Support for fail_if_no_peer_cert SSL server option. #34

wants to merge 2 commits into from


The SSL option verify alone does not give full security. A client could send an empty certificate and happily access your inner API.

@0x00F6 0x00F6 Update src/ranch_ssl.erl
Support for fail_if_no_peer_cert SSL server option.

Options in alphabetical order please.


OK, I'll do it.
But, in the first place, is ranch:filter_options really needed in ranch_ssl:listen?
Why not pass all Opts directly to ssl:listen?
All ssl server options are well known and documented:
When passing an unsupported option, the programmer will get a nice and clear exception exit: badarg.
Is there an ssl server option that is undesirable/unsupported by ranch?


Please squash the commits into one and I will merge it.

@0x00F6 0x00F6 closed this
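
The gap raised in the pull request description, as an added example that is not part of the pull request or of Ranch: a small audit of a listener option list that reports when client certificates are not actually enforced. The module name, function names and problem atoms are hypothetical, and the defaults assumed for absent options are `verify_none` and `false`.

```erlang
%% Added example, not Ranch code: audit a listener option list for
%% enforced client-certificate authentication.
-module(mtls_opts_check).
-export([check/1, demo/0]).

%% Assumed defaults when an option is absent: verify_none and false.
-spec check([{atom(), term()}]) -> ok | {error, [atom()]}.
check(Opts) ->
    Verify = proplists:get_value(verify, Opts, verify_none),
    FailIfNone = proplists:get_value(fail_if_no_peer_cert, Opts, false),
    Problems =
        %% Peer certificates are not verified at all.
        [peer_not_verified || Verify =/= verify_peer] ++
        %% The option is only used together with verify_peer.
        [fail_if_no_peer_cert_without_verify_peer
         || Verify =/= verify_peer, FailIfNone =:= true] ++
        %% verify_peer alone: a client sending no certificate is accepted.
        [empty_cert_accepted
         || Verify =:= verify_peer, FailIfNone =/= true],
    case Problems of
        [] -> ok;
        _ -> {error, Problems}
    end.

%% Constructed option lists; the file paths are placeholders.
demo() ->
    Base = [{port, 8443}, {certfile, "server.pem"}, {cacertfile, "ca.pem"}],
    [{verify_only, check([{verify, verify_peer} | Base])},
     {flag_only, check([{fail_if_no_peer_cert, true} | Base])},
     {enforced, check([{verify, verify_peer},
                       {fail_if_no_peer_cert, true} | Base])}].
```

Only the `enforced` list passes; `verify_only` is the configuration the description warns about.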
Commits on Feb 11, 2013
  1. @0x00F6

    Update src/ranch_ssl.erl

    0x00F6 committed
    Support for fail_if_no_peer_cert SSL server option.
Commits on Feb 13, 2013
  1. @0x00F6
Showing with 7 additions and 1 deletion.
  1. +7 −1 src/ranch_ssl.erl
8 src/ranch_ssl.erl
@@ -61,6 +61,11 @@ messages() -> {ssl, ssl_closed, ssl_error}.
%% <dt>ciphers</dt><dd>Optional. The cipher suites that should be supported.
%% The function ssl:cipher_suites/0 can be used to find all available
%% ciphers.</dd>
+%% <dt>fail_if_no_peer_cert</dt><dd>Optional. Used together with {verify, verify_peer}.
+%% If set to true, the server will fail if the client does not have a certificate
+%% to send, i.e. sends a empty certificate, if set to false (that is by default)
+%% it will only fail if the client sends an invalid certificate (an empty
+%% certificate is considered valid).</dd>
%% <dt>ip</dt><dd>Interface to listen on. Listen on all interfaces
%% by default.</dd>
%% <dt>keyfile</dt><dd>Optional. Path to the file containing the user's
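Review bot: The new fail_if_no_peer_cert entry has a grammar slip ("sends a empty certificate" should be "an empty certificate") and packs both settings into one run-on sentence; split it at "if set to false" and state the default on its own, for example "Defaults to false." It would also help to say outright that with {verify, verify_peer} alone a client that presents no certificate is still accepted, since that is the case this option exists to close.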
@@ -82,6 +87,7 @@ messages() -> {ssl, ssl_closed, ssl_error}.
%% @see ssl:listen/2
-spec listen([{backlog, non_neg_integer()} | {cacertfile, string()}
| {certfile, string()} | {ciphers, [ssl:erl_cipher_suite()] | string()}
+ | {fail_if_no_peer_cert, boolean()}
| {ip, inet:ip_address()} | {keyfile, string()} | {nodelay, boolean()}
| {password, string()} | {port, inet:port_number()}
| {verify, ssl:verify_type()}])
@@ -94,7 +100,7 @@ listen(Opts) ->
%% The port in the options takes precedence over the one in the
%% first argument.
ssl:listen(0, ranch:filter_options(Opts2,
- [backlog, cacertfile, certfile, ciphers, ip,
+ [backlog, cacertfile, certfile, ciphers, fail_if_no_peer_cert, ip,
keyfile, nodelay, password, port, raw, verify],
[binary, {active, false}, {packet, raw},
{reuseaddr, true}, {nodelay, true}])).
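Review bot: Adding fail_if_no_peer_cert to the list given to ranch:filter_options forwards it to ssl:listen unconditionally, so {fail_if_no_peer_cert, true} without {verify, verify_peer} is accepted silently even though the documentation added in the first hunk says the option is used together with verify_peer. Consider rejecting that combination in listen/1, or at least documenting that it has no effect. The change set touches only src/ranch_ssl.erl, so a test that connects without a client certificate and expects the handshake to fail would be worth adding.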