[e7527b9] | 1 | % `mod_gnutls` Manual |
---|
[4ee45a1] | 2 | |
---|
| 3 | * * * * * |
---|
| 4 | |
---|
[bce7907] | 5 | `mod_gnutls` is a module for the Apache web server that provides HTTPS |
---|
| 6 | (HTTP over Transport Layer Security (TLS) or the older Secure Sockets |
---|
| 7 | Layer (SSL)) using the GnuTLS library. More information about the |
---|
| 8 | module can be found at [the project's website](https://mod.gnutls.org/). |
---|
[4ee45a1] | 9 | |
---|
| 10 | * * * * * |
---|
| 11 | |
---|
| 12 | Compilation & Installation |
---|
[2b16350] | 13 | ========================== |
---|
[4ee45a1] | 14 | |
---|
[e7527b9] | 15 | `mod_gnutls` uses the `./configure && make && make install` mechanism |
---|
| 16 | common to many Open Source programs. Most of the dirty work is |
---|
| 17 | handled by either `./configure` or Apache's `apxs` utility. If you have |
---|
| 18 | built Apache modules before, there shouldn't be any surprises for you. |
---|
| 19 | |
---|
| 20 | The interesting options you can pass to configure are: |
---|
| 21 | |
---|
| 22 | `--with-apxs=PATH` |
---|
| 23 | : This option is used to specify the location of the apxs utility that |
---|
| 24 | was installed as part of apache. Specify the location of the |
---|
| 25 | binary, not the directory it is located in. |
---|
| 26 | |
---|
[dc058b8] | 27 | `--with-apu-config=PATH` |
---|
| 28 | : Path to APR Utility Library config tool (`apu-1-config`) |
---|
[e7527b9] | 29 | |
---|
| 30 | `--help` |
---|
| 31 | : Provides a list of all available configure options. |
---|
[4ee45a1] | 32 | |
---|
[dff57b4] | 33 | It is recommended to run `make check` before installation. If your |
---|
| 34 | system doesn't have a loopback device with IPv6 and IPv4 support or |
---|
| 35 | `localhost` does not resolve to at least one of `[::1]` and |
---|
| 36 | `127.0.0.1`, you may have to set the `TEST_HOST` or `TEST_IP` |
---|
[dc058b8] | 37 | environment variables when running `./configure` to make the test |
---|
| 38 | suite work correctly. |
---|
| 39 | |
---|
[4ee45a1] | 40 | * * * * * |
---|
| 41 | |
---|
| 42 | Integration |
---|
[2b16350] | 43 | =========== |
---|
[4ee45a1] | 44 | |
---|
[2b16350] | 45 | To activate `mod_gnutls` just add the following line to your httpd.conf |
---|
[4ee45a1] | 46 | and restart Apache: |
---|
| 47 | |
---|
[2b16350] | 48 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
[4ee45a1] | 49 | |
---|
| 50 | * * * * * |
---|
| 51 | |
---|
[2b16350] | 52 | Configuration Directives |
---|
| 53 | ======================== |
---|
[4ee45a1] | 54 | |
---|
[df49a2d] | 55 | General Options |
---|
| 56 | --------------- |
---|
| 57 | |
---|
| 58 | ### GnuTLSEnable |
---|
[4ee45a1] | 59 | |
---|
[2b16350] | 60 | Enable GnuTLS for this virtual host |
---|
[4ee45a1] | 61 | |
---|
[2b16350] | 62 | GnuTLSEnable [on|off] |
---|
[4ee45a1] | 63 | |
---|
[2b16350] | 64 | Default: *off*\ |
---|
| 65 | Context: virtual host |
---|
[4ee45a1] | 66 | |
---|
[2b16350] | 67 | This directive enables SSL/TLS Encryption for a Virtual Host. |
---|
[4ee45a1] | 68 | |
---|
[df49a2d] | 69 | ### GnuTLSCache |
---|
[4ee45a1] | 70 | |
---|
[743e31f] | 71 | Configure TLS Session Cache |
---|
[4ee45a1] | 72 | |
---|
[2b16350] | 73 | GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-] |
---|
[4ee45a1] | 74 | |
---|
[2b16350] | 75 | Default: `GnuTLSCache none`\ |
---|
| 76 | Context: server config |
---|
[4ee45a1] | 77 | |
---|
[743e31f] | 78 | This directive configures the TLS Session Cache for `mod_gnutls`. |
---|
[c005645] | 79 | This could be shared between machines of different architectures. If a |
---|
| 80 | DBM cache is used, access is serialized using the `gnutls-cache` |
---|
[c22af3a] | 81 | mutex. Which DBM types are available is part of the APR (Apache |
---|
| 82 | Portable Runtime) compile time configuration. |
---|
[4ee45a1] | 83 | |
---|
[2b16350] | 84 | `dbm` (Requires Berkeley DBM) |
---|
[c22af3a] | 85 | : Uses the Berkeley DB backend of APR DBM to cache TLS Session |
---|
| 86 | data. |
---|
[4ee45a1] | 87 | |
---|
[c22af3a] | 88 | The argument is a relative or absolute path to be used as |
---|
| 89 | the DBM Cache file. This is compatible with most operating |
---|
| 90 | systems. |
---|
| 91 | |
---|
| 92 | `gdbm` (Requires GDBM) |
---|
[444e6ed] | 93 | : Uses the GDBM backend of APR DBM to cache TLS Session data. |
---|
[4ee45a1] | 94 | |
---|
[c22af3a] | 95 | The argument is a relative or absolute path to be used as the DBM |
---|
| 96 | Cache file. |
---|
[4ee45a1] | 97 | |
---|
[2b16350] | 98 | `memcache` |
---|
[444e6ed] | 99 | : Uses memcached server(s) to cache TLS Session data. |
---|
[4ee45a1] | 100 | |
---|
[2b16350] | 101 | The argument is a space separated list of servers. If no port |
---|
| 102 | number is supplied, the default of 11211 is used. This can be |
---|
| 103 | used to share a session cache between all servers in a cluster. |
---|
[4ee45a1] | 104 | |
---|
[2b16350] | 105 | `none` |
---|
[743e31f] | 106 | : Turns off all caching of TLS Sessions. |
---|
[4ee45a1] | 107 | |
---|
[2b16350] | 108 | This can significantly reduce the performance of `mod_gnutls` since |
---|
| 109 | even followup connections by a client must renegotiate parameters |
---|
| 110 | instead of reusing old ones. This is the default, since it |
---|
| 111 | requires no configuration. |
---|
[4ee45a1] | 112 | |
---|
[df49a2d] | 113 | ### GnuTLSCacheTimeout |
---|
[4ee45a1] | 114 | |
---|
[743e31f] | 115 | Timeout for TLS Session Cache expiration |
---|
[4ee45a1] | 116 | |
---|
[2b16350] | 117 | GnuTLSCacheTimeout SECONDS |
---|
[4ee45a1] | 118 | |
---|
[2b16350] | 119 | Default: `GnuTLSCacheTimeout 300`\ |
---|
| 120 | Context: server config |
---|
[4ee45a1] | 121 | |
---|
[444e6ed] | 122 | Sets the timeout for TLS Session Cache entries expiration. This value |
---|
| 123 | is also used for OCSP responses if they do not contain a `nextUpdate` |
---|
| 124 | time. |
---|
[4ee45a1] | 125 | |
---|
[df49a2d] | 126 | ### GnuTLSSessionTickets |
---|
[4ee45a1] | 127 | |
---|
[2b16350] | 128 | Enable Session Tickets for the server |
---|
[4ee45a1] | 129 | |
---|
[2b16350] | 130 | GnuTLSSessionTickets [on|off] |
---|
[4ee45a1] | 131 | |
---|
[2b16350] | 132 | Default: `off`\ |
---|
| 133 | Context: server config, virtual host |
---|
[4ee45a1] | 134 | |
---|
[444e6ed] | 135 | To avoid storing data for TLS session resumption the server can |
---|
| 136 | provide clients with tickets, to use on return. Tickets are an |
---|
[e9ef72c] | 137 | alternative to using a session cache, mostly used for busy servers |
---|
| 138 | with limited storage. For a pool of servers this option is not |
---|
| 139 | recommended since the tickets are bound to the issuing server only. |
---|
[4ee45a1] | 140 | |
---|
[e9ef72c] | 141 | If this option is set in the global configuration, virtual hosts |
---|
| 142 | without a `GnuTLSSessionTickets` setting will use the global setting. |
---|
| 143 | |
---|
| 144 | *Warning:* Currently the master key that protects the tickets is |
---|
| 145 | generated only on server start, and there is no mechanism to roll over |
---|
| 146 | the key. If session tickets are enabled it is highly recommened to |
---|
| 147 | restart the server regularly to protect past sessions in case an |
---|
| 148 | attacker gains access to server memory. |
---|
[4ee45a1] | 149 | |
---|
[df49a2d] | 150 | ### GnuTLSClientVerify |
---|
[4ee45a1] | 151 | |
---|
[df49a2d] | 152 | Enable Client Certificate Verification |
---|
[4ee45a1] | 153 | |
---|
[2b16350] | 154 | GnuTLSClientVerify [ignore|request|require] |
---|
[4ee45a1] | 155 | |
---|
[2b16350] | 156 | Default: `ignore`\ |
---|
| 157 | Context: server config, virtual host, directory, .htaccess |
---|
[4ee45a1] | 158 | |
---|
[743e31f] | 159 | This directive controls the use of TLS Client Certificate |
---|
[2b16350] | 160 | Authentication. If used in the .htaccess context, it can force TLS |
---|
| 161 | re-negotiation. |
---|
[4ee45a1] | 162 | |
---|
[2b16350] | 163 | `ignore` |
---|
[743e31f] | 164 | : `mod_gnutls` will ignore the contents of any TLS Client Certificates |
---|
[2b16350] | 165 | sent. It will not request that the client sends a certificate. |
---|
[4ee45a1] | 166 | |
---|
[2b16350] | 167 | `request` |
---|
| 168 | : The client certificate will be requested, but not required. |
---|
| 169 | The Certificate will be validated if sent. The output of the |
---|
| 170 | validation status will be stored in the `SSL_CLIENT_VERIFY` |
---|
| 171 | environment variable and can be `SUCCESS`, `FAILED` or `NONE`. |
---|
[4ee45a1] | 172 | |
---|
[2b16350] | 173 | `require` |
---|
| 174 | : A Client certificate will be required. Any requests without a valid |
---|
| 175 | client certificate will be denied. The `SSL_CLIENT_VERIFY` |
---|
| 176 | environment variable will only be set to `SUCCESS`. |
---|
[4ee45a1] | 177 | |
---|
[df49a2d] | 178 | ### GnuTLSDHFile |
---|
[4ee45a1] | 179 | |
---|
[2b16350] | 180 | Set to the PKCS \#3 encoded Diffie Hellman parameters |
---|
[4ee45a1] | 181 | |
---|
[2b16350] | 182 | GnuTLSDHFile FILEPATH |
---|
[4ee45a1] | 183 | |
---|
[2b16350] | 184 | Default: *none*\ |
---|
| 185 | Context: server config, virtual host |
---|
[4ee45a1] | 186 | |
---|
[2b16350] | 187 | Takes an absolute or relative path to a PKCS \#3 encoded DH |
---|
| 188 | parameters.Those are used when the DHE key exchange method is enabled. |
---|
| 189 | You can generate this file using `certtool --generate-dh-params --bits |
---|
| 190 | 2048`. If not set `mod_gnutls` will use the included parameters. |
---|
[4ee45a1] | 191 | |
---|
[df49a2d] | 192 | ### GnuTLSPriorities |
---|
[4ee45a1] | 193 | |
---|
[c3c96ca] | 194 | Set the allowed protocol versions, ciphers, key exchange algorithms, |
---|
| 195 | MACs and compression methods |
---|
[4ee45a1] | 196 | |
---|
[5409165] | 197 | GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N |
---|
[4ee45a1] | 198 | |
---|
[2b16350] | 199 | Default: *none*\ |
---|
| 200 | Context: server config, virtual host |
---|
[4ee45a1] | 201 | |
---|
[c3c96ca] | 202 | Takes a colon separated list of protocol version, ciphers, key |
---|
| 203 | exchange methods message authentication codes, and compression methods |
---|
| 204 | to enable. The allowed keywords are specified in the |
---|
| 205 | `gnutls_priority_init()` function of GnuTLS. |
---|
[4ee45a1] | 206 | |
---|
[c3c96ca] | 207 | Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings) |
---|
| 208 | for details. A few commonly used sets are listed below, note that |
---|
| 209 | their exact meaning may change with GnuTLS versions. |
---|
[4ee45a1] | 210 | |
---|
[2b16350] | 211 | `PERFORMANCE` |
---|
[c3c96ca] | 212 | : A list with all the secure cipher combinations sorted in terms of |
---|
| 213 | performance. |
---|
[4ee45a1] | 214 | |
---|
[2b16350] | 215 | `NORMAL` |
---|
| 216 | : A list with all the secure cipher combinations sorted |
---|
| 217 | with respect to security margin (subjective term). |
---|
[4ee45a1] | 218 | |
---|
[c3c96ca] | 219 | `SECURE128` |
---|
| 220 | : A list with all the secure cipher suites that offer a security level |
---|
| 221 | of 128-bit or more. |
---|
[4ee45a1] | 222 | |
---|
[c3c96ca] | 223 | `PFS` |
---|
| 224 | : Only cipher suites offering perfect forward secrecy (ECDHE and DHE), |
---|
| 225 | sorted by security margin. |
---|
[4ee45a1] | 226 | |
---|
[c3c96ca] | 227 | You can add or remove algorithms using the `+` and `!` prefixes |
---|
| 228 | respectively. For example, in order to use the `NORMAL` set but |
---|
| 229 | disable TLS 1.0 and 1.1 you can use the string |
---|
| 230 | `NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`. |
---|
[4ee45a1] | 231 | |
---|
[2b16350] | 232 | You can find a list of all supported Ciphers, Versions, MACs, etc. by |
---|
| 233 | running `gnutls-cli --list`. |
---|
[4ee45a1] | 234 | |
---|
[df49a2d] | 235 | ### GnuTLSP11Module |
---|
[8873a06] | 236 | |
---|
[7764015] | 237 | Load this PKCS #11 module. |
---|
[8873a06] | 238 | |
---|
| 239 | GnuTLSP11Module PATH_TO_LIBRARY |
---|
| 240 | |
---|
| 241 | Default: *none*\ |
---|
| 242 | Context: server config |
---|
| 243 | |
---|
[9ca1f21] | 244 | Load this PKCS #11 provider module, instead of the system |
---|
| 245 | defaults. May occur multiple times to load multiple modules. |
---|
[8873a06] | 246 | |
---|
[df49a2d] | 247 | ### GnuTLSPIN |
---|
[031acac] | 248 | |
---|
| 249 | Set the PIN to be used to access encrypted key files or PKCS #11 objects. |
---|
| 250 | |
---|
| 251 | GnuTLSPIN XXXXXX |
---|
| 252 | |
---|
| 253 | Default: *none*\ |
---|
| 254 | Context: server config, virtual host |
---|
| 255 | |
---|
| 256 | Takes a string to be used as a PIN for the protected objects in |
---|
| 257 | a security module, or as a key to be used to decrypt PKCS #8, PKCS #12, |
---|
| 258 | or openssl encrypted keys. |
---|
| 259 | |
---|
[df49a2d] | 260 | ### GnuTLSSRKPIN |
---|
[031acac] | 261 | |
---|
[df49a2d] | 262 | Set the SRK PIN to be used to access the TPM. |
---|
[031acac] | 263 | |
---|
| 264 | GnuTLSSRKPIN XXXXXX |
---|
| 265 | |
---|
| 266 | Default: *none*\ |
---|
| 267 | Context: server config, virtual host |
---|
| 268 | |
---|
| 269 | Takes a string to be used as a PIN for the protected objects in |
---|
| 270 | the TPM module. |
---|
| 271 | |
---|
[df49a2d] | 272 | ### GnuTLSExportCertificates |
---|
[4ee45a1] | 273 | |
---|
[2b16350] | 274 | Export the PEM encoded certificates to CGIs |
---|
[4ee45a1] | 275 | |
---|
[999cdec] | 276 | GnuTLSExportCertificates [off|on|SIZE] |
---|
[4ee45a1] | 277 | |
---|
[2b16350] | 278 | Default: `off`\ |
---|
| 279 | Context: server config, virtual host |
---|
[4ee45a1] | 280 | |
---|
[999cdec] | 281 | This directive configures exporting the full certificates of the |
---|
| 282 | server and the client to CGI scripts via the `SSL_SERVER_CERT` and |
---|
| 283 | `SSL_CLIENT_CERT` environment variables. The exported certificates |
---|
| 284 | will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the |
---|
| 285 | size given. The type of the certificate will be exported in |
---|
| 286 | `SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`. |
---|
| 287 | |
---|
| 288 | SIZE should be an integer number of bytes, or may be written with a |
---|
| 289 | trailing `K` to indicate kibibytes. `off` means the same thing as |
---|
| 290 | `0`, in which case the certificates will not be exported to the |
---|
| 291 | environment. `on` is an alias for `16K`. If a non-zero size is |
---|
| 292 | specified for this directive, but a certificate is too large to fit in |
---|
| 293 | the buffer, then the corresponding environment variable will contain |
---|
| 294 | the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`. |
---|
| 295 | |
---|
[2b16350] | 296 | With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same |
---|
| 297 | environment variables to the CGI process as `mod_ssl`. |
---|
[4ee45a1] | 298 | |
---|
[df49a2d] | 299 | X.509 Certificate Authentication |
---|
| 300 | -------------------------------- |
---|
| 301 | |
---|
| 302 | ### GnuTLSCertificateFile |
---|
[d8ae2a0] | 303 | |
---|
[df49a2d] | 304 | Set to the PEM Encoded Server Certificate |
---|
| 305 | |
---|
| 306 | GnuTLSCertificateFile FILEPATH |
---|
| 307 | |
---|
| 308 | Default: *none*\ |
---|
| 309 | Context: server config, virtual host |
---|
| 310 | |
---|
| 311 | Takes an absolute or relative path to a PEM-encoded X.509 certificate to |
---|
| 312 | use as this Server's End Entity (EE) certificate. If you need to supply |
---|
| 313 | certificates for intermediate Certificate Authorities (iCAs), they |
---|
| 314 | should be listed in sequence in the file, from EE to the iCA closest to |
---|
| 315 | the root CA. Optionally, you can also include the root CA's certificate |
---|
| 316 | as the last certificate in the list. |
---|
| 317 | |
---|
| 318 | Since version 0.7 this can be a PKCS #11 URL. |
---|
| 319 | |
---|
| 320 | ### GnuTLSKeyFile |
---|
| 321 | |
---|
| 322 | Set to the PEM Encoded Server Private Key |
---|
| 323 | |
---|
| 324 | GnuTLSKeyFile FILEPATH |
---|
| 325 | |
---|
| 326 | Default: *none*\ |
---|
| 327 | Context: server config, virtual host |
---|
| 328 | |
---|
| 329 | Takes an absolute or relative path to the Server Private Key. Set |
---|
| 330 | `GnuTLSPIN` if the key file is encrypted. |
---|
| 331 | |
---|
| 332 | Since version 0.7 this can be a PKCS #11 URL. |
---|
| 333 | |
---|
| 334 | **Security Warning:**\ |
---|
| 335 | This private key must be protected. It is read while Apache is still |
---|
| 336 | running as root, and does not need to be readable by the nobody or |
---|
| 337 | apache user. |
---|
| 338 | |
---|
| 339 | ### GnuTLSClientCAFile |
---|
| 340 | |
---|
| 341 | Set the PEM encoded Certificate Authority list to use for X.509 base |
---|
| 342 | client authentication |
---|
| 343 | |
---|
| 344 | GnuTLSClientCAFile FILEPATH |
---|
| 345 | |
---|
| 346 | Default: *none* |
---|
| 347 | Context: server config, virtual host |
---|
| 348 | |
---|
| 349 | Takes an absolute or relative path to a PEM Encoded Certificate to use |
---|
| 350 | as a Certificate Authority with Client Certificate Authentication. |
---|
| 351 | This file may contain a list of trusted authorities. |
---|
| 352 | |
---|
| 353 | OpenPGP Certificate Authentication |
---|
| 354 | ---------------------------------- |
---|
| 355 | |
---|
| 356 | ### GnuTLSPGPCertificateFile |
---|
| 357 | |
---|
| 358 | Set to a base64 Encoded Server OpenPGP Certificate |
---|
| 359 | |
---|
| 360 | GnuTLSPGPCertificateFile FILEPATH |
---|
| 361 | |
---|
| 362 | Default: *none*\ |
---|
| 363 | Context: server config, virtual host |
---|
| 364 | |
---|
| 365 | Takes an absolute or relative path to a base64 Encoded OpenPGP |
---|
| 366 | Certificate to use as this Server's Certificate. |
---|
| 367 | |
---|
| 368 | ### GnuTLSPGPKeyFile |
---|
| 369 | |
---|
| 370 | Set to the Server OpenPGP Secret Key |
---|
| 371 | |
---|
| 372 | GnuTLSPGPKeyFile FILEPATH |
---|
| 373 | |
---|
| 374 | Default: *none*\ |
---|
| 375 | Context: server config, virtual host |
---|
| 376 | |
---|
| 377 | Takes an absolute or relative path to the Server Private Key. This key |
---|
| 378 | cannot currently be password protected. |
---|
| 379 | |
---|
| 380 | **Security Warning:**\ |
---|
| 381 | This private key must be protected. It is read while Apache is still |
---|
| 382 | running as root, and does not need to be readable by the nobody or |
---|
| 383 | apache user. |
---|
| 384 | |
---|
| 385 | ### GnuTLSPGPKeyringFile |
---|
| 386 | |
---|
| 387 | Set to a base64 Encoded key ring |
---|
| 388 | |
---|
| 389 | GnuTLSPGPKeyringFile FILEPATH |
---|
| 390 | |
---|
| 391 | Default: *none*\ |
---|
| 392 | Context: server config, virtual host |
---|
| 393 | |
---|
| 394 | Takes an absolute or relative path to a base64 Encoded Certificate |
---|
| 395 | list (key ring) to use as a means of verification of Client |
---|
| 396 | Certificates. This file should contain a list of trusted signers. |
---|
| 397 | |
---|
| 398 | SRP Authentication |
---|
| 399 | ------------------ |
---|
| 400 | |
---|
| 401 | ### GnuTLSSRPPasswdFile |
---|
| 402 | |
---|
| 403 | Set to the SRP password file for SRP ciphersuites |
---|
| 404 | |
---|
| 405 | GnuTLSSRPPasswdFile FILEPATH |
---|
| 406 | |
---|
| 407 | Default: *none*\ |
---|
| 408 | Context: server config, virtual host |
---|
| 409 | |
---|
| 410 | Takes an absolute or relative path to an SRP password file. This is |
---|
| 411 | the same format as used in libsrp. You can generate such file using |
---|
| 412 | the command `srptool --passwd /etc/tpasswd --passwd-conf |
---|
| 413 | /etc/tpasswd.conf -u test` to set a password for user test. This |
---|
| 414 | password file holds the username, a password verifier and the |
---|
| 415 | dependency to the SRP parameters. |
---|
| 416 | |
---|
| 417 | ### GnuTLSSRPPasswdConfFile |
---|
| 418 | |
---|
| 419 | Set to the SRP password.conf file for SRP ciphersuites |
---|
| 420 | |
---|
| 421 | GnuTLSSRPPasswdConfFile FILEPATH |
---|
| 422 | |
---|
| 423 | Default: *none*\ |
---|
| 424 | Context: server config, virtual host |
---|
| 425 | |
---|
| 426 | Takes an absolute or relative path to an SRP password.conf file. This |
---|
| 427 | is the same format as used in `libsrp`. You can generate such file |
---|
| 428 | using the command `srptool --create-conf /etc/tpasswd.conf`. This |
---|
| 429 | file holds the SRP parameters and is associate with the password file |
---|
| 430 | (the verifiers depends on these parameters). |
---|
| 431 | |
---|
| 432 | TLS Proxy Configuration |
---|
| 433 | ----------------------- |
---|
| 434 | |
---|
| 435 | ### GnuTLSProxyEngine |
---|
[d8ae2a0] | 436 | |
---|
| 437 | Enable TLS proxy connections for this virtual host |
---|
| 438 | |
---|
[a2e3c33] | 439 | GnuTLSProxyEngine [on|off] |
---|
[d8ae2a0] | 440 | |
---|
| 441 | Default: *off*\ |
---|
| 442 | Context: virtual host |
---|
| 443 | |
---|
| 444 | This directive enables support for TLS proxy connections for a virtual |
---|
| 445 | host. |
---|
| 446 | |
---|
[df49a2d] | 447 | ### GnuTLSProxyCAFile |
---|
[d8ae2a0] | 448 | |
---|
[809c422] | 449 | Set to the PEM encoded Certificate Authority Certificate |
---|
[d8ae2a0] | 450 | |
---|
| 451 | GnuTLSProxyCAFile FILEPATH |
---|
| 452 | |
---|
| 453 | Default: *none*\ |
---|
| 454 | Context: server config, virtual host |
---|
| 455 | |
---|
[809c422] | 456 | Takes an absolute or relative path to a PEM encoded certificate to use |
---|
[d8ae2a0] | 457 | as a Certificate Authority when verifying certificates provided by |
---|
| 458 | proxy back end servers. This file may contain a list of trusted |
---|
| 459 | authorities. If not set, verification of TLS back end servers will |
---|
| 460 | always fail due to lack of a trusted CA. |
---|
| 461 | |
---|
[df49a2d] | 462 | ### GnuTLSProxyCRLFile |
---|
[809c422] | 463 | |
---|
| 464 | Set to the PEM encoded Certificate Revocation List |
---|
| 465 | |
---|
| 466 | GnuTLSProxyCRLFile FILEPATH |
---|
| 467 | |
---|
| 468 | Default: *none*\ |
---|
| 469 | Context: server config, virtual host |
---|
| 470 | |
---|
| 471 | Takes an absolute or relative path to a PEM encoded Certificate |
---|
| 472 | Revocation List to use when verifying certificates provided by proxy |
---|
| 473 | back end servers. The file may contain a list of CRLs. |
---|
| 474 | |
---|
[df49a2d] | 475 | ### GnuTLSProxyCertificateFile |
---|
[d8ae2a0] | 476 | |
---|
[809c422] | 477 | Set to the PEM encoded Client Certificate |
---|
[d8ae2a0] | 478 | |
---|
| 479 | GnuTLSProxyCertificateFile FILEPATH |
---|
| 480 | |
---|
| 481 | Default: *none*\ |
---|
| 482 | Context: server config, virtual host |
---|
| 483 | |
---|
[809c422] | 484 | Takes an absolute or relative path to a PEM encoded X.509 certificate |
---|
[d8ae2a0] | 485 | to use as this Server's End Entity (EE) client certificate for TLS |
---|
| 486 | client authentication in proxy TLS connections. If you need to supply |
---|
| 487 | certificates for intermediate Certificate Authorities (iCAs), they |
---|
| 488 | should be listed in sequence in the file, from EE to the iCA closest |
---|
| 489 | to the root CA. Optionally, you can also include the root CA's |
---|
| 490 | certificate as the last certificate in the list. |
---|
| 491 | |
---|
| 492 | If not set, TLS client authentication will be disabled for TLS proxy |
---|
| 493 | connections. If set, `GnuTLSProxyKeyFile` must be set as well to |
---|
| 494 | provide the matching private key. |
---|
| 495 | |
---|
[df49a2d] | 496 | ### GnuTLSProxyKeyFile |
---|
[d8ae2a0] | 497 | |
---|
[809c422] | 498 | Set to the PEM encoded Private Key |
---|
[d8ae2a0] | 499 | |
---|
| 500 | GnuTLSProxyKeyFile FILEPATH |
---|
| 501 | |
---|
| 502 | Default: *none*\ |
---|
| 503 | Context: server config, virtual host |
---|
| 504 | |
---|
| 505 | Takes an absolute or relative path to the Private Key matching the |
---|
| 506 | certificate configured using the `GnuTLSProxyCertificateFile` |
---|
| 507 | directive. This key cannot currently be password protected. |
---|
| 508 | |
---|
| 509 | **Security Warning:**\ |
---|
| 510 | This private key must be protected. It is read while Apache is still |
---|
| 511 | running as root, and does not need to be readable by the nobody or |
---|
| 512 | apache user. |
---|
| 513 | |
---|
[df49a2d] | 514 | ### GnuTLSProxyPriorities |
---|
[f030883] | 515 | |
---|
| 516 | Set the allowed ciphers, key exchange algorithms, MACs and compression |
---|
| 517 | methods for proxy connections |
---|
| 518 | |
---|
| 519 | GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N |
---|
| 520 | |
---|
| 521 | Default: *none*\ |
---|
| 522 | Context: server config, virtual host |
---|
| 523 | |
---|
| 524 | This option is used to set the allowed ciphers, key exchange |
---|
| 525 | algorithms, MACs and compression methods for proxy connections. It |
---|
| 526 | takes the same parameters as `GnuTLSPriorities`. Required if |
---|
[a2e3c33] | 527 | `GnuTLSProxyEngine` is `On`. |
---|
[f030883] | 528 | |
---|
[df49a2d] | 529 | OCSP Stapling Configuration |
---|
| 530 | --------------------------- |
---|
| 531 | |
---|
| 532 | ### GnuTLSOCSPStapling |
---|
[5a5032f] | 533 | |
---|
[0cd8f3d] | 534 | Enable OCSP stapling for this (virtual) host. |
---|
[5a5032f] | 535 | |
---|
| 536 | GnuTLSOCSPStapling [On|Off] |
---|
| 537 | |
---|
| 538 | Default: *off*\ |
---|
| 539 | Context: server config, virtual host |
---|
| 540 | |
---|
| 541 | OCSP stapling, formally known as the TLS Certificate Status Request |
---|
| 542 | extension, allows the server to provide the client with an OCSP |
---|
| 543 | response for its certificate during the handshake. This way the client |
---|
| 544 | does not have to send an OCSP request to the CA to check the |
---|
| 545 | certificate status, which offers privacy and performance advantages. |
---|
| 546 | |
---|
| 547 | Using OCSP stapling has a few requirements: |
---|
| 548 | |
---|
| 549 | * Caching OCSP responses requires a cache, so `GnuTLSCache` must not |
---|
| 550 | be `none`. |
---|
| 551 | * `GnuTLSCertificateFile` must contain the issuer CA certificate in |
---|
| 552 | addition to the server certificate so responses can be verified. |
---|
| 553 | * The certificate must either contain an OCSP access URI using HTTP, |
---|
| 554 | or `GnuTLSOCSPResponseFile` must be set. |
---|
| 555 | |
---|
| 556 | OCSP cache updates are serialized using the `gnutls-ocsp` mutex. |
---|
| 557 | |
---|
[b888e8b] | 558 | ### GnuTLSOCSPCheckNonce |
---|
| 559 | |
---|
| 560 | Check the nonce in OCSP responses? |
---|
| 561 | |
---|
| 562 | GnuTLSOCSPCheckNonce [On|Off] |
---|
| 563 | |
---|
| 564 | Default: *on*\ |
---|
| 565 | Context: server config, virtual host |
---|
| 566 | |
---|
| 567 | Some CAs refuse to send nonces in their OCSP responses, probably |
---|
| 568 | because that way they can cache responses. If your CA is one of them |
---|
| 569 | you can use this flag to disable nonce verification. Note that |
---|
| 570 | `mod_gnutls` will _send_ a nonce either way. |
---|
| 571 | |
---|
[df49a2d] | 572 | ### GnuTLSOCSPResponseFile |
---|
[5a5032f] | 573 | |
---|
[0cd8f3d] | 574 | Read the OCSP response for stapling from this file instead of sending |
---|
| 575 | a request over HTTP. |
---|
[5a5032f] | 576 | |
---|
| 577 | GnuTLSOCSPResponseFile /path/to/response.der |
---|
| 578 | |
---|
| 579 | Default: *empty*\ |
---|
| 580 | Context: server config, virtual host |
---|
| 581 | |
---|
| 582 | The response file must be updated externally, for example using a cron |
---|
| 583 | job. This option is an alternative to the server fetching OCSP |
---|
| 584 | responses over HTTP. Reasons to use this option include: |
---|
| 585 | |
---|
| 586 | * Performing OCSP requests separate from the web server, to prevent slow |
---|
| 587 | responses from stalling handshakes. |
---|
| 588 | * The issuer CA uses an access method other than HTTP. |
---|
| 589 | * Testing |
---|
| 590 | |
---|
[b34a67e] | 591 | You can use a GnuTLS `ocsptool` command like the following to create |
---|
| 592 | and update the response file: |
---|
| 593 | |
---|
| 594 | ocsptool --ask --nonce --load-issuer ca_cert.pem \ |
---|
| 595 | --load-cert server_cert.pem --outfile ocsp_response.der |
---|
| 596 | |
---|
| 597 | Additional error checking is highly recommended. You may have to |
---|
| 598 | remove the `--nonce` option if the OCSP responder of your CA does not |
---|
| 599 | support nonces. |
---|
| 600 | |
---|
[e1c094c] | 601 | ### GnuTLSOCSPCacheTimeout |
---|
[5a5032f] | 602 | |
---|
[e1c094c] | 603 | Cache timeout for OCSP responses |
---|
[5a5032f] | 604 | |
---|
[e1c094c] | 605 | GnuTLSOCSPCacheTimeout SECONDS |
---|
[5a5032f] | 606 | |
---|
[e1c094c] | 607 | Default: *3600*\ |
---|
[5a5032f] | 608 | Context: server config, virtual host |
---|
| 609 | |
---|
[e1c094c] | 610 | Cached OCSP responses will be refreshed after the configured number of |
---|
| 611 | seconds. How long this timeout should reasonably be depends on your |
---|
| 612 | CA, namely how often its OCSP responder is updated and how long |
---|
| 613 | responses are valid. Note that a response will not be cached beyond |
---|
| 614 | its lifetime as denoted in the `nextUpdate` field of the response. |
---|
[5a5032f] | 615 | |
---|
[c6dda6d] | 616 | ### GnuTLSOCSPFailureTimeout |
---|
| 617 | |
---|
[0cd8f3d] | 618 | Wait this many seconds before retrying a failed OCSP request. |
---|
[c6dda6d] | 619 | |
---|
| 620 | GnuTLSOCSPFailureTimeout SECONDS |
---|
| 621 | |
---|
| 622 | Default: *300*\ |
---|
| 623 | Context: server config, virtual host |
---|
| 624 | |
---|
| 625 | Retries of failed OCSP requests must be rate limited to avoid |
---|
| 626 | overloading both the server using mod_gnutls and the CA's OCSP |
---|
| 627 | responder. A shorter value increases the load on both sides, a longer |
---|
| 628 | one means that stapling will remain disabled for longer after a failed |
---|
| 629 | request. |
---|
| 630 | |
---|
[333bbc7] | 631 | ### GnuTLSOCSPSocketTimeout |
---|
| 632 | |
---|
[0cd8f3d] | 633 | Timeout for TCP sockets used to send OCSP requests |
---|
[333bbc7] | 634 | |
---|
| 635 | GnuTLSOCSPFailureTimeout SECONDS |
---|
| 636 | |
---|
| 637 | Default: *6*\ |
---|
| 638 | Context: server config, virtual host |
---|
| 639 | |
---|
| 640 | Stalled OCSP requests must time out after a while to prevent stalling |
---|
| 641 | the server too much. However, if the timeout is too short requests may |
---|
| 642 | fail with a slow OCSP responder or high latency network |
---|
| 643 | connection. This parameter allows you to adjust the timeout if |
---|
| 644 | necessary. |
---|
| 645 | |
---|
| 646 | Note that this is not an upper limit for the completion of an OCSP |
---|
| 647 | request but a socket timeout. The connection will time out if there is |
---|
| 648 | no activity (successful send or receive) at all for the configured |
---|
| 649 | time. |
---|
| 650 | |
---|
[4ee45a1] | 651 | * * * * * |
---|
| 652 | |
---|
| 653 | Configuration Examples |
---|
[2b16350] | 654 | ====================== |
---|
[4ee45a1] | 655 | |
---|
[743e31f] | 656 | Simple Standard TLS Example |
---|
[2b16350] | 657 | --------------------------- |
---|
[4ee45a1] | 658 | |
---|
[fc124e9] | 659 | The following is an example of simple TLS hosting, using one IP |
---|
| 660 | Addresses for each virtual host. |
---|
[4ee45a1] | 661 | |
---|
[2b16350] | 662 | # Load the module into Apache. |
---|
| 663 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
| 664 | GnuTLSCache gdbm /var/cache/www-tls-cache |
---|
| 665 | GnuTLSCacheTimeout 500 |
---|
[fc124e9] | 666 | |
---|
| 667 | # Without SNI you need one IP Address per-site. |
---|
| 668 | Listen 192.0.2.1:443 |
---|
| 669 | Listen 192.0.2.2:443 |
---|
| 670 | Listen 192.0.2.3:443 |
---|
| 671 | Listen 192.0.2.4:443 |
---|
| 672 | |
---|
| 673 | <VirtualHost 192.0.2.1:443> |
---|
| 674 | GnuTLSEnable on |
---|
| 675 | GnuTLSPriorities SECURE128 |
---|
| 676 | DocumentRoot /www/site1.example.com/html |
---|
| 677 | ServerName site1.example.com:443 |
---|
| 678 | GnuTLSCertificateFile conf/tls/site1.crt |
---|
| 679 | GnuTLSKeyFile conf/tls/site1.key |
---|
[2b16350] | 680 | </VirtualHost> |
---|
[fc124e9] | 681 | |
---|
| 682 | <VirtualHost 192.0.2.2:443> |
---|
| 683 | # This virtual host enables SRP authentication |
---|
| 684 | GnuTLSEnable on |
---|
| 685 | GnuTLSPriorities NORMAL:+SRP |
---|
| 686 | DocumentRoot /www/site2.example.com/html |
---|
| 687 | ServerName site2.example.com:443 |
---|
| 688 | GnuTLSSRPPasswdFile conf/tls/tpasswd.site2 |
---|
| 689 | GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf |
---|
[2b16350] | 690 | </VirtualHost> |
---|
[fc124e9] | 691 | |
---|
| 692 | <VirtualHost 192.0.2.3:443> |
---|
| 693 | # This server enables SRP, OpenPGP and X.509 authentication. |
---|
| 694 | GnuTLSEnable on |
---|
| 695 | GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS:+CTYPE-OPENPGP |
---|
| 696 | DocumentRoot /www/site3.example.com/html |
---|
| 697 | ServerName site3.example.com:443 |
---|
| 698 | GnuTLSCertificateFile conf/tls/site3.crt |
---|
| 699 | GnuTLSKeyFile conf/tls/site3.key |
---|
| 700 | GnuTLSClientVerify ignore |
---|
| 701 | GnuTLSPGPCertificateFile conf/tls/site3.pub.asc |
---|
| 702 | GnuTLSPGPKeyFile conf/tls/site3.sec.asc |
---|
| 703 | GnuTLSSRPPasswdFile conf/tls/tpasswd.site3 |
---|
| 704 | GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf |
---|
[2b16350] | 705 | </VirtualHost> |
---|
[fc124e9] | 706 | |
---|
| 707 | <VirtualHost 192.0.2.4:443> |
---|
| 708 | GnuTLSEnable on |
---|
| 709 | # %COMPAT disables some security features to enable maximum |
---|
| 710 | # compatibility with clients. Don't use this if you need strong |
---|
| 711 | # security. |
---|
| 712 | GnuTLSPriorities NORMAL:%COMPAT |
---|
| 713 | DocumentRoot /www/site4.example.com/html |
---|
| 714 | ServerName site4.example.com:443 |
---|
| 715 | GnuTLSCertificateFile conf/tls/site4.crt |
---|
| 716 | GnuTLSKeyFile conf/tls/site4.key |
---|
[2b16350] | 717 | </VirtualHost> |
---|
| 718 | |
---|
| 719 | Server Name Indication Example |
---|
| 720 | ------------------------------ |
---|
| 721 | |
---|
[fc124e9] | 722 | `mod_gnutls` supports "Server Name Indication", as specified in |
---|
| 723 | RFC 3546. This allows hosting many TLS websites with a single IP |
---|
| 724 | address. All recent browsers support this standard. Here is an |
---|
| 725 | example using SNI: |
---|
[2b16350] | 726 | |
---|
| 727 | # Load the module into Apache. |
---|
| 728 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
[fc124e9] | 729 | |
---|
| 730 | # SNI allows hosting multiple sites using one IP address. This |
---|
| 731 | # could also be 'Listen *:443', just like '*:80' is common for |
---|
| 732 | # non-HTTPS |
---|
| 733 | Listen 198.51.100.1:443 |
---|
| 734 | |
---|
| 735 | <VirtualHost _default_:443> |
---|
| 736 | GnuTLSEnable on |
---|
| 737 | GnuTLSSessionTickets on |
---|
| 738 | GnuTLSPriorities NORMAL |
---|
| 739 | DocumentRoot /www/site1.example.com/html |
---|
| 740 | ServerName site1.example.com:443 |
---|
| 741 | GnuTLSCertificateFile conf/tls/site1.crt |
---|
| 742 | GnuTLSKeyFile conf/tls/site1.key |
---|
[2b16350] | 743 | </VirtualHost> |
---|
[4ee45a1] | 744 | |
---|
[fc124e9] | 745 | <VirtualHost _default_:443> |
---|
| 746 | GnuTLSEnable on |
---|
| 747 | GnuTLSPriorities NORMAL |
---|
| 748 | DocumentRoot /www/site2.example.com/html |
---|
| 749 | ServerName site2.example.com:443 |
---|
| 750 | GnuTLSCertificateFile conf/tls/site2.crt |
---|
| 751 | GnuTLSKeyFile conf/tls/site2.key |
---|
| 752 | </VirtualHost> |
---|
[4ee45a1] | 753 | |
---|
[fc124e9] | 754 | <VirtualHost _default_:443> |
---|
| 755 | GnuTLSEnable on |
---|
| 756 | GnuTLSPriorities NORMAL |
---|
| 757 | DocumentRoot /www/site3.example.com/html |
---|
| 758 | ServerName site3.example.com:443 |
---|
| 759 | GnuTLSCertificateFile conf/tls/site3.crt |
---|
| 760 | GnuTLSKeyFile conf/tls/site3.key |
---|
| 761 | </VirtualHost> |
---|
[4ee45a1] | 762 | |
---|
[fc124e9] | 763 | <VirtualHost _default_:443> |
---|
| 764 | GnuTLSEnable on |
---|
| 765 | GnuTLSPriorities NORMAL |
---|
| 766 | DocumentRoot /www/site4.example.com/html |
---|
| 767 | ServerName site4.example.com:443 |
---|
| 768 | GnuTLSCertificateFile conf/tls/site4.crt |
---|
| 769 | GnuTLSKeyFile conf/tls/site4.key |
---|
| 770 | </VirtualHost> |
---|
[2b16350] | 771 | |
---|
[fc124e9] | 772 | OCSP Stapling Example |
---|
| 773 | --------------------- |
---|
[2b16350] | 774 | |
---|
[fc124e9] | 775 | This example uses an X.509 server certificate. The server will fetch |
---|
| 776 | OCSP responses from the responder listed in the certificate and store |
---|
| 777 | them im a memcached cache shared with another server. |
---|
[2b16350] | 778 | |
---|
| 779 | # Load the module into Apache. |
---|
| 780 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
[fc124e9] | 781 | GnuTLSCache memcache "192.0.2.1:11211 192.0.2.2:11211" |
---|
[2b16350] | 782 | GnuTLSCacheTimeout 600 |
---|
[fc124e9] | 783 | |
---|
| 784 | Listen 192.0.2.1:443 |
---|
| 785 | |
---|
| 786 | <VirtualHost _default_:443> |
---|
| 787 | GnuTLSEnable On |
---|
| 788 | GnuTLSPriorities NORMAL |
---|
| 789 | DocumentRoot /www/site1.example.com/html |
---|
| 790 | ServerName site1.example.com:443 |
---|
| 791 | GnuTLSCertificateFile conf/tls/site1.crt |
---|
| 792 | GnuTLSKeyFile conf/tls/site1.key |
---|
| 793 | GnuTLSPriorities NORMAL |
---|
| 794 | GnuTLSOCSPStapling On |
---|
[2b16350] | 795 | </VirtualHost> |
---|
[4ee45a1] | 796 | |
---|
| 797 | * * * * * |
---|
| 798 | |
---|
[2b16350] | 799 | Environment Variables |
---|
| 800 | ===================== |
---|
[4ee45a1] | 801 | |
---|
[2b16350] | 802 | `mod_gnutls` exports the following environment variables to scripts. |
---|
| 803 | These are compatible with `mod_ssl`. |
---|
[4ee45a1] | 804 | |
---|
[2b16350] | 805 | `HTTPS` |
---|
| 806 | ------- |
---|
[4ee45a1] | 807 | |
---|
[2b16350] | 808 | Can be `on` or `off` |
---|
[4ee45a1] | 809 | |
---|
[2b16350] | 810 | `SSL_VERSION_LIBRARY` |
---|
| 811 | --------------------- |
---|
[4ee45a1] | 812 | |
---|
[2b16350] | 813 | The version of the GnuTLS library |
---|
[4ee45a1] | 814 | |
---|
[2b16350] | 815 | `SSL_VERSION_INTERFACE` |
---|
| 816 | ----------------------- |
---|
[4ee45a1] | 817 | |
---|
| 818 | The version of this module |
---|
| 819 | |
---|
[2b16350] | 820 | `SSL_PROTOCOL` |
---|
| 821 | -------------- |
---|
[4ee45a1] | 822 | |
---|
[2b16350] | 823 | The SSL or TLS protocol name (such as `TLS 1.0` etc.) |
---|
[4ee45a1] | 824 | |
---|
[2b16350] | 825 | `SSL_CIPHER` |
---|
| 826 | ------------ |
---|
[4ee45a1] | 827 | |
---|
| 828 | The SSL or TLS cipher suite name |
---|
| 829 | |
---|
[2b16350] | 830 | `SSL_COMPRESS_METHOD` |
---|
| 831 | --------------------- |
---|
[4ee45a1] | 832 | |
---|
[2b16350] | 833 | The negotiated compression method (`NULL` or `DEFLATE`) |
---|
[4ee45a1] | 834 | |
---|
[2b16350] | 835 | `SSL_SRP_USER` |
---|
| 836 | -------------- |
---|
[4ee45a1] | 837 | |
---|
| 838 | The SRP username used for authentication (only set when |
---|
[2b16350] | 839 | `GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured). |
---|
[4ee45a1] | 840 | |
---|
[2b16350] | 841 | `SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE` |
---|
| 842 | ------------------------------------------------- |
---|
[4ee45a1] | 843 | |
---|
| 844 | The number if bits used in the used cipher algorithm. |
---|
| 845 | |
---|
| 846 | This does not fully reflect the security level since the size of |
---|
| 847 | RSA or DHE key exchange parameters affect the security level too. |
---|
| 848 | |
---|
[5674676] | 849 | `SSL_DH_PRIME_BITS` |
---|
| 850 | ------------------- |
---|
| 851 | |
---|
| 852 | The number if bits in the modulus for the DH group, if DHE or static |
---|
| 853 | DH is used. |
---|
| 854 | |
---|
| 855 | This will not be set if DH is not used. |
---|
| 856 | |
---|
[2b16350] | 857 | `SSL_CIPHER_EXPORT` |
---|
| 858 | ------------------- |
---|
[4ee45a1] | 859 | |
---|
[2b16350] | 860 | `True` or `False`. Whether the cipher suite negotiated is an export one. |
---|
[4ee45a1] | 861 | |
---|
[2b16350] | 862 | `SSL_SESSION_ID` |
---|
| 863 | ---------------- |
---|
[4ee45a1] | 864 | |
---|
| 865 | The session ID negotiated in this session. Can be the same during client |
---|
| 866 | reloads. |
---|
| 867 | |
---|
[2b16350] | 868 | `SSL_CLIENT_V_REMAIN` |
---|
| 869 | --------------------- |
---|
[4ee45a1] | 870 | |
---|
| 871 | The number of days until the client's certificate is expired. |
---|
| 872 | |
---|
[2b16350] | 873 | `SSL_CLIENT_V_START` |
---|
| 874 | -------------------- |
---|
[4ee45a1] | 875 | |
---|
| 876 | The activation time of client's certificate. |
---|
| 877 | |
---|
[2b16350] | 878 | `SSL_CLIENT_V_END` |
---|
| 879 | ------------------ |
---|
[4ee45a1] | 880 | |
---|
| 881 | The expiration time of client's certificate. |
---|
| 882 | |
---|
[2b16350] | 883 | `SSL_CLIENT_S_DN` |
---|
| 884 | ----------------- |
---|
[4ee45a1] | 885 | |
---|
| 886 | The distinguished name of client's certificate in RFC2253 format. |
---|
| 887 | |
---|
[2b16350] | 888 | `SSL_CLIENT_I_DN` |
---|
| 889 | ----------------- |
---|
[4ee45a1] | 890 | |
---|
| 891 | The SSL or TLS cipher suite name |
---|
| 892 | |
---|
[2b16350] | 893 | `SSL_CLIENT_S_AN%` |
---|
| 894 | ------------------ |
---|
[4ee45a1] | 895 | |
---|
[2b16350] | 896 | These will contain the alternative names of the client certificate (`%` is |
---|
[4ee45a1] | 897 | a number starting from zero). |
---|
| 898 | |
---|
[2b16350] | 899 | The values will be prepended by `DNSNAME:`, `RFC822NAME:` or `URI:` |
---|
[4ee45a1] | 900 | depending on the type. |
---|
| 901 | |
---|
[2b16350] | 902 | If it is not supported the value `UNSUPPORTED` will be set. |
---|
[4ee45a1] | 903 | |
---|
[2b16350] | 904 | `SSL_SERVER_M_SERIAL` |
---|
| 905 | --------------------- |
---|
[4ee45a1] | 906 | |
---|
| 907 | The serial number of the server's certificate. |
---|
| 908 | |
---|
[2b16350] | 909 | `SSL_SERVER_M_VERSION` |
---|
| 910 | ---------------------- |
---|
[4ee45a1] | 911 | |
---|
| 912 | The version of the server's certificate. |
---|
| 913 | |
---|
[2b16350] | 914 | `SSL_SERVER_A_SIG` |
---|
| 915 | ------------------ |
---|
[4ee45a1] | 916 | |
---|
| 917 | The algorithm used for the signature in server's certificate. |
---|
| 918 | |
---|
[2b16350] | 919 | `SSL_SERVER_A_KEY` |
---|
| 920 | ------------------ |
---|
[4ee45a1] | 921 | |
---|
| 922 | The public key algorithm in server's certificate. |
---|
| 923 | |
---|
[999cdec] | 924 | `SSL_SERVER_CERT` |
---|
[2b16350] | 925 | ------------------ |
---|
[4ee45a1] | 926 | |
---|
[999cdec] | 927 | The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate |
---|
| 928 | (see the `GnuTLSExportCertificates` directive). |
---|
[4ee45a1] | 929 | |
---|
[2b16350] | 930 | `SSL_SERVER_CERT_TYPE` |
---|
| 931 | ---------------------- |
---|
[4ee45a1] | 932 | |
---|
[2b16350] | 933 | The certificate type can be `X.509` or `OPENPGP`. |
---|
[ac32bb5] | 934 | |
---|
[999cdec] | 935 | `SSL_CLIENT_CERT` |
---|
| 936 | ------------------ |
---|
| 937 | |
---|
| 938 | The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate |
---|
| 939 | (see the `GnuTLSExportCertificates` directive). |
---|
| 940 | |
---|
[ac32bb5] | 941 | `SSL_CLIENT_CERT_TYPE` |
---|
| 942 | ---------------------- |
---|
| 943 | |
---|
| 944 | The certificate type can be `X.509` or `OPENPGP`. |
---|