Diffstat (limited to 'lib/ssl/src/ssl_config.erl')
-rw-r--r--lib/ssl/src/ssl_config.erl145
1 files changed, 132 insertions, 13 deletions
diff --git a/lib/ssl/src/ssl_config.erl b/lib/ssl/src/ssl_config.erl
index 10f95d5b3c..2832d76d42 100644
--- a/lib/ssl/src/ssl_config.erl
+++ b/lib/ssl/src/ssl_config.erl
@@ -26,8 +26,19 @@
-include("ssl_connection.hrl").
-include_lib("public_key/include/public_key.hrl").
--export([init/2]).
+-define(DEFAULT_MAX_SESSION_CACHE, 1000).
+-export([init/2,
+ pre_1_3_session_opts/1,
+ get_max_early_data_size/0,
+ get_ticket_lifetime/0,
+ get_ticket_store_size/0,
+ get_internal_active_n/0
+ ]).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
init(#{erl_dist := ErlDist,
key := Key,
keyfile := KeyFile,
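Review bot: The five functions added to the export list (pre_1_3_session_opts/1, get_max_early_data_size/0, get_ticket_lifetime/0, get_ticket_store_size/0, get_internal_active_n/0) carry no `-spec`, so Dialyzer cannot check that callers handle only the integer or map they return; `-spec get_ticket_lifetime() -> integer().` and a map type for pre_1_3_session_opts/1 would close that gap. The new `-define(DEFAULT_MAX_SESSION_CACHE, 1000)` sits between the includes and the export, whereas the module's other defaults (`?DEFAULT_MAX_EARLY_DATA_SIZE`, `?INTERNAL_ACTIVE_N`, `?'24H_in_sec'`) come from headers; placing it after the exports keeps the usual attribute order of module attribute, exports, then macros. init/2 starts at the end of this hunk and continues outside it.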
@@ -44,6 +55,50 @@ init(#{erl_dist := ErlDist,
DHParams = init_diffie_hellman(PemCache, DH, DHFile, Role),
{ok, Config#{private_key => PrivateKey, dh_params => DHParams}}.
+pre_1_3_session_opts(Role) ->
+ {Cb, InitArgs} = session_cb_opts(Role),
+ CbOpts = #{session_cb => Cb,
+ session_cb_init_args => InitArgs},
+ LifeTime = session_lifetime(Role),
+ Max = max_session_cache_size(Role),
+ CbOpts#{lifetime => LifeTime, max => Max}.
+
+get_ticket_lifetime() ->
+ case application:get_env(ssl, server_session_ticket_lifetime) of
+ {ok, Seconds} when is_integer(Seconds) andalso
+ Seconds =< 604800 -> %% MUST be less than 7 days
+ Seconds;
+ _ ->
+ 7200 %% Default 2 hours
+ end.
+
+get_ticket_store_size() ->
+ case application:get_env(ssl, server_session_ticket_store_size) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ 1000
+ end.
+
+get_max_early_data_size() ->
+ case application:get_env(ssl, server_session_ticket_max_early_data) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ ?DEFAULT_MAX_EARLY_DATA_SIZE
+ end.
+
+get_internal_active_n() ->
+ case application:get_env(ssl, internal_active_n) of
+ {ok, N} when is_integer(N) ->
+ N;
+ _ ->
+ ?INTERNAL_ACTIVE_N
+ end.
+
+%%====================================================================
+%% Internal functions
+%%====================================================================
init_manager_name(false) ->
put(ssl_manager, ssl_manager:name(normal)),
put(ssl_pem_cache, ssl_pem_cache:name(normal));
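Review bot: get_ticket_lifetime/0 bounds Seconds only from above, so a zero or negative server_session_ticket_lifetime passes the guard; RFC 8446 section 4.6.1 gives 0 the meaning "discard the ticket immediately" and a negative value no meaning at all, so the guard should read `{ok, Seconds} when is_integer(Seconds), Seconds > 0, Seconds =< 604800 ->` with the comment corrected to `%% RFC 8446 4.6.1: MUST NOT exceed 7 days (604800 s)`, since `=<` is the right operator and "less than" is not. The same missing lower bound applies to get_ticket_store_size/0, get_max_early_data_size/0 and get_internal_active_n/0, which accept any integer including negative ones; `Size >= 0` for the early-data limit (a uint32 on the wire) and `> 0` for the other two would match their meaning. A value outside the accepted range silently becomes the default, so an operator who sets an 8-day lifetime runs with 2 hours and no indication; a `?LOG_WARNING` in the fallback clause, or a crash at startup, would make that visible. init_manager_name/1 at the end of the hunk continues outside it.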
@@ -54,7 +109,7 @@ init_manager_name(true) ->
init_certificates(#{cacerts := CaCerts,
cacertfile := CACertFile,
certfile := CertFile,
- cert := Cert,
+ cert := OwnCerts,
crl_cache := CRLCache
}, Role) ->
{ok, Config} =
@@ -70,31 +125,31 @@ init_certificates(#{cacerts := CaCerts,
_:Reason ->
file_error(CACertFile, {cacertfile, Reason})
end,
- init_certificates(Cert, Config, CertFile, Role).
+ init_certificates(OwnCerts, Config, CertFile, Role).
init_certificates(undefined, Config, <<>>, _) ->
- {ok, Config#{own_certificate => undefined}};
+ {ok, Config#{own_certificates => undefined}};
init_certificates(undefined, #{pem_cache := PemCache} = Config, CertFile, client) ->
try
- %% Ignoring potential proxy-certificates see:
- %% http://dev.globus.org/wiki/Security/ProxyFileFormat
- [OwnCert|_] = ssl_certificate:file_to_certificats(CertFile, PemCache),
- {ok, Config#{own_certificate => OwnCert}}
+ %% OwnCert | [OwnCert | Chain]
+ OwnCerts = ssl_certificate:file_to_certificats(CertFile, PemCache),
+ {ok, Config#{own_certificates => OwnCerts}}
catch _Error:_Reason ->
- {ok, Config#{own_certificate => undefined}}
+ {ok, Config#{own_certificates => undefined}}
end;
init_certificates(undefined, #{pem_cache := PemCache} = Config, CertFile, server) ->
try
- [OwnCert|_] = ssl_certificate:file_to_certificats(CertFile, PemCache),
- {ok, Config#{own_certificate => OwnCert}}
+ %% OwnCert | [OwnCert | Chain]
+ OwnCerts = ssl_certificate:file_to_certificats(CertFile, PemCache),
+ {ok, Config#{own_certificates => OwnCerts}}
catch
_:Reason ->
file_error(CertFile, {certfile, Reason})
end;
-init_certificates(Cert, Config, _, _) ->
- {ok, Config#{own_certificate => Cert}}.
+init_certificates(OwnCerts, Config, _, _) ->
+ {ok, Config#{own_certificates => OwnCerts}}.
init_private_key(_, #{algorithm := Alg} = Key, _, _Password, _Client) when Alg == ecdsa;
Alg == rsa;
Alg == dss ->
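Review bot: The server clause of init_certificates/4 no longer rejects a certfile that yields no certificate: the old `[OwnCert|_] = ...` raised badmatch on `[]` and reached file_error/2, whereas the new `OwnCerts = ssl_certificate:file_to_certificats(CertFile, PemCache)` stores `own_certificates => []` and lets configuration proceed without an own certificate. A match such as `[_|_] = OwnCerts = ssl_certificate:file_to_certificats(CertFile, PemCache),` keeps the fail-fast behaviour for the server; in the client clause the catch-all already maps any failure to `undefined`, so there the difference is `[]` versus `undefined`, which downstream code presumably treats alike (not visible here). The comment `%% OwnCert | [OwnCert | Chain]` reads as if a bare certificate can be bound, while both the old match and the new binding show a list; `%% [OwnCert] | [OwnCert | Chain]` says what is actually stored. The final clause passes whatever the cert option holds straight through, so whether a single DER binary is normalised to a list before this point cannot be judged from this hunk.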
@@ -176,3 +231,67 @@ init_diffie_hellman(DbHandle,_, DHParamFile, server) ->
_:Reason ->
file_error(DHParamFile, {dhfile, Reason})
end.
+
+
+session_cb_init_args(client) ->
+ case application:get_env(ssl, client_session_cb_init_args) of
+ undefined ->
+ case application:get_env(ssl, session_cb_init_args) of
+ {ok, Args} when is_list(Args) ->
+ Args;
+ _ ->
+ []
+ end;
+ {ok, Args} ->
+ Args
+ end;
+session_cb_init_args(server) ->
+ case application:get_env(ssl, server_session_cb_init_args) of
+ undefined ->
+ case application:get_env(ssl, session_cb_init_args) of
+ {ok, Args} when is_list(Args) ->
+ Args;
+ _ ->
+ []
+ end;
+ {ok, Args} ->
+ Args
+ end.
+
+session_lifetime(_Role) ->
+ case application:get_env(ssl, session_lifetime) of
+ {ok, Time} when is_integer(Time) ->
+ Time;
+ _ ->
+ ?'24H_in_sec'
+ end.
+
+max_session_cache_size(client) ->
+ case application:get_env(ssl, session_cache_client_max) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ ?DEFAULT_MAX_SESSION_CACHE
+ end;
+max_session_cache_size(server) ->
+ case application:get_env(ssl, session_cache_server_max) of
+ {ok, Size} when is_integer(Size) ->
+ Size;
+ _ ->
+ ?DEFAULT_MAX_SESSION_CACHE
+ end.
+
+session_cb_opts(client = Role)->
+ case application:get_env(ssl, session_cb, ssl_client_session_cache_db) of
+ ssl_client_session_cache_db = ClientCb ->
+ {ClientCb, []};
+ ClientCb ->
+ {ClientCb, session_cb_init_args(Role)}
+ end;
+session_cb_opts(server = Role) ->
+ case application:get_env(ssl, session_cb, ssl_server_session_cache_db) of
+ ssl_server_session_cache_db = ServerCb ->
+ {ServerCb, []};
+ ServerCb ->
+ {ServerCb, session_cb_init_args(Role)}
+ end.
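Review bot: session_cb_init_args/1 checks `is_list(Args)` only on the generic session_cb_init_args key; the role-specific client_session_cb_init_args and server_session_cb_init_args branches (`{ok, Args} -> Args`) return whatever term is configured, so a malformed role key is handed straight to the configured session_cb module while the same value under the generic key is discarded. Both clauses are otherwise identical and max_session_cache_size/1 repeats the pattern; a small helper that walks the candidate keys and takes the first list-valued one applies the guard uniformly and removes the nested case, as below (a non-list role value then falls through to the generic key and `[]`, matching how the generic branch already treats it). session_lifetime/1 and max_session_cache_size/1 accept any integer, including 0 and negative values, for a duration and a cache bound; `Time > 0` and `Size >= 0` guards would reject those before they reach the session cache. session_cb_opts/1 reads a single session_cb key for both roles, so a callback module configured with the server in mind is also used by the client; if that is intended it deserves a comment on the function.
```erlang
session_cb_init_args(client) ->
    first_list_env([client_session_cb_init_args, session_cb_init_args]);
session_cb_init_args(server) ->
    first_list_env([server_session_cb_init_args, session_cb_init_args]).

%% Value of the first Key in Keys that is set to a list; [] when none is.
first_list_env([]) ->
    [];
first_list_env([Key | Rest]) ->
    case application:get_env(ssl, Key) of
        {ok, Args} when is_list(Args) ->
            Args;
        _ ->
            first_list_env(Rest)
    end.

%% … unchanged: session_lifetime/1, max_session_cache_size/1, session_cb_opts/1 …
```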