| field | value | date |
|---|---|---|
| author | Jon Carstens <jjcarstens@me.com> | 2022-08-17 16:13:11 -0600 |
| committer | Jon Carstens <jjcarstens@me.com> | 2022-09-23 06:03:54 -0600 |
| commit | 909d3a99fbaafbed71dc8f59da24b324631b2ae1 (patch) | |
| tree | fe0be5f448f0b018896967bd92149189c5c0c6f7 /lib/ssl/doc/src/ssl.xml | |
| parent | ef1ea1a6eb01c7ed67db847ad576bc885970fb80 (diff) | |
| download | erlang-909d3a99fbaafbed71dc8f59da24b324631b2ae1.tar.gz | |
Allow disabling `certificate_authorities` extension on server with `verify_peer`
Fixes #6106
Based on the discussion from the issue (and #6204), it was decided that adding the
ability to disable the `certificate_authorities` extension on the server would be
the fitting resolution for situations where you do not want that extension forced
in TLS 1.3.
This adds that ability to specify as a server option and defaults to `true` to keep
with existing expected functionality.
Diffstat (limited to 'lib/ssl/doc/src/ssl.xml')
-rw-r--r-- | lib/ssl/doc/src/ssl.xml | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 024fd4c1be..dc946d6564 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -1033,7 +1033,7 @@ fun(srp, Username :: binary(), UserState :: term()) -> </datatype> <datatype> - <name name="certificate_authorities"/> + <name name="client_certificate_authorities"/> <desc> <p>If set to true, sends the certificate authorities extension in TLS-1.3 client hello. The default is false. Note that setting it to true may result in a big overhead if you @@ -1248,6 +1248,15 @@ fun(srp, Username :: binary(), UserState :: term()) -> is supplied it overrides option <c>cacertfile</c>.</p> </desc> </datatype> + + <datatype> + <name since="OTP 25.2" name="server_certificate_authorities"/> + <desc> + <p>When used with <c>{verify, verify_peer}</c> on the server with TLS-1.3, the certificate + authorities extension will be included or excluded from the certificate request. The Default + is true.</p> + </desc> + </datatype> <datatype> <name name="server_cafile"/> @@ -1287,8 +1296,9 @@ fun(srp, Username :: binary(), UserState :: term()) -> A server only does x509-certificate path validation in mode <c>verify_peer</c>. By default the server is in <c>verify_none</c> mode an hence will not send an certificate request to the client. - When using <c>verify_peer</c> you may also want to specify the option - <seetype marker="#fail_if_no_peer_cert">fail_if_no_peer_cert</seetype>.</p> + When using <c>verify_peer</c> you may also want to specify the options + <seetype marker="#fail_if_no_peer_cert">fail_if_no_peer_cert</seetype> and + <seetype marker="#server_certificate_authorities">certificate_authorities</seetype>.</p> </desc> </datatype> |
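Review bot: the first hunk (@@ -1033) renames the documentation anchor `certificate_authorities` to `client_certificate_authorities` without a `since` attribute and without any mention in the commit message, which only describes a new server option; any existing `<seetype marker="#certificate_authorities">` elsewhere in the ssl docs would now dangle, so grep the doc tree for the old marker and update those references, and state the rename (done to disambiguate from the new `server_certificate_authorities` entry) in the commit message.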
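Review bot: the new `server_certificate_authorities` entry in the second hunk (@@ -1248) says the extension "will be included or excluded" but never says which boolean value does which; make it explicit, e.g. "If set to true (the default), the server includes the certificate authorities extension in the TLS-1.3 certificate request; if set to false, it is omitted." Also "The Default is true" should read "The default is true", and since the context in the last hunk states that a server in `verify_none` mode sends no certificate request at all, a sentence noting that the option only has an effect together with `{verify, verify_peer}` would save readers a question.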
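Review bot: in the third hunk (@@ -1287) the added cross-reference has link text `certificate_authorities` but points at `#server_certificate_authorities`; the visible text should match the anchor it resolves to so the reader lands where the label says. While this paragraph is being edited, the unchanged context lines carry two pre-existing typos ("an hence" should be "and hence", "an certificate request" should be "a certificate request") that could be fixed in the same hunk.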