What is the idea behind the default configuration of the ssl app?

Maas-Maarten Zeeman mmzeeman@REDACTED
Tue Jul 21 14:11:50 CEST 2020


Setting up the ssl application safely for a particular situation can be quite hard. 

For instance, the default PEM cache and session ticket cache is 1000. The session lifetime is 24 hours. This is fine for a server which hardly get any traffic, but not ideal for web-servers which get millions of hits. Also when TLS 1.3 is used, by default no ticket replay mitigation is setup, which is something which is marked as “SHOULD” in the rfc.

    What is the idea behind the current defaults? Are they not meant for busy server applications?

I’m asking because I would like to add a way to easily setup server sockets with safe settings to https://github.com/zotonic/zotonic_ssl <https://github.com/zotonic/zotonic_ssl> so people don’t have to fiddle with all the possible setting. Especially because there are quite some changes between different OTP releases in this area.

Unfortunately not everything can be configured when you setup a socket, but the module could give warnings when the configuration of the ssl application as a whole is not right for a particular class of applications. Because of this I was wondering for what kind of applications the current defaults are meant, and wether I need to give different default options for different situations.

Regards,

Maas-Maarten Zeeman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20200721/140ecb77/attachment.htm>


More information about the erlang-questions mailing list