13
13
compliance with the License. You should have received a copy of the
14
14
Erlang Public License along with this software. If not, it can be
15
15
retrieved online at http://www.erlang.org/.
17
17
Software distributed under the License is distributed on an "AS IS"
18
18
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
19
19
the License for the specific language governing rights and limitations
25
<prepared>Peter Högfeldt</prepared>
26
<responsible>Peter Högfeldt</responsible>
28
<approved>Peter Högfeldt</approved>
30
<date>2003-03-25</date>
34
26
<module>ssl</module>
35
27
<modulesummary>Interface Functions for Secure Socket Layer</modulesummary>
37
<p>This module contains interface functions to the Secure Socket Layer.</p>
29
<p>This module contains interface functions to the Secure Socket
37
<list type="bulleted">
38
<item>ssl requires the crypto an public_key applications.</item>
39
<item>Supported SSL/TLS-versions are SSL-3.0 and TLS-1.0 </item>
40
<item>For security reasons sslv2 is not supported.</item>
41
<item>Ephemeral Diffie-Hellman cipher suites are supported
42
but not Diffie Hellman Certificates cipher suites.</item>
43
<item>Export cipher suites are not supported as the
44
U.S. lifted its export restrictions in early 2000.</item>
45
<item>CRL and policy certificate
46
extensions are not supported yet. </item>
52
<title>COMMON DATA TYPES</title>
53
<p>The following data types are used in the functions below:
56
<p><c>boolean() = true | false</c></p>
58
<p><c>property() = atom()</c></p>
60
<p><c>option() = socketoption() | ssloption() | transportoption()</c></p>
62
<p><c>socketoption() = [{property(), term()}] - defaults to
63
[{mode,list},{packet, 0},{header, 0},{active, true}].
67
see <seealso marker="kernel:inet">inet(3) </seealso> and
68
<seealso marker="kernel:gen_tcp">gen_tcp(3) </seealso>.
71
<p> <c>ssloption() = {verify, verify_type()} |
72
{verify_fun, {fun(), term()}} |
73
{fail_if_no_peer_cert, boolean()}
75
{cert, der_encoded()}| {certfile, path()} |
76
{key, der_encoded()} | {keyfile, path()} | {password, string()} |
77
{cacerts, [der_encoded()]} | {cacertfile, path()} |
78
|{dh, der_encoded()} | {dhfile, path()} | {ciphers, ciphers()} |
79
{ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()}
82
<p><c>transportoption() = {CallbackModule, DataTag, ClosedTag}
83
- defaults to {gen_tcp, tcp, tcp_closed}. Ssl may be
84
run over any reliable transport protocol that has
85
an equivalent API to gen_tcp's.</c></p>
87
<p><c> CallbackModule =
89
</p> <p><c> DataTag =
90
atom() - tag used in socket data message.</c></p>
91
<p><c> ClosedTag = atom() - tag used in
92
socket close message.</c></p>
94
<p><c>verify_type() = verify_none | verify_peer</c></p>
96
<p><c>path() = string() - representing a file path.</c></p>
98
<p><c>der_encoded() = binary() -Asn1 DER encoded entity as an erlang binary.</c></p>
100
<p><c>host() = hostname() | ipaddress()</c></p>
102
<p><c>hostname() = string()</c></p>
105
ip_address() = {N1,N2,N3,N4} % IPv4
106
| {K1,K2,K3,K4,K5,K6,K7,K8} % IPv6 </c></p>
108
<p><c>sslsocket() - opaque to the user. </c></p>
110
<p><c>protocol() = sslv3 | tlsv1 </c></p>
112
<p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
114
<p><c>ciphersuite() =
115
{key_exchange(), cipher(), hash()}</c></p>
117
<p><c>key_exchange() = rsa | dhe_dss | dhe_rsa | dh_anon
120
<p><c>cipher() = rc4_128 | des_cbc | '3des_ede_cbc'
121
| aes_128_cbc | aes_256_cbc </c></p>
123
<p> <c>hash() = md5 | sha
126
<p><c>ssl_imp() = new | old - default is new.</c></p>
131
<title>SSL OPTION DESCRIPTIONS - COMMON for SERVER and CLIENT</title>
133
<p>Options described here are options that are have the same
134
meaning in the client and the server.
139
<tag>{cert, der_encoded()}</tag>
140
<item> The DER encoded users certificate. If this option
141
is supplied it will override the certfile option.</item>
143
<tag>{certfile, path()}</tag>
144
<item>Path to a file containing the user's certificate.</item>
146
<tag>{key, der_encoded()}</tag>
147
<item> The DER encoded users private key. If this option
148
is supplied it will override the keyfile option.</item>
150
<tag>{keyfile, path()}</tag>
151
<item>Path to file containing user's
152
private PEM encoded key. As PEM-files may contain several
153
entries this option defaults to the same file as given by
154
certfile option.</item>
156
<tag>{password, string()}</tag>
157
<item>String containing the user's password.
158
Only used if the private keyfile is password protected.
161
<tag>{cacerts, [der_encoded()]}</tag>
162
<item> The DER encoded trusted certificates. If this option
163
is supplied it will override the cacertfile option.</item>
165
<tag>{cacertfile, path()}</tag>
166
<item>Path to file containing PEM encoded
167
CA certificates (trusted certificates used for verifying a peer
168
certificate). May be omitted if you do not want to verify
171
<tag>{ciphers, ciphers()}</tag>
172
<item>The cipher suites that should be supported. The function
173
<c>cipher_suites/0</c> can be used to find all available
174
ciphers. Additionally some anonymous cipher suites ({dh_anon,
175
rc4_128, md5}, {dh_anon, des_cbc, sha}, {dh_anon,
176
'3des_ede_cbc', sha}, {dh_anon, aes_128_cbc, sha}, {dh_anon,
177
aes_256_cbc, sha}) are supported for testing purposes and will
178
only work if explicitly enabled by this option and they are supported/enabled
182
<tag>{ssl_imp, ssl_imp()}</tag>
183
<item>Specify which ssl implementation you want to use. Defaults to
187
<tag>{secure_renegotiate, boolean()}</tag>
188
<item>Specifies if to reject renegotiation attempt that does
189
not live up to RFC 5746. By default secure_renegotiate is
190
set to false i.e. secure renegotiation will be used if possible
191
but it will fallback to unsecure renegotiation if the peer
192
does not support RFC 5746.
195
<tag>{depth, integer()}</tag>
196
<item>Specifies the maximum
197
verification depth, i.e. how far in a chain of certificates the
198
verification process can proceed before the verification is
199
considered to fail. Peer certificate = 0, CA certificate = 1,
200
higher level CA certificate = 2, etc. The value 2 thus means
201
that a chain can at most contain peer cert, CA cert, next CA
202
cert, and an additional CA cert. The default value is 1.
205
<tag>{verify_fun, {Verifyfun :: fun(), InitialUserState :: term()}}</tag>
207
<p>The verification fun should be defined as:</p>
210
fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
211
{extension, #'Extension'{}}, InitialUserState :: term()) ->
212
{valid, UserState :: term()} | {valid_peer, UserState :: term()} |
213
{fail, Reason :: term()} | {unknown, UserState :: term()}.
216
<p>The verify fun will be called during the X509-path
217
validation when an error or an extension unknown to the ssl
218
application is encountered. Additionally it will be called
219
when a certificate is considered valid by the path validation
220
to allow access to each certificate in the path to the user
221
application. Note that the it will differentiate between the
222
peer certificate and CA certificates by using valid_peer or
223
valid as the second argument to the verify fun. See <seealso
224
marker="public_key:cert_records">the public_key User's
225
Guide</seealso> for definition of #'OTPCertificate'{} and
228
<p>If the verify callback fun returns {fail, Reason}, the
229
verification process is immediately stopped and an alert is
230
sent to the peer and the TLS/SSL handshake is terminated. If
231
the verify callback fun returns {valid, UserState}, the
232
verification process is continued. If the verify callback fun
233
always returns {valid, UserState}, the TLS/SSL handshake will
234
not be terminated with respect to verification failures and
235
the connection will be established. If called with an
236
extension unknown to the user application the return value
237
{unknown, UserState} should be used.</p>
239
<p>The default verify_fun option in verify_peer mode:</p>
242
{fun(_,{bad_cert, _} = Reason, _) ->
244
(_,{extension, _}, UserState) ->
245
{unknown, UserState};
246
(_, valid, UserState) ->
248
(_, valid_peer, UserState) ->
253
<p>The default verify_fun option in verify_none mode:</p>
256
{fun(_,{bad_cert, _}, UserState) ->
258
(_,{extension, _}, UserState) ->
259
{unknown, UserState};
260
(_, valid, UserState) ->
262
(_, valid_peer, UserState) ->
267
<p>Possible path validation errors: </p>
269
<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p>
272
<tag>{hibernate_after, integer()|undefined}</tag>
273
<item>When an integer-value is specified, the <code>ssl_connection</code>
274
will go into hibernation after the specified number of milliseconds
275
of inactivity, thus reducing its memory footprint. When
276
<code>undefined</code> is specified (this is the default), the process
277
will never go into hibernation.
284
<title>SSL OPTION DESCRIPTIONS - CLIENT SIDE</title>
286
<p>Options described here are client specific or has a slightly different
287
meaning in the client than in the server.</p>
290
<tag>{verify, verify_type()}</tag>
291
<item> In verify_none mode the default behavior will be to
292
allow all x509-path validation errors. See also the verify_fun
295
<tag>{reuse_sessions, boolean()}</tag>
296
<item>Specifies if client should try to reuse sessions
304
<title>SSL OPTION DESCRIPTIONS - SERVER SIDE</title>
306
<p>Options described here are server specific or has a slightly different
307
meaning in the server than in the client.</p>
311
<tag>{dh, der_encoded()}</tag>
312
<item>The DER encoded Diffie Hellman parameters. If this option
313
is supplied it will override the dhfile option.
316
<tag>{dhfile, path()}</tag>
317
<item>Path to file containing PEM encoded Diffie Hellman parameters,
318
for the server to use if a cipher suite using Diffie Hellman key exchange
319
is negotiated. If not specified default parameters will be used.
322
<tag>{verify, verify_type()}</tag>
323
<item>Servers only do the x509-path validation in verify_peer
324
mode, as it then will send a certificate request to the client
325
(this message is not sent if the verify option is verify_none)
326
and you may then also want to specify the option
327
fail_if_no_peer_cert.
330
<tag>{fail_if_no_peer_cert, boolean()}</tag>
331
<item>Used together with {verify, verify_peer} by a ssl server.
332
If set to true, the server will fail if the client does not have
333
a certificate to send, i.e. sends a empty certificate, if set to
334
false it will only fail if the client sends a invalid
335
certificate (an empty certificate is considered valid).
338
<tag>{reuse_sessions, boolean()}</tag>
339
<item>Specifies if the server should agree to reuse sessions
340
when the clients request to do so. See also the reuse_session
344
<tag>{reuse_session, fun(SuggestedSessionId,
345
PeerCert, Compression, CipherSuite) -> boolean()}</tag>
346
<item>Enables the ssl server to have a local policy
347
for deciding if a session should be reused or not,
348
only meaning full if <c>reuse_sessions</c> is set to true.
349
SuggestedSessionId is a binary(), PeerCert is a DER encoded
350
certificate, Compression is an enumeration integer
351
and CipherSuite of type ciphersuite().
41
358
<title>General</title>
43
<p>There is a new implementation of ssl available in
44
this module but until it is 100 % complete, so that it can replace
45
the old implementation in all aspects it will be
46
described here <seealso marker="new_ssl"> new ssl API </seealso></p>
48
<p>The reader is advised to also read the <c>ssl(6)</c> manual page
49
describing the SSL application.
52
<p>It is strongly advised to seed the random generator after
53
the ssl application has been started (see <c>seed/1</c>
54
below), and before any connections are established. Although
55
the port program interfacing to the ssl libraries does a
56
"random" seeding of its own in order to make everything work
57
properly, that seeding is by no means random for the world
58
since it has a constant value which is known to everyone
59
reading the source code of the port program.</p>
64
<title>Common data types</title>
65
<p>The following datatypes are used in the functions below:
67
<list type="bulleted">
69
<p><c>options() = [option()]</c></p>
72
<p><c>option() = socketoption() | ssloption()</c></p>
75
<p><c>socketoption() = {mode, list} | {mode, binary} | binary | {packet, packettype()} | {header, integer()} | {nodelay, boolean()} | {active, activetype()} | {backlog, integer()} | {ip, ipaddress()} | {port, integer()}</c></p>
78
<p><c>ssloption() = {verify, code()} | {depth, depth()} | {certfile, path()} | {keyfile, path()} | {password, string()} | {cacertfile, path()} | {ciphers, string()}</c></p>
81
<p><c>packettype()</c> (see inet(3))</p>
84
<p><c>activetype()</c> (see inet(3))</p>
87
<p><c>reason() = atom() | {atom(), string()}</c></p>
90
<p><c>bytes() = [byte()]</c></p>
93
<p><c>string() = [byte()]</c></p>
96
<p><c>byte() = 0 | 1 | 2 | ... | 255</c></p>
99
<p><c>code() = 0 | 1 | 2</c></p>
102
<p><c>depth() = byte()</c></p>
105
<p><c>address() = hostname() | ipstring() | ipaddress()</c></p>
108
<p><c>ipaddress() = ipstring() | iptuple()</c></p>
111
<p><c>hostname() = string()</c></p>
114
<p><c>ipstring() = string()</c></p>
117
<p><c>iptuple() = {byte(), byte(), byte(), byte()}</c></p>
120
<p><c>sslsocket()</c></p>
123
<p><c>protocol() = sslv2 | sslv3 | tlsv1</c></p>
129
<p>The socket option <c>{backlog, integer()}</c> is for
130
<c>listen/2</c> only, and the option <c>{port, integer()}</c>
131
is for <c>connect/3/4</c> only.
133
<p>The following socket options are set by default: <c>{mode, list}</c>, <c>{packet, 0}</c>, <c>{header, 0}</c>, <c>{nodelay, false}</c>, <c>{active, true}</c>, <c>{backlog, 5}</c>,
134
<c>{ip, {0,0,0,0}}</c>, and <c>{port, 0}</c>.
136
<p>Note that the options <c>{mode, binary}</c> and <c>binary</c>
137
are equivalent. Similarly <c>{mode, list}</c> and the absence of
138
option <c>binary</c> are equivalent.
140
<p>The ssl options are for setting specific SSL parameters as follows:
142
<list type="bulleted">
144
<p><c>{verify, code()}</c> Specifies type of verification:
145
0 = do not verify peer; 1 = verify peer, 2 = verify peer,
146
fail if no peer certificate. The default value is 0.
150
<p><c>{depth, depth()}</c> Specifies the maximum
151
verification depth, i.e. how far in a chain of certificates
152
the verification process can proceed before the verification
153
is considered to fail.
155
<p>Peer certificate = 0, CA certificate = 1, higher level CA
156
certificate = 2, etc. The value 2 thus means that a chain
157
can at most contain peer cert, CA cert, next CA cert, and an
160
<p>The default value is 1.
164
<p><c>{certfile, path()}</c> Path to a file containing the
166
chain of PEM encoded certificates.</p>
169
<p><c>{keyfile, path()}</c> Path to file containing user's
170
private PEM encoded key.</p>
173
<p><c>{password, string()}</c> String containing the user's
174
password. Only used if the private keyfile is password protected.</p>
177
<p><c>{cacertfile, path()}</c> Path to file containing PEM encoded
178
CA certificates (trusted certificates used for verifying a peer
182
<p><c>{ciphers, string()}</c> String of ciphers as a colon
183
separated list of ciphers. The function <c>ciphers/0</c> can
184
be used to find all available ciphers.</p>
187
<p>The type <c>sslsocket()</c> is opaque to the user.
189
<p>The owner of a socket is the one that created it by a call to
190
<c>transport_accept/[1,2]</c>, <c>connect/[3,4]</c>,
193
<p>When a socket is in active mode (the default), data from the
360
<p>When a ssl socket is in active mode (the default), data from the
194
361
socket is delivered to the owner of the socket in the form of
197
364
<list type="bulleted">
199
<p><c>{ssl, Socket, Data}</c></p>
202
<p><c>{ssl_closed, Socket}</c></p>
205
<p><c>{ssl_error, Socket, Reason}</c></p>
365
<item>{ssl, Socket, Data}
367
<item>{ssl_closed, Socket}
370
{ssl_error, Socket, Reason}
208
374
<p>A <c>Timeout</c> argument specifies a timeout in milliseconds. The
209
375
default value for a <c>Timeout</c> argument is <c>infinity</c>.
211
<p>Functions listed below may return the value <c>{error, closed}</c>, which only indicates that the SSL socket is
212
considered closed for the operation in question. It is for
213
instance possible to have <c>{error, closed}</c> returned from
214
an call to <c>send/2</c>, and a subsequent call to <c>recv/3</c>
215
returning <c>{ok, Data}</c>.
217
<p>Hence a return value of <c>{error, closed}</c> must not be
218
interpreted as if the socket was completely closed. On the
219
contrary, in order to free all resources occupied by an SSL
220
socket, <c>close/1</c> must be called, or else the process owning
221
the socket has to terminate.
223
<p>For each SSL socket there is an Erlang process representing the
224
socket. When a socket is opened, that process links to the
225
calling client process. Implementations that want to detect
226
abnormal exits from the socket process by receiving <c>{'EXIT', Pid, Reason}</c> messages, should use the function <c>pid/1</c>
227
to retrieve the process identifier from the socket, in order to
228
be able to match exit messages properly.</p>
232
<name>ciphers() -> {ok, string()} | {error, enotstarted}</name>
233
<fsummary>Get supported ciphers.</fsummary>
235
<p>Returns a string consisting of colon separated cipher
236
designations that are supported by the current SSL library
239
<p>The SSL application has to be started to return the string
244
<name>close(Socket) -> ok | {error, Reason}</name>
245
<fsummary>Close a socket returned by <c>transport_accept/[1,2]</c>, <c>connect/3/4</c>, or <c>listen/2</c>.</fsummary>
247
<v>Socket = sslsocket()</v>
250
<p>Closes a socket returned by <c>transport_accept/[1,2]</c>,
251
<c>connect/[3,4]</c>, or <c>listen/2</c></p>
255
<name>connect(Address, Port, Options) -> {ok, Socket} | {error, Reason}</name>
256
<name>connect(Address, Port, Options, Timeout) -> {ok, Socket} | {error, Reason}</name>
257
<fsummary>Connect to <c>Port</c>at <c>Address</c>.</fsummary>
259
<v>Address = address()</v>
260
<v>Port = integer()</v>
261
<v>Options = [connect_option()]</v>
262
<v>connect_option() = {mode, list} | {mode, binary} | binary | {packet, packettype()} | {header, integer()} | {nodelay, boolean()} | {active, activetype()} | {ip, ipaddress()} | {port, integer()} | {verify, code()} | {depth, depth()} | {certfile, path()} | {keyfile, path()} | {password, string()} | {cacertfile, path()} | {ciphers, string()}</v>
263
<v>Timeout = integer()</v>
264
<v>Socket = sslsocket()</v>
267
<p>Connects to <c>Port</c> at <c>Address</c>. If the optional
268
<c>Timeout</c> argument is specified, and a connection could not
269
be established within the given time, <c>{error, timeout}</c> is
270
returned. The default value for <c>Timeout</c> is <c>infinity</c>.
272
<p>The <c>ip</c> and <c>port</c> options are for binding to a
273
particular <em>local</em> address and port, respectively.</p>
277
<name>connection_info(Socket) -> {ok, {Protocol, Cipher}} | {error, Reason}</name>
278
<fsummary>Get current protocol version and cipher.</fsummary>
280
<v>Socket = sslsocket()</v>
281
<v>Protocol = protocol()</v>
282
<v>Cipher = string()</v>
285
<p>Gets the chosen protocol version and cipher for an established
286
connection (accepted och connected). </p>
290
<name>controlling_process(Socket, NewOwner) -> ok | {error, Reason}</name>
291
<fsummary>Assign a new controlling process to the socket.</fsummary>
293
<v>Socket = sslsocket()</v>
294
<v>NewOwner = pid()</v>
297
<p>Assigns a new controlling process to <c>Socket</c>. A controlling
298
process is the owner of a socket, and receives all messages from
303
<name>format_error(ErrorCode) -> string()</name>
381
<name>cipher_suites() -></name>
382
<name>cipher_suites(Type) -> ciphers()</name>
383
<fsummary> Returns a list of supported cipher suites</fsummary>
385
<v>Type = erlang | openssl</v>
388
<desc><p>Returns a list of supported cipher suites.
389
cipher_suites() is equivalent to cipher_suites(erlang).
390
Type openssl is provided for backwards compatibility with
391
old ssl that used openssl.
397
<name>connect(Socket, SslOptions) -> </name>
398
<name>connect(Socket, SslOptions, Timeout) -> {ok, SslSocket}
399
| {error, Reason}</name>
400
<fsummary> Upgrades a gen_tcp, or
401
equivalent, connected socket to a ssl socket. </fsummary>
403
<v>Socket = socket()</v>
404
<v>SslOptions = [ssloption()]</v>
405
<v>Timeout = integer() | infinity</v>
406
<v>SslSocket = sslsocket()</v>
407
<v>Reason = term()</v>
409
<desc> <p>Upgrades a gen_tcp, or equivalent,
410
connected socket to a ssl socket i.e. performs the
411
client-side ssl handshake.</p>
416
<name>connect(Host, Port, Options) -></name>
417
<name>connect(Host, Port, Options, Timeout) ->
418
{ok, SslSocket} | {error, Reason}</name>
419
<fsummary>Opens an ssl connection to Host, Port. </fsummary>
422
<v>Port = integer()</v>
423
<v>Options = [option()]</v>
424
<v>Timeout = integer() | infinity</v>
425
<v>SslSocket = sslsocket()</v>
426
<v>Reason = term()</v>
428
<desc> <p>Opens an ssl connection to Host, Port.</p> </desc>
432
<name>close(SslSocket) -> ok | {error, Reason}</name>
433
<fsummary>Close a ssl connection</fsummary>
435
<v>SslSocket = sslsocket()</v>
436
<v>Reason = term()</v>
438
<desc><p>Close a ssl connection.</p>
443
<name>controlling_process(SslSocket, NewOwner) ->
444
ok | {error, Reason}</name>
446
<fsummary>Assigns a new controlling process to the
447
ssl-socket.</fsummary>
450
<v>SslSocket = sslsocket()</v>
451
<v>NewOwner = pid()</v>
452
<v>Reason = term()</v>
454
<desc><p>Assigns a new controlling process to the ssl-socket. A
455
controlling process is the owner of a ssl-socket, and receives
456
all messages from the socket.</p>
461
<name>connection_info(SslSocket) ->
462
{ok, {ProtocolVersion, CipherSuite}} | {error, Reason} </name>
463
<fsummary>Returns the negotiated protocol version and cipher suite.
466
<v>CipherSuite = ciphersuite()</v>
467
<v>ProtocolVersion = protocol()</v>
469
<desc><p>Returns the negotiated protocol version and cipher suite.</p>
474
<name>format_error(Reason) -> string()</name>
304
475
<fsummary>Return an error string.</fsummary>
306
<v>ErrorCode = term()</v>
309
<p>Returns a diagnostic string describing an error.</p>
313
<name>getopts(Socket, OptionsTags) -> {ok, Options} | {error, Reason}</name>
314
<fsummary>Get options set for socket</fsummary>
316
<v>Socket = sslsocket()</v>
317
<v>OptionTags = [optiontag()]()</v>
320
<p>Returns the options the tags of which are <c>OptionTags</c> for
321
for the socket <c>Socket</c>. </p>
325
<name>listen(Port, Options) -> {ok, ListenSocket} | {error, Reason}</name>
326
<fsummary>Set up a socket to listen on a port on the local host.</fsummary>
328
<v>Port = integer()</v>
329
<v>Options = [listen_option()]</v>
330
<v>listen_option() = {mode, list} | {mode, binary} | binary | {packet, packettype()} | {header, integer()} | {active, activetype()} | {backlog, integer()} | {ip, ipaddress()} | {verify, code()} | {depth, depth()} | {certfile, path()} | {keyfile, path()} | {password, string()} | {cacertfile, path()} | {ciphers, string()}</v>
331
<v>ListenSocket = sslsocket()</v>
334
<p>Sets up a socket to listen on port <c>Port</c> at the local host.
335
If <c>Port</c> is zero, <c>listen/2</c> picks an available port
336
number (use <c>port/1</c> to retrieve it).
338
<p>The listen queue size defaults to 5. If a different value is
339
wanted, the option <c>{backlog, Size}</c> should be added to the
342
<p>An empty <c>Options</c> list is considered an error, and
343
<c>{error, enooptions}</c> is returned.
345
<p>The returned <c>ListenSocket</c> can only be used in calls to
346
<c>transport_accept/[1,2]</c>.</p>
350
<name>peercert(Socket) -> </name>
351
<name>peercert(Socket, Opts) -> {ok, Cert} | {ok, Subject} | {error, Reason}</name>
477
<v>Reason = term()</v>
480
<p>Presents the error returned by an ssl function as a printable string.</p>
485
<name>getopts(Socket) -> </name>
486
<name>getopts(Socket, OptionNames) ->
487
{ok, [socketoption()]} | {error, Reason}</name>
488
<fsummary>Get the value of the specified options.</fsummary>
490
<v>Socket = sslsocket()</v>
491
<v>OptionNames = [property()]</v>
494
<p>Get the value of the specified socket options, if no
495
options are specified all options are returned.
501
<name>listen(Port, Options) ->
502
{ok, ListenSocket} | {error, Reason}</name>
503
<fsummary>Creates a ssl listen socket.</fsummary>
505
<v>Port = integer()</v>
506
<v>Options = options()</v>
507
<v>ListenSocket = sslsocket()</v>
510
<p>Creates a ssl listen socket.</p>
515
<name>peercert(Socket) -> {ok, Cert} | {error, Reason}</name>
352
516
<fsummary>Return the peer certificate.</fsummary>
354
518
<v>Socket = sslsocket()</v>
355
<v>Opts = [pkix | ssl | subject]()</v>
356
<v>Cert = term()()</v>
357
<v>Subject = term()()</v>
519
<v>Cert = binary()</v>
360
<p><c>peercert(Cert)</c> is equivalent to <c>peercert(Cert, [])</c>.
362
<p>The form of the returned certificate depends on the
365
<p>If the options list is empty the certificate is returned as
366
a DER encoded binary.
368
<p>The options <c>pkix</c> and <c>ssl</c> implies that the
369
certificate is returned as a parsed ASN.1 structure in the
370
form of an Erlang term.
372
<p>The <c>ssl</c> option gives a more elaborate return
373
structure, with more explicit information. In particular
374
object identifiers are replaced by atoms.
376
<p>The options <c>pkix</c>, and <c>ssl</c> are mutually
379
<p>The option <c>subject</c> implies that only the subject's
380
distinguished name part of the peer certificate is returned.
381
It can only be used together with the option <c>pkix</c> or
382
the option <c>ssl</c>.</p>
522
<p>The peer certificate is returned as a DER encoded binary.
523
The certificate can be decoded with <c>public_key:pkix_decode_cert/2</c>.
386
<name>peername(Socket) -> {ok, {Address, Port}} | {error, Reason}</name>
528
<name>peername(Socket) -> {ok, {Address, Port}} |
529
{error, Reason}</name>
387
530
<fsummary>Return peer address and port.</fsummary>
389
532
<v>Socket = sslsocket()</v>
511
673
<c>Socket</c>.</p>
515
<name>transport_accept(Socket) -> {ok, NewSocket} | {error, Reason}</name>
516
<name>transport_accept(Socket, Timeout) -> {ok, NewSocket} | {error, Reason}</name>
517
<fsummary>Accept an incoming connection and prepare for <c>ssl_accept</c></fsummary>
678
<name>start() -> </name>
679
<name>start(Type) -> ok | {error, Reason}</name>
680
<fsummary>Starts the Ssl application. </fsummary>
682
<v>Type = permanent | transient | temporary</v>
685
<p>Starts the Ssl application. Default type
687
<seealso marker="kernel:application">application(3)</seealso></p>
691
<name>stop() -> ok </name>
692
<fsummary>Stops the Ssl application.</fsummary>
694
<p>Stops the Ssl application.
695
<seealso marker="kernel:application">application(3)</seealso></p>
700
<name>transport_accept(Socket) -></name>
701
<name>transport_accept(Socket, Timeout) ->
702
{ok, NewSocket} | {error, Reason}</name>
703
<fsummary>Accept an incoming connection and
704
prepare for <c>ssl_accept</c></fsummary>
519
706
<v>Socket = NewSocket = sslsocket()</v>
520
707
<v>Timeout = integer()</v>
521
<v>Reason = atom()</v>
708
<v>Reason = reason()</v>
524
711
<p>Accepts an incoming connection request on a listen socket.
525
<c>ListenSocket</c> must be a socket returned from <c>listen/2</c>.
526
The socket returned should be passed to <c>ssl_accept</c> to
527
complete ssl handshaking and establishing the connection.</p>
712
<c>ListenSocket</c> must be a socket returned from
713
<c>listen/2</c>. The socket returned should be passed to
714
<c>ssl_accept</c> to complete ssl handshaking and
715
establishing the connection.</p>
529
717
<p>The socket returned can only be used with <c>ssl_accept</c>,
530
718
no traffic can be sent or received before that call.</p>
532
<p>The accepted socket inherits the options set for <c>ListenSocket</c>
533
in <c>listen/2</c>.</p>
534
<p>The default value for <c>Timeout</c> is <c>infinity</c>. If
535
<c>Timeout</c> is specified, and no connection is accepted within
536
the given time, <c>{error, timeout}</c> is returned.</p>
720
<p>The accepted socket inherits the options set for
721
<c>ListenSocket</c> in <c>listen/2</c>.</p>
723
value for <c>Timeout</c> is <c>infinity</c>. If
724
<c>Timeout</c> is specified, and no connection is accepted
725
within the given time, <c>{error, timeout}</c> is
540
<name>version() -> {ok, {SSLVsn, CompVsn, LibVsn}}</name>
541
<fsummary>Return the version of SSL.</fsummary>
732
[{SslAppVer, SupportedSslVer, AvailableSslVsn}]</name>
733
<fsummary>Returns version information relevant for the
734
ssl application.</fsummary>
543
<v>SSLVsn = CompVsn = LibVsn = string()()</v>
736
<v>SslAppVer = string()</v>
737
<v>SupportedSslVer = [protocol()]</v>
738
<v>AvailableSslVsn = [protocol()]</v>
546
<p>Returns the SSL application version (<c>SSLVsn</c>), the library
547
version used when compiling the SSL application port program
548
(<c>CompVsn</c>), and the actual library version used when
549
dynamically linking in runtime (<c>LibVsn</c>).
551
<p>If the SSL application has not been started, <c>CompVsn</c> and
552
<c>LibVsn</c> are empty strings.
742
Returns version information relevant for the
559
<title>ERRORS</title>
560
<p>The possible error reasons and the corresponding diagnostic strings
561
returned by <c>format_error/1</c> are either the same as those defined
562
in the <c>inet(3)</c> reference manual, or as follows:
565
<tag><c>closed</c></tag>
567
<p>Connection closed for the operation in question.
570
<tag><c>ebadsocket</c></tag>
572
<p>Connection not found (internal error).
575
<tag><c>ebadstate</c></tag>
577
<p>Connection not in connect state (internal error).
580
<tag><c>ebrokertype</c></tag>
582
<p>Wrong broker type (internal error).
585
<tag><c>ecacertfile</c></tag>
587
<p>Own CA certificate file is invalid.
590
<tag><c>ecertfile</c></tag>
592
<p>Own certificate file is invalid.
595
<tag><c>echaintoolong</c></tag>
597
<p>The chain of certificates provided by peer is too long.
600
<tag><c>ecipher</c></tag>
602
<p>Own list of specified ciphers is invalid.
605
<tag><c>ekeyfile</c></tag>
607
<p>Own private key file is invalid.
610
<tag><c>ekeymismatch</c></tag>
612
<p>Own private key does not match own certificate.
615
<tag><c>enoissuercert</c></tag>
617
<p>Cannot find certificate of issuer of certificate provided
621
<tag><c>enoservercert</c></tag>
623
<p>Attempt to do accept without having set own certificate.
626
<tag><c>enotlistener</c></tag>
628
<p>Attempt to accept on a non-listening socket.
631
<tag><c>enoproxysocket</c></tag>
633
<p>No proxy socket found (internal error).
636
<tag><c>enooptions</c></tag>
638
<p>The list of options is empty.
641
<tag><c>enotstarted</c></tag>
643
<p>The SSL application has not been started.
646
<tag><c>eoptions</c></tag>
648
<p>Invalid list of options.
651
<tag><c>epeercert</c></tag>
653
<p>Certificate provided by peer is in error.
656
<tag><c>epeercertexpired</c></tag>
658
<p>Certificate provided by peer has expired.
661
<tag><c>epeercertinvalid</c></tag>
663
<p>Certificate provided by peer is invalid.
666
<tag><c>eselfsignedcert</c></tag>
668
<p>Certificate provided by peer is self signed.
671
<tag><c>esslaccept</c></tag>
673
<p>Server SSL handshake procedure between client and server failed.
676
<tag><c>esslconnect</c></tag>
678
<p>Client SSL handshake procedure between client and server failed.
681
<tag><c>esslerrssl</c></tag>
683
<p>SSL protocol failure. Typically because of a fatal alert
687
<tag><c>ewantconnect</c></tag>
689
<p>Protocol wants to connect, which is not supported in
690
this version of the SSL application.
693
<tag><c>ex509lookup</c></tag>
695
<p>Protocol wants X.509 lookup, which is not supported in
696
this version of the SSL application.
699
<tag><c>{badcall, Call}</c></tag>
701
<p>Call not recognized for current mode (active or passive) and
705
<tag><c>{badcast, Cast}</c></tag>
707
<p>Call not recognized for current mode (active or passive) and
711
<tag><c>{badinfo, Info}</c></tag>
713
<p>Call not recognized for current mode (active or passive) and
721
749
<title>SEE ALSO</title>
722
<p>gen_tcp(3), inet(3)
750
<p><seealso marker="kernel:inet">inet(3) </seealso> and
751
<seealso marker="kernel:gen_tcp">gen_tcp(3) </seealso>