Provided by: erlang-manpages_18.3-dfsg-1ubuntu3.1_all

NAME

       ssl - The ssl application provides secure communication over
         sockets.

DESCRIPTION

       The ssl application is an implementation of the SSL/TLS protocol in Erlang.

         * Supported SSL/TLS-versions are SSL-3.0, TLS-1.0, TLS-1.1, and TLS-1.2.

         * For security reasons SSL-2.0 is not supported.

         * For security reasons SSL-3.0 is no longer supported by default, but can be configured.

         * Ephemeral   Diffie-Hellman  cipher  suites  are  supported,  but  not  Diffie  Hellman
           Certificates cipher suites.

         * Elliptic Curve cipher suites are supported if the Crypto application supports  it  and
           named curves are used.

         * Export  cipher  suites are not supported as the U.S. lifted its export restrictions in
           early 2000.

         * IDEA cipher suites are not supported as they have become deprecated by the latest  TLS
           specification, so there is no motivation to implement them.

         * CRL validation is supported.

         * Policy certificate extensions are not supported.

         * 'Server Name Indication' extension client side (RFC 6066, Section 3) is supported.

DEPENDENCIES

       The SSL application uses the public_key and Crypto applications to handle public keys and
       encryption, hence these applications must be loaded for the SSL application to work. In an
       embedded  environment  this means they must be started with application:start/[1,2] before
       the SSL application is started.

CONFIGURATION

       The application environment configuration parameters in this section are defined  for  the
       SSL   application.   For   more   information  about  configuration  parameters,  see  the
       application(3erl) manual page in Kernel.

       The environment parameters can be set on the command line, for example:

       erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"

         protocol_version = ssl:protocol() <optional>:
           Protocol supported by started clients and servers. If  this  option  is  not  set,  it
           defaults  to all protocols currently supported by the SSL application. This option can
           be overridden by the version option to ssl:connect/[2,3] and ssl:listen/2.

         session_lifetime = integer() <optional>:
           Maximum lifetime of the session data in seconds.

         session_cb = atom() <optional>:
           Name of the session cache callback module that  implements  the  ssl_session_cache_api
           behavior. Defaults to ssl_session_cache.

         session_cb_init_args = proplist:proplist() <optional>:
           List  of  extra  user-defined  arguments  to  the  init  function in the session cache
           callback module. Defaults to [].

         session_cache_client_max = integer() <optional>:
         session_cache_server_max = integer() <optional>:
           Limits the growth of the client/server session cache. If the  maximum  number  of
           sessions  is  reached, the current cache entries will be invalidated regardless of
           their remaining lifetime. Defaults to 1000.

         ssl_pem_cache_clean = integer() <optional>:
           Number of milliseconds between PEM cache validations. See also ssl:clear_pem_cache/0.

         alert_timeout = integer() <optional>:
           Number  of  milliseconds  between sending of a fatal alert and closing the connection.
           Waiting a little while improves the peer's chances of properly receiving the alert  so
           it may shut down gracefully. Defaults to 5000 milliseconds.
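
       The following is an added example, not part of the OTP documentation: a small module that
       audits the ssl application environment described above and reports an unset or legacy
       protocol_version and integer() parameters of the wrong type. The module name
       ssl_env_audit, the finding tuples, and the list of versions treated as legacy are
       assumptions of this example.

```erlang
%% Added example, not OTP code. ssl_env_audit is a hypothetical module name.
%% sys.config form of the command-line setting (values constructed):
%%   [{ssl, [{protocol_version, ['tlsv1.2']}, {session_lifetime, 3600}]}].
-module(ssl_env_audit).
-export([check/0, check/1]).

%% Versions this example treats as legacy (a policy assumption).
-define(LEGACY, [sslv3, tlsv1, 'tlsv1.1']).
%% Parameters the manual page types as integer().
-define(INT_PARAMS, [session_lifetime, session_cache_client_max,
                     session_cache_server_max, ssl_pem_cache_clean,
                     alert_timeout]).

%% Audit the environment of the ssl application on this node.
check() ->
    _ = application:load(ssl),            % ok or {error,{already_loaded,ssl}}
    check(application:get_all_env(ssl)).

%% Audit a proplist of ssl parameters; [] means nothing to report.
check(Env) ->
    versions(proplists:get_value(protocol_version, Env)) ++
        [{P, {not_an_integer, V}}
         || P <- ?INT_PARAMS,
            {ok, V} <- [lookup(P, Env)],
            not is_integer(V)].

%% Unset means "all protocols currently supported", so report it.
versions(undefined) ->
    [{protocol_version, not_set}];
versions(V) when is_atom(V) ->
    versions([V]);
versions(Vs) when is_list(Vs) ->
    [{protocol_version, {legacy, V}} || V <- Vs, lists:member(V, ?LEGACY)];
versions(Other) ->
    [{protocol_version, {bad_value, Other}}].

%% Distinguish "not configured" from a configured value.
lookup(Key, Env) ->
    case lists:keyfind(Key, 1, Env) of
        {Key, V} -> {ok, V};
        false -> undefined
    end.
```

       The audit only covers the application environment; a listener or client that passes its
       own version option to ssl:listen/2 or ssl:connect/[2,3] overrides protocol_version and
       has to be reviewed separately.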

ERROR LOGGER AND EVENT HANDLERS

       The  SSL  application  uses  the default OTP error logger to log unexpected errors and TLS
       alerts. The logging of TLS alerts may be turned off with the log_alert option.

SEE ALSO

       application(3erl)