Support for fail_if_no_peer_cert SSL server option. #34

Closed
Alexei Uskov

The SSL option verify alone does not give full security. A client could send an empty certificate and happily access your inner API.

Alexei Uskov 0x00F6 Update src/ranch_ssl.erl
Support for fail_if_no_peer_cert SSL server option.
1fef5d1
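
The gap described in this pull request, as an added example that is not part of the thread or of ranch: it classifies the client-authentication policy a set of listener options implies and refuses the weak combinations. The module and function names are hypothetical, the option lists are constructed, and the defaults are the ones stated in the patch's doc comment and the ssl documentation.

```erlang
%% Added example (not ranch code): classify the client-authentication
%% policy implied by a listener's SSL options.
-module(client_auth_policy).
-export([policy/1, require_client_cert/1, demo/0]).

%% Assumed defaults: verify is verify_none, fail_if_no_peer_cert is false.
-spec policy([{atom(), term()}]) ->
    no_client_auth | cert_optional | cert_required.
policy(Opts) ->
    Verify = proplists:get_value(verify, Opts, verify_none),
    FailIfNoCert = proplists:get_value(fail_if_no_peer_cert, Opts, false),
    case {Verify, FailIfNoCert} of
        {verify_peer, true}  -> cert_required;
        %% An empty certificate is considered valid: the handshake succeeds.
        {verify_peer, false} -> cert_optional;
        %% fail_if_no_peer_cert is only used together with verify_peer.
        {verify_none, _}     -> no_client_auth
    end.

%% Guard for listeners that must authenticate every client: returns the
%% options unchanged, or an error naming the weak policy.
-spec require_client_cert(Opts) ->
    {ok, Opts} | {error, {weak_client_auth, atom()}}
    when Opts :: [{atom(), term()}].
require_client_cert(Opts) ->
    case policy(Opts) of
        cert_required -> {ok, Opts};
        Weak          -> {error, {weak_client_auth, Weak}}
    end.

%% Constructed option lists; the file names are placeholders.
demo() ->
    Base = [{port, 8443}, {certfile, "server.pem"}, {cacertfile, "ca.pem"}],
    [{Label, policy(Extra ++ Base)} || {Label, Extra} <- [
        {defaults,       []},
        {verify_only,    [{verify, verify_peer}]},
        {fail_flag_only, [{fail_if_no_peer_cert, true}]},
        {both,           [{verify, verify_peer}, {fail_if_no_peer_cert, true}]}
    ]].
```

Calling `client_auth_policy:demo()` shows that only the last combination yields `cert_required`; `verify_only` is the configuration the pull request description warns about.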
Loïc Hoguin
Owner

Options in alphabetical order please.

Alexei Uskov

OK, I'll do.
But, in the first place, is ranch:filter_options really needed in ranch_ssl:listen?
Why not pass all Opts directly to ssl:listen?
All ssl server options are well known and documented: http://www.erlang.org/doc/man/ssl.html.
When passing an unsupported option, the programmer will get a nice and clear exception exit: badarg.
Is there an ssl server option undesirable/unsupported by ranch?

Loïc Hoguin
Owner

Please squash the commits into one and I will merge it.

Alexei Uskov 0x00F6 closed this
Commits on Feb 11, 2013
  1. Alexei Uskov

    Update src/ranch_ssl.erl

    0x00F6 authored
    Support for fail_if_no_peer_cert SSL server option.
Commits on Feb 13, 2013
  1. Alexei Uskov
Showing with 7 additions and 1 deletion.
  1. +7 −1 src/ranch_ssl.erl
8 src/ranch_ssl.erl
@@ -61,6 +61,11 @@ messages() -> {ssl, ssl_closed, ssl_error}.
%% <dt>ciphers</dt><dd>Optional. The cipher suites that should be supported.
%% The function ssl:cipher_suites/0 can be used to find all available
%% ciphers.</dd>
+%% <dt>fail_if_no_peer_cert</dt><dd>Optional. Used together with {verify, verify_peer}.
+%% If set to true, the server will fail if the client does not have a certificate
+%% to send, i.e. sends a empty certificate, if set to false (that is by default)
+%% it will only fail if the client sends an invalid certificate (an empty
+%% certificate is considered valid).</dd>
%% <dt>ip</dt><dd>Interface to listen on. Listen on all interfaces
%% by default.</dd>
%% <dt>keyfile</dt><dd>Optional. Path to the file containing the user's
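Review bot: In the new fail_if_no_peer_cert entry, the text reads "sends a empty certificate" and runs the true and false cases together in one comma-spliced sentence. Use "an empty certificate" and split it into two sentences, one for true and one for false (the default). It would also help to state what happens when verify is not verify_peer, since "Used together with {verify, verify_peer}" leaves that open for the reader.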
@@ -82,6 +87,7 @@ messages() -> {ssl, ssl_closed, ssl_error}.
%% @see ssl:listen/2
-spec listen([{backlog, non_neg_integer()} | {cacertfile, string()}
| {certfile, string()} | {ciphers, [ssl:erl_cipher_suite()] | string()}
+ | {fail_if_no_peer_cert, boolean()}
| {ip, inet:ip_address()} | {keyfile, string()} | {nodelay, boolean()}
| {password, string()} | {port, inet:port_number()}
| {verify, ssl:verify_type()}])
@@ -94,7 +100,7 @@ listen(Opts) ->
%% The port in the options takes precedence over the one in the
%% first argument.
ssl:listen(0, ranch:filter_options(Opts2,
- [backlog, cacertfile, certfile, ciphers, ip,
+ [backlog, cacertfile, certfile, ciphers, fail_if_no_peer_cert, ip,
keyfile, nodelay, password, port, raw, verify],
[binary, {active, false}, {packet, raw},
{reuseaddr, true}, {nodelay, true}])).
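Review bot: Adding fail_if_no_peer_cert to the allow-list in listen/1 forwards it to ssl:listen without any check against verify, so {fail_if_no_peer_cert, true} given without {verify, verify_peer} is accepted silently even though the doc comment says the two are used together. Consider rejecting that combination in listen/1, or at least documenting it there. Note also that the default stays false, so listeners that set only verify still accept an empty client certificate until the caller opts in.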