fun()}
 
 	| {sni_fun, fun()}
 
 	| {sni_hosts, [{string(), ssl_opt()}]}
 
 	| {sni_hosts, [{string(), ssl_opt()}]}
 
 	| {user_lookup_fun, {fun(), any()}}
 
 	| {user_lookup_fun, {fun(), any()}}
 
+	| {v2_hello_compatible, boolean()}
 
 	| {verify, ssl:verify_type()}
 
 	| {verify, ssl:verify_type()}
 
 	| {verify_fun, {fun(), any()}}
 
 	| {verify_fun, {fun(), any()}}
 
 	| {versions, [atom()]}.
 
 	| {versions, [atom()]}.
 
@@ -101,12 +104,12 @@ listen(Opts) ->
 
 			{reuseaddr, true}, {nodelay, true}])).
 
 			{reuseaddr, true}, {nodelay, true}])).
 
 
 
 listen_options() ->
 
 listen_options() ->
 
-	[alpn_preferred_protocols, cacertfile, cacerts, cert, certfile,
 
-		ciphers, client_renegotiation, crl_cache, crl_check, depth,
 
-		dh, dhfile, fail_if_no_peer_cert, hibernate_after, honor_cipher_order,
 
-		key, keyfile, log_alert, next_protocols_advertised, partial_chain,
 
-		password, psk_identity, reuse_session, reuse_sessions, secure_renegotiate,
 
-		signature_algs, sni_fun, sni_hosts, user_lookup_fun, verify, verify_fun, versions
 
+	[alpn_preferred_protocols, beast_mitigation, cacertfile, cacerts, cert, certfile,
 
+		ciphers, client_renegotiation, crl_cache, crl_check, depth, dh, dhfile,
 
+		fail_if_no_peer_cert, hibernate_after, honor_cipher_order, key, keyfile,
 
+		log_alert, next_protocols_advertised, partial_chain, password, padding_check,
 
+		psk_identity, reuse_session, reuse_sessions, secure_renegotiate, signature_algs,
 
+		sni_fun, sni_hosts, user_lookup_fun, v2_hello_compatible, verify, verify_fun, versions
 
 		|ranch_tcp:listen_options()].
 
 		|ranch_tcp:listen_options()].
 
 
 
 -spec accept(ssl:sslsocket(), timeout())
 
 -spec accept(ssl:sslsocket(), timeout())