
Update ranch_ssl:ssl_opt() to conform with OTP 22 ssl

juhlig 6 years ago
parent
commit
ad82f58139
2 changed files with 74 additions and 37 deletions
  1. 53 23
      doc/src/manual/ranch_ssl.asciidoc
  2. 21 14
      src/ranch_ssl.erl

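--- a/doc/src/manual/ranch_ssl.asciidoc
+++ b/doc/src/manual/ranch_ssl.asciidoc
@@ -41,41 +41,44 @@ List of listen options.
 ----
 ssl_opt() = {alpn_preferred_protocols, [binary()]}
           | {beast_mitigation, one_n_minus_one | zero_n | disabled}
-          | {cacertfile, string()}
+          | {cacertfile, file:filename()}
           | {cacerts, [public_key:der_encoded()]}
           | {cert, public_key:der_encoded()}
-          | {certfile, string()}
+          | {certfile, file:filename()}
-          | {ciphers, [ssl:erl_cipher_suite()] | string()}
+          | {ciphers, ssl:ciphers()}
           | {client_renegotiation, boolean()}
-          | {crl_cache, {module(), {internal | any(), list()}}}
+          | {crl_cache, [any()]}
           | {crl_check, boolean() | peer | best_effort}
-          | {depth, 0..255}
+          | {depth, integer()}
-          | {dh, public_key:der_encoded()}
+          | {dh, binary()}
-          | {dhfile, string()}
+          | {dhfile, file:filename()}
+          | {eccs, [atom()]}
           | {fail_if_no_peer_cert, boolean()}
-          | {hibernate_after, integer() | undefined}
+          | {hibernate_after, timeout()}
           | {honor_cipher_order, boolean()}
-          | {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo',
+          | {honor_ecc_order, boolean()}
-                public_key:der_encoded()}}
+          | {key, ssl:key()}
-          | {keyfile, string()}
+          | {keyfile, file:filename()}
           | {log_alert, boolean()}
+          | {log_level, logger:level()}
+          | {max_handshake_size, integer()}
           | {next_protocols_advertised, [binary()]}
           | {padding_check, boolean()}
-          | {partial_chain, fun(([public_key:der_encoded()])
+          | {partial_chain, fun()}
-                -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
           | {password, string()}
+          | {protocol, tls | dtls}
           | {psk_identity, string()}
           | {reuse_session, fun()}
           | {reuse_sessions, boolean()}
           | {secure_renegotiate, boolean()}
-          | {signature_algs, [{atom(), atom()}]}
+          | {signature_algs, [{ssl:hash(), ssl:sign_algo()}]}
+          | {signature_algs_cert, [atom()]}
           | {sni_fun, fun()}
           | {sni_hosts, [{string(), ssl_opt()}]}
           | {user_lookup_fun, {fun(), any()}}
-          | {v2_hello_compatible, boolean()}
+          | {verify, verify_none | verify_peer}
-          | {verify, ssl:verify_type()}
           | {verify_fun, {fun(), any()}}
-          | {versions, [atom()]}
+          | {versions, [ssl:protocol_version()]}
 ----
 
 SSL-specific listen options.
@@ -91,7 +94,7 @@ alpn_preferred_protocols::
 Perform Application-Layer Protocol Negotiation
 with the given list of preferred protocols.
 
-beast_mitigation::
+beast_mitigation (one_n_minus_one)::
 
 Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0
 to interoperate with legacy software.
@@ -144,6 +147,10 @@ dhfile::
 
 Path to the PEM encoded Diffie-Hellman parameters file.
 
+eccs::
+
+List of named ECC curves.
+
 fail_if_no_peer_cert (false)::
 
 Whether to refuse the connection if the client sends an
@@ -159,6 +166,11 @@ honor_cipher_order (false)::
 If true, use the server's preference for cipher selection.
 If false, use the client's preference.
 
+honor_ecc_order (false)::
+
+If true, use the server's preference for ECC curve selection.
+If false, use the client's preference.
+
 key::
 
 DER encoded user private key.
@@ -172,6 +184,15 @@ log_alert (true)::
 
 If false, error reports will not be displayed.
 
+log_level::
+
+Specifies the log level for TLS/DTLS.
+
+max_handshake_size (256*1024)::
+
+Used to limit the size of valid TLS handshake packets to
+avoid DoS attacks.
+
 next_protocols_advertised::
 
 List of protocols to send to the client if it supports the
@@ -190,6 +211,10 @@ password::
 
 Password to the private key file, if password protected.
 
+protocol (tls)::
+
+Choose TLS or DTLS protocol for the transport layer security.
+
 psk_identity::
 
 Provide the given PSK identity hint to the client during the
@@ -214,6 +239,12 @@ The TLS signature algorithm extension may be used, from TLS 1.2,
 to negotiate which signature algorithm to use during the TLS
 handshake.
 
+signature_algs_cert::
+
+List of signature schemes for the signature_algs_cert extension
+introduced in TLS 1.3, in order to make special requirements
+on signatures used in certificates.
+
 sni_fun::
 
 Function called when the client requests a host using Server
@@ -229,11 +260,6 @@ user_lookup_fun::
 Function called to determine the shared secret when using PSK,
 or provide parameters when using SRP.
 
-v2_hello_compatible::
-
-Accept clients that send hello messages in SSL-2.0 format while
-offering supported SSL/TLS versions.
-
 verify (verify_none)::
 
 Use `verify_peer` to request a certificate from the client.
@@ -254,6 +280,10 @@ greater control over the client certificate validation.
 
 The options `sni_fun` and `sni_hosts` are mutually exclusive.
 
+== Changelog
+
+* *2.0*: The `ssl_opt()` type was updated for OTP-22.0.
+
 == See also
 
 link:man:ranch(7)[ranch(7)],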

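--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -42,39 +42,46 @@
 
 -type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
 	| {beast_mitigation, one_n_minus_one | zero_n | disabled}
-	| {cacertfile, string()}
+	| {cacertfile, file:filename()}
 	| {cacerts, [public_key:der_encoded()]}
 	| {cert, public_key:der_encoded()}
-	| {certfile, string()}
+	| {certfile, file:filename()}
-	| {ciphers, [ssl:erl_cipher_suite()]}
+	| {ciphers, ssl:ciphers()}
 	| {client_renegotiation, boolean()}
-	| {crl_cache, {module(), {internal | any(), list()}}}
+	| {crl_cache, [any()]}
 	| {crl_check, boolean() | peer | best_effort}
-	| {depth, 0..255}
+	| {depth, integer()}
-	| {dh, public_key:der_encoded()}
+	| {dh, binary()}
-	| {dhfile, string()}
+	| {dhfile, file:filename()}
+	%% @todo Update when ssl exports named_curve().
+	| {eccs, [atom()]}
 	| {fail_if_no_peer_cert, boolean()}
-	| {hibernate_after, integer() | undefined}
+	| {hibernate_after, timeout()}
 	| {honor_cipher_order, boolean()}
-	| {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()}}
+	| {honor_ecc_order, boolean()}
-	| {keyfile, string()}
+	| {key, ssl:key()}
+	| {keyfile, file:filename()}
 	| {log_alert, boolean()}
+	| {log_level, logger:level()}
+	| {max_handshake_size, integer()}
 	| {next_protocols_advertised, [binary()]}
 	| {padding_check, boolean()}
-	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
+	| {partial_chain, fun()}
 	| {password, string()}
+	| {protocol, tls | dtls}
 	| {psk_identity, string()}
 	| {reuse_session, fun()}
 	| {reuse_sessions, boolean()}
 	| {secure_renegotiate, boolean()}
-	| {signature_algs, [{atom(), atom()}]}
+	| {signature_algs, [{ssl:hash(), ssl:sign_algo()}]}
+	%% @todo Update when ssl exports sign_scheme().
+	| {signature_algs_cert, [atom()]}
 	| {sni_fun, fun()}
 	| {sni_hosts, [{string(), ssl_opt()}]}
 	| {user_lookup_fun, {fun(), any()}}
-	| {v2_hello_compatible, boolean()}
 	| {verify, verify_none | verify_peer}
 	| {verify_fun, {fun(), any()}}
-	| {versions, [atom()]}.
+	| {versions, [ssl:protocol_version()]}.
 -export_type([ssl_opt/0]).
 
 -type opt() :: ranch_tcp:opt() | ssl_opt().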
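Review bot: Several alternatives in the rewritten `ssl_opt()` are wider than the ones they replace — `{depth, integer()}` instead of `0..255`, `{partial_chain, fun()}` dropping the arity and the `{trusted_ca, _} | unknown_ca` return shape, `{crl_cache, [any()]}` instead of the module/args tuple — so Dialyzer will no longer flag an out-of-range verification depth or a mis-shaped `partial_chain` callback at the ranch boundary, and such values are presumably only rejected by ssl once the listener starts. Since the widening looks deliberate to match what ssl exports in OTP 22, a short comment above the type would keep it from being read as an oversight later, e.g. `%% Mirrors the option types exported by ssl in OTP 22; value validation is left to ssl.` The unchanged `sni_hosts` line still types each host's options as a single `ssl_opt()` rather than a list, which is worth checking against the value ranch forwards to ssl, since the corresponding ssl option takes a list of options per host.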