source: mod_gnutls/doc/mod_gnutls_manual.mdwn @ 06f8005

Last change on this file since 06f8005 was dff57b4, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Update documentation for TEST_IP and "--disable-flock"

% `mod_gnutls` Manual

* * * * *

`mod_gnutls` is a module for the Apache web server that provides HTTPS
(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
Layer (SSL)) using the GnuTLS library.  More information about the
module can be found at [the project's website](https://mod.gnutls.org/).

* * * * *

Compilation & Installation
==========================

`mod_gnutls` uses the `./configure && make && make install` mechanism
common to many Open Source programs.  Most of the dirty work is
handled by either `./configure` or Apache's `apxs` utility. If you have
built Apache modules before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`
:   This option is used to specify the location of the apxs utility that
    was installed as part of apache. Specify the location of the
    binary, not the directory it is located in.

`--with-apu-config=PATH`
:   Path to APR Utility Library config tool (`apu-1-config`)

`--help`
:   Provides a list of all available configure options.

It is recommended to run `make check` before installation. If your
system doesn't have a loopback device with IPv6 and IPv4 support or
`localhost` does not resolve to at least one of `[::1]` and
`127.0.0.1`, you may have to set the `TEST_HOST` or `TEST_IP`
environment variables when running `./configure` to make the test
suite work correctly.

* * * * *

Integration
===========

To activate `mod_gnutls` just add the following line to your httpd.conf
and restart Apache:

    LoadModule gnutls_module modules/mod_gnutls.so

* * * * *

Configuration Directives
========================

`GnuTLSEnable`
--------------

Enable GnuTLS for this virtual host

    GnuTLSEnable [on|off]

Default: *off*\
Context: virtual host

This directive enables SSL/TLS encryption for a virtual host.

`GnuTLSCache`
-------------

Configure SSL Session Cache

    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]

Default: `GnuTLSCache none`\
Context: server config

This directive configures the SSL session cache for `mod_gnutls`.
The cache can be shared between machines of different architectures.

`dbm` (requires Berkeley DBM)
:   Uses the default Berkeley DB backend of APR DBM to cache SSL
    session data.  The argument is a relative or absolute path to
    be used as the DBM cache file. This is compatible with most
    operating systems, but needs the Apache Runtime to be compiled
    with Berkeley DBM support.

`gdbm`
:   Uses the GDBM backend of APR DBM to cache SSL session data.

    The argument is a relative or absolute path to be used as the DBM cache
    file.  This is the recommended option.

`memcache`
:   Uses a memcached server to cache SSL sessions.

    The argument is a space separated list of servers. If no port
    number is supplied, the default of 11211 is used.  This can be
    used to share a session cache between all servers in a cluster.

`none`
:   Turns off all caching of SSL sessions.

    This can significantly reduce the performance of `mod_gnutls`, since
    even follow-up connections by a client must perform a full handshake
    instead of resuming the earlier session.  This is the default, since it
    requires no configuration.

`GnuTLSCacheTimeout`
--------------------

Timeout for SSL Session Cache expiration

    GnuTLSCacheTimeout SECONDS

Default: `GnuTLSCacheTimeout 300`\
Context: server config

Sets the timeout for the expiration of SSL session cache entries.  This
directive is valid even if session tickets are used, and then indicates
the expiration time of the ticket in seconds.

`GnuTLSSessionTickets`
----------------------

Enable Session Tickets for the server

    GnuTLSSessionTickets [on|off]

Default: `off`\
Context: server config, virtual host

Instead of storing session data for TLS session resumption on the
server, the server can hand the client a ticket that the client presents
when it returns.  Use this for servers with limited storage, and don't
combine it with GnuTLSCache. For a pool of servers this option is not
recommended, since a ticket is only valid for the server that issued it.


`GnuTLSCertificateFile`
-----------------------

Set to the PEM Encoded Server Certificate

    GnuTLSCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

Since version 0.7 this can be a PKCS #11 URL.
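
The ordering rule above is easy to get wrong when files are concatenated
by hand, and a wrong order usually only surfaces as obscure verification
failures on the client side. The following Go program is an added example,
not part of `mod_gnutls` or its documentation: it builds a throw-away
root CA, intermediate CA and end-entity certificate in memory (the names
and validity periods are made up for the example), writes them out as the
PEM bundle `GnuTLSCertificateFile` expects, and checks that every
certificate in the bundle is signed by the one that follows it, so a
bundle with the intermediate pasted first, or with the intermediate
missing, is rejected before it ever reaches Apache.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckChainOrder parses a PEM bundle laid out the way GnuTLSCertificateFile
// expects it (end-entity certificate first, then each intermediate CA up
// towards the root, root optional last) and verifies that every certificate
// in the file is signed by the one that follows it.  It returns the parsed
// chain, or an error naming the first certificate that is out of place.
func CheckChainOrder(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for rest := bundle; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			// Keys or DH parameters do not belong in this file.
			return nil, fmt.Errorf("unexpected %q block in certificate bundle", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(chain), err)
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found")
	}
	// The first entry must be the server's own (end-entity) certificate.
	if chain[0].IsCA {
		return nil, fmt.Errorf("first certificate (%s) is a CA certificate, expected the end-entity certificate",
			chain[0].Subject.CommonName)
	}
	// Each certificate must have been issued by the next one in the file.
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return nil, fmt.Errorf("certificate %d (%s) is not signed by certificate %d (%s): %w",
				i, chain[i].Subject.CommonName, i+1, chain[i+1].Subject.CommonName, err)
		}
	}
	return chain, nil
}

// DemoChain builds a throw-away root CA, intermediate CA and end-entity
// certificate in memory (constructed for this example only: ECDSA P-256,
// made-up names, valid for one day) and returns each as a PEM block.
func DemoChain() (ee, ica, root []byte, err error) {
	issue := func(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, nil, err
		}
		signer := parentKey
		if signer == nil { // no issuer given: self-signed root
			signer, parent = key, tmpl
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil {
			return nil, nil, nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, nil, nil, err
		}
		return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
	}
	now := time.Now()
	caTemplate := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now,
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootCert, rootKey, root, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	icaCert, icaKey, ica, err := issue(caTemplate("Example Intermediate CA", 2), rootCert, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	eeTemplate := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "www.example.com"},
		DNSNames:              []string{"www.example.com"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // IsCA stays false: this is the EE certificate
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, _, ee, err = issue(eeTemplate, icaCert, icaKey)
	return ee, ica, root, err
}

func main() {
	ee, ica, root, err := DemoChain()
	if err != nil {
		panic(err)
	}
	// Correct layout for GnuTLSCertificateFile: EE, intermediate, (root).
	good := append(append(append([]byte{}, ee...), ica...), root...)
	// A common mistake: the intermediate pasted before the server certificate.
	bad := append(append(append([]byte{}, ica...), ee...), root...)
	for name, bundle := range map[string][]byte{"good": good, "bad": bad} {
		chain, err := CheckChainOrder(bundle)
		if err != nil {
			fmt.Printf("%s bundle: %v\n", name, err)
			continue
		}
		fmt.Printf("%s bundle: %d certificates in the right order\n", name, len(chain))
	}
}
```

To check a real bundle, pass the file contents to `CheckChainOrder` instead
of the constructed chain. The signature walk is the same one a client
performs when it chains the served certificates, but it reports which
position in the file is wrong instead of just failing the handshake.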
157
`GnuTLSKeyFile`
---------------

Set to the PEM Encoded Server Private Key

    GnuTLSKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the server's private key. Set
`GnuTLSPIN` if the key file is encrypted.

Since version 0.7 this can be a PKCS #11 URL.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the unprivileged `nobody` or `apache` user.

`GnuTLSPGPCertificateFile`
--------------------------

Set to a base64 Encoded Server OpenPGP Certificate

    GnuTLSPGPCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64-encoded OpenPGP
certificate to use as this server's certificate.

`GnuTLSPGPKeyFile`
------------------

Set to the Server OpenPGP Secret Key

    GnuTLSPGPKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the server's OpenPGP secret key.
This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the unprivileged `nobody` or `apache` user.

`GnuTLSClientVerify`
--------------------

Enable Client Certificate Verification

    GnuTLSClientVerify [ignore|request|require]

Default: `ignore`\
Context: server config, virtual host, directory, .htaccess

This directive controls the use of SSL client certificate
authentication. If used in the `.htaccess` context, it can force a TLS
re-negotiation.

`ignore`
:   `mod_gnutls` will ignore the contents of any SSL client certificates
    sent. It will not request that the client sends a certificate.

`request`
:   The client certificate will be requested, but not required.
    The certificate will be validated if sent.  The result of the
    validation will be stored in the `SSL_CLIENT_VERIFY`
    environment variable and can be `SUCCESS`, `FAILED` or `NONE`.

`require`
:   A client certificate will be required. Any requests without a valid
    client certificate will be denied.  The `SSL_CLIENT_VERIFY`
    environment variable will only ever be set to `SUCCESS`.

`GnuTLSClientCAFile`
--------------------

Set to the PEM Encoded Certificate Authority Certificate

    GnuTLSClientCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded certificate to use
as a Certificate Authority for client certificate authentication.
This file may contain a list of trusted authorities.

`GnuTLSPGPKeyringFile`
----------------------

Set to a base64 Encoded key ring

    GnuTLSPGPKeyringFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64-encoded certificate
list (key ring) to use for the verification of client
certificates.  This file should contain a list of trusted signers.

`GnuTLSDHFile`
--------------

Set to the PKCS \#3 encoded Diffie Hellman parameters

    GnuTLSDHFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH
parameters. Those are used when the DHE key exchange method is enabled.
You can generate this file using
`certtool --generate-dh-params --bits 2048`.  If not set, `mod_gnutls`
will use the included parameters.

`GnuTLSSRPPasswdFile`
---------------------

Set to the SRP password file for SRP ciphersuites

    GnuTLSSRPPasswdFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password file. This is
the same format as used in libsrp.  You can generate such a file using
the command `srptool --passwd /etc/tpasswd --passwd-conf
/etc/tpasswd.conf -u test` to set a password for the user test.  This
password file holds the username, a password verifier and a reference
to the SRP parameters the verifier was generated with.

`GnuTLSSRPPasswdConfFile`
-------------------------

Set to the SRP password.conf file for SRP ciphersuites

    GnuTLSSRPPasswdConfFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This
is the same format as used in `libsrp`.  You can generate such a file
using the command `srptool --create-conf /etc/tpasswd.conf`.  This
file holds the SRP parameters and is associated with the password file
(the verifiers depend on these parameters).

`GnuTLSPriorities`
------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

Takes a colon-separated list of ciphers, key exchange methods,
message authentication codes and compression methods to enable.
The allowed keywords are specified in the `gnutls_priority_init()`
function of GnuTLS.

Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
In brief you can specify a set of ciphersuites from the choices:

`NONE`
:   The empty list.

`EXPORT`
:   A list with all the supported cipher combinations
    including the `EXPORT` strength algorithms.

`PERFORMANCE`
:   A list with all the secure cipher combinations sorted in terms of performance.

`NORMAL`
:   A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).

`SECURE`
:   A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the `+` and `!`
prefixes respectively.

For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
you can use the string `NORMAL:!ARCFOUR-128`.

Other options such as the protocol version and the compression method
can be specified using the `VERS-` and `COMP-` prefixes.

So in order to remove or add a specific TLS version from the `NORMAL`
set, use for example `NORMAL:!VERS-SSL3.0` to disable SSL 3.0.  And to
enable zlib compression use `NORMAL:+COMP-DEFLATE`.

However, it is recommended not to enable compression at this level:
TLS-level compression leaks information about the plaintext to anyone
who can observe the ciphertext (the CRIME attack).  With the `NONE`
set, in order to be usable, you have to specify a complete set of
combinations of protocol versions, cipher algorithms (`AES-128-CBC`),
key exchange algorithms (`RSA`), message authentication codes (`SHA1`)
and compression methods (`COMP-NULL`).

You can find a list of all supported ciphers, versions, MACs, etc. by
running `gnutls-cli --list`.

The special keyword `%COMPAT` will disable some security features such
as protection against statistical attacks on ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).

`GnuTLSP11Module`
-----------------

Load this PKCS #11 module.

    GnuTLSP11Module PATH_TO_LIBRARY

Default: *none*\
Context: server config

Load this PKCS #11 provider module instead of the system
defaults. May occur multiple times to load multiple modules.

`GnuTLSPIN`
-----------

Set the PIN to be used to access encrypted key files or PKCS #11 objects.

    GnuTLSPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
a security module, or as the passphrase used to decrypt PKCS #8, PKCS #12,
or OpenSSL encrypted keys.  The PIN is stored in clear text in the
configuration, so the configuration file needs the same protection as
the key it unlocks.

`GnuTLSSRKPIN`
--------------

Set the SRK PIN to be used to access the TPM.

    GnuTLSSRKPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as the Storage Root Key (SRK) PIN for the
protected objects in the TPM module.

`GnuTLSExportCertificates`
--------------------------

Export the PEM encoded certificates to CGIs

    GnuTLSExportCertificates [off|on|SIZE]

Default: `off`\
Context: server config, virtual host

This directive configures exporting the full certificates of the
server and the client to CGI scripts via the `SSL_SERVER_CERT` and
`SSL_CLIENT_CERT` environment variables. The exported certificates
will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
size given.  The type of the certificate will be exported in
`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.

SIZE should be an integer number of bytes, or may be written with a
trailing `K` to indicate kibibytes.  `off` means the same thing as
`0`, in which case the certificates will not be exported to the
environment.  `on` is an alias for `16K`.  If a non-zero size is
specified for this directive, but a certificate is too large to fit in
the buffer, then the corresponding environment variable will contain
the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.

With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
environment variables to the CGI process as `mod_ssl`.

`GnuTLSProxyEngine`
-------------------

Enable TLS proxy connections for this virtual host

    GnuTLSProxyEngine [on|off]

Default: *off*\
Context: virtual host

This directive enables support for TLS proxy connections for a virtual
host.

`GnuTLSProxyCAFile`
-------------------

Set to the PEM encoded Certificate Authority Certificate

    GnuTLSProxyCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded certificate to use
as a Certificate Authority when verifying certificates provided by
proxy back end servers. This file may contain a list of trusted
authorities. If not set, verification of TLS back end servers will
always fail due to lack of a trusted CA.

`GnuTLSProxyCRLFile`
--------------------

Set to the PEM encoded Certificate Revocation List

    GnuTLSProxyCRLFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded Certificate
Revocation List to use when verifying certificates provided by proxy
back end servers. The file may contain a list of CRLs.

`GnuTLSProxyCertificateFile`
----------------------------

Set to the PEM encoded Client Certificate

    GnuTLSProxyCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded X.509 certificate
to use as this server's End Entity (EE) client certificate for TLS
client authentication in proxy TLS connections. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest
to the root CA. Optionally, you can also include the root CA's
certificate as the last certificate in the list.

If not set, TLS client authentication will be disabled for TLS proxy
connections. If set, `GnuTLSProxyKeyFile` must be set as well to
provide the matching private key.

`GnuTLSProxyKeyFile`
--------------------

Set to the PEM encoded Private Key

    GnuTLSProxyKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the private key matching the
certificate configured using the `GnuTLSProxyCertificateFile`
directive. This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the unprivileged `nobody` or `apache` user.

`GnuTLSProxyPriorities`
-----------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods for proxy connections

    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

This option is used to set the allowed ciphers, key exchange
algorithms, MACs and compression methods for proxy connections. It
takes the same parameters as `GnuTLSPriorities`. Required if
`GnuTLSProxyEngine` is `On`.

* * * * *
548
549Configuration Examples
550======================
551
552Simple Standard SSL Example
553---------------------------
554
555The following is an example of standard SSL Hosting, using one IP
556Addresses for each virtual host
557
558     # Load the module into Apache.
559     LoadModule gnutls_module modules/mod_gnutls.so
560     GnuTLSCache gdbm /var/cache/www-tls-cache
561     GnuTLSCacheTimeout 500
562     # With normal SSL Websites, you need one IP Address per-site.
563     Listen 1.2.3.1:443
564     Listen 1.2.3.2:443
565     Listen 1.2.3.3:443
566     Listen 1.2.3.4:443
567     <VirtualHost 1.2.3.1:443>
568     GnuTLSEnable on
569     GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
570     DocumentRoot /www/site1.example.com/html
571     ServerName site1.example.com:443
572     GnuTLSCertificateFile conf/ssl/site1.crt
573     GnuTLSKeyFile conf/ss/site1.key
574     </VirtualHost>
575     <VirtualHost 1.2.3.2:443>
576     # This virtual host enables SRP authentication
577     GnuTLSEnable on
578     GnuTLSPriorities NORMAL:+SRP
579     DocumentRoot /www/site2.example.com/html
580     ServerName site2.example.com:443
581     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
582     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
583     </VirtualHost>
584     <VirtualHost 1.2.3.3:443>
585     # This server enables SRP, OpenPGP and X.509 authentication.
586     GnuTLSEnable on
587     GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
588     DocumentRoot /www/site3.example.com/html
589     ServerName site3.example.com:443
590     GnuTLSCertificateFile conf/ssl/site3.crt
591     GnuTLSKeyFile conf/ss/site3.key
592     GnuTLSClientVerify ignore
593     GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
594     GnuTLSPGPKeyFile conf/ss/site3.sec.asc
595     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
596     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
597     </VirtualHost>
598     <VirtualHost 1.2.3.4:443>
599     GnuTLSEnable on
600     # %COMPAT disables some security features to enable maximum compatibility with clients.
601     GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
602     DocumentRoot /www/site4.example.com/html
603     ServerName site4.example.com:443
604     GnuTLSCertificateFile conf/ssl/site4.crt
605     GnuTLSKeyFile conf/ss/site4.key
606     </VirtualHost>
607
608Server Name Indication Example
609------------------------------
610
611`mod_gnutls` can also use "Server Name Indication", as specified in
612RFC 3546.  This allows hosting many SSL Websites, with a Single IP
613Address.  Currently all the recent browsers support this
614standard. Here is an example, using SNI: ` `
615
616
617     # Load the module into Apache.
618     LoadModule gnutls_module modules/mod_gnutls.so
619     # With normal SSL Websites, you need one IP Address per-site.
620     Listen 1.2.3.1:443
621     # This could also be 'Listen *:443',
622     # just like '*:80' is common for non-https
623     # No caching. Enable session tickets. Timeout is still used for
624     # ticket expiration.
625     GnuTLSCacheTimeout 600
626     # This tells apache, that for this IP/Port combination, we want to use
627     # Name Based Virtual Hosting. In the case of Server Name Indication,
628     # it lets mod_gnutls pick the correct Server Certificate.
629     NameVirtualHost 1.2.3.1:443
630     <VirtualHost 1.2.3.1:443>
631     GnuTLSEnable on
632     GnuTLSSessionTickets on
633     GnuTLSPriorities NORMAL
634     DocumentRoot /www/site1.example.com/html
635     ServerName site1.example.com:443
636     GnuTLSCertificateFile conf/ssl/site1.crt
637     GnuTLSKeyFile conf/ss/site1.key
638     </VirtualHost>
639     <VirtualHost 1.2.3.1:443>
640     GnuTLSEnable on
641     GnuTLSPriorities NORMAL
642     DocumentRoot /www/site2.example.com/html
643     ServerName site2.example.com:443
644     GnuTLSCertificateFile conf/ssl/site2.crt
645     GnuTLSKeyFile conf/ss/site2.key
646     </VirtualHost>
647     <VirtualHost 1.2.3.1:443>
648     GnuTLSEnable on
649     GnuTLSPriorities NORMAL
650     DocumentRoot /www/site3.example.com/html
651     ServerName site3.example.com:443
652     GnuTLSCertificateFile conf/ssl/site3.crt
653     GnuTLSKeyFile conf/ss/site3.key
654     </VirtualHost>
655     <VirtualHost 1.2.3.1:443>
656     GnuTLSEnable on
657     GnuTLSPriorities NORMAL
658     DocumentRoot /www/site4.example.com/html
659     ServerName site4.example.com:443
660     GnuTLSCertificateFile conf/ssl/site4.crt
661     GnuTLSKeyFile conf/ss/site4.key
662     </VirtualHost>
663
664
665* * * * *
666
667Performance Issues
668==================
669
670`mod_gnutls` by default uses conservative settings for the server.
671You can fine tune the configuration to reduce the load on a busy
672server.  The following examples do exactly this:
673
674
675     # Load the module into Apache.
676     LoadModule gnutls_module modules/mod_gnutls.so
677     # Using 4 memcache servers to distribute the SSL Session Cache.
678     GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
679     GnuTLSCacheTimeout 600
680     Listen 1.2.3.1:443
681     NameVirtualHost 1.2.3.1:443
682     <VirtualHost 1.2.3.1:443>
683     GnuTLSEnable on
684     # Here we disable the Perfect forward secrecy ciphersuites (DHE)
685     # and disallow AES-256 since AES-128 is just fine.
686     GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
687     DocumentRoot /www/site1.example.com/html
688     ServerName site1.example.com:443
689     GnuTLSCertificateFile conf/ssl/site1.crt
690     GnuTLSKeyFile conf/ss/site1.key
691     </VirtualHost>
692     <VirtualHost 1.2.3.1:443>
693     GnuTLSEnable on
694     # Here we instead of disabling the DHE ciphersuites we use
695     # Diffie Hellman parameters of smaller size than the default (2048 bits).
696     # Using small numbers from 768 to 1024 bits should be ok once they are
697     # regenerated every few hours.
698     # Use "certtool --generate-dh-params --bits 1024" to get those
699     GnuTLSDHFile /etc/apache2/dh.params
700     GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
701     DocumentRoot /www/site2.example.com/html
702     ServerName site2.example.com:443
703     GnuTLSCertificateFile conf/ssl/site2.crt
704     GnuTLSKeyFile conf/ss/site2.key
705     </VirtualHost>
706
707* * * * *
708
Environment Variables
=====================

`mod_gnutls` exports the following environment variables to scripts.
These are compatible with `mod_ssl`.

`HTTPS`
-------

Can be `on` or `off`

`SSL_VERSION_LIBRARY`
---------------------

The version of the GnuTLS library

`SSL_VERSION_INTERFACE`
-----------------------

The version of this module

`SSL_PROTOCOL`
--------------

The SSL or TLS protocol name (such as `TLS 1.0` etc.)

`SSL_CIPHER`
------------

The SSL or TLS cipher suite name

`SSL_COMPRESS_METHOD`
---------------------

The negotiated compression method (`NULL` or `DEFLATE`)

`SSL_SRP_USER`
--------------

The SRP username used for authentication (only set when
`GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured).

`SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE`
-------------------------------------------------

The number of bits used in the negotiated cipher algorithm.

This does not fully reflect the security level, since the size of the
RSA or DHE key exchange parameters affects the security level too.

`SSL_DH_PRIME_BITS`
-------------------

The number of bits in the modulus of the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

`SSL_CIPHER_EXPORT`
-------------------

`True` or `False`. Whether the cipher suite negotiated is an export one.

`SSL_SESSION_ID`
----------------

The session ID negotiated in this session. It stays the same when the
client resumes the session, for example on a page reload.

`SSL_CLIENT_V_REMAIN`
---------------------

The number of days until the client's certificate expires.

`SSL_CLIENT_V_START`
--------------------

The activation time of the client's certificate.

`SSL_CLIENT_V_END`
------------------

The expiration time of the client's certificate.

`SSL_CLIENT_S_DN`
-----------------

The distinguished name of the client's certificate in RFC2253 format.

`SSL_CLIENT_I_DN`
-----------------

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

`SSL_CLIENT_S_AN%`
------------------

These will contain the alternative names of the client certificate (`%` is
a number starting from zero).

The values will be prefixed with `DNSNAME:`, `RFC822NAME:` or `URI:`
depending on the type.

If the type is not supported, the value `UNSUPPORTED` will be set.

`SSL_SERVER_M_SERIAL`
---------------------

The serial number of the server's certificate.

`SSL_SERVER_M_VERSION`
----------------------

The version of the server's certificate.

`SSL_SERVER_A_SIG`
------------------

The algorithm used for the signature in the server's certificate.

`SSL_SERVER_A_KEY`
------------------

The public key algorithm in the server's certificate.

`SSL_SERVER_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_SERVER_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.

`SSL_CLIENT_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_CLIENT_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.
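
How a script should consume these variables is left implicit above and in
the `GnuTLSClientVerify` section: only an `SSL_CLIENT_VERIFY` of `SUCCESS`
says anything about who the client is (with `GnuTLSClientVerify request`
a certificate that failed validation may still have been sent), the
alternative names carry a type prefix or the literal `UNSUPPORTED`, and
`SSL_CLIENT_CERT` may hold the `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`
marker instead of a certificate. The Go program below is an added
example, not code from `mod_gnutls`: it evaluates a CGI environment the
way a handler should, falling back to a constructed sample environment
(`SampleEnv`, with made-up names and values) when it is not running
under Apache. The 30-day expiry warning threshold is an arbitrary
choice for the example.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// SizeLimitSentinel is the fixed string mod_gnutls places in SSL_CLIENT_CERT
// or SSL_SERVER_CERT when the certificate exceeds the GnuTLSExportCertificates
// size.  It must never be parsed as a certificate.
const SizeLimitSentinel = "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"

// AltName is one SSL_CLIENT_S_AN<n> entry split into its type prefix
// (DNSNAME, RFC822NAME, URI or UNSUPPORTED) and value.
type AltName struct {
	Type, Value string
}

// ClientAuth is what a CGI script may safely conclude from the environment.
type ClientAuth struct {
	Verified bool      // true only when SSL_CLIENT_VERIFY is SUCCESS
	Reason   string    // why Verified is false
	Subject  string    // SSL_CLIENT_S_DN, only filled in when Verified
	Issuer   string    // SSL_CLIENT_I_DN, only filled in when Verified
	AltNames []AltName // SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ...
	DaysLeft int       // SSL_CLIENT_V_REMAIN, -1 when unknown
	CertPEM  string    // SSL_CLIENT_CERT when exported and within the size limit
	Warnings []string  // conditions worth logging even though access is granted
}

// EvaluateClientAuth interprets the mod_ssl-compatible variables exported by
// mod_gnutls.  Nothing in the SSL_CLIENT_* family is treated as an identity
// until SSL_CLIENT_VERIFY says SUCCESS; FAILED means a certificate was sent
// but did not validate, NONE that no certificate was sent at all.
func EvaluateClientAuth(env map[string]string, minDaysLeft int) ClientAuth {
	res := ClientAuth{DaysLeft: -1}
	if env["HTTPS"] != "on" {
		res.Reason = "request did not arrive over TLS"
		return res
	}
	switch env["SSL_CLIENT_VERIFY"] {
	case "SUCCESS":
		res.Verified = true
	case "NONE":
		res.Reason = "client did not present a certificate"
		return res
	case "FAILED":
		res.Reason = "client certificate did not validate against GnuTLSClientCAFile"
		return res
	default:
		res.Reason = "SSL_CLIENT_VERIFY not set; is GnuTLSClientVerify still 'ignore'?"
		return res
	}
	res.Subject = env["SSL_CLIENT_S_DN"]
	res.Issuer = env["SSL_CLIENT_I_DN"]
	// Alternative names are numbered from zero; stop at the first gap.
	for i := 0; ; i++ {
		raw, ok := env["SSL_CLIENT_S_AN"+strconv.Itoa(i)]
		if !ok {
			break
		}
		parts := strings.SplitN(raw, ":", 2)
		if len(parts) != 2 { // the literal UNSUPPORTED, or anything malformed
			res.AltNames = append(res.AltNames, AltName{Type: "UNSUPPORTED"})
			continue
		}
		res.AltNames = append(res.AltNames, AltName{Type: parts[0], Value: parts[1]})
	}
	if d, err := strconv.Atoi(env["SSL_CLIENT_V_REMAIN"]); err == nil {
		res.DaysLeft = d
		if d < minDaysLeft {
			res.Warnings = append(res.Warnings, fmt.Sprintf("client certificate expires in %d days", d))
		}
	}
	switch cert := env["SSL_CLIENT_CERT"]; cert {
	case "":
		// GnuTLSExportCertificates is off; nothing was exported.
	case SizeLimitSentinel:
		res.Warnings = append(res.Warnings, "client certificate exceeds the GnuTLSExportCertificates size; raise SIZE")
	default:
		res.CertPEM = cert
	}
	return res
}

// SampleEnv is a constructed environment (made-up names) resembling what
// mod_gnutls passes to a CGI behind "GnuTLSClientVerify request" with
// "GnuTLSExportCertificates 1K" and a client certificate larger than 1 KiB.
func SampleEnv() map[string]string {
	return map[string]string{
		"HTTPS":                "on",
		"SSL_PROTOCOL":         "TLS 1.2",
		"SSL_CLIENT_VERIFY":    "SUCCESS",
		"SSL_CLIENT_S_DN":      "CN=alice,O=Example Corp",
		"SSL_CLIENT_I_DN":      "CN=Example Client CA,O=Example Corp",
		"SSL_CLIENT_S_AN0":     "RFC822NAME:alice@example.com",
		"SSL_CLIENT_S_AN1":     "UNSUPPORTED",
		"SSL_CLIENT_V_REMAIN":  "12",
		"SSL_CLIENT_CERT":      SizeLimitSentinel,
		"SSL_CLIENT_CERT_TYPE": "X.509",
	}
}

// EnvFromProcess collects the real CGI environment from the process.
func EnvFromProcess() map[string]string {
	env := make(map[string]string)
	for _, kv := range os.Environ() {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			env[parts[0]] = parts[1]
		}
	}
	return env
}

func main() {
	env := EnvFromProcess()
	if env["GATEWAY_INTERFACE"] == "" { // not under Apache: use the constructed sample
		env = SampleEnv()
	}
	auth := EvaluateClientAuth(env, 30)
	// Minimal CGI response: a Status header, then the body.
	if !auth.Verified {
		fmt.Printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nclient certificate required: %s\n", auth.Reason)
		return
	}
	fmt.Printf("Content-Type: text/plain\r\n\r\nhello %s (issued by %s)\n", auth.Subject, auth.Issuer)
	for _, an := range auth.AltNames {
		fmt.Printf("alt name: %s %s\n", an.Type, an.Value)
	}
	for _, w := range auth.Warnings {
		fmt.Printf("warning: %s\n", w)
	}
}
```

Under `GnuTLSClientVerify require` the `FAILED` and `NONE` branches are
never reached because Apache rejects such requests itself; keeping them
makes the script safe to reuse behind `request`, where the decision is
the script's.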