source: mod_gnutls/doc/mod_gnutls_manual.mdwn @ c3c96ca

Last change on this file since c3c96ca was c3c96ca, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

Handbook: Update and simplify description of GnuTLSPriorities

The section has been shortened quite a bit. Anyone who is looking to
build their own priority list should really consult the GnuTLS
documentation. A rarely updated handbook is not the right place for
advice on cipher suites.

% `mod_gnutls` Manual

* * * * *

`mod_gnutls` is a module for the Apache web server that provides HTTPS
(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
Layer (SSL)) using the GnuTLS library.  More information about the
module can be found at [the project's website](https://mod.gnutls.org/).

* * * * *

Compilation & Installation
==========================

`mod_gnutls` uses the `./configure && make && make install` mechanism
common to many Open Source programs.  Most of the dirty work is
handled by either `./configure` or Apache's `apxs` utility. If you have
built Apache modules before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`
:   This option is used to specify the location of the apxs utility that
    was installed as part of apache. Specify the location of the
    binary, not the directory it is located in.

`--with-apu-config=PATH`
:   Path to APR Utility Library config tool (`apu-1-config`)

`--help`
:   Provides a list of all available configure options.

It is recommended to run `make check` before installation. If your
system doesn't have a loopback device with IPv6 and IPv4 support or
`localhost` does not resolve to at least one of `[::1]` and
`127.0.0.1`, you may have to set the `TEST_HOST` or `TEST_IP`
environment variables when running `./configure` to make the test
suite work correctly.

* * * * *

Integration
===========

To activate `mod_gnutls` just add the following line to your httpd.conf
and restart Apache:

    LoadModule gnutls_module modules/mod_gnutls.so

* * * * *

Configuration Directives
========================

`GnuTLSEnable`
--------------

Enable GnuTLS for this virtual host

    GnuTLSEnable [on|off]

Default: *off*\
Context: virtual host

This directive enables SSL/TLS Encryption for a Virtual Host.

`GnuTLSCache`
-------------

Configure TLS Session Cache

    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]

Default: `GnuTLSCache none`\
Context: server config

This directive configures the TLS Session Cache for `mod_gnutls`.
This could be shared between machines of different architectures. If a
DBM cache is used, access is serialized using the `gnutls-cache`
mutex.

`dbm` (Requires Berkeley DBM)
:   Uses the default Berkeley DB backend of APR DBM to cache TLS
    sessions.  The argument is a relative or absolute path to
    be used as the DBM Cache file. This is compatible with most
    operating systems, but needs the Apache Runtime to be compiled
    with Berkeley DBM support.

`gdbm`
:   Uses the GDBM backend of APR DBM to cache TLS sessions.

    The argument is a relative or absolute path to be used as the DBM Cache
    file.  This is the recommended option.

`memcache`
:   Uses a memcached server to cache the TLS Session.

    The argument is a space separated list of servers. If no port
    number is supplied, the default of 11211 is used.  This can be
    used to share a session cache between all servers in a cluster.

`none`
:   Turns off all caching of TLS Sessions.

    This can significantly reduce the performance of `mod_gnutls` since
    even followup connections by a client must renegotiate parameters
    instead of reusing old ones.  This is the default, since it
    requires no configuration.

`GnuTLSCacheTimeout`
--------------------

Timeout for TLS Session Cache expiration

    GnuTLSCacheTimeout SECONDS

Default: `GnuTLSCacheTimeout 300`\
Context: server config

Sets the timeout for TLS Session Cache entries expiration.  This
directive is valid even if Session Tickets are used, and indicates the
expiration time of the ticket in seconds.

`GnuTLSSessionTickets`
----------------------

Enable Session Tickets for the server

    GnuTLSSessionTickets [on|off]

Default: `off`\
Context: server config, virtual host

To avoid storing session resumption data on the server, the server may
instead hand the client a ticket to present when it returns. Tickets are
an alternative to using a session cache, mostly used for busy servers
with limited storage. For a pool of servers this option is not
recommended since the tickets are bound to the issuing server only.

If this option is set in the global configuration, virtual hosts
without a `GnuTLSSessionTickets` setting will use the global setting.

*Warning:* Currently the master key that protects the tickets is
generated only on server start, and there is no mechanism to roll over
the key. If session tickets are enabled it is highly recommended to
restart the server regularly to protect past sessions in case an
attacker gains access to server memory.

`GnuTLSCertificateFile`
-----------------------

Set to the PEM Encoded Server Certificate

    GnuTLSCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

Since version 0.7 this can be a PKCS #11 URL.

`GnuTLSKeyFile`
---------------

Set to the PEM Encoded Server Private Key

    GnuTLSKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. Set
`GnuTLSPIN` if the key file is encrypted.

Since version 0.7 this can be a PKCS #11 URL.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

`GnuTLSPGPCertificateFile`
--------------------------

Set to a base64 Encoded Server OpenPGP Certificate

    GnuTLSPGPCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

`GnuTLSPGPKeyFile`
------------------

Set to the Server OpenPGP Secret Key

    GnuTLSPGPKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

`GnuTLSClientVerify`
--------------------

Enable Client Certificate Verification

    GnuTLSClientVerify [ignore|request|require]

Default: `ignore`\
Context: server config, virtual host, directory, .htaccess

This directive controls the use of TLS Client Certificate
Authentication. If used in the .htaccess context, it can force TLS
re-negotiation.

`ignore`
:   `mod_gnutls` will ignore the contents of any TLS Client Certificates
    sent. It will not request that the client sends a certificate.

`request`
:   The client certificate will be requested, but not required.
    The Certificate will be validated if sent.  The output of the
    validation status will be stored in the `SSL_CLIENT_VERIFY`
    environment variable and can be `SUCCESS`, `FAILED` or `NONE`.

`require`
:   A Client certificate will be required. Any requests without a valid
    client certificate will be denied.  The `SSL_CLIENT_VERIFY`
    environment variable will only be set to `SUCCESS`.

`GnuTLSClientCAFile`
--------------------

Set to the PEM Encoded Certificate Authority Certificate

    GnuTLSClientCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.
This file may contain a list of trusted authorities.

`GnuTLSPGPKeyringFile`
----------------------

Set to a base64 Encoded key ring

    GnuTLSPGPKeyringFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate
list (key ring) to use as a means of verification of Client
Certificates.  This file should contain a list of trusted signers.

`GnuTLSDHFile`
--------------

Set to the PKCS \#3 encoded Diffie Hellman parameters

    GnuTLSDHFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH
parameters. Those are used when the DHE key exchange method is enabled.
You can generate this file using
`certtool --generate-dh-params --bits 2048`.  If not set, `mod_gnutls`
will use the included parameters.

`GnuTLSSRPPasswdFile`
---------------------

Set to the SRP password file for SRP ciphersuites

    GnuTLSSRPPasswdFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password file. This is
the same format as used in libsrp.  You can generate such a file using
the command
`srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test`
to set a password for user test.  This password file holds the
username, a password verifier and the dependency to the SRP parameters.

`GnuTLSSRPPasswdConfFile`
-------------------------

Set to the SRP password.conf file for SRP ciphersuites

    GnuTLSSRPPasswdConfFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This
is the same format as used in `libsrp`.  You can generate such a file
using the command `srptool --create-conf /etc/tpasswd.conf`.  This
file holds the SRP parameters and is associated with the password file
(the verifiers depend on these parameters).

`GnuTLSPriorities`
------------------

Set the allowed protocol versions, ciphers, key exchange algorithms,
MACs and compression methods

    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

Takes a colon separated list of protocol versions, ciphers, key
exchange methods, message authentication codes, and compression methods
to enable. The allowed keywords are specified in the
`gnutls_priority_init()` function of GnuTLS.

Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings)
for details. A few commonly used sets are listed below; note that
their exact meaning may change with GnuTLS versions.

`PERFORMANCE`
:   A list with all the secure cipher combinations sorted in terms of
    performance.

`NORMAL`
:   A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).

`SECURE128`
:   A list with all the secure cipher suites that offer a security level
    of 128-bit or more.

`PFS`
:   Only cipher suites offering perfect forward secrecy (ECDHE and DHE),
    sorted by security margin.

You can add or remove algorithms using the `+` and `!` prefixes
respectively. For example, in order to use the `NORMAL` set but
disable TLS 1.0 and 1.1 you can use the string
`NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`.

You can find a list of all supported Ciphers, Versions, MACs, etc. by
running `gnutls-cli --list`.

`GnuTLSP11Module`
-----------------

Load this PKCS #11 module.

    GnuTLSP11Module PATH_TO_LIBRARY

Default: *none*\
Context: server config

Load this PKCS #11 provider module, instead of the system
defaults. May occur multiple times to load multiple modules.

`GnuTLSPIN`
-----------

Set the PIN to be used to access encrypted key files or PKCS #11 objects.

    GnuTLSPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
or openssl encrypted keys.

`GnuTLSSRKPIN`
--------------

Set the SRK PIN to be used to access the TPM.

    GnuTLSSRKPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
the TPM module.

`GnuTLSExportCertificates`
--------------------------

Export the PEM encoded certificates to CGIs

    GnuTLSExportCertificates [off|on|SIZE]

Default: `off`\
Context: server config, virtual host

This directive configures exporting the full certificates of the
server and the client to CGI scripts via the `SSL_SERVER_CERT` and
`SSL_CLIENT_CERT` environment variables. The exported certificates
will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
size given.  The type of the certificate will be exported in
`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.

SIZE should be an integer number of bytes, or may be written with a
trailing `K` to indicate kibibytes.  `off` means the same thing as
`0`, in which case the certificates will not be exported to the
environment.  `on` is an alias for `16K`.  If a non-zero size is
specified for this directive, but a certificate is too large to fit in
the buffer, then the corresponding environment variable will contain
the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.

With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
environment variables to the CGI process as `mod_ssl`.

`GnuTLSProxyEngine`
-------------------

Enable TLS proxy connections for this virtual host

    GnuTLSProxyEngine [on|off]

Default: *off*\
Context: virtual host

This directive enables support for TLS proxy connections for a virtual
host.

`GnuTLSProxyCAFile`
-------------------

Set to the PEM encoded Certificate Authority Certificate

    GnuTLSProxyCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded certificate to use
as a Certificate Authority when verifying certificates provided by
proxy back end servers. This file may contain a list of trusted
authorities. If not set, verification of TLS back end servers will
always fail due to lack of a trusted CA.

`GnuTLSProxyCRLFile`
--------------------

Set to the PEM encoded Certificate Revocation List

    GnuTLSProxyCRLFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded Certificate
Revocation List to use when verifying certificates provided by proxy
back end servers. The file may contain a list of CRLs.

`GnuTLSProxyCertificateFile`
----------------------------

Set to the PEM encoded Client Certificate

    GnuTLSProxyCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded X.509 certificate
to use as this Server's End Entity (EE) client certificate for TLS
client authentication in proxy TLS connections. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest
to the root CA. Optionally, you can also include the root CA's
certificate as the last certificate in the list.

If not set, TLS client authentication will be disabled for TLS proxy
connections. If set, `GnuTLSProxyKeyFile` must be set as well to
provide the matching private key.

`GnuTLSProxyKeyFile`
--------------------

Set to the PEM encoded Private Key

    GnuTLSProxyKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Private Key matching the
certificate configured using the `GnuTLSProxyCertificateFile`
directive. This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

`GnuTLSProxyPriorities`
-----------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods for proxy connections

    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

This option is used to set the allowed ciphers, key exchange
algorithms, MACs and compression methods for proxy connections. It
takes the same parameters as `GnuTLSPriorities`. Required if
`GnuTLSProxyEngine` is `On`.

`GnuTLSOCSPStapling`
--------------------

EXPERIMENTAL: Enable OCSP stapling for this (virtual) host.

    GnuTLSOCSPStapling [On|Off]

Default: *off*\
Context: server config, virtual host

OCSP stapling, formally known as the TLS Certificate Status Request
extension, allows the server to provide the client with an OCSP
response for its certificate during the handshake. This way the client
does not have to send an OCSP request to the CA to check the
certificate status, which offers privacy and performance advantages.

Using OCSP stapling has a few requirements:

* Caching OCSP responses requires a cache, so `GnuTLSCache` must not
  be `none`.
* `GnuTLSCertificateFile` must contain the issuer CA certificate in
  addition to the server certificate so responses can be verified.
* The certificate must either contain an OCSP access URI using HTTP,
  or `GnuTLSOCSPResponseFile` must be set.

OCSP cache updates are serialized using the `gnutls-ocsp` mutex.

`GnuTLSOCSPResponseFile`
------------------------

EXPERIMENTAL: Read the OCSP response for stapling from this file
instead of sending a request over HTTP

    GnuTLSOCSPResponseFile /path/to/response.der

Default: *empty*\
Context: server config, virtual host

The response file must be updated externally, for example using a cron
job. This option is an alternative to the server fetching OCSP
responses over HTTP. Reasons to use this option include:

* Performing OCSP requests separate from the web server, to prevent slow
  responses from stalling handshakes.
* The issuer CA uses an access method other than HTTP.
* Testing

`GnuTLSOCSPGraceTime`
---------------------

EXPERIMENTAL: Replace cached OCSP responses this many seconds before
they expire.

    GnuTLSOCSPGraceTime SECONDS

Default: *60*\
Context: server config, virtual host

A cached OCSP response should be updated a little before it expires to
account for potential clock skew between server, CA, and client, as
well as transmission time in corner cases.
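
Several of the directives above only work in combination: OCSP stapling needs a `GnuTLSCache` other than `none`, `GnuTLSProxyEngine` requires `GnuTLSProxyPriorities` and a `GnuTLSProxyCAFile` for back end verification to succeed, and `GnuTLSProxyCertificateFile` needs its `GnuTLSProxyKeyFile`. The following Python script is an added example, not part of mod_gnutls; it parses a constructed httpd.conf fragment and reports those requirement violations, using the `parse`, `setting`, `export_limit` and `lint` helpers defined here (all assumptions of this example, not project code).

```python
"""Check mod_gnutls directives for the cross-directive requirements this
manual states.  Added example; not part of mod_gnutls itself."""
import re
import shlex

# Constructed sample: the cache and proxy settings are deliberately incomplete.
SAMPLE_CONF = """
LoadModule gnutls_module modules/mod_gnutls.so
GnuTLSCache none
GnuTLSExportCertificates 32K
<VirtualHost 192.0.2.1:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:%COMPAT
    GnuTLSSessionTickets on
    GnuTLSOCSPStapling On
    GnuTLSProxyEngine On
    GnuTLSProxyCertificateFile conf/tls/proxy.crt
</VirtualHost>
"""


def parse(text):
    """Return (server-wide directives, [(vhost, directives)]).  Names are
    lower-cased (Apache ignores case); each maps to a list of argument lists."""
    global_d, vhosts, current, vhost = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            vhost, current = m.group(1), {}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            vhosts.append((vhost, current))
            current = None
            continue
        parts = shlex.split(line, comments=True)  # keeps quoted SERVERLISTs
        if parts:
            target = global_d if current is None else current
            target.setdefault(parts[0].lower(), []).append(parts[1:])
    return global_d, vhosts


def setting(name, *scopes):
    """Arguments of the last occurrence of a directive in the first scope
    that has it (pass the virtual host, then the server config), or None."""
    for scope in scopes:
        hits = scope.get(name.lower())
        if hits:
            return hits[-1]
    return None


def export_limit(args):
    """Bytes allowed by GnuTLSExportCertificates [off|on|SIZE]: off is 0,
    on is 16K, SIZE is an integer with optional trailing K; None if bad."""
    value = args[0].lower()
    if value in ("off", "on"):
        return 0 if value == "off" else 16 * 1024
    m = re.fullmatch(r"(\d+)(k?)", value)
    return int(m.group(1)) * (1024 if m.group(2) else 1) if m else None


def lint(text):
    """Return [(scope, finding)] for the requirements the manual states."""
    global_d, vhosts = parse(text)
    out = []
    cache = (setting("GnuTLSCache", global_d) or ["none"])[0].lower()
    if cache == "none":
        out.append(("server", "GnuTLSCache none: every connection renegotiates"))
    for scope, d in [("server", global_d)] + vhosts:
        exp = setting("GnuTLSExportCertificates", d)
        if exp is not None and export_limit(exp) is None:
            out.append((scope, "GnuTLSExportCertificates: bad SIZE %r" % exp[0]))
    for vhost, d in vhosts:
        def on(name):  # vhost setting, falling back to the global one
            return (setting(name, d, global_d) or ["off"])[0].lower() == "on"
        if on("GnuTLSOCSPStapling") and cache == "none":
            out.append((vhost, "GnuTLSOCSPStapling needs a GnuTLSCache other than none"))
        if on("GnuTLSProxyEngine"):
            for need in ("GnuTLSProxyPriorities", "GnuTLSProxyCAFile"):
                if setting(need, d, global_d) is None:
                    out.append((vhost, "GnuTLSProxyEngine On but %s is not set" % need))
        if setting("GnuTLSProxyCertificateFile", d, global_d) and setting("GnuTLSProxyKeyFile", d, global_d) is None:
            out.append((vhost, "GnuTLSProxyCertificateFile set without GnuTLSProxyKeyFile"))
        if on("GnuTLSSessionTickets"):
            out.append((vhost, "session tickets on: ticket key only rotates on restart"))
        prio = setting("GnuTLSPriorities", d, global_d)
        if prio and "%COMPAT" in prio[0].upper():
            out.append((vhost, "GnuTLSPriorities uses %COMPAT, which disables security features"))
    return out
```

Run `lint(open("/etc/apache2/sites-enabled/example.conf").read())` against a real file; whether a certificate actually carries an OCSP URI is not checked here.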

* * * * *

Configuration Examples
======================

Simple Standard TLS Example
---------------------------

The following is an example of simple TLS hosting, using one IP
address for each virtual host.

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    GnuTLSCache gdbm /var/cache/www-tls-cache
    GnuTLSCacheTimeout 500

    # Without SNI you need one IP Address per-site.
    Listen 192.0.2.1:443
    Listen 192.0.2.2:443
    Listen 192.0.2.3:443
    Listen 192.0.2.4:443

    <VirtualHost 192.0.2.1:443>
        GnuTLSEnable on
        GnuTLSPriorities SECURE128
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/tls/site1.crt
        GnuTLSKeyFile conf/tls/site1.key
    </VirtualHost>

    <VirtualHost 192.0.2.2:443>
        # This virtual host enables SRP authentication
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
        GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
    </VirtualHost>

    <VirtualHost 192.0.2.3:443>
        # This server enables SRP, OpenPGP and X.509 authentication.
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS:+CTYPE-OPENPGP
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/tls/site3.crt
        GnuTLSKeyFile conf/tls/site3.key
        GnuTLSClientVerify ignore
        GnuTLSPGPCertificateFile conf/tls/site3.pub.asc
        GnuTLSPGPKeyFile conf/tls/site3.sec.asc
        GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
        GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
    </VirtualHost>

    <VirtualHost 192.0.2.4:443>
        GnuTLSEnable on
        # %COMPAT disables some security features to enable maximum
        # compatibility with clients. Don't use this if you need strong
        # security.
        GnuTLSPriorities NORMAL:%COMPAT
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/tls/site4.crt
        GnuTLSKeyFile conf/tls/site4.key
    </VirtualHost>

Server Name Indication Example
------------------------------

`mod_gnutls` supports "Server Name Indication", as specified in
RFC 3546. This allows hosting many TLS websites with a single IP
address. All recent browsers support this standard. Here is an
example using SNI:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so

    # SNI allows hosting multiple sites using one IP address. This
    # could also be 'Listen *:443', just like '*:80' is common for
    # non-HTTPS
    Listen 198.51.100.1:443

    <VirtualHost _default_:443>
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/tls/site1.crt
        GnuTLSKeyFile conf/tls/site1.key
    </VirtualHost>

    <VirtualHost _default_:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/tls/site2.crt
        GnuTLSKeyFile conf/tls/site2.key
    </VirtualHost>

    <VirtualHost _default_:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/tls/site3.crt
        GnuTLSKeyFile conf/tls/site3.key
    </VirtualHost>

    <VirtualHost _default_:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/tls/site4.crt
        GnuTLSKeyFile conf/tls/site4.key
    </VirtualHost>

OCSP Stapling Example
---------------------

This example uses an X.509 server certificate. The server will fetch
OCSP responses from the responder listed in the certificate and store
them in a memcached cache shared with another server.

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    GnuTLSCache memcache "192.0.2.1:11211 192.0.2.2:11211"
    GnuTLSCacheTimeout 600

    Listen 192.0.2.1:443

    <VirtualHost _default_:443>
        GnuTLSEnable          On
        GnuTLSPriorities      NORMAL
        DocumentRoot          /www/site1.example.com/html
        ServerName            site1.example.com:443
        GnuTLSCertificateFile conf/tls/site1.crt
        GnuTLSKeyFile         conf/tls/site1.key
        GnuTLSOCSPStapling    On
    </VirtualHost>

* * * * *

Environment Variables
=====================

`mod_gnutls` exports the following environment variables to scripts.
These are compatible with `mod_ssl`.

`HTTPS`
-------

Can be `on` or `off`

`SSL_VERSION_LIBRARY`
---------------------

The version of the GnuTLS library

`SSL_VERSION_INTERFACE`
-----------------------

The version of this module

`SSL_PROTOCOL`
--------------

The SSL or TLS protocol name (such as `TLS 1.0` etc.)

`SSL_CIPHER`
------------

The SSL or TLS cipher suite name

`SSL_COMPRESS_METHOD`
---------------------

The negotiated compression method (`NULL` or `DEFLATE`)

`SSL_SRP_USER`
--------------

The SRP username used for authentication (only set when
`GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured).

`SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE`
-------------------------------------------------

The number of bits used in the used cipher algorithm.

This does not fully reflect the security level since the size of
RSA or DHE key exchange parameters affect the security level too.

`SSL_DH_PRIME_BITS`
-------------------

The number of bits in the modulus for the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

`SSL_CIPHER_EXPORT`
-------------------

`True` or `False`. Whether the cipher suite negotiated is an export one.

`SSL_SESSION_ID`
----------------

The session ID negotiated in this session. Can be the same during client
reloads.

`SSL_CLIENT_V_REMAIN`
---------------------

The number of days until the client's certificate is expired.

`SSL_CLIENT_V_START`
--------------------

The activation time of client's certificate.

`SSL_CLIENT_V_END`
------------------

The expiration time of client's certificate.

`SSL_CLIENT_S_DN`
-----------------

The distinguished name of client's certificate in RFC2253 format.

`SSL_CLIENT_I_DN`
-----------------

The distinguished name of the issuer of client's certificate in RFC2253
format.

`SSL_CLIENT_S_AN%`
------------------

These will contain the alternative names of the client certificate (`%` is
a number starting from zero).

The values will be prepended by `DNSNAME:`, `RFC822NAME:` or `URI:`
depending on the type.

If it is not supported the value `UNSUPPORTED` will be set.

`SSL_SERVER_M_SERIAL`
---------------------

The serial number of the server's certificate.

`SSL_SERVER_M_VERSION`
----------------------

The version of the server's certificate.

`SSL_SERVER_A_SIG`
------------------

The algorithm used for the signature in server's certificate.

`SSL_SERVER_A_KEY`
------------------

The public key algorithm in server's certificate.

`SSL_SERVER_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_SERVER_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.

`SSL_CLIENT_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_CLIENT_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.
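
A CGI script that authorizes users by client certificate has to read these variables in the right order: nothing taken from the certificate is trustworthy unless `SSL_CLIENT_VERIFY` is `SUCCESS` (under `GnuTLSClientVerify request` it may also be `FAILED` or `NONE`), the `SSL_CLIENT_S_AN%` names are numbered from zero, and `SSL_CLIENT_CERT` may hold the `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED` marker instead of PEM data. The Python below is an added example, not code from mod_gnutls; `SAMPLE_ENV`, `client_sans`, `client_identity` and `emails` are constructed for this illustration.

```python
"""Build a client identity from the mod_ssl-compatible variables that
mod_gnutls exports to CGI scripts.  Added example; not project code."""
import os

SIZE_LIMIT = "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"

# Constructed sample environment, as a CGI behind a virtual host with
# GnuTLSClientVerify request and a small GnuTLSExportCertificates limit
# might see it (all values made up).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLS 1.2",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example Corp",
    "SSL_CLIENT_I_DN": "CN=Example Client CA,O=Example Corp",
    "SSL_CLIENT_V_REMAIN": "12",
    "SSL_CLIENT_S_AN0": "RFC822NAME:alice@example.com",
    "SSL_CLIENT_S_AN1": "DNSNAME:alice.example.com",
    "SSL_CLIENT_S_AN2": "UNSUPPORTED",
    "SSL_CLIENT_CERT_TYPE": "X.509",
    "SSL_CLIENT_CERT": SIZE_LIMIT,
}


def client_sans(env):
    """Collect SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ... as (type, value)
    pairs.  Numbering starts at zero and stops at the first gap; a name
    the module cannot export is the literal string UNSUPPORTED."""
    sans, i = [], 0
    while "SSL_CLIENT_S_AN%d" % i in env:
        raw = env["SSL_CLIENT_S_AN%d" % i]
        i += 1
        if raw == "UNSUPPORTED":
            sans.append(("UNSUPPORTED", ""))
        else:
            kind, _, value = raw.partition(":")  # DNSNAME:, RFC822NAME:, URI:
            sans.append((kind, value))
    return sans


def client_identity(env):
    """Return a dict describing the verified client, or None.

    Under GnuTLSClientVerify request, SSL_CLIENT_VERIFY may be SUCCESS,
    FAILED or NONE, so the certificate fields are only read when it is
    SUCCESS; under require the module only ever sets SUCCESS."""
    if env.get("HTTPS") != "on" or env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cert = env.get("SSL_CLIENT_CERT")
    remain = env.get("SSL_CLIENT_V_REMAIN", "")
    return {
        "subject": env.get("SSL_CLIENT_S_DN", ""),
        "issuer": env.get("SSL_CLIENT_I_DN", ""),
        "sans": client_sans(env),
        "days_left": int(remain) if remain.isdigit() else None,
        "cert_type": env.get("SSL_CLIENT_CERT_TYPE"),
        # Too large for the GnuTLSExportCertificates SIZE: the variable
        # carries the marker string, not PEM data, so treat it as absent.
        "cert_pem": cert if cert and cert != SIZE_LIMIT else None,
    }


def emails(identity):
    """RFC822NAME SANs, the usual key when mapping a client cert to a user."""
    return [v for k, v in identity["sans"] if k == "RFC822NAME"]


if __name__ == "__main__":
    # A real CGI passes its own environment; fall back to the sample here.
    print(client_identity(dict(os.environ)) or client_identity(SAMPLE_ENV))
```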