host(+HostName)
For a client, the host it connects to. Specify this option when Role is client; otherwise, certificate verification may fail when negotiating a secure connection.

certificate_file(+FileName)
Certificate identifying this party, used together with the key_file(+FileName) option. A server must have at least one certificate before clients can connect. A client must have a certificate only if the server demands that the client identify itself with a client certificate using the peer_cert(true) option. If a certificate is provided, it is necessary to also provide a matching private key via the key_file/1 option. To configure multiple certificates, use the option certificate_key_pairs/1 instead. Alternatively, use ssl_add_certificate_key/4 to add certificates and keys to an existing context.

key_file(+FileName)
File containing the private key, possibly encrypted. Supply the password with the password(+Text) or pem_password_hook(:Goal) option.

pem_password_hook(:Goal)
Called when an encrypted private key needs its password. Goal is called as
call(Goal, +SSL, -Password)
and typically unifies Password with a string containing the password.

require_crl(+Boolean)
Note that if you set require_crl(true) and provide neither of these options, verification will necessarily fail.

crl(+ListOfFileNames)
You must also set require_crl(true) if you want CRLs to actually be checked by OpenSSL.

cacert_file(+FileName)
The special value system(root_certificates) uses a list of trusted root certificates as provided by the OS. See system_root_certificates/1 for details.

cacerts(+ListOfCATerms)
Each element of the list is one of:
file(Filename): A file containing one or more PEM-encoded certificates
certificate(Blob): A certificate blob
system(root_certificates): A special term which refers to the certificates trusted by the host OS.

cert_verify_hook(:Goal)
Additional verification of the peer certificate, as well as accepting certificates that are not trusted by the given set, can be realised using this hook. Goal is called as
call(Goal, +SSL, +ProblemCertificate, +AllCertificates, +FirstCertificate, +Error)
If the certificate was verified by one of the certificates provided through the cacert_file option, Error is unified with the atom verified. Otherwise it contains the error string passed from OpenSSL. Access is granted iff the predicate succeeds. See load_certificate/2 for a description of the certificate terms. See cert_accept_any/5 for a dummy implementation that accepts any certificate.
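As an added example (not code from the SWI-Prolog manual or the ssl library), here is a hook written from the defender's side: it accepts a peer only when OpenSSL reports the chain as verified, logs the OpenSSL error string otherwise, and is installed in a client context that also fixes the protocol floor and enables close_notify. The predicate names strict_verify/5 and client_context/2 and the host name passed in are assumptions.

```prolog
:- use_module(library(ssl)).

% strict_verify/5 is the cert_verify_hook.  OpenSSL may call it for each
% certificate in the chain; access is granted only if the hook succeeds.
% The sole accepting clause is the one where Error is the atom `verified'.
strict_verify(_SSL, _ProblemCert, _AllCerts, _FirstCert, verified) :-
    !.
strict_verify(_SSL, ProblemCert, _AllCerts, _FirstCert, Error) :-
    % Any OpenSSL error string (expired, untrusted issuer, name mismatch,
    % revoked when require_crl(true) is set) is logged and then refused by
    % failing, so the handshake does not complete.
    print_message(error,
                  format("TLS peer rejected: ~w (certificate: ~w)",
                         [Error, ProblemCert])),
    fail.

%!  client_context(+Host, -SSL) is det.
%
%   Client context for Host (assumed name) that trusts the OS root store,
%   checks the peer name, refuses protocol versions below TLS 1.2 and
%   raises on a truncated stream.  min_protocol_version/1 needs
%   OpenSSL 1.1.0 or later.
client_context(Host, SSL) :-
    ssl_context(client, SSL,
                [ host(Host),
                  cacerts([system(root_certificates)]),
                  cert_verify_hook(strict_verify),
                  min_protocol_version(tlsv1_2),
                  close_notify(true)
                ]),
    % Type test given in the manual: the context is an ssl_context blob.
    blob(SSL, ssl_context).
```

The hook deliberately has no clause that overrides an OpenSSL error; contrast cert_accept_any/5, the dummy mentioned above, which accepts everything and is only suitable for tests. Where a deployment must accept a certificate outside the trusted set (for example a pinned self-signed one), add a clause that compares the certificate term against the pinned value rather than ignoring Error.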
ecdh_curve(+Atom)
Curve used for ECDH key exchange; prime256v1 is used by default.

close_parent(+Bool)
If true, close the raw streams if the SSL streams are closed. Default is false.

close_notify(+Bool)
If true (default is false), the server sends TLS close_notify when closing the connection. In addition, this mitigates truncation attacks for both the client and the server role: if EOF is encountered without having received a TLS shutdown, an exception is raised. Well-designed protocols are self-terminating, and this attack is therefore very rarely a concern.

min_protocol_version(+Atom)
Lowest protocol version that may be negotiated. Atom is one of sslv3, tlsv1, tlsv1_1, tlsv1_2 and tlsv1_3. This option is available with OpenSSL 1.1.0 and later, and should be used instead of disable_ssl_methods/1.

max_protocol_version(+Atom)
Highest protocol version that may be negotiated. Atom is one of sslv3, tlsv1, tlsv1_1, tlsv1_2 and tlsv1_3. This option is available with OpenSSL 1.1.0 and later, and should be used instead of disable_ssl_methods/1.

disable_ssl_methods(+List)
List of methods to disable; the members are sslv2, sslv3, sslv23, tlsv1, tlsv1_1 and tlsv1_2. This option is deprecated starting with OpenSSL 1.1.0. Use min_protocol_version/1 and max_protocol_version/1 instead.

ssl_method(+Method)
See disable_ssl_methods above. Using this option is discouraged. When using OpenSSL 1.1.0 or later, this option is ignored, and a version-flexible method is used to negotiate the connection. Using version-specific methods is deprecated in recent OpenSSL versions, and this option will become obsolete and ignored in the future.

sni_hook(:Goal)
Goal is called as
call(Goal, +SSL0, +HostName, -SSL)
Given the current context SSL0, and the host name of the client request, the predicate computes SSL which is used as the context for negotiating the connection. The first solution is used. If the predicate fails, the default options are used, which are those of the encompassing ssl_context/3 call. In that case, if no default certificate and key are specified, the client connection is rejected.
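An added example (not from the manual or the ssl library) of the SNI hook described above: the hook looks up the requested host name in a small table and builds a per-host server context, and the surrounding context carries no default certificate so that unknown names are rejected rather than served some other name's certificate. The table, the predicate names sni_select/3 and server_context/1, and the file paths are assumptions; the paths are placeholders.

```prolog
:- use_module(library(ssl)).

% Placeholder mapping from requested host name to certificate and key.
% Paths are illustrative only.
host_credentials('example.test',
                 '/etc/tls/example.test.crt', '/etc/tls/example.test.key').
host_credentials('www.example.test',
                 '/etc/tls/example.test.crt', '/etc/tls/example.test.key').

%!  sni_select(+SSL0, +HostName, -SSL) is semidet.
%
%   Called as call(Goal, SSL0, HostName, SSL); the first solution is used.
%   An unknown host name makes the hook fail, so the defaults of the
%   encompassing ssl_context/3 call apply.  Because server_context/1
%   below sets no certificate and key, such a client is rejected.
sni_select(_SSL0, HostName, SSL) :-
    host_credentials(HostName, CertFile, KeyFile),
    ssl_context(server, SSL,
                [ certificate_file(CertFile),
                  key_file(KeyFile),
                  min_protocol_version(tlsv1_2)
                ]).

%!  server_context(-SSL) is det.
%
%   Default server context without a certificate: only names known to
%   sni_select/3 are served.
server_context(SSL) :-
    ssl_context(server, SSL,
                [ sni_hook(sni_select),
                  min_protocol_version(tlsv1_2)
                ]).
```

Keeping the credential table outside the hook (here a static predicate) is what makes the failure case explicit: a host name that is not listed never reaches ssl_context/3, and the rejection described in the text above is the result.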
alpn_protocol_hook(:Goal)
Goal is called as
call(Goal, +SSLCtx0, +ListOfClientProtocols, -SSLCtx1, -SelectedProtocol)
If this option is unset and the alpn_protocols/1 option is set, then the first common protocol between client and server will be selected.
Role is one of server or client and denotes whether the SSL instance will have a server or client role in the established connection.

SSL is a SWI-Prolog blob of type ssl_context, i.e., the type-test for an SSL context is blob(SSL, ssl_context).