source: mod_gnutls/doc/mod_gnutls_manual.mdwn @ dc058b8

Last change on this file since dc058b8 was dc058b8, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Update installation documentation

  • The --with-apr-memcache option has effectively been replaced by automatic configuration of the APR Utility Library, use --with-apu-config to change the path to apu-1-config.
  • Recommend running the test suite before installation
  • Option --with-libgnutls was removed years ago
% `mod_gnutls` Manual

* * * * *

`mod_gnutls` is a module for the Apache web server that provides HTTPS
(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
Layer (SSL)) using the GnuTLS library.  More information about the
module can be found at [the project's website](https://mod.gnutls.org/).

* * * * *

Compilation & Installation
==========================

`mod_gnutls` uses the `./configure && make && make install` mechanism
common to many Open Source programs.  Most of the dirty work is
handled by either `./configure` or Apache's `apxs` utility. If you have
built Apache modules before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`
:   This option is used to specify the location of the apxs utility that
    was installed as part of apache. Specify the location of the
    binary, not the directory it is located in.

`--with-apu-config=PATH`
:   Path to APR Utility Library config tool (`apu-1-config`)

`--help`
:   Provides a list of all available configure options.

It is recommended to run `make check` before installation. If
`localhost` does not resolve to the IPv6 loopback address `[::1]` on
your system, you may have to set the `TEST_HOST` or `TEST_IP`
environment variables when running `./configure` to make the test
suite work correctly.

* * * * *

Integration
===========

To activate `mod_gnutls` just add the following line to your httpd.conf
and restart Apache:

    LoadModule gnutls_module modules/mod_gnutls.so

* * * * *

Configuration Directives
========================

`GnuTLSEnable`
--------------

Enable GnuTLS for this virtual host

    GnuTLSEnable [on|off]

Default: *off*\
Context: virtual host

This directive enables SSL/TLS Encryption for a Virtual Host.

`GnuTLSCache`
-------------

Configure SSL Session Cache

    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]

Default: `GnuTLSCache none`\
Context: server config

This directive configures the SSL Session Cache for `mod_gnutls`.
This could be shared between machines of different architectures.

`dbm` (Requires Berkeley DBM)
:   Uses the default Berkeley DB backend of APR DBM to cache SSL
    Session results.  The argument is a relative or absolute path to
    be used as the DBM Cache file. This is compatible with most
    operating systems, but needs the Apache Runtime to be compiled
    with Berkeley DBM support.

`gdbm`
:   Uses the GDBM backend of APR DBM to cache SSL Session results.

    The argument is a relative or absolute path to be used as the DBM Cache
    file.  This is the recommended option.

`memcache`
:   Uses a memcached server to cache the SSL Session.

    The argument is a space separated list of servers. If no port
    number is supplied, the default of 11211 is used.  This can be
    used to share a session cache between all servers in a cluster.

`none`
:   Turns off all caching of SSL Sessions.

    This can significantly reduce the performance of `mod_gnutls` since
    even follow-up connections by a client must renegotiate parameters
    instead of reusing old ones.  This is the default, since it
    requires no configuration.

`GnuTLSCacheTimeout`
--------------------

Timeout for SSL Session Cache expiration

    GnuTLSCacheTimeout SECONDS

Default: `GnuTLSCacheTimeout 300`\
Context: server config

Sets the timeout for SSL Session Cache entries expiration.  This
directive is valid even if Session Tickets are used, and indicates the
expiration time of the ticket in seconds.

`GnuTLSSessionTickets`
----------------------

Enable Session Tickets for the server

    GnuTLSSessionTickets [on|off]

Default: `off`\
Context: server config, virtual host

To avoid storing data for TLS session resumption it is allowed to
provide the client with a ticket, to use on return.  Use for servers
with limited storage, and don't combine with GnuTLSCache. For a pool of
servers this option is not recommended since the tickets are unique
for the issuing server only.

`GnuTLSCertificateFile`
-----------------------

Set to the PEM Encoded Server Certificate

    GnuTLSCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

Since version 0.7 this can be a PKCS #11 URL.

`GnuTLSKeyFile`
---------------

Set to the PEM Encoded Server Private Key

    GnuTLSKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. Set
`GnuTLSPIN` if the key file is encrypted.

Since version 0.7 this can be a PKCS #11 URL.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

`GnuTLSPGPCertificateFile`
--------------------------

Set to a base64 Encoded Server OpenPGP Certificate

    GnuTLSPGPCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

`GnuTLSPGPKeyFile`
------------------

Set to the Server OpenPGP Secret Key

    GnuTLSPGPKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

`GnuTLSClientVerify`
--------------------

Enable Client Certificate Verification

    GnuTLSClientVerify [ignore|request|require]

Default: `ignore`\
Context: server config, virtual host, directory, .htaccess

This directive controls the use of SSL Client Certificate
Authentication. If used in the .htaccess context, it can force TLS
re-negotiation.

`ignore`
:   `mod_gnutls` will ignore the contents of any SSL Client Certificates
    sent. It will not request that the client sends a certificate.

`request`
:   The client certificate will be requested, but not required.
    The Certificate will be validated if sent.  The output of the
    validation status will be stored in the `SSL_CLIENT_VERIFY`
    environment variable and can be `SUCCESS`, `FAILED` or `NONE`.

`require`
:   A Client certificate will be required. Any requests without a valid
    client certificate will be denied.  The `SSL_CLIENT_VERIFY`
    environment variable will only be set to `SUCCESS`.

`GnuTLSClientCAFile`
--------------------

Set to the PEM Encoded Certificate Authority Certificate

    GnuTLSClientCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.
This file may contain a list of trusted authorities.

`GnuTLSPGPKeyringFile`
----------------------

Set to a base64 Encoded key ring

    GnuTLSPGPKeyringFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate
list (key ring) to use as a means of verification of Client
Certificates.  This file should contain a list of trusted signers.

`GnuTLSDHFile`
--------------

Set to the PKCS \#3 encoded Diffie Hellman parameters

    GnuTLSDHFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH
parameters. Those are used when the DHE key exchange method is enabled.
You can generate this file using
`certtool --generate-dh-params --bits 2048`.  If not set, `mod_gnutls`
will use the included parameters.

`GnuTLSSRPPasswdFile`
---------------------

Set to the SRP password file for SRP ciphersuites

    GnuTLSSRPPasswdFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password file. This is
the same format as used in libsrp.  You can generate such a file using
the command
`srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test`
to set a password for user test.  This password file holds the
username, a password verifier and its dependency on the SRP
parameters.

`GnuTLSSRPPasswdConfFile`
-------------------------

Set to the SRP password.conf file for SRP ciphersuites

    GnuTLSSRPPasswdConfFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This
is the same format as used in `libsrp`.  You can generate such a file
using the command `srptool --create-conf /etc/tpasswd.conf`.  This
file holds the SRP parameters and is associated with the password file
(the verifiers depend on these parameters).

`GnuTLSPriorities`
------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

Takes a colon-separated list of ciphers, key exchange methods,
message authentication codes and compression methods to enable.
The allowed keywords are specified in the `gnutls_priority_init()`
function of GnuTLS.

Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
In brief you can specify a set of ciphersuites from the choices:

`NONE`
:   The empty list.

`EXPORT`
:   A list with all the supported cipher combinations
    including the `EXPORT` strength algorithms.

`PERFORMANCE`
:   A list with all the secure cipher combinations sorted in terms of performance.

`NORMAL`
:   A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).

`SECURE`
:   A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the `+` and `!`
prefixes respectively.

For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
you can use the string `NORMAL:!ARCFOUR-128`.

Other options such as the protocol version and the compression method
can be specified using the `VERS-` and `COMP-` prefixes.

So in order to remove or add a specific TLS version from the `NORMAL`
set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
`NORMAL:+COMP-DEFLATE`.

However it is recommended not to add compression at this level.  With
the `NONE` set, in order to be usable, you have to specify a complete
set of combinations of protocol versions, cipher algorithms
(`AES-128-CBC`), key exchange algorithms (`RSA`), message
authentication codes (`SHA1`) and compression methods (`COMP-NULL`).

You can find a list of all supported Ciphers, Versions, MACs, etc. by
running `gnutls-cli --list`.

The special keyword `%COMPAT` will disable some security features such
as protection against statistical attacks to ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).

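To make the `+`/`!` composition and the "complete set" rule for `NONE` concrete, here is an added toy resolver in Python. It is not code from mod_gnutls or GnuTLS: the keyword catalogue and the contents of its `NORMAL` set are constructed stand-ins (the real keyword list comes from `gnutls_priority_init()` and `gnutls-cli --list`), and `%` items such as `%COMPAT` are only recorded as flags, not interpreted.

```python
"""Toy resolver for GnuTLS-style priority strings.

Added illustration, not code from mod_gnutls or GnuTLS.  It models only
the syntax the manual describes: a base set (NONE or NORMAL here),
"+KEYWORD" to add, "!KEYWORD" to remove, and "%FLAG" modifiers such as
%COMPAT.  CATALOGUE and BASE_SETS are constructed for the example and
are much smaller than the real GnuTLS lists.
"""

# Constructed catalogue (assumption): keyword -> category.
CATALOGUE = {
    "AES-128-CBC": "cipher", "AES-256-CBC": "cipher",
    "3DES-CBC": "cipher", "ARCFOUR-128": "cipher",
    "RSA": "kx", "DHE-RSA": "kx", "DHE-DSS": "kx", "SRP": "kx",
    "SHA1": "mac", "MD5": "mac",
    "COMP-NULL": "comp", "COMP-DEFLATE": "comp",
    "VERS-SSL3.0": "version", "VERS-TLS1.0": "version",
}

# A usable configuration needs at least one keyword of every category
# (this is the "complete set" requirement the manual states for NONE).
CATEGORIES = ("version", "kx", "cipher", "mac", "comp")

# Constructed base sets (assumption).  The manual describes NORMAL only
# as "all the secure cipher combinations"; this is a stand-in for it.
BASE_SETS = {
    "NONE": frozenset(),
    "NORMAL": frozenset({
        "AES-128-CBC", "AES-256-CBC", "3DES-CBC", "ARCFOUR-128",
        "RSA", "DHE-RSA", "DHE-DSS", "SHA1", "MD5",
        "COMP-NULL", "VERS-TLS1.0", "VERS-SSL3.0",
    }),
}


def resolve(priority):
    """Return (enabled keywords, flags) for a priority string.

    Raises ValueError on an unknown base set, an unknown keyword, or an
    item that carries neither a + nor a ! prefix.
    """
    items = priority.split(":")
    base = items[0]
    if base not in BASE_SETS:
        raise ValueError(f"unknown base set {base!r}")
    enabled = set(BASE_SETS[base])
    flags = set()
    for item in items[1:]:
        if item.startswith("%"):
            flags.add(item)            # modifier such as %COMPAT
            continue
        op, keyword = item[:1], item[1:]
        if keyword not in CATALOGUE:
            raise ValueError(f"unknown keyword {keyword!r}")
        if op == "+":
            enabled.add(keyword)
        elif op == "!":
            enabled.discard(keyword)
        else:
            raise ValueError(f"item {item!r} needs a + or ! prefix")
    return enabled, flags


def missing_categories(enabled):
    """Categories with no enabled keyword; an empty list means usable."""
    present = {CATALOGUE[k] for k in enabled}
    return [c for c in CATEGORIES if c not in present]


def check(priority):
    """Resolve a string and report what, if anything, makes it unusable."""
    enabled, flags = resolve(priority)
    return {"enabled": sorted(enabled), "flags": sorted(flags),
            "missing": missing_categories(enabled)}


if __name__ == "__main__":
    for p in ("NORMAL:!ARCFOUR-128:!VERS-SSL3.0",
              "NONE:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL",
              "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:%COMPAT"):
        print(p, "->", check(p))
```

Run as a script, the second string is reported as missing a protocol version, which is exactly the trap the paragraph above describes for `NONE`; an unknown keyword raises `ValueError` here, standing in for a priority string the library cannot parse.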
`GnuTLSP11Module`
-----------------

Load this PKCS #11 module.

    GnuTLSP11Module PATH_TO_LIBRARY

Default: *none*\
Context: server config

Load this PKCS #11 provider module, instead of the system
defaults. May occur multiple times to load multiple modules.

`GnuTLSPIN`
-----------

Set the PIN to be used to access encrypted key files or PKCS #11 objects.

    GnuTLSPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
or openssl encrypted keys.

`GnuTLSSRKPIN`
--------------

Set the SRK PIN to be used to access the TPM.

    GnuTLSSRKPIN XXXXXX

Default: *none*\
Context: server config, virtual host

Takes a string to be used as a PIN for the protected objects in
the TPM module.

`GnuTLSExportCertificates`
--------------------------

Export the PEM encoded certificates to CGIs

    GnuTLSExportCertificates [off|on|SIZE]

Default: `off`\
Context: server config, virtual host

This directive configures exporting the full certificates of the
server and the client to CGI scripts via the `SSL_SERVER_CERT` and
`SSL_CLIENT_CERT` environment variables. The exported certificates
will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
size given.  The type of the certificate will be exported in
`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.

SIZE should be an integer number of bytes, or may be written with a
trailing `K` to indicate kibibytes.  `off` means the same thing as
`0`, in which case the certificates will not be exported to the
environment.  `on` is an alias for `16K`.  If a non-zero size is
specified for this directive, but a certificate is too large to fit in
the buffer, then the corresponding environment variable will contain
the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.

With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
environment variables to the CGI process as `mod_ssl`.

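The size rules above are easy to get wrong at the boundary, so here is an added Python model (not mod_gnutls code) of what ends up in the `SSL_*_CERT` and `SSL_*_CERT_TYPE` variables for one peer. The argument grammar and the `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED` marker follow this section; detecting the certificate type from the PEM or armor header line, and exporting the type only while the directive is non-zero, are this example's own assumptions, and `SAMPLE_X509` is a constructed placeholder string, not a real certificate.

```python
"""Model of GnuTLSExportCertificates: argument parsing and the resulting
SSL_SERVER_CERT / SSL_CLIENT_CERT (+ _TYPE) environment values.

Added illustration, not mod_gnutls code.  Type detection by header line
is an assumption made for this example; SAMPLE_X509 is a constructed
placeholder, not a real certificate.
"""

LIMIT_EXCEEDED = "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"


def parse_export_size(arg):
    """Map the directive argument (off | on | SIZE | SIZEK) to a byte limit.

    off -> 0, on -> 16K, a bare integer -> bytes, trailing K -> kibibytes.
    Anything else is a configuration error.
    """
    value = arg.strip().lower()
    if value == "off":
        return 0
    if value == "on":
        return 16 * 1024
    multiplier = 1
    if value.endswith("k"):
        multiplier, value = 1024, value[:-1]
    if not value.isdigit():
        raise ValueError(f"invalid GnuTLSExportCertificates argument {arg!r}")
    return int(value) * multiplier


def certificate_type(cert_text):
    """'X.509' for a PEM certificate, 'OPENPGP' for an ASCII-armored key
    block (header-line detection, an assumption of this example)."""
    if cert_text.startswith("-----BEGIN CERTIFICATE-----"):
        return "X.509"
    if cert_text.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return "OPENPGP"
    raise ValueError("unrecognised certificate encoding")


def export_variables(prefix, cert_text, size_arg):
    """Environment variables for one peer ('SSL_SERVER' or 'SSL_CLIENT').

    With the directive off (limit 0) nothing is exported.  Otherwise the
    type is exported, and the certificate text is exported only if it
    fits the limit; a larger one is replaced by the fixed marker string.
    """
    limit = parse_export_size(size_arg)
    if limit == 0:
        return {}
    env = {f"{prefix}_CERT_TYPE": certificate_type(cert_text)}
    if len(cert_text.encode("ascii")) > limit:
        env[f"{prefix}_CERT"] = LIMIT_EXCEEDED
    else:
        env[f"{prefix}_CERT"] = cert_text
    return env


# Constructed placeholder: shaped like PEM, but not a real certificate.
SAMPLE_X509 = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for arg in ("off", "on", "64", "16K"):
        print(arg, "->", export_variables("SSL_CLIENT", SAMPLE_X509, arg))
```

The point for a script consuming `SSL_CLIENT_CERT` is the third case: with a limit smaller than the certificate, the variable is set, but to the marker string rather than to a certificate, so a consumer has to compare against that string before trying to parse the value.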
`GnuTLSProxyEngine`
-------------------

Enable TLS proxy connections for this virtual host

    GnuTLSProxyEngine [on|off]

Default: *off*\
Context: virtual host

This directive enables support for TLS proxy connections for a virtual
host.

`GnuTLSProxyCAFile`
-------------------

Set to the PEM encoded Certificate Authority Certificate

    GnuTLSProxyCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded certificate to use
as a Certificate Authority when verifying certificates provided by
proxy back end servers. This file may contain a list of trusted
authorities. If not set, verification of TLS back end servers will
always fail due to lack of a trusted CA.

`GnuTLSProxyCRLFile`
--------------------

Set to the PEM encoded Certificate Revocation List

    GnuTLSProxyCRLFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded Certificate
Revocation List to use when verifying certificates provided by proxy
back end servers. The file may contain a list of CRLs.

`GnuTLSProxyCertificateFile`
----------------------------

Set to the PEM encoded Client Certificate

    GnuTLSProxyCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM encoded X.509 certificate
to use as this Server's End Entity (EE) client certificate for TLS
client authentication in proxy TLS connections. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest
to the root CA. Optionally, you can also include the root CA's
certificate as the last certificate in the list.

If not set, TLS client authentication will be disabled for TLS proxy
connections. If set, `GnuTLSProxyKeyFile` must be set as well to
provide the matching private key.

`GnuTLSProxyKeyFile`
--------------------

Set to the PEM encoded Private Key

    GnuTLSProxyKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Private Key matching the
certificate configured using the `GnuTLSProxyCertificateFile`
directive. This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

`GnuTLSProxyPriorities`
-----------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods for proxy connections

    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

This option is used to set the allowed ciphers, key exchange
algorithms, MACs and compression methods for proxy connections. It
takes the same parameters as `GnuTLSPriorities`. Required if
`GnuTLSProxyEngine` is `On`.

* * * * *

Configuration Examples
======================

Simple Standard SSL Example
---------------------------

The following is an example of standard SSL Hosting, using one IP
address for each virtual host:

     # Load the module into Apache.
     LoadModule gnutls_module modules/mod_gnutls.so
     GnuTLSCache gdbm /var/cache/www-tls-cache
     GnuTLSCacheTimeout 500
     # With normal SSL Websites, you need one IP Address per-site.
     Listen 1.2.3.1:443
     Listen 1.2.3.2:443
     Listen 1.2.3.3:443
     Listen 1.2.3.4:443
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
     DocumentRoot /www/site1.example.com/html
     ServerName site1.example.com:443
     GnuTLSCertificateFile conf/ssl/site1.crt
     GnuTLSKeyFile conf/ss/site1.key
     </VirtualHost>
     <VirtualHost 1.2.3.2:443>
     # This virtual host enables SRP authentication
     GnuTLSEnable on
     GnuTLSPriorities NORMAL:+SRP
     DocumentRoot /www/site2.example.com/html
     ServerName site2.example.com:443
     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
     </VirtualHost>
     <VirtualHost 1.2.3.3:443>
     # This server enables SRP, OpenPGP and X.509 authentication.
     GnuTLSEnable on
     GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
     DocumentRoot /www/site3.example.com/html
     ServerName site3.example.com:443
     GnuTLSCertificateFile conf/ssl/site3.crt
     GnuTLSKeyFile conf/ss/site3.key
     GnuTLSClientVerify ignore
     GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
     GnuTLSPGPKeyFile conf/ss/site3.sec.asc
     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
     </VirtualHost>
     <VirtualHost 1.2.3.4:443>
     GnuTLSEnable on
     # %COMPAT disables some security features to enable maximum compatibility with clients.
     GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
     DocumentRoot /www/site4.example.com/html
     ServerName site4.example.com:443
     GnuTLSCertificateFile conf/ssl/site4.crt
     GnuTLSKeyFile conf/ss/site4.key
     </VirtualHost>

Server Name Indication Example
------------------------------

`mod_gnutls` can also use "Server Name Indication", as specified in
RFC 3546.  This allows hosting many SSL Websites, with a Single IP
Address.  Currently all the recent browsers support this
standard. Here is an example, using SNI:

     # Load the module into Apache.
     LoadModule gnutls_module modules/mod_gnutls.so
     # With normal SSL Websites, you need one IP Address per-site.
     Listen 1.2.3.1:443
     # This could also be 'Listen *:443',
     # just like '*:80' is common for non-https
     # No caching. Enable session tickets. Timeout is still used for
     # ticket expiration.
     GnuTLSCacheTimeout 600
     # This tells apache, that for this IP/Port combination, we want to use
     # Name Based Virtual Hosting. In the case of Server Name Indication,
     # it lets mod_gnutls pick the correct Server Certificate.
     NameVirtualHost 1.2.3.1:443
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSSessionTickets on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site1.example.com/html
     ServerName site1.example.com:443
     GnuTLSCertificateFile conf/ssl/site1.crt
     GnuTLSKeyFile conf/ss/site1.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site2.example.com/html
     ServerName site2.example.com:443
     GnuTLSCertificateFile conf/ssl/site2.crt
     GnuTLSKeyFile conf/ss/site2.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site3.example.com/html
     ServerName site3.example.com:443
     GnuTLSCertificateFile conf/ssl/site3.crt
     GnuTLSKeyFile conf/ss/site3.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     GnuTLSPriorities NORMAL
     DocumentRoot /www/site4.example.com/html
     ServerName site4.example.com:443
     GnuTLSCertificateFile conf/ssl/site4.crt
     GnuTLSKeyFile conf/ss/site4.key
     </VirtualHost>

* * * * *

Performance Issues
==================

`mod_gnutls` by default uses conservative settings for the server.
You can fine tune the configuration to reduce the load on a busy
server.  The following examples do exactly this:

     # Load the module into Apache.
     LoadModule gnutls_module modules/mod_gnutls.so
     # Using 4 memcache servers to distribute the SSL Session Cache.
     GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
     GnuTLSCacheTimeout 600
     Listen 1.2.3.1:443
     NameVirtualHost 1.2.3.1:443
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     # Here we disable the Perfect forward secrecy ciphersuites (DHE)
     # and disallow AES-256 since AES-128 is just fine.
     GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
     DocumentRoot /www/site1.example.com/html
     ServerName site1.example.com:443
     GnuTLSCertificateFile conf/ssl/site1.crt
     GnuTLSKeyFile conf/ss/site1.key
     </VirtualHost>
     <VirtualHost 1.2.3.1:443>
     GnuTLSEnable on
     # Here, instead of disabling the DHE ciphersuites, we use
     # Diffie Hellman parameters of smaller size than the default (2048 bits).
     # Using small numbers from 768 to 1024 bits should be ok once they are
     # regenerated every few hours.
     # Use "certtool --generate-dh-params --bits 1024" to get those
     GnuTLSDHFile /etc/apache2/dh.params
     GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
     DocumentRoot /www/site2.example.com/html
     ServerName site2.example.com:443
     GnuTLSCertificateFile conf/ssl/site2.crt
     GnuTLSKeyFile conf/ss/site2.key
     </VirtualHost>

* * * * *

Environment Variables
=====================

`mod_gnutls` exports the following environment variables to scripts.
These are compatible with `mod_ssl`.

`HTTPS`
-------

Can be `on` or `off`

`SSL_VERSION_LIBRARY`
---------------------

The version of the GnuTLS library

`SSL_VERSION_INTERFACE`
-----------------------

The version of this module

`SSL_PROTOCOL`
--------------

The SSL or TLS protocol name (such as `TLS 1.0` etc.)

`SSL_CIPHER`
------------

The SSL or TLS cipher suite name

`SSL_COMPRESS_METHOD`
---------------------

The negotiated compression method (`NULL` or `DEFLATE`)

`SSL_SRP_USER`
--------------

The SRP username used for authentication (only set when
`GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured).

`SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE`
-------------------------------------------------

The number of bits used in the used cipher algorithm.

This does not fully reflect the security level since the size of
RSA or DHE key exchange parameters affects the security level too.

`SSL_DH_PRIME_BITS`
-------------------

The number of bits in the modulus for the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

`SSL_CIPHER_EXPORT`
-------------------

`True` or `False`. Whether the cipher suite negotiated is an export one.

`SSL_SESSION_ID`
----------------

The session ID negotiated in this session. Can be the same during client
reloads.

`SSL_CLIENT_V_REMAIN`
---------------------

The number of days until the client's certificate expires.

`SSL_CLIENT_V_START`
--------------------

The activation time of the client's certificate.

`SSL_CLIENT_V_END`
------------------

The expiration time of the client's certificate.

`SSL_CLIENT_S_DN`
-----------------

The distinguished name of the client's certificate in RFC2253 format.

`SSL_CLIENT_I_DN`
-----------------

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

`SSL_CLIENT_S_AN%`
------------------

These will contain the alternative names of the client certificate (`%` is
a number starting from zero).

The values will be prepended by `DNSNAME:`, `RFC822NAME:` or `URI:`
depending on the type.

If it is not supported the value `UNSUPPORTED` will be set.

`SSL_SERVER_M_SERIAL`
---------------------

The serial number of the server's certificate.

`SSL_SERVER_M_VERSION`
----------------------

The version of the server's certificate.

`SSL_SERVER_A_SIG`
------------------

The algorithm used for the signature in the server's certificate.

`SSL_SERVER_A_KEY`
------------------

The public key algorithm in the server's certificate.

`SSL_SERVER_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_SERVER_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.

`SSL_CLIENT_CERT`
-----------------

The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
(see the `GnuTLSExportCertificates` directive).

`SSL_CLIENT_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.
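
As an added example (not part of this manual or of mod_gnutls) of how a CGI script would consume these variables together with `SSL_CLIENT_VERIFY` from the `GnuTLSClientVerify` section, the Python below reads a CGI environment and decides whether a verified client certificate is present. The variable names and documented values (`SUCCESS`/`FAILED`/`NONE`, `UNSUPPORTED`, the `DNSNAME:`/`RFC822NAME:`/`URI:` prefixes, `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`) come from this manual; `SAMPLE_ENV` is a constructed environment with a placeholder cipher name, not a capture from a real server.

```python
"""CGI-side consumer of the environment variables mod_gnutls exports.

Added illustration, not mod_gnutls code.  Variable names and values are
the ones this manual documents; SAMPLE_ENV is constructed (its cipher
name is a placeholder) and stands in for a real CGI environment.
"""
import os

LIMIT_EXCEEDED = "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"
AN_PREFIXES = ("DNSNAME:", "RFC822NAME:", "URI:")


def client_alt_names(env):
    """Collect SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ... as (type, value)
    pairs.  Numbering starts at zero and stops at the first gap."""
    names = []
    index = 0
    while f"SSL_CLIENT_S_AN{index}" in env:
        raw = env[f"SSL_CLIENT_S_AN{index}"]
        index += 1
        if raw == "UNSUPPORTED":
            names.append(("UNSUPPORTED", None))
            continue
        for prefix in AN_PREFIXES:
            if raw.startswith(prefix):
                names.append((prefix[:-1], raw[len(prefix):]))
                break
        else:
            names.append(("UNKNOWN", raw))   # a type this script does not know
    return names


def client_identity(env):
    """Decide whether the request carries a verified client certificate
    and summarise it.  Only SSL_CLIENT_VERIFY=SUCCESS counts as verified;
    under GnuTLSClientVerify request, FAILED and NONE also reach the script."""
    if env.get("HTTPS") != "on":
        return {"authenticated": False, "reason": "not TLS"}
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return {"authenticated": False, "reason": f"SSL_CLIENT_VERIFY={verify}"}
    remain = env.get("SSL_CLIENT_V_REMAIN")
    cert = env.get("SSL_CLIENT_CERT")
    return {
        "authenticated": True,
        "subject": env.get("SSL_CLIENT_S_DN"),
        "issuer": env.get("SSL_CLIENT_I_DN"),
        "days_remaining": int(remain) if remain is not None else None,
        "alt_names": client_alt_names(env),
        # The variable may hold the size-limit marker instead of a certificate.
        "cert_exported": cert is not None and cert != LIMIT_EXCEEDED,
        "cert_type": env.get("SSL_CLIENT_CERT_TYPE"),
        "protocol": env.get("SSL_PROTOCOL"),
        "cipher": env.get("SSL_CIPHER"),
    }


# Constructed sample environment (assumption): what a CGI might see for a
# request whose client certificate verified against GnuTLSClientCAFile
# while GnuTLSExportCertificates was set too small for the certificate.
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLS 1.0",
    "SSL_CIPHER": "PLACEHOLDER-CIPHER-SUITE-NAME",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example Org",
    "SSL_CLIENT_I_DN": "CN=Example Org CA,O=Example Org",
    "SSL_CLIENT_V_REMAIN": "42",
    "SSL_CLIENT_S_AN0": "RFC822NAME:alice@example.org",
    "SSL_CLIENT_S_AN1": "DNSNAME:alice.example.org",
    "SSL_CLIENT_S_AN2": "UNSUPPORTED",
    "SSL_CLIENT_CERT_TYPE": "X.509",
    "SSL_CLIENT_CERT": LIMIT_EXCEEDED,
}


def main():
    """Minimal CGI entry point: report the decision as a text/plain body."""
    print("Content-Type: text/plain\n")
    print(client_identity(os.environ))


if __name__ == "__main__":
    main()
```

With `GnuTLSClientVerify require` the server already refuses requests without a valid certificate, so the `SSL_CLIENT_VERIFY` check matters mainly under `request`, where the script is reached regardless of the outcome; the `cert_exported` flag is what keeps a consumer from feeding the size-limit marker to a certificate parser.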