source: mod_gnutls/doc/mod_gnutls_manual.mdwn @ 8873a06

Last change on this file since 8873a06 was 8873a06, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Documentation for GnuTLSP11Module option

% `mod_gnutls` Manual

* * * * *

`mod_gnutls` is a module for the Apache web server that provides HTTPS
(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
Layer (SSL)) using the GnuTLS library.  More information about the
module can be found at [the project's website](https://mod.gnutls.org/).

* * * * *

Compilation & Installation
==========================

`mod_gnutls` uses the `./configure && make && make install` mechanism
common to many Open Source programs.  Most of the dirty work is
handled by either `./configure` or Apache's `apxs` utility. If you have
built Apache modules before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`
:   This option is used to specify the location of the apxs utility that
    was installed as part of apache. Specify the location of the
    binary, not the directory it is located in.

`--with-libgnutls=PATH`
:   Full path to the libgnutls-config program.

`--with-apr-memcache=PREFIX`
:   Prefix to where apr\_memcache is installed.

`--help`
:   Provides a list of all available configure options.

* * * * *

Integration
===========

To activate `mod_gnutls` just add the following line to your httpd.conf
and restart Apache:

    LoadModule gnutls_module modules/mod_gnutls.so

* * * * *

Configuration Directives
========================

`GnuTLSEnable`
--------------

Enable GnuTLS for this virtual host

    GnuTLSEnable [on|off]

Default: *off*\
Context: virtual host

This directive enables SSL/TLS Encryption for a Virtual Host.

`GnuTLSCache`
-------------

Configure SSL Session Cache

    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]

Default: `GnuTLSCache none`\
Context: server config

This directive configures the SSL Session Cache for `mod_gnutls`.
The cache can be shared between machines, even machines of different
architectures (see `memcache` below).

`dbm` (Requires Berkeley DBM)
:   Uses the default Berkeley DB backend of APR DBM to cache SSL
    Sessions results.  The argument is a relative or absolute path to
    be used as the DBM Cache file. This is compatible with most
    operating systems, but needs the Apache Runtime to be compiled
    with Berkeley DBM support.

`gdbm`
:   Uses the GDBM backend of APR DBM to cache SSL Sessions results.

    The argument is a relative or absolute path to be used as the DBM Cache
    file.  This is the recommended option.

`memcache`
:   Uses a memcached server to cache the SSL Session.

    The argument is a space separated list of servers. If no port
    number is supplied, the default of 11211 is used.  This can be
    used to share a session cache between all servers in a cluster.

`none`
:   Turns off all caching of SSL Sessions.

    This can significantly reduce the performance of `mod_gnutls`, since
    even follow-up connections by a client must negotiate a full
    handshake instead of resuming an earlier session.  This is the
    default, since it requires no configuration.

`GnuTLSCacheTimeout`
--------------------

Timeout for SSL Session Cache expiration

    GnuTLSCacheTimeout SECONDS

Default: `GnuTLSCacheTimeout 300`\
Context: server config

Sets the timeout for SSL Session Cache entries expiration.  This
directive is valid even if Session Tickets are used, and indicates the
expiration time of the ticket in seconds.

`GnuTLSSessionTickets`
----------------------

Enable Session Tickets for the server

    GnuTLSSessionTickets [on|off]

Default: `off`\
Context: server config, virtual host

Instead of storing session data for TLS session resumption on the
server, the server can hand the client a ticket to present when it
returns.  Use this for servers with limited storage, and don't combine
it with `GnuTLSCache`. For a pool of servers this option is not
recommended, since the tickets are only valid for the issuing server.


`GnuTLSCertificateFile`
-----------------------

Set to the PEM Encoded Server Certificate

    GnuTLSCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

`GnuTLSKeyFile`
---------------

Set to the PEM Encoded Server Private Key

    GnuTLSKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be readable by the `nobody` or
`apache` user; restrict its permissions accordingly.

`GnuTLSPGPCertificateFile`
--------------------------

Set to a base64 Encoded Server OpenPGP Certificate

    GnuTLSPGPCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

`GnuTLSPGPKeyFile`
------------------

Set to the Server OpenPGP Secret Key

    GnuTLSPGPKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be readable by the `nobody` or
`apache` user; restrict its permissions accordingly.

`GnuTLSClientVerify`
--------------------

Enable Client Certificate Verification

    GnuTLSClientVerify [ignore|request|require]

Default: `ignore`\
Context: server config, virtual host, directory, .htaccess

This directive controls the use of SSL Client Certificate
Authentication. If used in the .htaccess context, it can force TLS
re-negotiation.

`ignore`
:   `mod_gnutls` will ignore the contents of any SSL Client Certificates
    sent. It will not request that the client sends a certificate.

`request`
:   The client certificate will be requested, but not required.
    The Certificate will be validated if sent.  The output of the
    validation status will be stored in the `SSL_CLIENT_VERIFY`
    environment variable and can be `SUCCESS`, `FAILED` or `NONE`.
    Because the request is served in all three cases, scripts must
    check for `SUCCESS` before trusting any client certificate data.

`require`
:   A Client certificate will be required. Any requests without a valid
    client certificate will be denied.  The `SSL_CLIENT_VERIFY`
    environment variable will only be set to `SUCCESS`.

`GnuTLSClientCAFile`
--------------------

Set to the PEM Encoded Certificate Authority Certificate

    GnuTLSClientCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.
This file may contain a list of trusted authorities.

`GnuTLSPGPKeyringFile`
----------------------

Set to a base64 Encoded key ring

    GnuTLSPGPKeyringFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate
list (key ring) to use as a means of verification of Client
Certificates.  This file should contain a list of trusted signers.

`GnuTLSDHFile`
--------------

Set to the PKCS \#3 encoded Diffie Hellman parameters

    GnuTLSDHFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH
parameters. Those are used when the DHE key exchange method is enabled.
You can generate this file using `certtool --generate-dh-params --bits 2048`.
If not set `mod_gnutls` will use the included parameters.

`GnuTLSSRPPasswdFile`
---------------------

Set to the SRP password file for SRP ciphersuites

    GnuTLSSRPPasswdFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password file. This is
the same format as used in libsrp.  You can generate such a file using
the command `srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test`
to set a password for user test.  This password file holds the
username, a password verifier and a reference to the SRP parameters
in the password.conf file.

`GnuTLSSRPPasswdConfFile`
-------------------------

Set to the SRP password.conf file for SRP ciphersuites

    GnuTLSSRPPasswdConfFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This
is the same format as used in `libsrp`.  You can generate such a file
using the command `srptool --create-conf /etc/tpasswd.conf`.  This
file holds the SRP parameters and is associated with the password file
(the verifiers depend on these parameters).

`GnuTLSPriorities`
------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

Takes a colon-separated list of ciphers, key exchange methods,
message authentication codes and compression methods to enable.
The allowed keywords are specified in the `gnutls_priority_init()`
function of GnuTLS.

Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
In brief you can specify a set of ciphersuites from the choices:

`NONE`
:   The empty list.

`EXPORT`
:   A list with all the supported cipher combinations
    including the `EXPORT` strength algorithms.  Export-grade
    algorithms are deliberately weakened and offer no real protection;
    do not use this set on a production server.

`PERFORMANCE`
:   A list with all the secure cipher combinations sorted in terms of performance.

`NORMAL`
:   A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).

`SECURE`
:   A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the `+` and `!`
prefixes respectively.

For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
you can use the string `NORMAL:!ARCFOUR-128`.

Other options such as the protocol version and the compression method
can be specified using the `VERS-` and `COMP-` prefixes.

So in order to remove or add a specific TLS version from the `NORMAL`
set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
`NORMAL:+COMP-DEFLATE`.

However it is recommended not to add compression at this level: TLS
compression lets an attacker who can inject data into requests recover
secrets such as cookies from the compressed ciphertext length (the
CRIME attack), so leave it disabled.

With the `NONE` set, in order to be usable, you have to specify a complete
set of combinations of protocol versions, cipher algorithms
(`AES-128-CBC`), key exchange algorithms (`RSA`), message
authentication codes (`SHA1`) and compression methods (`COMP-NULL`).

You can find a list of all supported Ciphers, Versions, MACs, etc.  by
running `gnutls-cli --list`.

The special keyword `%COMPAT` will disable some security features such
as protection against statistical attacks to ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).

`GnuTLSP11Module`
-----------------

Load an additional PKCS #11 module.

    GnuTLSP11Module PATH_TO_LIBRARY

Default: *none*\
Context: server config

Load this PKCS #11 provider module, in addition to the system
defaults.

`GnuTLSPIN`
-----------

Set the PIN to be used to access encrypted key files or PKCS #11 objects.

    GnuTLSPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
or openssl encrypted keys.  The PIN is stored in clear text in the
configuration, so the configuration file needs the same protection
from unprivileged users as the key file itself.

`GnuTLSSRKPIN`
--------------

Set the SRK PIN to be used to access the TPM.

    GnuTLSSRKPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as the PIN for the TPM's Storage Root Key
(SRK), the key under which the objects stored in the TPM module are
protected.

`GnuTLSExportCertificates`
--------------------------

Export the PEM encoded certificates to CGIs

    GnuTLSExportCertificates [off|on|SIZE]

Default: `off`\
Context: server config, virtual host

This directive configures exporting the full certificates of the
server and the client to CGI scripts via the `SSL_SERVER_CERT` and
`SSL_CLIENT_CERT` environment variables. The exported certificates
will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
size given.  The type of the certificate will be exported in
`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.

SIZE should be an integer number of bytes, or may be written with a
trailing `K` to indicate kibibytes.  `off` means the same thing as
`0`, in which case the certificates will not be exported to the
environment.  `on` is an alias for `16K`.  If a non-zero size is
specified for this directive, but a certificate is too large to fit in
the buffer, then the corresponding environment variable will contain
the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.  Scripts
that read the exported certificate must therefore check for that
string before trying to parse the variable.

With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
environment variables to the CGI process as `mod_ssl`.


`GnuTLSProxyEngine`
-------------------

Enable TLS proxy connections for this virtual host

    GnuTLSProxyEngine [on|off]

Default: *off*\
Context: virtual host

This directive enables support for TLS proxy connections for a virtual
host.

`GnuTLSProxyCAFile`
-------------------

Set to the PEM encoded Certificate Authority Certificate

    GnuTLSProxyCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded certificate to use
as a Certificate Authority when verifying certificates provided by
proxy back end servers. This file may contain a list of trusted
authorities. If not set, verification of TLS back end servers will
always fail due to lack of a trusted CA.

`GnuTLSProxyCRLFile`
--------------------

Set to the PEM encoded Certificate Revocation List

    GnuTLSProxyCRLFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded Certificate
Revocation List to use when verifying certificates provided by proxy
back end servers. The file may contain a list of CRLs.

`GnuTLSProxyCertificateFile`
----------------------------

Set to the PEM encoded Client Certificate

    GnuTLSProxyCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded X.509 certificate
to use as this Server's End Entity (EE) client certificate for TLS
client authentication in proxy TLS connections. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest
to the root CA. Optionally, you can also include the root CA's
certificate as the last certificate in the list.

If not set, TLS client authentication will be disabled for TLS proxy
connections. If set, `GnuTLSProxyKeyFile` must be set as well to
provide the matching private key.

`GnuTLSProxyKeyFile`
--------------------

Set to the PEM encoded Private Key

    GnuTLSProxyKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Private Key matching the
certificate configured using the `GnuTLSProxyCertificateFile`
directive. This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be readable by the `nobody` or
`apache` user; restrict its permissions accordingly.

`GnuTLSProxyPriorities`
-----------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods for proxy connections

    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

This option is used to set the allowed ciphers, key exchange
algorithms, MACs and compression methods for proxy connections. It
takes the same parameters as `GnuTLSPriorities`. Required if
`GnuTLSProxyEngine` is `On`.

* * * * *

Configuration Examples
======================

Simple Standard SSL Example
---------------------------

The following is an example of standard SSL Hosting, using one IP
address for each virtual host:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    GnuTLSCache gdbm /var/cache/www-tls-cache
    GnuTLSCacheTimeout 500
    # With normal SSL Websites, you need one IP Address per-site.
    Listen 1.2.3.1:443
    Listen 1.2.3.2:443
    Listen 1.2.3.3:443
    Listen 1.2.3.4:443
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    # A NONE-based priority string must list every component explicitly.
    # ARCFOUR-128 and MD5 are legacy algorithms kept here only for old clients.
    GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
    DocumentRoot /www/site1.example.com/html
    ServerName site1.example.com:443
    GnuTLSCertificateFile conf/ssl/site1.crt
    GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.2:443>
    # This virtual host enables SRP authentication
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:+SRP
    DocumentRoot /www/site2.example.com/html
    ServerName site2.example.com:443
    GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
    GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
    </VirtualHost>
    <VirtualHost 1.2.3.3:443>
    # This server enables SRP, OpenPGP and X.509 authentication.
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
    DocumentRoot /www/site3.example.com/html
    ServerName site3.example.com:443
    GnuTLSCertificateFile conf/ssl/site3.crt
    GnuTLSKeyFile conf/ssl/site3.key
    GnuTLSClientVerify ignore
    GnuTLSPGPCertificateFile conf/ssl/site3.pub.asc
    GnuTLSPGPKeyFile conf/ssl/site3.sec.asc
    GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
    GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
    </VirtualHost>
    <VirtualHost 1.2.3.4:443>
    GnuTLSEnable on
    # %COMPAT disables some security features to enable maximum compatibility with clients.
    GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
    DocumentRoot /www/site4.example.com/html
    ServerName site4.example.com:443
    GnuTLSCertificateFile conf/ssl/site4.crt
    GnuTLSKeyFile conf/ssl/site4.key
    </VirtualHost>

Server Name Indication Example
------------------------------

`mod_gnutls` can also use "Server Name Indication", as specified in
RFC 3546 (now RFC 6066).  This allows hosting many SSL Websites with a
single IP address.  Currently all the recent browsers support this
standard. Here is an example, using SNI:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    # With SNI, all virtual hosts share a single IP address and port.
    Listen 1.2.3.1:443
    # This could also be 'Listen *:443',
    # just like '*:80' is common for non-https
    # No caching. Enable session tickets. Timeout is still used for
    # ticket expiration.
    GnuTLSCacheTimeout 600
    # This tells apache, that for this IP/Port combination, we want to use
    # Name Based Virtual Hosting. In the case of Server Name Indication,
    # it lets mod_gnutls pick the correct Server Certificate.
    # (Apache 2.4 and later no longer need this directive.)
    NameVirtualHost 1.2.3.1:443
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    GnuTLSSessionTickets on
    GnuTLSPriorities NORMAL
    DocumentRoot /www/site1.example.com/html
    ServerName site1.example.com:443
    GnuTLSCertificateFile conf/ssl/site1.crt
    GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    DocumentRoot /www/site2.example.com/html
    ServerName site2.example.com:443
    GnuTLSCertificateFile conf/ssl/site2.crt
    GnuTLSKeyFile conf/ssl/site2.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    DocumentRoot /www/site3.example.com/html
    ServerName site3.example.com:443
    GnuTLSCertificateFile conf/ssl/site3.crt
    GnuTLSKeyFile conf/ssl/site3.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    DocumentRoot /www/site4.example.com/html
    ServerName site4.example.com:443
    GnuTLSCertificateFile conf/ssl/site4.crt
    GnuTLSKeyFile conf/ssl/site4.key
    </VirtualHost>


* * * * *

Performance Issues
==================

`mod_gnutls` by default uses conservative settings for the server.
You can fine tune the configuration to reduce the load on a busy
server.  The following examples do exactly this:


    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    # Using 4 memcache servers to distribute the SSL Session Cache.
    GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
    GnuTLSCacheTimeout 600
    Listen 1.2.3.1:443
    NameVirtualHost 1.2.3.1:443
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    # Here we disable the DHE ciphersuites to save the cost of the
    # Diffie-Hellman exchange, and disallow AES-256 since AES-128 is just fine.
    # Without DHE, forward secrecy is only available through the ECDHE
    # suites, where the GnuTLS build offers them; %COMPAT additionally
    # disables some security features (see GnuTLSPriorities).
    GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
    DocumentRoot /www/site1.example.com/html
    ServerName site1.example.com:443
    GnuTLSCertificateFile conf/ssl/site1.crt
    GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    # Here, instead of disabling the DHE ciphersuites, we use
    # Diffie-Hellman parameters of smaller size than the default (2048 bits).
    # The original advice was that 768 to 1024 bits is acceptable if the
    # parameters are regenerated every few hours. Groups of 1024 bits and
    # below are now considered weak (see the Logjam attack) and many
    # clients reject groups below 1024 bits, so prefer 2048 bits.
    # Use "certtool --generate-dh-params --bits 2048" to get those
    GnuTLSDHFile /etc/apache2/dh.params
    GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
    DocumentRoot /www/site2.example.com/html
    ServerName site2.example.com:443
    GnuTLSCertificateFile conf/ssl/site2.crt
    GnuTLSKeyFile conf/ssl/site2.key
    </VirtualHost>
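The following Python script is an added example, not part of `mod_gnutls` or the Apache distribution. It lints the `GnuTLS*` directives of a configuration against the rules stated in the directive reference above: weak keywords added to `GnuTLSPriorities` or `GnuTLSProxyPriorities` (compression, `%COMPAT`, RC4, MD5, SSL 3.0, `EXPORT`), `GnuTLSSessionTickets` combined with `GnuTLSCache`, a certificate without its key, client verification without any trust anchors, and a proxy engine missing `GnuTLSProxyPriorities`, `GnuTLSProxyCAFile` or the proxy key. The embedded configuration is constructed (it includes a reverse-proxy vhost, which the manual has no example of); the assumptions that server-level directives apply to vhosts that do not override them, that `on`/`off` are written in lower case, the minimal parser, and the `lint`, `check_priorities` and `Finding` names are the example's own.

```python
"""Lint the mod_gnutls directives of an Apache configuration (added example)."""
import re
from collections import namedtuple

# Keywords that weaken the configuration when a priority string adds them.
WEAK_PRIORITY_KEYWORDS = {
    "COMP-DEFLATE": "TLS-level compression leaks plaintext (CRIME); keep COMP-NULL",
    "EXPORT": "export-grade cipher suites are trivially breakable",
    "ARCFOUR-128": "RC4 is prohibited for TLS by RFC 7465",
    "MD5": "MD5-based MACs are deprecated",
    "VERS-SSL3.0": "SSL 3.0 is broken (POODLE) and deprecated by RFC 7568",
    "%COMPAT": "disables security countermeasures to accommodate broken clients",
}
_VHOST_OPEN = re.compile(r"^<VirtualHost\b", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.IGNORECASE)
_DIRECTIVE = re.compile(r"^(\w+)\s+(.*)$")
Finding = namedtuple("Finding", "vhost directive message")  # vhost = ServerName

def parse(config_text):
    """Minimal parser (assumption): '#' comments, canonical directive spelling,
    only <VirtualHost> blocks, last occurrence of a directive wins."""
    server, vhosts, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if _VHOST_OPEN.match(line):
            current = {}
        elif _VHOST_CLOSE.match(line):
            vhosts.append((current.get("ServerName", "<unnamed>"), current))
            current = None
        elif (m := _DIRECTIVE.match(line)):
            (server if current is None else current)[m.group(1)] = m.group(2).strip()
    return server, vhosts

def check_priorities(directive, value, vhost):
    """Flag weak keywords a priority string adds; removals ('!' or '-') are the fix."""
    base, *rest = value.split(":")
    hits = [(base, base)] if base in WEAK_PRIORITY_KEYWORDS else []
    for token in rest:
        name = token[1:] if token.startswith("+") else token
        if not token.startswith(("!", "-")) and name in WEAK_PRIORITY_KEYWORDS:
            hits.append((token, name))
    return [Finding(vhost, directive, f"{t}: {WEAK_PRIORITY_KEYWORDS[n]}") for t, n in hits]

def lint(config_text):
    """Check every TLS vhost against the directive reference's consistency rules.
    Assumption: server-level directives apply to vhosts that do not override them."""
    server, vhosts = parse(config_text)
    caching = server.get("GnuTLSCache", "none").split()[0] != "none"
    findings = []
    for vhost, local in vhosts:
        def eff(name, local=local):              # vhost value, else server-level value
            return local.get(name, server.get(name))
        def report(directive, message):
            findings.append(Finding(vhost, directive, message))
        if eff("GnuTLSEnable") != "on":
            continue
        for name in ("GnuTLSPriorities", "GnuTLSProxyPriorities"):
            if eff(name):
                findings += check_priorities(name, eff(name), vhost)
        if eff("GnuTLSSessionTickets") == "on" and caching:
            report("GnuTLSSessionTickets", "don't combine session tickets with GnuTLSCache")
        if bool(eff("GnuTLSCertificateFile")) != bool(eff("GnuTLSKeyFile")):
            report("GnuTLSCertificateFile", "certificate and key must both be set")
        if (eff("GnuTLSClientVerify") or "ignore") != "ignore" and not (
                eff("GnuTLSClientCAFile") or eff("GnuTLSPGPKeyringFile")):
            report("GnuTLSClientVerify", "client certificates requested without trust anchors")
        if eff("GnuTLSProxyEngine") == "on":
            if not eff("GnuTLSProxyPriorities"):
                report("GnuTLSProxyEngine", "GnuTLSProxyPriorities is required")
            if not eff("GnuTLSProxyCAFile"):
                report("GnuTLSProxyEngine", "no GnuTLSProxyCAFile: back-end verification always fails")
            if bool(eff("GnuTLSProxyCertificateFile")) != bool(eff("GnuTLSProxyKeyFile")):
                report("GnuTLSProxyCertificateFile", "proxy certificate and key must both be set")
    return findings

# Constructed sample: a sound vhost that also proxies to a TLS back end, and one
# with the mistakes the directive reference warns about.
SAMPLE_CONFIG = """
GnuTLSCache gdbm /var/cache/www-tls-cache
GnuTLSProxyCAFile /etc/ssl/certs/backend-ca.pem
<VirtualHost 192.0.2.10:443>
    ServerName good.example.com
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:!VERS-SSL3.0:!ARCFOUR-128:!MD5
    GnuTLSCertificateFile conf/ssl/good.crt
    GnuTLSKeyFile conf/ssl/good.key
    GnuTLSClientVerify require
    GnuTLSClientCAFile conf/ssl/client-ca.pem
    GnuTLSProxyEngine on
    GnuTLSProxyPriorities NORMAL:!VERS-SSL3.0
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName legacy.example.com
    GnuTLSEnable on
    GnuTLSSessionTickets on
    GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:+COMP-DEFLATE:%COMPAT
    GnuTLSCertificateFile conf/ssl/legacy.crt
    GnuTLSClientVerify request
    GnuTLSProxyEngine on
    GnuTLSProxyCertificateFile conf/ssl/legacy-proxy.crt
</VirtualHost>
"""

if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), sep="\n")
```

Run against a real `httpd.conf`, `lint(open(path).read())` reports nothing for `good.example.com` and seven findings for `legacy.example.com`: the two weak priority keywords, tickets combined with a cache, a certificate without a key, client verification without a CA file, and a proxy engine lacking both `GnuTLSProxyPriorities` and the key for its client certificate. Removals such as `!ARCFOUR-128` are never flagged, since they are exactly the change the reference recommends.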

* * * * *

Environment Variables
=====================

`mod_gnutls` exports the following environment variables to scripts.
These are compatible with `mod_ssl`.

`HTTPS`
-------

Can be `on` or `off`

`SSL_VERSION_LIBRARY`
---------------------

The version of the GnuTLS library

`SSL_VERSION_INTERFACE`
-----------------------

The version of this module

`SSL_PROTOCOL`
--------------

The SSL or TLS protocol name (such as `TLS 1.0` etc.)

`SSL_CIPHER`
------------

The SSL or TLS cipher suite name

`SSL_COMPRESS_METHOD`
---------------------

The negotiated compression method (`NULL` or `DEFLATE`)

`SSL_SRP_USER`
--------------

The SRP username used for authentication (only set when
`GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured).

`SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE`
-------------------------------------------------

The number of bits of the key used by the negotiated cipher algorithm.

This does not fully reflect the security level, since the size of the
RSA or DHE key exchange parameters affects the security level too.

`SSL_DH_PRIME_BITS`
-------------------

The number of bits in the modulus for the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

`SSL_CIPHER_EXPORT`
-------------------

`True` or `False`. Whether the cipher suite negotiated is an export one.

`SSL_SESSION_ID`
----------------

The session ID negotiated in this session. Can be the same during client
reloads.

`SSL_CLIENT_V_REMAIN`
---------------------

The number of days until the client's certificate expires.

`SSL_CLIENT_V_START`
--------------------

The activation time of the client's certificate.

`SSL_CLIENT_V_END`
------------------

The expiration time of the client's certificate.

`SSL_CLIENT_S_DN`
-----------------

The distinguished name of the client's certificate in RFC2253 format.

`SSL_CLIENT_I_DN`
-----------------

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

`SSL_CLIENT_S_AN%`
------------------

These will contain the alternative names of the client certificate (`%` is
a number starting from zero).

The values will be prepended by `DNSNAME:`, `RFC822NAME:` or `URI:`
depending on the type.

If the name type is not supported the value `UNSUPPORTED` will be set.

`SSL_SERVER_M_SERIAL`
---------------------

The serial number of the server's certificate.

`SSL_SERVER_M_VERSION`
----------------------

The version of the server's certificate.

`SSL_SERVER_A_SIG`
------------------

The algorithm used for the signature in the server's certificate.

`SSL_SERVER_A_KEY`
------------------

The public key algorithm in the server's certificate.

`SSL_SERVER_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_SERVER_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.

`SSL_CLIENT_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_CLIENT_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.
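A consumer of these variables, as an added example that is not part of `mod_gnutls`: a Python helper a CGI or WSGI script can use to act on the exported values. It enforces the point made under `GnuTLSClientVerify` (with `request`, `SSL_CLIENT_VERIFY` must be checked for `SUCCESS` because the request is served either way), collects `SSL_CLIENT_S_AN0`, `SSL_CLIENT_S_AN1`, ... with their type prefixes, and treats an exported `SSL_CLIENT_CERT` holding `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED` (see `GnuTLSExportCertificates`) as absent. The sample environments and the names `verified_client`, `authorize` and `ClientIdentity` are constructed for the example.

```python
"""Act on the mod_gnutls environment variables from a CGI/WSGI script (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIZE_LIMIT_SENTINEL = "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"


@dataclass
class ClientIdentity:
    subject_dn: str
    alt_names: List[Tuple[str, str]]      # (type, value) in the order exported
    days_remaining: Optional[int]
    certificate_pem: Optional[str]        # None if not exported or over the size limit


def client_alt_names(environ):
    """Collect SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ... as (type, value) pairs.

    Each value carries a DNSNAME:, RFC822NAME: or URI: prefix; other name
    types are exported as the literal UNSUPPORTED.
    """
    names, i = [], 0
    while f"SSL_CLIENT_S_AN{i}" in environ:
        raw = environ[f"SSL_CLIENT_S_AN{i}"]
        kind, _, value = raw.partition(":")
        names.append(("UNSUPPORTED", "") if raw == "UNSUPPORTED" else (kind, value))
        i += 1
    return names


def exported_certificate(environ, side="CLIENT"):
    """Return the exported PEM certificate, or None if absent, truncated or not X.509."""
    pem = environ.get(f"SSL_{side}_CERT")
    if not pem or pem == SIZE_LIMIT_SENTINEL:
        return None                   # size limit of GnuTLSExportCertificates exceeded
    if environ.get(f"SSL_{side}_CERT_TYPE", "X.509") != "X.509":
        return None                   # OpenPGP certificates are ASCII-armored, not PEM
    return pem


def verified_client(environ):
    """Return a ClientIdentity only for a successfully verified client certificate.

    With GnuTLSClientVerify request the request is served even when
    SSL_CLIENT_VERIFY is FAILED or NONE, so the script must check for SUCCESS;
    subject and SAN values of a FAILED certificate are attacker-chosen.
    """
    if environ.get("HTTPS") != "on" or environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    remain = environ.get("SSL_CLIENT_V_REMAIN")
    return ClientIdentity(
        subject_dn=environ.get("SSL_CLIENT_S_DN", ""),
        alt_names=client_alt_names(environ),
        days_remaining=int(remain) if remain is not None else None,
        certificate_pem=exported_certificate(environ),
    )


def authorize(environ, allowed_emails):
    """Allow only verified clients whose RFC822NAME SAN is on the allow list."""
    ident = verified_client(environ)
    if ident is None:
        return False
    emails = {value for kind, value in ident.alt_names if kind == "RFC822NAME"}
    return bool(emails & set(allowed_emails))


# Constructed sample environments (not captured from a real server).
ALICE_ENV = {
    "HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Alice,O=Example Corp",
    "SSL_CLIENT_S_AN0": "RFC822NAME:alice@example.com",
    "SSL_CLIENT_S_AN1": "DNSNAME:alice.example.com",
    "SSL_CLIENT_S_AN2": "UNSUPPORTED",
    "SSL_CLIENT_V_REMAIN": "42",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\nMIIBsampleNotARealCert\n-----END CERTIFICATE-----\n",
    "SSL_CLIENT_CERT_TYPE": "X.509",
}
# Same subject and SAN, but the chain did not verify (possible with "request").
MALLORY_ENV = {**ALICE_ENV, "SSL_CLIENT_VERIFY": "FAILED"}
# Verified, but the certificate did not fit the GnuTLSExportCertificates buffer.
BIG_CERT_ENV = {**ALICE_ENV, "SSL_CLIENT_CERT": SIZE_LIMIT_SENTINEL}

if __name__ == "__main__":
    for who, env in (("alice", ALICE_ENV), ("mallory", MALLORY_ENV)):
        print(who, "allowed" if authorize(env, ["alice@example.com"]) else "denied")
```

In a CGI script `environ` is `os.environ`; under WSGI it is the request environment passed to the application. The attacker-controlled case is `MALLORY_ENV`: the subject and SAN look identical to Alice's, and only the `SSL_CLIENT_VERIFY` check tells them apart.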