source: mod_gnutls/doc/mod_gnutls_manual.mdwn @ 176047e

Last change on this file since 176047e was 7764015, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Update GnuTLSP11Module documentation for stricter semantics

% `mod_gnutls` Manual

* * * * *

`mod_gnutls` is a module for the Apache web server that provides HTTPS
(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
Layer (SSL)) using the GnuTLS library.  More information about the
module can be found at [the project's website](https://mod.gnutls.org/).

* * * * *

Compilation & Installation
==========================

`mod_gnutls` uses the `./configure && make && make install` mechanism
common to many Open Source programs.  Most of the dirty work is
handled by either `./configure` or Apache's `apxs` utility. If you have
built Apache modules before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`
:   This option is used to specify the location of the apxs utility that
    was installed as part of apache. Specify the location of the
    binary, not the directory it is located in.

`--with-libgnutls=PATH`
:   Full path to the libgnutls-config program.

`--with-apr-memcache=PREFIX`
:   Prefix to where apr\_memcache is installed.

`--help`
:   Provides a list of all available configure options.

* * * * *

Integration
===========

To activate `mod_gnutls` just add the following line to your httpd.conf
and restart Apache:

    LoadModule gnutls_module modules/mod_gnutls.so

* * * * *

Configuration Directives
========================

`GnuTLSEnable`
--------------

Enable GnuTLS for this virtual host

    GnuTLSEnable [on|off]

Default: *off*\
Context: virtual host

This directive enables SSL/TLS encryption for a Virtual Host.

`GnuTLSCache`
-------------

Configure SSL Session Cache

    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]

Default: `GnuTLSCache none`\
Context: server config

This directive configures the SSL Session Cache for `mod_gnutls`.
This could be shared between machines of different architectures.

`dbm` (Requires Berkeley DBM)
:   Uses the default Berkeley DB backend of APR DBM to cache SSL
    session results.  The argument is a relative or absolute path to
    be used as the DBM Cache file. This is compatible with most
    operating systems, but needs the Apache Runtime to be compiled
    with Berkeley DBM support.

`gdbm`
:   Uses the GDBM backend of APR DBM to cache SSL session results.

    The argument is a relative or absolute path to be used as the DBM Cache
    file.  This is the recommended option.

`memcache`
:   Uses a memcached server to cache the SSL Session.

    The argument is a space separated list of servers. If no port
    number is supplied, the default of 11211 is used.  This can be
    used to share a session cache between all servers in a cluster.
    The cached entries contain the secret keying material of each
    session, so the memcached servers must only be reachable from the
    web servers over a trusted network.

`none`
:   Turns off all caching of SSL Sessions.

    This can significantly reduce the performance of `mod_gnutls` since
    even followup connections by a client must renegotiate parameters
    instead of reusing old ones.  This is the default, since it
    requires no configuration.

`GnuTLSCacheTimeout`
--------------------

Timeout for SSL Session Cache expiration

    GnuTLSCacheTimeout SECONDS

Default: `GnuTLSCacheTimeout 300`\
Context: server config

Sets the timeout for SSL Session Cache entries expiration.  This
directive is valid even if Session Tickets are used, and indicates the
expiration time of the ticket in seconds.

`GnuTLSSessionTickets`
----------------------

Enable Session Tickets for the server

    GnuTLSSessionTickets [on|off]

Default: `off`\
Context: server config, virtual host

To avoid storing data for TLS session resumption, the server may instead
hand the client a ticket that the client presents on return.  Use this for
servers with limited storage, and do not combine it with `GnuTLSCache`.
For a pool of servers this option is not recommended, since the tickets
are only valid for the issuing server.  Because every ticket is encrypted
with a key held by that server, the forward secrecy of resumed sessions
is bounded by the lifetime of the ticket key.


`GnuTLSCertificateFile`
-----------------------

Set to the PEM Encoded Server Certificate

    GnuTLSCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

Since version 0.7 this can be a PKCS #11 URL.

`GnuTLSKeyFile`
---------------

Set to the PEM Encoded Server Private Key

    GnuTLSKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. Set
`GnuTLSPIN` if the key file is encrypted.

Since version 0.7 this can be a PKCS #11 URL.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the nobody or apache user.

`GnuTLSPGPCertificateFile`
--------------------------

Set to a base64 Encoded Server OpenPGP Certificate

    GnuTLSPGPCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

`GnuTLSPGPKeyFile`
------------------

Set to the Server OpenPGP Secret Key

    GnuTLSPGPKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the nobody or apache user.

`GnuTLSClientVerify`
--------------------

Enable Client Certificate Verification

    GnuTLSClientVerify [ignore|request|require]

Default: `ignore`\
Context: server config, virtual host, directory, .htaccess

This directive controls the use of SSL Client Certificate
Authentication. If used in the .htaccess context, it can force TLS
re-negotiation.

`ignore`
:   `mod_gnutls` will ignore the contents of any SSL Client Certificates
    sent. It will not request that the client sends a certificate.

`request`
:   The client certificate will be requested, but not required.
    The Certificate will be validated if sent.  The output of the
    validation status will be stored in the `SSL_CLIENT_VERIFY`
    environment variable and can be `SUCCESS`, `FAILED` or `NONE`.
    Note that with this setting the request is still served when the
    certificate is missing or fails validation; the application behind
    the server has to check `SSL_CLIENT_VERIFY` itself.

`require`
:   A Client certificate will be required. Any requests without a valid
    client certificate will be denied.  The `SSL_CLIENT_VERIFY`
    environment variable will only be set to `SUCCESS`.

`GnuTLSClientCAFile`
--------------------

Set to the PEM Encoded Certificate Authority Certificate

    GnuTLSClientCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.
This file may contain a list of trusted authorities.

`GnuTLSPGPKeyringFile`
----------------------

Set to a base64 Encoded key ring

    GnuTLSPGPKeyringFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate
list (key ring) to use as a means of verification of Client
Certificates.  This file should contain a list of trusted signers.

`GnuTLSDHFile`
--------------

Set to the PKCS \#3 encoded Diffie Hellman parameters

    GnuTLSDHFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH
parameters.  Those are used when the DHE key exchange method is enabled.
You can generate this file using
`certtool --generate-dh-params --bits 2048`.  If not set `mod_gnutls`
will use the included parameters.

`GnuTLSSRPPasswdFile`
---------------------

Set to the SRP password file for SRP ciphersuites

    GnuTLSSRPPasswdFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password file. This is
the same format as used in libsrp.  You can generate such a file using
the command
`srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test`
to set a password for user test.  This password file holds the
username, a password verifier and a reference to the SRP parameters.

`GnuTLSSRPPasswdConfFile`
-------------------------

Set to the SRP password.conf file for SRP ciphersuites

    GnuTLSSRPPasswdConfFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This
is the same format as used in `libsrp`.  You can generate such a file
using the command `srptool --create-conf /etc/tpasswd.conf`.  This
file holds the SRP parameters and is associated with the password file
(the verifiers depend on these parameters).

`GnuTLSPriorities`
------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

Takes a colon-separated list of ciphers, key exchange methods,
message authentication codes and compression methods to enable.
The allowed keywords are specified in the `gnutls_priority_init()`
function of GnuTLS.

Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
In brief you can specify a set of ciphersuites from the choices:

`NONE`
:   The empty list.

`EXPORT`
:   A list with all the supported cipher combinations
    including the `EXPORT` strength algorithms.

`PERFORMANCE`
:   A list with all the secure cipher combinations sorted in terms of performance.

`NORMAL`
:   A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).

`SECURE`
:   A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the `+` and `!`
prefixes respectively.

For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
you can use the string `NORMAL:!ARCFOUR-128`.

Other options such as the protocol version and the compression method
can be specified using the `VERS-` and `COMP-` prefixes.

So in order to remove or add a specific TLS version from the `NORMAL`
set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
`NORMAL:+COMP-DEFLATE`.

However it is recommended not to add compression at this level: TLS-level
compression lets an attacker who can inject chosen plaintext into a
connection recover secrets such as cookies from the ciphertext length
(the CRIME class of attacks).  With the `NONE` set, in order to be usable,
you have to specify a complete set of combinations of protocol versions
(`VERS-TLS1.2`), cipher algorithms (`AES-128-CBC`), key exchange
algorithms (`RSA`), message authentication codes (`SHA1`) and compression
methods (`COMP-NULL`).

You can find a list of all supported Ciphers, Versions, MACs, etc.  by
running `gnutls-cli --list`.

The special keyword `%COMPAT` will disable some security features such
as protection against statistical attacks to ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).
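
The following Python script is an added example, not part of mod_gnutls or
GnuTLS.  It parses a priority string of the form accepted by
`GnuTLSPriorities` (and `GnuTLSProxyPriorities`) and flags the settings this
section warns against: the `EXPORT` base set, `NONE` without a `+VERS-`
entry, `+COMP-DEFLATE`, `+ARCFOUR-128`, `+MD5`, `+VERS-SSL3.0` and
`%COMPAT`.  `harden_priority()` then rewrites the string without them.  The
keyword lists are assumptions taken from this manual, so a string the linter
accepts should still be checked against the installed library, for example
with `gnutls-cli --list --priority STRING`.

```python
"""Added example (not mod_gnutls or GnuTLS code): lint a GnuTLS priority
string as used by GnuTLSPriorities / GnuTLSProxyPriorities and produce a
tightened version.  Keyword lists are taken from this manual."""

# Base keywords named in the manual; newer GnuTLS releases add more
# (SECURE128, SECURE256, PFS, ...), which this linter does not special-case.
BASE_SETS = {"NONE", "EXPORT", "PERFORMANCE", "NORMAL", "SECURE",
             "SECURE128", "SECURE256", "PFS"}

# Additions the manual advises against, with the reason to report.
WEAK_ADDITIONS = {
    "COMP-DEFLATE": "TLS compression (CRIME-style plaintext recovery)",
    "ARCFOUR-128": "the RC4 stream cipher",
    "ARCFOUR-40": "export-strength RC4",
    "MD5": "MD5 as the MAC",
    "VERS-SSL3.0": "SSL 3.0",
}


def parse_priority(s):
    """Split 'BASE:+X:!Y:%FLAG' into base, additions, removals and flags."""
    tokens = [t.strip() for t in s.split(":") if t.strip()]
    if not tokens:
        raise ValueError("empty priority string")
    base, rest = tokens[0], tokens[1:]
    if base not in BASE_SETS:
        raise ValueError("unknown base set %r" % base)
    parsed = {"base": base, "add": [], "remove": [], "flags": []}
    for tok in rest:
        if tok.startswith("+"):
            parsed["add"].append(tok[1:])
        elif tok.startswith(("!", "-")):      # GnuTLS treats '-' like '!'
            parsed["remove"].append(tok[1:])
        elif tok.startswith("%"):
            parsed["flags"].append(tok[1:])
        else:
            raise ValueError("token %r lacks a +, ! or %% prefix" % tok)
    return parsed


def lint_priority(s):
    """Return the list of problems found; an empty list means none."""
    p = parse_priority(s)
    findings = []
    if p["base"] == "EXPORT":
        findings.append("base set EXPORT enables export-strength ciphers")
    if p["base"] == "NONE" and not any(a.startswith("VERS-") for a in p["add"]):
        findings.append("NONE needs an explicit protocol version (+VERS-...)")
    for a in p["add"]:
        if a in WEAK_ADDITIONS:
            findings.append("+%s enables %s" % (a, WEAK_ADDITIONS[a]))
    if "COMPAT" in p["flags"]:
        findings.append("%COMPAT disables CBC-padding countermeasures")
    if p["base"] != "NONE" and "VERS-SSL3.0" not in p["remove"]:
        findings.append("SSL 3.0 not explicitly disabled; add !VERS-SSL3.0")
    return findings


def harden_priority(s):
    """Rewrite s without the flagged additions/flags and with SSL 3.0 removed."""
    p = parse_priority(s)
    parts = [p["base"]]
    parts += ["+" + a for a in p["add"] if a not in WEAK_ADDITIONS]
    parts += ["!" + r for r in p["remove"]]
    if p["base"] != "NONE" and "VERS-SSL3.0" not in p["remove"]:
        parts.append("!VERS-SSL3.0")
    parts += ["%" + f for f in p["flags"] if f != "COMPAT"]
    return ":".join(parts)


if __name__ == "__main__":
    for example in ("NORMAL:+COMP-DEFLATE:%COMPAT",
                    "NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL"):
        print(example, "->", lint_priority(example))
        print("  hardened:", harden_priority(example))
```

`harden_priority()` only removes; for a `NONE`-based string it will not
guess which `+VERS-` entry you want, so that finding has to be fixed by
hand.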

`GnuTLSP11Module`
-----------------

Load this PKCS #11 module.

    GnuTLSP11Module PATH_TO_LIBRARY

Default: *none*\
Context: server config

Load this PKCS #11 provider module, instead of the system defaults.

`GnuTLSPIN`
-----------

Set the PIN to be used to access encrypted key files or PKCS #11 objects.

    GnuTLSPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
or openssl encrypted keys.  The PIN is stored in clear text in the
configuration, so the configuration file needs the same access
restrictions as the key it protects.

`GnuTLSSRKPIN`
--------------

Set the SRK PIN to be used to access the TPM.

    GnuTLSSRKPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
the TPM module.

`GnuTLSExportCertificates`
--------------------------

Export the PEM encoded certificates to CGIs

    GnuTLSExportCertificates [off|on|SIZE]

Default: `off`\
Context: server config, virtual host

This directive configures exporting the full certificates of the
server and the client to CGI scripts via the `SSL_SERVER_CERT` and
`SSL_CLIENT_CERT` environment variables. The exported certificates
will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
size given.  The type of the certificate will be exported in
`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.

SIZE should be an integer number of bytes, or may be written with a
trailing `K` to indicate kibibytes.  `off` means the same thing as
`0`, in which case the certificates will not be exported to the
environment.  `on` is an alias for `16K`.  If a non-zero size is
specified for this directive, but a certificate is too large to fit in
the buffer, then the corresponding environment variable will contain
the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.

With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
environment variables to the CGI process as `mod_ssl`.
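
The following Python code is an added example, not part of mod_gnutls, of
how a CGI or WSGI handler should consume what `GnuTLSClientVerify` and
`GnuTLSExportCertificates` put in its environment: with
`GnuTLSClientVerify request` the handshake completes even for `FAILED` or
`NONE`, so the handler has to test `SSL_CLIENT_VERIFY` itself; an exported
certificate may be the `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED` sentinel
rather than PEM; and `SUCCESS` only means the chain led to some CA in
`GnuTLSClientCAFile`, so the issuer is pinned on top.  `SAMPLE_ENV` is a
constructed stand-in for the real CGI environment and its "certificate"
is a five-byte DER sequence, not an X.509 certificate.

```python
"""Added example (not mod_gnutls code): how a CGI or WSGI handler behind
mod_gnutls should consume the SSL_CLIENT_* variables.  SAMPLE_ENV is a
constructed stand-in for the CGI environment; its "certificate" is a
5-byte DER SEQUENCE, not a real X.509 certificate."""
import base64

SIZE_LIMIT_SENTINEL = "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"


class ClientCertError(Exception):
    """The exported client certificate is unusable."""


def client_verified(environ):
    """True only when mod_gnutls validated the client certificate.

    With `GnuTLSClientVerify request` the handshake also completes when
    the client sent no certificate (NONE) or an invalid one (FAILED), so
    the application must make this check itself."""
    return environ.get("HTTPS") == "on" and environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"


def client_certificate_der(environ):
    """Return the client certificate as DER bytes, or None if none was exported.

    Raises ClientCertError when mod_gnutls replaced the certificate with
    GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED because it did not fit the
    GnuTLSExportCertificates buffer, or when the value is not X.509 PEM."""
    pem = environ.get("SSL_CLIENT_CERT", "").strip()
    if not pem:
        return None
    if pem == SIZE_LIMIT_SENTINEL:
        raise ClientCertError("certificate exceeds the GnuTLSExportCertificates size")
    if environ.get("SSL_CLIENT_CERT_TYPE", "X.509") != "X.509":
        raise ClientCertError("only X.509 client certificates are handled here")
    lines = [line.strip() for line in pem.splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" \
            or lines[-1] != "-----END CERTIFICATE-----":
        raise ClientCertError("SSL_CLIENT_CERT is not a PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der.startswith(b"\x30"):          # a Certificate is a DER SEQUENCE
        raise ClientCertError("decoded value is not a DER SEQUENCE")
    return der


def authorize(environ, trusted_issuers):
    """Access decision: the chain must have validated (SUCCESS) and the
    issuer must be one this application expects, since every CA listed in
    GnuTLSClientCAFile is accepted by the module.  Returns (allowed, detail)."""
    if not client_verified(environ):
        return False, "client certificate status: %s" % environ.get("SSL_CLIENT_VERIFY", "absent")
    issuer = environ.get("SSL_CLIENT_I_DN", "")
    if issuer not in trusted_issuers:
        return False, "unexpected issuer %r" % issuer
    return True, environ.get("SSL_CLIENT_S_DN", "")


# Constructed sample of what mod_gnutls passes to a CGI script; the
# base64 payload decodes to 30 03 02 01 05 (SEQUENCE { INTEGER 5 }).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example",
    "SSL_CLIENT_I_DN": "CN=Example Client CA,O=Example",
    "SSL_CLIENT_CERT_TYPE": "X.509",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ENV, {"CN=Example Client CA,O=Example"}))
    print(client_certificate_der(SAMPLE_ENV).hex())
```

In a real handler replace `SAMPLE_ENV` with `os.environ` (CGI) or the WSGI
`environ`, and hand the DER bytes to an X.509 parser if you need fields
beyond the `SSL_CLIENT_*` variables mod_gnutls already extracts.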


`GnuTLSProxyEngine`
-------------------

Enable TLS proxy connections for this virtual host

    GnuTLSProxyEngine [on|off]

Default: *off*\
Context: virtual host

This directive enables support for TLS proxy connections for a virtual
host.

`GnuTLSProxyCAFile`
-------------------

Set to the PEM encoded Certificate Authority Certificate

    GnuTLSProxyCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded certificate to use
as a Certificate Authority when verifying certificates provided by
proxy back end servers. This file may contain a list of trusted
authorities. If not set, verification of TLS back end servers will
always fail due to lack of a trusted CA.

`GnuTLSProxyCRLFile`
--------------------

Set to the PEM encoded Certificate Revocation List

    GnuTLSProxyCRLFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded Certificate
Revocation List to use when verifying certificates provided by proxy
back end servers. The file may contain a list of CRLs.

`GnuTLSProxyCertificateFile`
----------------------------

Set to the PEM encoded Client Certificate

    GnuTLSProxyCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded X.509 certificate
to use as this Server's End Entity (EE) client certificate for TLS
client authentication in proxy TLS connections. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest
to the root CA. Optionally, you can also include the root CA's
certificate as the last certificate in the list.

If not set, TLS client authentication will be disabled for TLS proxy
connections. If set, `GnuTLSProxyKeyFile` must be set as well to
provide the matching private key.

`GnuTLSProxyKeyFile`
--------------------

Set to the PEM encoded Private Key

    GnuTLSProxyKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Private Key matching the
certificate configured using the `GnuTLSProxyCertificateFile`
directive. This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the nobody or apache user.
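
The Security Warnings on `GnuTLSKeyFile`, `GnuTLSPGPKeyFile` and
`GnuTLSProxyKeyFile` leave the check to the administrator.  The following
Python script is an added example (not part of mod_gnutls) that performs
it: it pulls those directives out of a configuration text and reports any
key file that is missing, not a plain file, not owned by the user that
starts Apache, or readable by group or world.  It assumes that relative
paths are resolved against `ServerRoot`, as Apache does for file
directives; the paths in the sample are placeholders, and PKCS #11 URLs
are skipped because the key never leaves the token.

```python
"""Added example (not mod_gnutls code): check that the private keys named
by GnuTLSKeyFile, GnuTLSPGPKeyFile and GnuTLSProxyKeyFile are owned by
the user that starts Apache and carry no group/other permission bits, as
the Security Warnings above require.  Paths in the sample are placeholders."""
import os
import stat

KEY_DIRECTIVES = ("GnuTLSKeyFile", "GnuTLSPGPKeyFile", "GnuTLSProxyKeyFile")


def key_file_problems(path, owner_uid=0):
    """Return the problems found with one key file (empty list = fine).

    PKCS #11 URLs are not files and are skipped; the key stays in the token."""
    if path.startswith("pkcs11:"):
        return []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink; check its target")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected uid %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def check_config_keys(config_text, server_root=None, owner_uid=0):
    """Scan httpd.conf text for the key directives and check every path.

    Relative paths are resolved against server_root, as Apache resolves
    them against ServerRoot (assumption).  Returns {path: [problems]}."""
    report = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        parts = line.split()
        if len(parts) == 2 and parts[0] in KEY_DIRECTIVES:
            path = parts[1].strip('"')
            if server_root and not os.path.isabs(path) and not path.startswith("pkcs11:"):
                path = os.path.join(server_root, path)
            report[path] = key_file_problems(path, owner_uid)
    return report


if __name__ == "__main__":
    # Placeholder configuration; point server_root at the real ServerRoot.
    sample = ("GnuTLSKeyFile conf/ssl/site1.key\n"
              "GnuTLSProxyKeyFile pkcs11:token=apache;object=proxy\n")
    for path, problems in check_config_keys(sample, server_root="/etc/apache2").items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it as the user that starts Apache (normally root, `owner_uid=0`) so
that the ownership comparison matches the process that actually reads the
key.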

`GnuTLSProxyPriorities`
-----------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods for proxy connections

    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

This option is used to set the allowed ciphers, key exchange
algorithms, MACs and compression methods for proxy connections. It
takes the same parameters as `GnuTLSPriorities`. Required if
`GnuTLSProxyEngine` is `On`.

* * * * *

Configuration Examples
======================

Simple Standard SSL Example
---------------------------

The following is an example of standard SSL Hosting, using one IP
address for each virtual host:

     # Load the module into Apache.
     LoadModule gnutls_module modules/mod_gnutls.so
     GnuTLSCache gdbm /var/cache/www-tls-cache
     GnuTLSCacheTimeout 500
     # With normal SSL Websites, you need one IP Address per-site.
     Listen 1.2.3.1:443
     Listen 1.2.3.2:443
     Listen 1.2.3.3:443
     Listen 1.2.3.4:443
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     # A NONE-based priority string must also name the protocol version(s).
     # ARCFOUR and MD5 are legacy algorithms, kept here only for illustration.
     GnuTLSPriorities NONE:+VERS-TLS1.2:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
     DocumentRoot /www/site1.example.com/html
     ServerName site1.example.com:443
     GnuTLSCertificateFile conf/ssl/site1.crt
     GnuTLSKeyFile conf/ssl/site1.key
     </VirtualHost>
     <VirtualHost 1.2.3.2:443>
     # This virtual host enables SRP authentication
     GnuTLSEnable on
     GnuTLSPriorities NORMAL:+SRP
     DocumentRoot /www/site2.example.com/html
     ServerName site2.example.com:443
     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
     </VirtualHost>
     <VirtualHost 1.2.3.3:443>
     # This server enables SRP, OpenPGP and X.509 authentication.
     GnuTLSEnable on
     GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
     DocumentRoot /www/site3.example.com/html
     ServerName site3.example.com:443
     GnuTLSCertificateFile conf/ssl/site3.crt
     GnuTLSKeyFile conf/ssl/site3.key
     GnuTLSClientVerify ignore
     GnuTLSPGPCertificateFile conf/ssl/site3.pub.asc
     GnuTLSPGPKeyFile conf/ssl/site3.sec.asc
     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
     </VirtualHost>
     <VirtualHost 1.2.3.4:443>
     GnuTLSEnable on
     # %COMPAT disables some security features to enable maximum compatibility with clients.
     # VERS-TLS-ALL allows every TLS version the library supports (not SSL 3.0).
     GnuTLSPriorities NONE:+VERS-TLS-ALL:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
     DocumentRoot /www/site4.example.com/html
     ServerName site4.example.com:443
     GnuTLSCertificateFile conf/ssl/site4.crt
     GnuTLSKeyFile conf/ssl/site4.key
     </VirtualHost>

Server Name Indication Example
------------------------------

`mod_gnutls` can also use "Server Name Indication", as specified in
RFC 3546 (later revised in RFC 6066).  This allows hosting many SSL
Websites with a single IP address.  Currently all the recent browsers
support this standard. Here is an example, using SNI:


     # Load the module into Apache.
     LoadModule gnutls_module modules/mod_gnutls.so
     # With SNI, one IP address serves every site below.
     Listen 1.2.3.1:443
     # This could also be 'Listen *:443',
     # just like '*:80' is common for non-https
     # No caching. Enable session tickets. Timeout is still used for
     # ticket expiration.
     GnuTLSCacheTimeout 600
     # This tells apache, that for this IP/Port combination, we want to use
     # Name Based Virtual Hosting. In the case of Server Name Indication,
     # it lets mod_gnutls pick the correct Server Certificate.
     # (Needed on Apache 2.2; Apache 2.4 always does name-based hosting
     # and ignores this directive.)
     NameVirtualHost 1.2.3.1:443
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSSessionTickets on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site1.example.com/html
     ServerName site1.example.com:443
     GnuTLSCertificateFile conf/ssl/site1.crt
     GnuTLSKeyFile conf/ssl/site1.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site2.example.com/html
     ServerName site2.example.com:443
     GnuTLSCertificateFile conf/ssl/site2.crt
     GnuTLSKeyFile conf/ssl/site2.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site3.example.com/html
     ServerName site3.example.com:443
     GnuTLSCertificateFile conf/ssl/site3.crt
     GnuTLSKeyFile conf/ssl/site3.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site4.example.com/html
     ServerName site4.example.com:443
     GnuTLSCertificateFile conf/ssl/site4.crt
     GnuTLSKeyFile conf/ssl/site4.key
     </VirtualHost>


* * * * *

Performance Issues
==================

`mod_gnutls` by default uses conservative settings for the server.
You can fine tune the configuration to reduce the load on a busy
server.  The following examples do exactly this.  Both trade security
for speed: dropping the DHE suites removes forward secrecy, and DH
groups smaller than 2048 bits are considered weak by current guidance
and are refused by many current clients.  Apply them only where the
threat model allows it.


     # Load the module into Apache.
     LoadModule gnutls_module modules/mod_gnutls.so
     # Using 4 memcache servers to distribute the SSL Session Cache.
     GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
     GnuTLSCacheTimeout 600
     Listen 1.2.3.1:443
     NameVirtualHost 1.2.3.1:443
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     # Here we disable the Perfect forward secrecy ciphersuites (DHE)
     # and disallow AES-256 since AES-128 is just fine.
     GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
     DocumentRoot /www/site1.example.com/html
     ServerName site1.example.com:443
     GnuTLSCertificateFile conf/ssl/site1.crt
     GnuTLSKeyFile conf/ssl/site1.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     # Here, instead of disabling the DHE ciphersuites, we use
     # Diffie Hellman parameters of smaller size than the default (2048 bits).
     # Using small numbers from 768 to 1024 bits was once considered ok if
     # they are regenerated every few hours; such groups are now below the
     # accepted minimum and many clients reject them.
     # Use "certtool --generate-dh-params --bits 1024" to get those
     GnuTLSDHFile /etc/apache2/dh.params
     GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
     DocumentRoot /www/site2.example.com/html
     ServerName site2.example.com:443
     GnuTLSCertificateFile conf/ssl/site2.crt
     GnuTLSKeyFile conf/ssl/site2.key
     </VirtualHost>
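
Because the `GnuTLSDHFile` section and the example above both leave the
group size to whoever generates the file, the following Python script is
an added example (not mod_gnutls or GnuTLS code) that reads a PKCS #3
`DH PARAMETERS` file and reports the bit length of its prime, so a
deployment can refuse anything below a chosen minimum before Apache loads
it.  `encode_dh_params()` produces such a file from integers for the
self-test; the numbers used there are constructed sizes, not primes, since
only the length is measured.  `certtool --dh-info` prints the same
information if you prefer the GnuTLS tool.

```python
"""Added example (not mod_gnutls or GnuTLS code): measure the prime size in
a PKCS #3 "DH PARAMETERS" file such as GnuTLSDHFile points to, so that a
deployment can refuse groups below a chosen minimum.  encode_dh_params()
builds such a file from integers for the self-test; the values used there
are constructed sizes, not primes, because only the length is measured."""
import base64

MIN_DH_BITS = 2048   # current minimum; the 768-1024-bit advice above predates it


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative v, with the sign-bit padding octet."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """PEM-encode PKCS #3 DHParameter ::= SEQUENCE { prime, base }."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"


def _read_tlv(buf, i):
    """Read one DER tag/length/value at offset i; returns (tag, value, next)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                     # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def dh_param_bits(pem_text):
    """Bit length of the DH prime in a PEM DH PARAMETERS block."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN DH PARAMETERS-----" \
            or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PEM DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected the prime as the first INTEGER")
    return int.from_bytes(prime, "big").bit_length()


def check_dh_params(pem_text, minimum=MIN_DH_BITS):
    """Return (bits, acceptable) for the given file contents."""
    bits = dh_param_bits(pem_text)
    return bits, bits >= minimum


if __name__ == "__main__":
    import sys
    # With a path argument, check that file; otherwise check a constructed
    # 1024-bit sample so the script runs stand-alone.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else encode_dh_params((1 << 1023) | 1, 2)
    print(check_dh_params(text))
```

Run it against the file produced by `certtool --generate-dh-params` before
pointing `GnuTLSDHFile` at it; a result of `(1024, False)` is the case the
comment in the example above describes.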

* * * * *

Environment Variables
=====================

`mod_gnutls` exports the following environment variables to scripts.
These are compatible with `mod_ssl`.

`HTTPS`
-------

Can be `on` or `off`

`SSL_VERSION_LIBRARY`
---------------------

The version of the GnuTLS library

`SSL_VERSION_INTERFACE`
-----------------------

The version of this module

`SSL_PROTOCOL`
--------------

The SSL or TLS protocol name (such as `TLS 1.0` etc.)

`SSL_CIPHER`
------------

The SSL or TLS cipher suite name

`SSL_COMPRESS_METHOD`
---------------------

The negotiated compression method (`NULL` or `DEFLATE`)

`SSL_SRP_USER`
--------------

The SRP username used for authentication (only set when
`GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured).

`SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE`
-------------------------------------------------

The number of bits used in the negotiated cipher algorithm.

This does not fully reflect the security level since the size of
RSA or DHE key exchange parameters affects the security level too.

`SSL_DH_PRIME_BITS`
-------------------

The number of bits in the modulus for the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

`SSL_CIPHER_EXPORT`
-------------------

`True` or `False`. Whether the cipher suite negotiated is an export one.

`SSL_SESSION_ID`
----------------

The session ID negotiated in this session. Can be the same during client
reloads.

`SSL_CLIENT_V_REMAIN`
---------------------

The number of days until the client's certificate expires.

`SSL_CLIENT_V_START`
--------------------

The activation time of the client's certificate.

`SSL_CLIENT_V_END`
------------------

The expiration time of the client's certificate.

`SSL_CLIENT_S_DN`
-----------------

The distinguished name of the client's certificate in RFC2253 format.

`SSL_CLIENT_I_DN`
-----------------

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

`SSL_CLIENT_S_AN%`
------------------

These will contain the alternative names of the client certificate (`%` is
a number starting from zero).

The values will be prepended by `DNSNAME:`, `RFC822NAME:` or `URI:`
depending on the type.

If it is not supported the value `UNSUPPORTED` will be set.

`SSL_SERVER_M_SERIAL`
---------------------

The serial number of the server's certificate.

`SSL_SERVER_M_VERSION`
----------------------

The version of the server's certificate.

`SSL_SERVER_A_SIG`
------------------

The algorithm used for the signature in the server's certificate.

`SSL_SERVER_A_KEY`
------------------

The public key algorithm in the server's certificate.

`SSL_SERVER_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_SERVER_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.

`SSL_CLIENT_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_CLIENT_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.