ssl(6)
NAME
ssl - The SSL Application
DESCRIPTION
The Secure Socket Layer (SSL) application provides secure socket communication over TCP/IP.
WARNING
In previous versions of Erlang/OTP SSL it was advised, as a workaround, to set the operating system environment variable SSL_CERT_FILE
to point at a file containing CA certificates. That variable is no
longer needed, and is not recognised by Erlang/OTP SSL any more.
However, the OpenSSL package does interpret that environment variable.
Hence a setting of that variable might have unpredictable effects on
the Erlang/OTP SSL application. It is therefore adviced to not used
that environment variable at all.
ENVIRONMENT
The following application environment configuration parameters are
defined for the SSL application. Refer to application(3erl) for more
information about configuration parameters.
Note that the environment parameters can be set on the command line,
for instance,
- erl ... -ssl protocol_version '[sslv2, sslv3]' ....
- ephemeral_rsa = true | false <optional>:
Enables all SSL servers (those that listen and accept) to use ephemeral RSA key generation when a clients connect with weak handshake cipher specifications, that need equally weak ciphers from the server (i.e. obsolete restrictions on export ciphers). Default is false.
- debug = true | false <optional>:
Causes debug information to be written to standard output. Default is false.
- debugdir = path() | false <optional>:
Causes debug information output controlled by debug and msgdebug to be printed to a file named ssl_esock.<pid>.log in the directory specified by debugdir, where <pid> is the operating system specific textual representation of the process indentifier of the external port program of the SSL application. Default is false, i.e. no log file is produced.
- msgdebug = true | false <optional>:
Sets debug = true and causes also the contents of low level messages to be printed to standard output. Default is false.
- port_program = string() | false <optional>:
Name of port program. The default is ssl_esock.
- protocol_version = [sslv2|sslv3|tlsv1] <optional>.:
Name of protocols to use. If this option is not set, all protocols are assumed, i.e. the default value is [sslv2, sslv3, tlsv1].
- proxylsport = integer() | false <optional>:
Define the port number of the listen port of the SSL port program. Almost never is this option needed.
- proxylsbacklog = integer() | false <optional>:
Set the listen queue size of the listen port of the SSL port program. The default is 128.
OPENSSL LIBRARIES
The current implementation of the Erlang SSL application is based on
the OpenSSL package version 0.9.7 or higher. There are source and
binary releases on the web.
Source releases of OpenSSL can be downloaded from the OpenSSL
<http://www.openssl.org> project home page, or mirror sites listed
there.
The same URL also contains links to some compiled binaries and
libraries of OpenSSL (see the Related/Binaries menu) of which the Shining Light Productions Win32 and OpenSSL <http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL> pages are of interest for
the Win32 user.
For some Unix flavours there are binary packages available on the net.
If you cannot find a suitable binary OpenSSL package, you have to fetch
an OpenSSL source release and compile it.
You then have to compile and install the libraries libcrypto.so and
libssl.so (Unix), or the libraries libeay32.dll and ssleay32.dll
(Win32).
For Unix The ssl_esock port program is delivered linked to OpenSSL
libraries in /usr/local/lib, but the default dynamic linking will also
accept libraries in /lib and /usr/lib.
If that is not applicable to the particular Unix operating system used,
the example Makefile in the SSL priv/obj directory, should be used as a
guide to relinking the final version of the port program.
For Win32 it is only required that the libraries can be found from the
PATH environment variable, or that they reside in the appropriate SYSTEM32 directory; hence no particular relinking is need. Hence no example Makefile for Win32 is provided.
RESTRICTIONS
Users must be aware of export restrictions and patent rights concerning
cryptographic software.