Diffstat (limited to 'lib/ssl/src/ssl_config.erl')
-rw-r--r-- | lib/ssl/src/ssl_config.erl | 145 |
1 files changed, 132 insertions, 13 deletions
diff --git a/lib/ssl/src/ssl_config.erl b/lib/ssl/src/ssl_config.erl
index 10f95d5b3c..2832d76d42 100644
--- a/lib/ssl/src/ssl_config.erl
+++ b/lib/ssl/src/ssl_config.erl
@@ -26,8 +26,19 @@
 -include("ssl_connection.hrl").
 -include_lib("public_key/include/public_key.hrl").
--export([init/2]).
+-define(DEFAULT_MAX_SESSION_CACHE, 1000).
+-export([init/2,
+ pre_1_3_session_opts/1,
+ get_max_early_data_size/0,
+ get_ticket_lifetime/0,
+ get_ticket_store_size/0,
+ get_internal_active_n/0
+ ]).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
 init(#{erl_dist := ErlDist,
 key := Key, keyfile := KeyFile,
@@ -44,6 +55,50 @@ init(#{erl_dist := ErlDist,
 DHParams = init_diffie_hellman(PemCache, DH, DHFile, Role),
 {ok, Config#{private_key => PrivateKey, dh_params => DHParams}}.
+pre_1_3_session_opts(Role) ->
+ {Cb, InitArgs} = session_cb_opts(Role),
+ CbOpts = #{session_cb => Cb,
+ session_cb_init_args => InitArgs},
+ LifeTime = session_lifetime(Role),
+ Max = max_session_cache_size(Role),
+ CbOpts#{lifetime => LifeTime, max => Max}.
+
+get_ticket_lifetime() ->
+ case application:get_env(ssl, server_session_ticket_lifetime) of
+ {ok, Seconds} when is_integer(Seconds) andalso
+ Seconds =< 604800 -> %% MUST be less than 7 days
+ Seconds;
+ _ ->
+ 7200 %% Default 2 hours
+ end.
+
+get_ticket_store_size() ->
+ case application:get_env(ssl, server_session_ticket_store_size) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ 1000
+ end.
+
+get_max_early_data_size() ->
+ case application:get_env(ssl, server_session_ticket_max_early_data) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ ?DEFAULT_MAX_EARLY_DATA_SIZE
+ end.
+
+get_internal_active_n() ->
+ case application:get_env(ssl, internal_active_n) of
+ {ok, N} when is_integer(N) ->
+ N;
+ _ ->
+ ?INTERNAL_ACTIVE_N
+ end.
+
+%%====================================================================
+%% Internal functions
+%%====================================================================
 init_manager_name(false) ->
 put(ssl_manager, ssl_manager:name(normal)),
 put(ssl_pem_cache, ssl_pem_cache:name(normal));
@@ -54,7 +109,7 @@ init_manager_name(true) ->
 init_certificates(#{cacerts := CaCerts,
 cacertfile := CACertFile,
 certfile := CertFile,
- cert := Cert,
+ cert := OwnCerts,
 crl_cache := CRLCache
 }, Role) ->
 {ok, Config} =
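Review bot: `get_ticket_lifetime/0` bounds the configured value only from above — `{ok, Seconds} when is_integer(Seconds) andalso Seconds =< 604800` also accepts zero and negative integers (the wire field is a uint32, so a negative value cannot be encoded), and the comment `%% MUST be less than 7 days` contradicts the `=<`, which admits exactly 604800, the RFC 8446 section 4.6.1 maximum. Suggest `{ok, Seconds} when is_integer(Seconds), Seconds > 0, Seconds =< 604800 ->` with the comment `%% RFC 8446 4.6.1: MUST NOT exceed 604800 s (7 days)`. `get_ticket_store_size/0`, `get_max_early_data_size/0` and `get_internal_active_n/0` in the same hunk have the same gap, accepting any integer including non-positive ones, and `get_ticket_store_size/0` hard-codes `1000` where the export hunk introduces a named default for the session cache. In all four functions the `_ ->` branch substitutes the default silently, so an out-of-range or mistyped setting is ignored without trace; emitting a warning on that branch would make the rejected value visible to the operator.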
@@ -70,31 +125,31 @@ init_certificates(#{cacerts := CaCerts,
 _:Reason ->
 file_error(CACertFile, {cacertfile, Reason})
 end,
- init_certificates(Cert, Config, CertFile, Role).
+ init_certificates(OwnCerts, Config, CertFile, Role).
 init_certificates(undefined, Config, <<>>, _) ->
- {ok, Config#{own_certificate => undefined}};
+ {ok, Config#{own_certificates => undefined}};
 init_certificates(undefined, #{pem_cache := PemCache} = Config, CertFile, client) ->
 try
- %% Ignoring potential proxy-certificates see:
- %% http://dev.globus.org/wiki/Security/ProxyFileFormat
- [OwnCert|_] = ssl_certificate:file_to_certificats(CertFile, PemCache),
- {ok, Config#{own_certificate => OwnCert}}
+ %% OwnCert | [OwnCert | Chain]
+ OwnCerts = ssl_certificate:file_to_certificats(CertFile, PemCache),
+ {ok, Config#{own_certificates => OwnCerts}}
 catch
 _Error:_Reason ->
- {ok, Config#{own_certificate => undefined}}
+ {ok, Config#{own_certificates => undefined}}
 end;
 init_certificates(undefined, #{pem_cache := PemCache} = Config, CertFile, server) ->
 try
- [OwnCert|_] = ssl_certificate:file_to_certificats(CertFile, PemCache),
- {ok, Config#{own_certificate => OwnCert}}
+ %% OwnCert | [OwnCert | Chain]
+ OwnCerts = ssl_certificate:file_to_certificats(CertFile, PemCache),
+ {ok, Config#{own_certificates => OwnCerts}}
 catch
 _:Reason ->
 file_error(CertFile, {certfile, Reason})
 end;
-init_certificates(Cert, Config, _, _) ->
- {ok, Config#{own_certificate => Cert}}.
+init_certificates(OwnCerts, Config, _, _) ->
+ {ok, Config#{own_certificates => OwnCerts}}.
 init_private_key(_, #{algorithm := Alg} = Key, _, _Password, _Client) when
 Alg == ecdsa; Alg == rsa; Alg == dss ->
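Review bot: The new comment `%% OwnCert | [OwnCert | Chain]` in both `init_certificates` clauses reads as if `OwnCerts` may be a bare certificate, but the removed code matched the same call with `[OwnCert|_]`, so `ssl_certificate:file_to_certificats/2` presumably always returns a list; `%% [OwnCert] | [OwnCert | Chain] - entity certificate first, in CertFile order` would describe the stored value accurately. The removed proxy-certificate comment explained why only the head of the list used to be kept; now that the whole file content is stored under `own_certificates` and nothing here checks its order, a sentence stating that consumers rely on the entity certificate being the first element (if that is the contract) would help the next reader. The client clause's `_Error:_Reason` fallback to `undefined` and the server clause's `file_error/2` are unchanged by this commit, so the asymmetry is pre-existing and only noted here.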
@@ -176,3 +231,67 @@ init_diffie_hellman(DbHandle,_, DHParamFile, server) ->
 _:Reason ->
 file_error(DHParamFile, {dhfile, Reason})
 end.
+
+
+session_cb_init_args(client) ->
+ case application:get_env(ssl, client_session_cb_init_args) of
+ undefined ->
+ case application:get_env(ssl, session_cb_init_args) of
+ {ok, Args} when is_list(Args) ->
+ Args;
+ _ ->
+ []
+ end;
+ {ok, Args} ->
+ Args
+ end;
+session_cb_init_args(server) ->
+ case application:get_env(ssl, server_session_cb_init_args) of
+ undefined ->
+ case application:get_env(ssl, session_cb_init_args) of
+ {ok, Args} when is_list(Args) ->
+ Args;
+ _ ->
+ []
+ end;
+ {ok, Args} ->
+ Args
+ end.
+
+session_lifetime(_Role) ->
+ case application:get_env(ssl, session_lifetime) of
+ {ok, Time} when is_integer(Time) ->
+ Time;
+ _ ->
+ ?'24H_in_sec'
+ end.
+
+max_session_cache_size(client) ->
+ case application:get_env(ssl, session_cache_client_max) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ ?DEFAULT_MAX_SESSION_CACHE
+ end;
+max_session_cache_size(server) ->
+ case application:get_env(ssl, session_cache_server_max) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ ?DEFAULT_MAX_SESSION_CACHE
+ end.
+
+session_cb_opts(client = Role)->
+ case application:get_env(ssl, session_cb, ssl_client_session_cache_db) of
+ ssl_client_session_cache_db = ClientCb ->
+ {ClientCb, []};
+ ClientCb ->
+ {ClientCb, session_cb_init_args(Role)}
+ end;
+session_cb_opts(server = Role) ->
+ case application:get_env(ssl, session_cb, ssl_server_session_cache_db) of
+ ssl_server_session_cache_db = ServerCb ->
+ {ServerCb, []};
+ ServerCb ->
+ {ServerCb, session_cb_init_args(Role)}
+ end. |
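Review bot: In `session_cb_init_args/1` the role-specific branch `{ok, Args} -> Args` accepts any term, while the generic `session_cb_init_args` fallback in the nested `case` requires `is_list(Args)`; the two should agree, e.g. `{ok, Args} when is_list(Args) -> Args`, since the value is presumably handed to the user-supplied `session_cb` module as its init arguments. The client and server clauses differ only in the env key, so a single body with the key as argument — `session_cb_init_args(client) -> init_args(client_session_cb_init_args); session_cb_init_args(server) -> init_args(server_session_cb_init_args);` — would remove the duplication, and the same applies to `max_session_cache_size/1` with `session_cache_client_max` / `session_cache_server_max`. `max_session_cache_size/1` also accepts non-positive integers; if the cache implementation does not treat those as a deliberate setting, the guard should reject them rather than pass them on. Minor: `session_cb_opts(client = Role)->` is missing the space before `->` that the server clause has.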