Support for fail_if_no_peer_cert SSL server option. #34

wants to merge 2 commits into from

2 participants

Alexei Uskov Loïc Hoguin
Alexei Uskov

The SSL option verify alone does not give full security. A client could send an empty certificate and happily access your inner API.
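To show the failure mode the description refers to, here is an added example of two listener configurations for ranch_ssl, one with {verify, verify_peer} alone and one that also sets {fail_if_no_peer_cert, true}, plus a protocol handler that checks for a peer certificate itself. This is illustrative code written for this page, not code from the pull request or from ranch; the certificate paths, the listener name `my_api`, the protocol module and the ranch 0.x API calls `ranch:start_listener/6` and `ranch:accept_ack/1` are assumptions.

```erlang
%% Added example, not part of the ranch pull request.
%% Assumes ranch 0.x era API: ranch:start_listener/6 and ranch:accept_ack/1.
-module(mtls_example).
-behaviour(ranch_protocol).
-export([weak_opts/0, strict_opts/0, start/0]).
-export([start_link/4, init/4]).

%% Weak: verify_peer makes the server request and validate a client
%% certificate, but with fail_if_no_peer_cert left at its default (false)
%% a client that sends no certificate at all is still accepted.
weak_opts() ->
    [{port, 8443},
     {certfile, "/etc/myapp/server.pem"},      %% assumed path
     {keyfile, "/etc/myapp/server.key"},       %% assumed path
     {cacertfile, "/etc/myapp/clients-ca.pem"}, %% assumed path: CA for client certs
     {verify, verify_peer}].

%% Strict: the handshake itself fails if the client presents no certificate.
strict_opts() ->
    weak_opts() ++ [{fail_if_no_peer_cert, true}].

start() ->
    ok = ssl:start(),
    %% 10 acceptors, this module as the protocol handler (assumed names).
    {ok, _Pid} = ranch:start_listener(my_api, 10, ranch_ssl, strict_opts(),
                                      ?MODULE, []),
    ok.

%% ranch_protocol callback.
start_link(Ref, Socket, Transport, Opts) ->
    Pid = spawn_link(?MODULE, init, [Ref, Socket, Transport, Opts]),
    {ok, Pid}.

init(Ref, Socket, Transport, _Opts) ->
    ok = ranch:accept_ack(Ref),
    %% Defence in depth: even with strict_opts/0, refuse to serve a
    %% connection that carries no peer certificate. With weak_opts/0 this
    %% check is the only thing standing between a cert-less client and the API.
    case ssl:peercert(Socket) of
        {ok, _DerCert} ->
            loop(Socket, Transport);
        {error, no_peercert} ->
            Transport:close(Socket)
    end.

loop(Socket, Transport) ->
    case Transport:recv(Socket, 0, 30000) of
        {ok, Data} ->
            ok = Transport:send(Socket, Data),
            loop(Socket, Transport);
        _ ->
            Transport:close(Socket)
    end.
```

The handler-side `ssl:peercert/1` check is a belt-and-braces measure: with `fail_if_no_peer_cert` set to true the handshake already rejects certificate-less clients before the protocol process sees the socket, which is the behaviour this pull request exposes through ranch_ssl.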

Alexei Uskov 0x00F6 Update src/ranch_ssl.erl
Support for fail_if_no_peer_cert SSL server option.
Loïc Hoguin

Options in alphabetical order please.

Alexei Uskov

OK, I'll do that.
But, in the first place, is ranch:filter_options really needed in ranch_ssl:listen?
Why not pass all Opts directly to ssl:listen?
All ssl server options are well known and documented:
When passing an unsupported option, the programmer will get a nice and clear exception: exit: badarg.
Is there an ssl server option that is undesirable/unsupported by ranch?

Loïc Hoguin

Please squash the commits into one and I will merge it.

Alexei Uskov 0x00F6 closed this
Commits on Feb 11, 2013
  1. Alexei Uskov

    Update src/ranch_ssl.erl

    0x00F6 authored
    Support for fail_if_no_peer_cert SSL server option.
Commits on Feb 13, 2013
  1. Alexei Uskov
Showing with 7 additions and 1 deletion.
  1. +7 −1 src/ranch_ssl.erl
8 src/ranch_ssl.erl
@@ -61,6 +61,11 @@ messages() -> {ssl, ssl_closed, ssl_error}.
%% <dt>ciphers</dt><dd>Optional. The cipher suites that should be supported.
%% The function ssl:cipher_suites/0 can be used to find all available
%% ciphers.</dd>
+%% <dt>fail_if_no_peer_cert</dt><dd>Optional. Used together with {verify, verify_peer}.
+%% If set to true, the server will fail if the client does not have a certificate
+%% to send, i.e. sends a empty certificate, if set to false (that is by default)
+%% it will only fail if the client sends an invalid certificate (an empty
+%% certificate is considered valid).</dd>
%% <dt>ip</dt><dd>Interface to listen on. Listen on all interfaces
%% by default.</dd>
%% <dt>keyfile</dt><dd>Optional. Path to the file containing the user's
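Review bot: the new fail_if_no_peer_cert entry has grammar problems and states the default awkwardly: "sends a empty certificate" should read "sends an empty certificate", and "if set to false (that is by default)" should read "if set to false (the default)". It would also help to say plainly that the option has no effect unless verify is set to verify_peer; "Used together with {verify, verify_peer}" only hints at that, and a reader who sets fail_if_no_peer_cert alone will get no protection.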
@@ -82,6 +87,7 @@ messages() -> {ssl, ssl_closed, ssl_error}.
%% @see ssl:listen/2
-spec listen([{backlog, non_neg_integer()} | {cacertfile, string()}
| {certfile, string()} | {ciphers, [ssl:erl_cipher_suite()] | string()}
+ | {fail_if_no_peer_cert, boolean()}
| {ip, inet:ip_address()} | {keyfile, string()} | {nodelay, boolean()}
| {password, string()} | {port, inet:port_number()}
| {verify, ssl:verify_type()}])
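Review bot: the added spec clause is placed correctly between ciphers and ip, in the alphabetical order the maintainer asked for. One pre-existing mismatch worth noting while the spec is being touched: the filter list in listen/1 accepts `raw`, which does not appear in this spec; not something this PR has to fix, but it belongs in the same place if the spec is meant to be the documented option list.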
@@ -94,7 +100,7 @@ listen(Opts) ->
%% The port in the options takes precedence over the one in the
%% first argument.
ssl:listen(0, ranch:filter_options(Opts2,
- [backlog, cacertfile, certfile, ciphers, ip,
+ [backlog, cacertfile, certfile, ciphers, fail_if_no_peer_cert, ip,
keyfile, nodelay, password, port, raw, verify],
[binary, {active, false}, {packet, raw},
{reuseaddr, true}, {nodelay, true}])).
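Review bot: nothing in listen/1 checks that {fail_if_no_peer_cert, true} is paired with {verify, verify_peer}; with verify left at its default the option is silently ineffective and certificate-less clients are still accepted, which is exactly the situation the PR description warns about. Since ranch already filters the option list here, consider either validating that combination (for example returning an error when fail_if_no_peer_cert is true and verify is not verify_peer) or at least documenting the requirement next to the option. The entry itself is in the right alphabetical position in the filter list, and a test exercising a client that presents no certificate would make the change verifiable.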