Did you know ... | Search Documentation: |
Predicate ssl_context/3 |
client
. Otherwise,
certificate verification may fail when negotiating a
secure connection.key_file(+FileName)
option. A server must have at
least one certificate before clients can connect. A client
must have a certificate only if the server demands the client
to identify itself with a client certificate using the
peer_cert(true)
option. If a certificate is provided, it is
necessary to also provide a matching private key via the
key_file/1 option. To configure multiple certificates, use the
option certificate_key_pairs/1 instead. Alternatively, use
ssl_add_certificate_key/4 to add certificates and keys to an
existing context.password(+Text)
or
pem_password_hook(:Goal)
option.call(Goal, +SSL, -Password)
and typically unifies
Password with a string containing the password.require_crl(true)
and
provide neither of these options, verification will necessarily
failrequire_crl(true)
if you want CRLs to actually be checked by OpenSSL.system(root_certificates)
uses a list of
trusted root certificates as provided by the OS. See
system_root_certificates/1 for details.file(Filename)
: A file containing one or more PEM-encoded
certificatescertificate(Blob)
: A certificate blobsystem(root_certificates)
: A special term which refers to
the certificates trusted by the host OS.Additional verification of the peer certificate as well as accepting certificates that are not trusted by the given set can be realised using the hook cert_verify_hook(:Goal).
call(Goal, +SSL, +ProblemCertificate, +AllCertificates, +FirstCertificate, +Error)
In case the certificate was verified by one of the provided
certifications from the cacert_file
option, Error is unified
with the atom verified
. Otherwise it contains the error
string passed from OpenSSL. Access will be granted iff the
predicate succeeds. See load_certificate/2 for a description
of the certificate terms. See cert_accept_any/5 for a dummy
implementation that accepts any certificate.
prime256v1
is used by default.true
, close the raw streams if the SSL streams are closed.
Default is false
.true
(default is false
), the server sends TLS
close_notify
when closing the connection. In addition,
this mitigates truncation attacks for both client and
server role: If EOF is encountered without having received a
TLS shutdown, an exception is raised. Well-designed
protocols are self-terminating, and this attack is therefore
very rarely a concern.sslv3
, tlsv1
, tlsv1_1
, tlsv1_2
and
tlsv1_3
. This option is available with OpenSSL 1.1.0 and
later, and should be used instead of disable_ssl_methods/1.sslv3
, tlsv1
, tlsv1_1
, tlsv1_2
and
tlsv1_3
. This option is available with OpenSSL 1.1.0 and
later, and should be used instead of disable_ssl_methods/1.sslv2
, sslv3
, sslv23
,
tlsv1
, tlsv1_1
and tlsv1_2
. This option is deprecated
starting with OpenSSL 1.1.0. Use min_protocol_version/1 and
max_protocol_version/1 instead.disable_ssl_methods
above.
Using this option is discouraged. When using OpenSSL 1.1.0
or later, this option is ignored, and a version-flexible method
is used to negotiate the connection. Using version-specific
methods is deprecated in recent OpenSSL versions, and this
option will become obsolete and ignored in the future.call(Goal, +SSL0, +HostName, -SSL)
Given the current context SSL0, and the host name of the client request, the predicate computes SSL which is used as the context for negotiating the connection. The first solution is used. If the predicate fails, the default options are used, which are those of the encompassing ssl_context/3 call. In that case, if no default certificate and key are specified, the client connection is rejected.
===
call(Goal, +SSLCtx0, +ListOfClientProtocols, -SSLCtx1, -SelectedProtocol)
===
If this option is unset and the alpn_protocols/1 option is set, then the first common protocol between client & server will be selected.
Role | - is one of server or client and denotes whether the
SSL instance will have a server or client role in the
established connection. |
SSL | - is a SWI-Prolog blob of type ssl_context , i.e., the
type-test for an SSL context is blob(SSL, ssl_context) . |