gluegun/tls
Typed TLS client options for Gun and Erlang SSL.
Gluegun applies a secure baseline whenever a connection uses TLS
(connection.Tls, or connection.Auto resolving to TLS): peer and
hostname verification, the system CA certificates, TLS 1.2/1.3 only, SNI
when the host is a DNS name rather than an IP literal, and HTTPS hostname
matching. See the TLS guide for the canonical default list and override
behavior.
For development against self-signed endpoints, use insecure(). It
returns a TlsOptions with verification and SNI disabled, which also
suppresses the rest of the secure baseline. Do not ship insecure() to
production.
Production HTTPS
The minimal HTTPS setup is just:

```gleam
import gluegun/connection

pub fn https_options() {
  connection.options()
  |> connection.with_transport(transport: connection.Tls)
}
```

Gluegun fills in verify_peer, the OS trust store, TLS 1.2/1.3, SNI,
and HTTPS hostname matching automatically when you call
connection.open(host:, port:).
Overriding the baseline
```gleam
import gluegun/connection
import gluegun/tls

pub fn https_options(host: String) {
  let tls_opts =
    tls.options()
    |> tls.with_versions(versions: [tls.TlsV13])
    |> tls.with_cacertfile(cacertfile: "/etc/ssl/cert.pem")
    |> tls.with_depth(depth: 5)

  connection.options()
  |> connection.with_transport(transport: connection.Tls)
  |> connection.with_tls_opts(tls_opts: tls_opts)
}
```

Any field you set on TlsOptions overrides the corresponding default;
fields you leave unset are filled in by the secure baseline. In the
example above, with_versions narrows the TLS 1.2/1.3 default to TLS 1.3
only, and with_cacertfile replaces the system trust store with the named
bundle, so the server's chain must validate against that file alone.
The fields left unset (verification mode, SNI, hostname matching) keep
their baseline values.
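As an added example (not code from the gluegun project or its docs), the following builds TLS options for an internal service that is reached by IP address, so the baseline would send no SNI, and that requires mutual TLS against a private CA. It also shows where insecure() belongs: behind an explicit development profile, never the default. The Profile type, the file paths and the service name are assumptions made for this example; the builder calls are the ones documented on this page.

```gleam
import gluegun/connection
import gluegun/tls

/// Deployment profile. Assumed for this example; not part of gluegun.
pub type Profile {
  /// Mutual TLS against a private CA, TLS 1.3 only.
  Production
  /// Local work against a self-signed endpoint. Never shipped.
  Development
}

/// TLS options for an internal service reached by IP address. The host
/// passed to connection.open is an IP literal, so the baseline sends no
/// SNI; the service's DNS name is supplied explicitly instead. In Erlang
/// ssl that name is both the SNI value and the name the server certificate
/// is checked against, so hostname matching still applies.
pub fn internal_tls_options(
  profile: Profile,
  service_name: String,
) -> tls.TlsOptions {
  case profile {
    // Disables verification and SNI; only acceptable off production.
    Development -> tls.insecure()
    Production ->
      tls.options()
      |> tls.with_verify(verify: tls.VerifyPeer)
      // Drop TLS 1.2 from the baseline: the service is 1.3-only.
      |> tls.with_versions(versions: [tls.TlsV13])
      // Private CA bundle. This replaces the system trust store, so the
      // server chain must validate against this file alone (assumed path).
      |> tls.with_cacertfile(cacertfile: "/etc/gluegun/internal-ca.pem")
      // Client certificate and key for mutual TLS (assumed paths).
      |> tls.with_certfile(certfile: "/etc/gluegun/client.pem")
      |> tls.with_keyfile(keyfile: "/etc/gluegun/client-key.pem")
      |> tls.with_server_name_indication(
        server_name_indication: tls.ServerName(service_name),
      )
      // Erlang ssl counts intermediates after the peer certificate:
      // depth 1 allows root -> one intermediate -> server leaf.
      |> tls.with_depth(depth: 1)
  }
}

/// Connection options carrying the profile's TLS settings.
pub fn internal_connection_options(profile: Profile, service_name: String) {
  connection.options()
  |> connection.with_transport(transport: connection.Tls)
  |> connection.with_tls_opts(
    tls_opts: internal_tls_options(profile, service_name),
  )
}
```

Opening a connection with internal_connection_options(Production, "payments.internal") and an IP address as host still rejects a server certificate issued for any other name, because the explicit ServerName drives hostname verification in Erlang ssl. The Development branch is the only place insecure() appears, which keeps it out of the production code path and easy to grep for.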
ServerNameIndication
SNI configuration for a TLS connection.

```gleam
pub type ServerNameIndication {
  Disable
  ServerName(String)
}
```

Constructors
Disable
Disable SNI for this connection. A server that hosts several names may then present its default certificate, which fails hostname matching.
ServerName(String)
Send the provided hostname as the SNI value, for example when connecting by IP address to a host that expects a name.
TlsOptions
Pure representation of TLS client options before FFI conversion.
Build with options() then chain with_verify, with_versions,
with_ciphers, with_cacerts, with_cacertfile, with_certfile,
with_keyfile, with_server_name_indication, and with_depth. See
the TLS guide for a production HTTPS baseline.

```gleam
pub type TlsOptions
```

TlsVersion
Supported TLS protocol versions.

```gleam
pub type TlsVersion {
  TlsV12
  TlsV13
}
```

Constructors
TlsV12
Allow TLS 1.2.
TlsV13
Allow TLS 1.3.
VerifyMode
TLS peer verification mode.

```gleam
pub type VerifyMode {
  VerifyPeer
  VerifyNone
}
```

Constructors
VerifyPeer
Verify the peer certificate chain and hostname. This is the baseline default.
VerifyNone
Disable peer certificate verification. Any certificate is accepted, including one presented by an on-path attacker; development only.
Functions
insecure
Construct TLS options that disable peer verification.
Development only. Returns options with verify_none and SNI
disabled, which suppresses Gluegun's secure TLS defaults (system CA
trust store, hostname verification, TLS 1.2/1.3 floor). This bypasses
the protections that make HTTPS trustworthy: never use it against
untrusted networks or production endpoints.

```gleam
pub fn insecure() -> TlsOptions
```

options
Construct empty TLS options. Every field left unset is filled in from the secure baseline when the connection is opened.

```gleam
pub fn options() -> TlsOptions
```

with_cacertfile
Set the path to a PEM CA bundle file. This replaces the system trust store for the connection, so the peer's chain must validate against this bundle alone.

```gleam
pub fn with_cacertfile(TlsOptions, cacertfile: String) -> TlsOptions
```

with_cacerts
Set DER-encoded trusted CA certificates. Like with_cacertfile, this replaces the system trust store.

```gleam
pub fn with_cacerts(TlsOptions, cacerts: List(BitArray)) -> TlsOptions
```

with_certfile
Set the path to the client certificate file, for mutual TLS. Pair it with with_keyfile.

```gleam
pub fn with_certfile(TlsOptions, certfile: String) -> TlsOptions
```

with_ciphers
Set TLS cipher suite names. Leave this unset unless a peer requires a specific suite; a hand-picked list is easy to weaken and must stay consistent with the versions you allow.

```gleam
pub fn with_ciphers(TlsOptions, ciphers: List(String)) -> TlsOptions
```

with_depth
Set the maximum certificate chain depth: the number of intermediate CA certificates allowed between the peer certificate and a trusted root (Erlang ssl semantics).

```gleam
pub fn with_depth(TlsOptions, depth: Int) -> TlsOptions
```

with_keyfile
Set the path to the client private key file. The key is read from disk, so restrict the file's permissions to the service user.

```gleam
pub fn with_keyfile(TlsOptions, keyfile: String) -> TlsOptions
```

with_server_name_indication
Set the TLS SNI value, or disable it explicitly. Use ServerName when connecting by IP address to a host that expects a name.

```gleam
pub fn with_server_name_indication(
  TlsOptions,
  server_name_indication: ServerNameIndication,
) -> TlsOptions
```

with_verify
Set the TLS peer verification mode. VerifyPeer is the baseline default; VerifyNone turns off chain validation and hostname matching.

```gleam
pub fn with_verify(TlsOptions, verify: VerifyMode) -> TlsOptions
```

with_versions
Set TLS protocol versions in preference order. The baseline allows TLS 1.2 and 1.3; pass [TlsV13] to require TLS 1.3.

```gleam
pub fn with_versions(TlsOptions, versions: List(TlsVersion)) -> TlsOptions
```