1 | <?xml version="1.0"?> |
---|
2 | <?xml-stylesheet type="text/xsl" href="../../../../../xsl/projects.xsl"?> |
---|
3 | <ooo title="mod_gnutls Documentation" path="/projects/apache/mod_gnutls/docs/"> |
---|
4 | <section title="Documentation"> |
---|
5 | <content type="xhtml"> |
---|
6 | <div xmlns="http://www.w3.org/1999/xhtml"> |
---|
7 | <div id="compilation"> |
---|
8 | <h3>Compilation</h3> |
---|
9 | <p> |
---|
10 | <code>mod_gnutls</code> uses the "<code>configure/make/make install</code>" |
---|
11 | mechanism common to many Open Source programs. |
---|
12 | Most of the dirty work is handled by either configure or |
---|
13 | Apache's apxs utility. If you have built Apache modules before, there |
---|
14 | shouldn't be any surprises for you. |
---|
15 | </p> |
---|
16 | <p> |
---|
17 | The interesting options you can pass to configure are:</p> |
---|
18 | <ul> |
---|
19 | <li><code>--with-apxs=/path/to/apache/dir/bin/apxs</code> |
---|
20 | <p> |
---|
21 | This option is used to specify the location of the |
---|
22 | apxs utility that was installed as part of apache. |
---|
23 | Specify the location of the binary, not the directory |
---|
24 | it is located in. |
---|
25 | </p> |
---|
26 | </li> |
---|
27 | <li><code>--with-libgnutls=PATH</code> |
---|
28 | <p>Full path to the <code>libgnutls-config</code> program.</p> |
---|
29 | </li> |
---|
30 | <li><code>--with-apr-memcache=PREFIX</code> |
---|
31 | <p>Prefix to where <code><a href="/projects/libs/apr_memcache">apr_memcache</a></code> is installed.</p> |
---|
32 | </li> |
---|
33 | <li><code>--help</code> |
---|
34 | <p>Provides a list of available configure options.</p> |
---|
35 | </li> |
---|
36 | </ul> |
---|
37 | <pre class="example">./configure --with-apxs=/usr/sbin/apxs2 --with-libgnutls=/usr |
---|
38 | make |
---|
39 | make install |
---|
40 | </pre> |
---|
41 | </div> |
---|
42 | <div id="integration"> |
---|
43 | <h3>Integration into Apache</h3> |
---|
44 | <p>To activate <code>mod_gnutls</code> Just add<br /><br /> |
---|
45 | <code>LoadModule gnutls_module modules/mod_gnutls.so</code> |
---|
46 | to your <code>httpd.conf</code> and restart Apache. |
---|
47 | </p> |
---|
48 | </div> |
---|
49 | <div id="index"> |
---|
50 | <h3>Examples</h3> |
---|
51 | <p>Some example configuration and the exported variables to scripts can be |
---|
52 | found in the following sections:</p> |
---|
53 | <ul> |
---|
54 | <li><a href="#example">Simple example</a></li> |
---|
55 | <li><a href="#sni-example">Example with Server Name Indication</a></li> |
---|
56 | <li><a href="#performance-example">Performance Issues</a></li> |
---|
57 | <li><a href="#environment-variables">Environment variables</a></li> |
---|
58 | </ul> |
---|
59 | </div> |
---|
60 | <div id="configuration"> |
---|
61 | <h3>Configuring with Apache</h3> |
---|
62 | <p><code>mod_gnutls</code> has the following directives:</p> |
---|
63 | <ul> |
---|
64 | <li><a href="#GnuTLSCache">GnuTLSCache</a></li> |
---|
65 | <li><a href="#GnuTLSCacheTimeout">GnuTLSCacheTimeout</a></li> |
---|
66 | <li><a href="#GnuTLSSessionTickets">GnuTLSSessionTickets</a></li> |
---|
67 | <li><a href="#GnuTLSCertificateFile">GnuTLSCertificateFile</a></li> |
---|
68 | <li><a href="#GnuTLSKeyFile">GnuTLSKeyFile</a></li> |
---|
69 | <li><a href="#GnuTLSPGPCertificateFile">GnuTLSPGPCertificateFile</a></li> |
---|
70 | <li><a href="#GnuTLSPGPKeyFile">GnuTLSPGPKeyFile</a></li> |
---|
71 | <li><a href="#GnuTLSClientVerify">GnuTLSClientVerify</a></li> |
---|
72 | <li><a href="#GnuTLSClientCAFile">GnuTLSClientCAFile</a></li> |
---|
73 | <li><a href="#GnuTLSPGPKeyringFile">GnuTLSPGPKeyringFile</a></li> |
---|
74 | <li><a href="#GnuTLSEnable">GnuTLSEnable</a></li> |
---|
75 | <li><a href="#GnuTLSDHFile">GnuTLSDHFile</a></li> |
---|
76 | <li><a href="#GnuTLSRSAFile">GnuTLSRSAFile</a></li> |
---|
77 | <li><a href="#GnuTLSSRPPasswdFile">GnuTLSSRPPasswdFile</a></li> |
---|
78 | <li><a href="#GnuTLSSRPPasswdConfFile">GnuTLSSRPPasswdConfFile</a></li> |
---|
79 | <li><a href="#GnuTLSPriorities">GnuTLSPriorities</a></li> |
---|
80 | <li><a href="#GnuTLSExportCertificates">GnuTLSExportCertificates</a></li> |
---|
81 | </ul> |
---|
82 | </div> |
---|
83 | <div id="example"> |
---|
84 | <h3>Standard SSL Example</h3> |
---|
85 | <p>The following is an example of standard SSL Hosting, using one IP Addresses for each virtual host:</p> |
---|
86 | <pre class="example"> |
---|
87 | # Load the module into Apache. |
---|
88 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
89 | |
---|
90 | GnuTLSCache dbm /var/cache/www-tls-cache |
---|
91 | GnuTLSCacheTimeout 500 |
---|
92 | |
---|
93 | # With normal SSL Websites, you need one IP Address per-site. |
---|
94 | Listen 1.2.3.1:443 |
---|
95 | Listen 1.2.3.2:443 |
---|
96 | Listen 1.2.3.3:443 |
---|
97 | Listen 1.2.3.4:443 |
---|
98 | |
---|
99 | <VirtualHost 1.2.3.1:443> |
---|
100 | GnuTLSEnable on |
---|
101 | GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL |
---|
102 | DocumentRoot /www/site1.example.com/html |
---|
103 | ServerName site1.example.com:443 |
---|
104 | GnuTLSCertificateFile conf/ssl/site1.crt |
---|
105 | GnuTLSKeyFile conf/ss/site1.key |
---|
106 | </VirtualHost> |
---|
107 | <VirtualHost 1.2.3.2:443> |
---|
108 | # This virtual host enables SRP authentication |
---|
109 | GnuTLSEnable on |
---|
110 | GnuTLSPriorities NORMAL:+SRP |
---|
111 | DocumentRoot /www/site2.example.com/html |
---|
112 | ServerName site2.example.com:443 |
---|
113 | GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2 |
---|
114 | GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf |
---|
115 | </VirtualHost> |
---|
116 | <VirtualHost 1.2.3.3:443> |
---|
117 | # This server enables SRP, OpenPGP and X.509 authentication. |
---|
118 | GnuTLSEnable on |
---|
119 | GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS |
---|
120 | DocumentRoot /www/site3.example.com/html |
---|
121 | ServerName site3.example.com:443 |
---|
122 | GnuTLSCertificateFile conf/ssl/site3.crt |
---|
123 | GnuTLSKeyFile conf/ss/site3.key |
---|
124 | GnuTLSClientVerify ignore |
---|
125 | GnuTLSPGPCertificateFile conf/ss/site3.pub.asc |
---|
126 | GnuTLSPGPKeyFile conf/ss/site3.sec.asc |
---|
127 | GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3 |
---|
128 | GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf |
---|
129 | </VirtualHost> |
---|
130 | <VirtualHost 1.2.3.4:443> |
---|
131 | GnuTLSEnable on |
---|
132 | # %COMPAT disables some security features to enable maximum compatibility with clients. |
---|
133 | GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT |
---|
134 | DocumentRoot /www/site4.example.com/html |
---|
135 | ServerName site4.example.com:443 |
---|
136 | GnuTLSCertificateFile conf/ssl/site4.crt |
---|
137 | GnuTLSKeyFile conf/ss/site4.key |
---|
138 | </VirtualHost> |
---|
139 | </pre> |
---|
140 | </div> |
---|
141 | <div id="sni-example"> |
---|
142 | <h3>Server Name Indication Example</h3> |
---|
143 | <p><code>mod_gnutls</code> can also use 'Server Name Indication', as specified in |
---|
144 | <a href="http://www.zvon.org/tmRFC/RFC3546/Output/chapter3.html#sub1">RFC 3546</a>. This allows hosting many SSL Websites, with a Single IP Address. Currently all the recent |
---|
145 | browsers support this standard. Here is an example, using SNI: |
---|
146 | </p> |
---|
147 | <pre class="example"> |
---|
148 | # Load the module into Apache. |
---|
149 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
150 | |
---|
151 | # With normal SSL Websites, you need one IP Address per-site. |
---|
152 | Listen 1.2.3.1:443 |
---|
153 | # This could also be 'Listen *:443', |
---|
154 | # just like '*:80' is common for non-https |
---|
155 | |
---|
156 | # No caching. Enable session tickets. Timeout is still used for |
---|
157 | # ticket expiration. |
---|
158 | GnuTLSCacheTimeout 600 |
---|
159 | |
---|
160 | # This tells apache, that for this IP/Port combination, we want to use |
---|
161 | # Name Based Virtual Hosting. In the case of Server Name Indication, |
---|
162 | # it lets mod_gnutls pick the correct Server Certificate. |
---|
163 | NameVirtualHost 1.2.3.1:443 |
---|
164 | |
---|
165 | <VirtualHost 1.2.3.1:443> |
---|
166 | GnuTLSEnable on |
---|
167 | GnuTLSSessionTickets on |
---|
168 | GnuTLSPriorities NORMAL |
---|
169 | DocumentRoot /www/site1.example.com/html |
---|
170 | ServerName site1.example.com:443 |
---|
171 | GnuTLSCertificateFile conf/ssl/site1.crt |
---|
172 | GnuTLSKeyFile conf/ss/site1.key |
---|
173 | </VirtualHost> |
---|
174 | <VirtualHost 1.2.3.1:443> |
---|
175 | GnuTLSEnable on |
---|
176 | GnuTLSPriorities NORMAL |
---|
177 | DocumentRoot /www/site2.example.com/html |
---|
178 | ServerName site2.example.com:443 |
---|
179 | GnuTLSCertificateFile conf/ssl/site2.crt |
---|
180 | GnuTLSKeyFile conf/ss/site2.key |
---|
181 | </VirtualHost> |
---|
182 | <VirtualHost 1.2.3.1:443> |
---|
183 | GnuTLSEnable on |
---|
184 | GnuTLSPriorities NORMAL |
---|
185 | DocumentRoot /www/site3.example.com/html |
---|
186 | ServerName site3.example.com:443 |
---|
187 | GnuTLSCertificateFile conf/ssl/site3.crt |
---|
188 | GnuTLSKeyFile conf/ss/site3.key |
---|
189 | </VirtualHost> |
---|
190 | <VirtualHost 1.2.3.1:443> |
---|
191 | GnuTLSEnable on |
---|
192 | GnuTLSPriorities NORMAL |
---|
193 | DocumentRoot /www/site4.example.com/html |
---|
194 | ServerName site4.example.com:443 |
---|
195 | GnuTLSCertificateFile conf/ssl/site4.crt |
---|
196 | GnuTLSKeyFile conf/ss/site4.key |
---|
197 | </VirtualHost> |
---|
198 | </pre> |
---|
199 | </div> |
---|
200 | <div id="performance-example"> |
---|
201 | <h3>Performance Issues</h3> |
---|
202 | <p><code>mod_gnutls</code> by default uses conservative settings for the |
---|
203 | server. You can fine tune the configuration to reduce the load on a busy |
---|
204 | server. The following examples do exactly this. |
---|
205 | </p> |
---|
206 | <pre class="example"> |
---|
207 | # Load the module into Apache. |
---|
208 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
209 | |
---|
210 | # Using 4 memcache servers to distribute the SSL Session Cache. |
---|
211 | GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com" |
---|
212 | GnuTLSCacheTimeout 600 |
---|
213 | |
---|
214 | Listen 1.2.3.1:443 |
---|
215 | NameVirtualHost 1.2.3.1:443 |
---|
216 | |
---|
217 | <VirtualHost 1.2.3.1:443> |
---|
218 | GnuTLSEnable on |
---|
219 | # Here we disable the Perfect forward secrecy ciphersuites (DHE) |
---|
220 | # and disallow AES-256 since AES-128 is just fine. |
---|
221 | GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT |
---|
222 | DocumentRoot /www/site1.example.com/html |
---|
223 | ServerName site1.example.com:443 |
---|
224 | GnuTLSCertificateFile conf/ssl/site1.crt |
---|
225 | GnuTLSKeyFile conf/ss/site1.key |
---|
226 | </VirtualHost> |
---|
227 | <VirtualHost 1.2.3.1:443> |
---|
228 | GnuTLSEnable on |
---|
229 | # Here we instead of disabling the DHE ciphersuites we use |
---|
230 | # Diffie Hellman parameters of smaller size than the default (2048 bits). |
---|
231 | # Using small numbers from 768 to 1024 bits should be ok once they are |
---|
232 | # regenerated every few hours. |
---|
233 | # Use "certtool --generate-dh-params --bits 1024" to get those |
---|
234 | GnuTLSDHFile /etc/apache2/dh.params |
---|
235 | GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT |
---|
236 | DocumentRoot /www/site2.example.com/html |
---|
237 | ServerName site2.example.com:443 |
---|
238 | GnuTLSCertificateFile conf/ssl/site2.crt |
---|
239 | GnuTLSKeyFile conf/ss/site2.key |
---|
240 | </VirtualHost> |
---|
241 | </pre> |
---|
242 | </div> |
---|
243 | |
---|
244 | <div id="environment-variables"> |
---|
245 | <h3>Environment variables</h3> |
---|
246 | <p><code>mod_gnutls</code> exports the following environment variables to |
---|
247 | scripts. |
---|
248 | </p> |
---|
249 | |
---|
250 | <table class="directive"> |
---|
251 | <tr><th>HTTPS:</th><td>can be "on" or "off"</td></tr> |
---|
252 | <tr><th>SSL_VERSION_LIBRARY:</th><td> The version of the gnutls library</td></tr> |
---|
253 | <tr><th>SSL_VERSION_INTERFACE:</th><td> The version of this module</td></tr> |
---|
254 | <tr><th>SSL_PROTOCOL:</th><td> The SSL or TLS protocol name (such as "TLS 1.0" etc.)</td></tr> |
---|
255 | <tr><th>SSL_CIPHER:</th><td> The SSL or TLS cipher suite name.</td></tr> |
---|
256 | <tr><th>SSL_COMPRESS_METHOD:</th><td> The negotiated compression method (NULL or DEFLATE)</td></tr> |
---|
257 | <tr><th>SSL_SRP_USER:</th><td> The SRP username used for authentication.</td></tr> |
---|
258 | <tr><th>SSL_CIPHER_USEKEYSIZE and SSL_CIPHER_ALGKEYSIZE:</th><td> The number if bits used in the used cipher |
---|
259 | algorithm. This does not fully reflect the security level since the size of |
---|
260 | RSA or DHE key exchange parameters affect the security level too.</td></tr> |
---|
261 | <tr><th>SSL_CIPHER_EXPORT:</th><td> true or false. Whether the cipher suite negotiated is an export one.</td></tr> |
---|
262 | <tr><th>SSL_SESSION_ID:</th><td> The session ID negotiated in this session. Can be the same during |
---|
263 | client reloads.</td></tr> |
---|
264 | <tr><th>SSL_CLIENT_V_REMAIN:</th><td> The number of days until the client's certificate is expired.</td></tr> |
---|
265 | <tr><th>SSL_CLIENT_V_START:</th><td> The activation time of client's certificate.</td></tr> |
---|
266 | <tr><th>SSL_CLIENT_V_END:</th><td> The expiration time of client's certificate.</td></tr> |
---|
267 | <tr><th>SSL_CLIENT_S_DN:</th><td> The distinguished name of client's certificate in RFC2253 format.</td></tr> |
---|
268 | <tr><th>SSL_CLIENT_I_DN:</th><td> The distinguished name of client's issuer certificate in RFC2253 format.</td></tr> |
---|
269 | <tr><th>SSL_CLIENT_S_AN%:</th><td> These will contain the alternative names of the client certificate |
---|
270 | (% is a number starting from zero). The values will be prepended by "DNSNAME:", |
---|
271 | "RFC822NAME:" or "URI:" depending on the type. If it is not supported the value |
---|
272 | "UNSUPPORTED" will be set.</td></tr> |
---|
273 | <tr><th>SSL_CLIENT_M_SERIAL:</th><td> The serial number of the client's certificate.</td></tr> |
---|
274 | <tr><th>SSL_CLIENT_M_VERSION:</th><td> The version of the client's certificate.</td></tr> |
---|
275 | <tr><th>SSL_CLIENT_A_SIG:</th><td> The algorithm used for the signature in client's certificate.</td></tr> |
---|
276 | <tr><th>SSL_CLIENT_A_KEY:</th><td> The public key algorithm in client's certificate.</td></tr> |
---|
277 | <tr><th>SSL_CLIENT_CERT:</th><td> The PEM-encoded client certificate</td></tr> |
---|
278 | <tr><th>SSL_CLIENT_VERIFY:</th><td> whether the client's certificate was verified. (NONE if none was sent, or SUCCESS or FAILED)</td></tr> |
---|
279 | <tr><th>SSL_CLIENT_CERT_TYPE:</th><td> The certificate type can be X.509 or OPENPGP.</td></tr> |
---|
280 | <tr><th>SSL_SERVER_V_START:</th><td> The activation time of server's certificate.</td></tr> |
---|
281 | <tr><th>SSL_SERVER_V_END:</th><td> The expiration time of server's certificate.</td></tr> |
---|
282 | <tr><th>SSL_SERVER_S_DN:</th><td> The distinguished name of the server's certificate in RFC2253 format.</td></tr> |
---|
283 | <tr><th>SSL_SERVER_I_DN:</th><td> The distinguished name of the server's issuer certificate in RFC2253 format.</td></tr> |
---|
284 | <tr><th>SSL_SERVER_S_AN%:</th><td> These will contain the alternative names of the server certificate |
---|
285 | (% is a number starting from zero). The values will be prepended by "DNSNAME:", |
---|
286 | "RFC822NAME:" or "URI:" depending on the type. If it is not supported the value |
---|
287 | "UNSUPPORTED" will be set.</td></tr> |
---|
288 | <tr><th>SSL_SERVER_M_SERIAL:</th><td> The serial number of the server's certificate.</td></tr> |
---|
289 | <tr><th>SSL_SERVER_M_VERSION:</th><td> The version of the server's certificate.</td></tr> |
---|
290 | <tr><th>SSL_SERVER_A_SIG:</th><td> The algorithm used for the signature in server's certificate.</td></tr> |
---|
291 | <tr><th>SSL_SERVER_A_KEY:</th><td> The public key algorithm in server's certificate.</td></tr> |
---|
292 | <tr><th>SSL_SERVER_CERT:</th><td> The PEM-encoded server certificate</td></tr> |
---|
293 | <tr><th>SSL_SERVER_CERT_TYPE:</th><td> The certificate type can be X.509 or |
---|
294 | OPENPGP.</td></tr> |
---|
295 | </table> |
---|
296 | </div> |
---|
297 | |
---|
298 | <div id="GnuTLSCache" class="apache_directive"> |
---|
299 | <h3>GnuTLSCache</h3> |
---|
300 | <table class="directive"> |
---|
301 | <tr> |
---|
302 | <th>Description:</th> |
---|
303 | <td>Configure SSL Session Cache</td> |
---|
304 | </tr> |
---|
305 | <tr> |
---|
306 | <th>Syntax:</th> |
---|
307 | <td><code>GnuTLSCache <var>[dbm|gdbm|memcache|none]</var> <var>[path|server list|-]</var></code></td> |
---|
308 | </tr> |
---|
309 | <tr> |
---|
310 | <th>Default:</th> |
---|
311 | <td><code>dbm "conf/gnutls_cache"</code></td> |
---|
312 | </tr> |
---|
313 | <tr> |
---|
314 | <th>Context:</th> |
---|
315 | <td> |
---|
316 | global config |
---|
317 | </td> |
---|
318 | </tr> |
---|
319 | </table> |
---|
320 | <p>This directive configures the SSL Session Cache for <code>mod_gnutls</code>. |
---|
321 | This could be shared between machines of different architectures. |
---|
322 | </p> |
---|
323 | <dl> |
---|
324 | <dt>dbm</dt> |
---|
325 | <dd> |
---|
326 | Uses the default Berkeley DB backend of APR DBM to cache SSL Sessions results. The argument is a relative or absolute path to be used |
---|
327 | as the DBM Cache file. This is compatible with most operating systems. |
---|
328 | </dd> |
---|
329 | |
---|
330 | <dt>gdbm</dt> |
---|
331 | <dd> |
---|
332 | Uses the GDBM backend of APR DBM to cache SSL Sessions results. The argument is a relative or absolute path to be used |
---|
333 | as the DBM Cache file. |
---|
334 | </dd> |
---|
335 | |
---|
336 | <dt>memcache</dt> |
---|
337 | <dd> |
---|
338 | Uses a <a href="http://www.danga.com/memcached/">memcached</a> server to cache the SSL Session. |
---|
339 | The argument is a space separated list of servers. If no port number is supplied, |
---|
340 | the default of 11211 is used. This can be used to share a session cache between all servers in a cluster. |
---|
341 | </dd> |
---|
342 | |
---|
343 | <dt>None</dt> |
---|
344 | <dd> |
---|
345 | Turns off all caching of SSL Sessions. This can significantly reduce the performance of <code>mod_gnutls</code> |
---|
346 | since even followup connections by a client must renegotiate |
---|
347 | parameters instead of reusing old ones. |
---|
348 | </dd> |
---|
349 | </dl> |
---|
350 | Example Usage: |
---|
351 | <pre class="example">GnuTLSCache memcache "10.0.0.1 10.0.0.2 10.0.0.3"</pre> |
---|
352 | </div> |
---|
353 | |
---|
354 | <div id="GnuTLSCacheTimeout" class="apache_directive"> |
---|
355 | <h3>GnuTLSCacheTimeout</h3> |
---|
356 | <table class="directive"> |
---|
357 | <tr> |
---|
358 | <th>Description:</th> |
---|
359 | <td>Timeout for SSL Session Cache expiration.</td> |
---|
360 | </tr> |
---|
361 | <tr> |
---|
362 | <th>Syntax:</th> |
---|
363 | <td><code>GnuTLSCacheTimeout <var>seconds</var></code></td> |
---|
364 | </tr> |
---|
365 | <tr> |
---|
366 | <th>Default:</th> |
---|
367 | <td><code>300</code></td> |
---|
368 | </tr> |
---|
369 | <tr> |
---|
370 | <th>Context:</th> |
---|
371 | <td> |
---|
372 | global config |
---|
373 | </td> |
---|
374 | </tr> |
---|
375 | </table> |
---|
376 | <p> |
---|
377 | Sets the timeout for SSL Session Cache entries expiration. This directive |
---|
378 | is valid even if Session Tickets are used, and indicates the |
---|
379 | expiration time of the ticket. |
---|
380 | </p> |
---|
381 | </div> |
---|
382 | |
---|
383 | <div id="GnuTLSSessionTickets" class="apache_directive"> |
---|
384 | <h3>GnuTLSSessionTickets</h3> |
---|
385 | <table class="directive"> |
---|
386 | <tr> |
---|
387 | <th>Description:</th> |
---|
388 | <td>Enable Session Tickets for the server.</td> |
---|
389 | </tr> |
---|
390 | <tr> |
---|
391 | <th>Syntax:</th> |
---|
392 | <td><code>GnuTLSSessionTickets <var>[on|off]</var></code></td> |
---|
393 | </tr> |
---|
394 | <tr> |
---|
395 | <th>Default:</th> |
---|
396 | <td><code>off</code></td> |
---|
397 | </tr> |
---|
398 | <tr> |
---|
399 | <th>Context:</th> |
---|
400 | <td> |
---|
401 | server config, |
---|
402 | virtual host. |
---|
403 | </td> |
---|
404 | </tr> |
---|
405 | </table> |
---|
406 | <p> |
---|
407 | To avoid storing data for TLS session resumption it is allowed |
---|
408 | to provide client with a ticket, to use on return. Use for servers |
---|
409 | with limited storage, and don't combine with GnuTLSCache. For a pool |
---|
410 | of servers this option is not recommended since the tickets are |
---|
411 | unique for the issuing server only. |
---|
412 | </p> |
---|
413 | </div> |
---|
414 | |
---|
415 | <div id="GnuTLSCertificateFile" class="apache_directive"> |
---|
416 | <h3>GnuTLSCertificateFile</h3> |
---|
417 | <table class="directive"> |
---|
418 | <tr> |
---|
419 | <th>Description:</th> |
---|
420 | <td>Set to the PEM Encoded Server Certificate.</td> |
---|
421 | </tr> |
---|
422 | <tr> |
---|
423 | <th>Syntax:</th> |
---|
424 | <td><code>GnuTLSCertificateFile <var>file-path</var></code></td> |
---|
425 | </tr> |
---|
426 | <tr> |
---|
427 | <th>Default:</th> |
---|
428 | <td><code>none</code></td> |
---|
429 | </tr> |
---|
430 | <tr> |
---|
431 | <th>Context:</th> |
---|
432 | <td> |
---|
433 | server config, |
---|
434 | virtual host. |
---|
435 | </td> |
---|
436 | </tr> |
---|
437 | </table> |
---|
438 | <p>Takes an absolute or relative path to a PEM Encoded Certificate to use as this Server's |
---|
439 | Certificate. |
---|
440 | </p> |
---|
441 | Example Usage: |
---|
442 | <pre class="example">GnuTLSCertificateFile conf/ssl/server.crt</pre> |
---|
443 | </div> |
---|
444 | |
---|
445 | <div id="GnuTLSPGPCertificateFile" class="apache_directive"> |
---|
446 | <h3>GnuTLSPGPCertificateFile</h3> |
---|
447 | <table class="directive"> |
---|
448 | <tr> |
---|
449 | <th>Description:</th> |
---|
450 | <td>Set to a base64 Encoded Server OpenPGP Certificate.</td> |
---|
451 | </tr> |
---|
452 | <tr> |
---|
453 | <th>Syntax:</th> |
---|
454 | <td><code>GnuTLSPGPCertificateFile <var>file-path</var></code></td> |
---|
455 | </tr> |
---|
456 | <tr> |
---|
457 | <th>Default:</th> |
---|
458 | <td><code>none</code></td> |
---|
459 | </tr> |
---|
460 | <tr> |
---|
461 | <th>Context:</th> |
---|
462 | <td> |
---|
463 | server config, |
---|
464 | virtual host. |
---|
465 | </td> |
---|
466 | </tr> |
---|
467 | </table> |
---|
468 | <p>Takes an absolute or relative path to a base64 Encoded OpenPGP Certificate to use as this Server's |
---|
469 | Certificate. |
---|
470 | </p> |
---|
471 | Example Usage: |
---|
472 | <pre class="example">GnuTLSPGPCertificateFile conf/ssl/server.asc</pre> |
---|
473 | </div> |
---|
474 | |
---|
475 | |
---|
476 | <div id="GnuTLSClientVerify" class="apache_directive"> |
---|
477 | <h3>GnuTLSClientVerify</h3> |
---|
478 | <table class="directive"> |
---|
479 | <tr> |
---|
480 | <th>Description:</th> |
---|
481 | <td>Enable Client Certificate Verification </td> |
---|
482 | </tr> |
---|
483 | <tr> |
---|
484 | <th>Syntax:</th> |
---|
485 | <td><code>GnuTLSClientVerify <var>[ignore|request|require|</var></code></td> |
---|
486 | </tr> |
---|
487 | <tr> |
---|
488 | <th>Default:</th> |
---|
489 | <td><code>ignore</code></td> |
---|
490 | </tr> |
---|
491 | <tr> |
---|
492 | <th>Context:</th> |
---|
493 | <td> |
---|
494 | server config, |
---|
495 | virtual host, |
---|
496 | directory, |
---|
497 | .htaccess |
---|
498 | </td> |
---|
499 | </tr> |
---|
500 | </table> |
---|
501 | <p>This directive controls the use of SSL Client Certificate Authentication. If used in the <code>.htaccess</code> |
---|
502 | context, it can force TLS re-negotiation. |
---|
503 | </p> |
---|
504 | <dl> |
---|
505 | <dt>ignore</dt> |
---|
506 | <dd><code>mod_gnutls</code> will ignore the contents of any SSL Client Certificates sent. |
---|
507 | It will not request that the client sends a certificate. |
---|
508 | </dd> |
---|
509 | |
---|
510 | <dt>request</dt> |
---|
511 | <dd>The client certificate will be requested, but not required. The Certificate will be validated if sent. The output of the validation status will be stored in the <code>SSL_CLIENT_VERIFY</code> environment variable and can be "SUCCESS", "FAILED" or "NONE".</dd> |
---|
512 | |
---|
513 | <dt>require</dt> |
---|
514 | <dd>A Client certificate will be required. Any requests without a valid client certificate will be denied. The <code>SSL_CLIENT_VERIFY</code> environment variable will only be set to "SUCCESS".</dd> |
---|
515 | </dl> |
---|
516 | <pre class="example"><Directory "/path/to/my/docroot"> |
---|
517 | GnuTLSClientVerify require |
---|
518 | </Directory></pre> |
---|
519 | </div> |
---|
520 | |
---|
521 | <div id="GnuTLSClientCAFile" class="apache_directive"> |
---|
522 | <h3>GnuTLSClientCAFile</h3> |
---|
523 | <table class="directive"> |
---|
524 | <tr> |
---|
525 | <th>Description:</th> |
---|
526 | <td>Set to the PEM Encoded Certificate Authority Certificate.</td> |
---|
527 | </tr> |
---|
528 | <tr> |
---|
529 | <th>Syntax:</th> |
---|
530 | <td><code>GnuTLSClientCAFile <var>file-path</var></code></td> |
---|
531 | </tr> |
---|
532 | <tr> |
---|
533 | <th>Default:</th> |
---|
534 | <td><code>none</code></td> |
---|
535 | </tr> |
---|
536 | <tr> |
---|
537 | <th>Context:</th> |
---|
538 | <td> |
---|
539 | server config, |
---|
540 | virtual host. |
---|
541 | </td> |
---|
542 | </tr> |
---|
543 | </table> |
---|
544 | <p>Takes an absolute or relative path to a PEM Encoded Certificate to use as a Certificate Authority with Client Certificate Authentication. This file may contain a list of trusted authorities. |
---|
545 | </p> |
---|
546 | Example Usage: |
---|
547 | <pre class="example">GnuTLSClientCAFile conf/ssl/ca.crt</pre> |
---|
548 | </div> |
---|
549 | |
---|
550 | <div id="GnuTLSPGPKeyringFile" class="apache_directive"> |
---|
551 | <h3>GnuTLSPGPKeyringFile</h3> |
---|
552 | <table class="directive"> |
---|
553 | <tr> |
---|
554 | <th>Description:</th> |
---|
555 | <td>Set to a base64 Encoded key ring.</td> |
---|
556 | </tr> |
---|
557 | <tr> |
---|
558 | <th>Syntax:</th> |
---|
559 | <td><code>GnuTLSPGPKeyringFile <var>file-path</var></code></td> |
---|
560 | </tr> |
---|
561 | <tr> |
---|
562 | <th>Default:</th> |
---|
563 | <td><code>none</code></td> |
---|
564 | </tr> |
---|
565 | <tr> |
---|
566 | <th>Context:</th> |
---|
567 | <td> |
---|
568 | server config, |
---|
569 | virtual host. |
---|
570 | </td> |
---|
571 | </tr> |
---|
572 | </table> |
---|
573 | <p>Takes an absolute or relative path to a base64 Encoded Certificate |
---|
574 | list (key ring) to use as a means of verification of Client |
---|
575 | Certificates. This file should contain a list of trusted signers. |
---|
576 | </p> |
---|
577 | Example Usage: |
---|
578 | <pre class="example">GnuTLSPGPKeyringFile conf/ssl/ring.asc</pre> |
---|
579 | </div> |
---|
580 | |
---|
581 | <div id="GnuTLSEnable" class="apache_directive"> |
---|
582 | <h3>GnuTLSEnable</h3> |
---|
583 | <table class="directive"> |
---|
584 | <tr> |
---|
585 | <th>Description:</th> |
---|
586 | <td>Enable GnuTLS for this virtual host.</td> |
---|
587 | </tr> |
---|
588 | <tr> |
---|
589 | <th>Syntax:</th> |
---|
590 | <td><code>GnuTLSEnable <var>[on|off]</var></code></td> |
---|
591 | </tr> |
---|
592 | <tr> |
---|
593 | <th>Default:</th> |
---|
594 | <td><code>off</code></td> |
---|
595 | </tr> |
---|
596 | <tr> |
---|
597 | <th>Context:</th> |
---|
598 | <td> |
---|
599 | virtual host |
---|
600 | </td> |
---|
601 | </tr> |
---|
602 | </table> |
---|
603 | <p>This directive enables SSL/TLS Encryption for a Virtual Host. |
---|
604 | </p> |
---|
605 | <pre class="example"><VirtualHost 1.2.3.4:443> |
---|
606 | GnuTLSEnable on |
---|
607 | # other directives for the Virtual Host. |
---|
608 | </VirtualHost></pre> |
---|
609 | </div> |
---|
610 | |
---|
611 | <div id="GnuTLSExportCertificates" class="apache_directive"> |
---|
612 | <h3>GnuTLSExportCertificates</h3> |
---|
613 | <table class="directive"> |
---|
614 | <tr> |
---|
615 | <th>Description:</th> |
---|
616 | <td>Export the PEM encoded certificates to CGIs.</td> |
---|
617 | </tr> |
---|
618 | <tr> |
---|
619 | <th>Syntax:</th> |
---|
620 | <td><code>GnuTLSExportCertificates <var>[on|off]</var></code></td> |
---|
621 | </tr> |
---|
622 | <tr> |
---|
623 | <th>Default:</th> |
---|
624 | <td><code>off</code></td> |
---|
625 | </tr> |
---|
626 | <tr> |
---|
627 | <th>Context:</th> |
---|
628 | <td> |
---|
629 | virtual host |
---|
630 | </td> |
---|
631 | </tr> |
---|
632 | </table> |
---|
633 | <p>This directive enables exporting the full PEM encoded certificates of |
---|
634 | the server and the client to CGIs. This makes <code>mod_gnutls</code> export exactly the same environment variables as <code>mod_ssl</code>. |
---|
635 | </p> |
---|
636 | <pre class="example"><VirtualHost 1.2.3.4:443> |
---|
637 | GnuTLSExportCertificates on |
---|
638 | # other directives for the Virtual Host. |
---|
639 | </VirtualHost></pre> |
---|
640 | </div> |
---|
641 | |
---|
642 | |
---|
643 | <div id="GnuTLSKeyFile" class="apache_directive"> |
---|
644 | <h3>GnuTLSKeyFile</h3> |
---|
645 | <table class="directive"> |
---|
646 | <tr> |
---|
647 | <th>Description:</th> |
---|
648 | <td>Set to the Server Private Key.</td> |
---|
649 | </tr> |
---|
650 | <tr> |
---|
651 | <th>Syntax:</th> |
---|
652 | <td><code>GnuTLSKeyFile <var>file-path</var></code></td> |
---|
653 | </tr> |
---|
654 | <tr> |
---|
655 | <th>Default:</th> |
---|
656 | <td><code>none</code></td> |
---|
657 | </tr> |
---|
658 | <tr> |
---|
659 | <th>Context:</th> |
---|
660 | <td> |
---|
661 | server config, |
---|
662 | virtual host. |
---|
663 | </td> |
---|
664 | </tr> |
---|
665 | </table> |
---|
666 | <p>Takes an absolute or relative path to the Server Private Key. This key cannot currently be password protected. |
---|
667 | </p> |
---|
668 | Example Usage: |
---|
669 | <pre class="example">GnuTLSKeyFile conf/ssl/server.key</pre> |
---|
670 | <div class="warning"> |
---|
671 | <strong>Security Warning</strong>: This private key must be protected. It is read while Apache is still running as root, |
---|
672 | and does not need to be readable by the <code>nobody</code> or <code>apache</code> user. |
---|
673 | </div> |
---|
674 | </div> |
---|
675 | |
---|
676 | <div id="GnuTLSPGPKeyFile" class="apache_directive"> |
---|
677 | <h3>GnuTLSPGPKeyFile</h3> |
---|
678 | <table class="directive"> |
---|
679 | <tr> |
---|
680 | <th>Description:</th> |
---|
681 | <td>Set to the Server OpenPGP Secret Key.</td> |
---|
682 | </tr> |
---|
683 | <tr> |
---|
684 | <th>Syntax:</th> |
---|
685 | <td><code>GnuTLSPGPKeyFile <var>file-path</var></code></td> |
---|
686 | </tr> |
---|
687 | <tr> |
---|
688 | <th>Default:</th> |
---|
689 | <td><code>none</code></td> |
---|
690 | </tr> |
---|
691 | <tr> |
---|
692 | <th>Context:</th> |
---|
693 | <td> |
---|
694 | server config, |
---|
695 | virtual host. |
---|
696 | </td> |
---|
697 | </tr> |
---|
698 | </table> |
---|
699 | <p>Takes an absolute or relative path to the Server Private Key. This key cannot currently be password protected. |
---|
700 | </p> |
---|
701 | Example Usage: |
---|
702 | <pre class="example">GnuTLSPGPKeyFile conf/ssl/server.asc</pre> |
---|
703 | <div class="warning"> |
---|
704 | <strong>Security Warning</strong>: This private key must be protected. It is read while Apache is still running as root, |
---|
705 | and does not need to be readable by the <code>nobody</code> or <code>apache</code> user. |
---|
706 | </div> |
---|
707 | </div> |
---|
708 | |
---|
709 | |
---|
710 | <div id="GnuTLSDHFile" class="apache_directive"> |
---|
711 | <h3>GnuTLSDHFile</h3> |
---|
712 | <table class="directive"> |
---|
713 | <tr> |
---|
714 | <th>Description:</th> |
---|
715 | <td>Set to the PKCS #3 encoded Diffie Hellman parameters.</td> |
---|
716 | </tr> |
---|
717 | <tr> |
---|
718 | <th>Syntax:</th> |
---|
719 | <td><code>GnuTLSDHFile <var>file-path</var></code></td> |
---|
720 | </tr> |
---|
721 | <tr> |
---|
722 | <th>Default:</th> |
---|
723 | <td><code>none</code></td> |
---|
724 | </tr> |
---|
725 | <tr> |
---|
726 | <th>Context:</th> |
---|
727 | <td> |
---|
728 | server config, |
---|
729 | virtual host. |
---|
730 | </td> |
---|
731 | </tr> |
---|
732 | </table> |
---|
733 | <p>Takes an absolute or relative path to a PKCS #3 encoded DH parameters. Those are used when the DHE key exchange method is enabled. You can generate this file using |
---|
734 | "certtool --generate-dh-params --bits 2048". If not set <code>mod_gnutls</code> will use the included parameters. |
---|
735 | </p> |
---|
736 | Example Usage: |
---|
737 | <pre class="example">GnuTLSDHFile conf/ssl/dhparams</pre> |
---|
738 | </div> |
---|
739 | |
---|
740 | <div id="GnuTLSRSAFile" class="apache_directive"> |
---|
741 | <h3>GnuTLSRSAFile</h3> |
---|
742 | <table class="directive"> |
---|
743 | <tr> |
---|
744 | <th>Description:</th> |
---|
745 | <td>Set to the PKCS #1 encoded RSA parameters for 'EXPORT' ciphersuites.</td> |
---|
746 | </tr> |
---|
747 | <tr> |
---|
748 | <th>Syntax:</th> |
---|
749 | <td><code>GnuTLSRSAFile <var>file-path</var></code></td> |
---|
750 | </tr> |
---|
751 | <tr> |
---|
752 | <th>Default:</th> |
---|
753 | <td><code>none</code></td> |
---|
754 | </tr> |
---|
755 | <tr> |
---|
756 | <th>Context:</th> |
---|
757 | <td> |
---|
758 | server config, |
---|
759 | virtual host. |
---|
760 | </td> |
---|
761 | </tr> |
---|
762 | </table> |
---|
763 | <p>Takes an absolute or relative path to a PKCS #1 encoded RSA parameters. Those are used when the RSA-EXPORT key exchange method is enabled. You can generate this file using "certtool --generate-privkey --bits 512". These parameters should not contain key of longer of 512 bits (due to the export restrictions). If not set <code>mod_gnutls</code> will not negotiate the 'EXPORT' ciphersuites. It is recommended not to enable those ciphersuites. If you do make sure you regenerate this file at every few hours. |
---|
764 | </p> |
---|
765 | Example Usage: |
---|
766 | <pre class="example">GnuTLSRSAFile conf/ssl/rsaparams</pre> |
---|
767 | </div> |
---|
768 | |
---|
769 | <div id="GnuTLSSRPPasswdFile" class="apache_directive"> |
---|
770 | <h3>GnuTLSSRPPasswdFile</h3> |
---|
771 | <table class="directive"> |
---|
772 | <tr> |
---|
773 | <th>Description:</th> |
---|
774 | <td>Set to the SRP password file for SRP ciphersuites.</td> |
---|
775 | </tr> |
---|
776 | <tr> |
---|
777 | <th>Syntax:</th> |
---|
778 | <td><code>GnuTLSSRPPasswdFile <var>file-path</var></code></td> |
---|
779 | </tr> |
---|
780 | <tr> |
---|
781 | <th>Default:</th> |
---|
782 | <td><code>none</code></td> |
---|
783 | </tr> |
---|
784 | <tr> |
---|
785 | <th>Context:</th> |
---|
786 | <td> |
---|
787 | server config, |
---|
788 | virtual host. |
---|
789 | </td> |
---|
790 | </tr> |
---|
791 | </table> |
---|
792 | <p>Takes an absolute or relative path to an SRP password file. This is the same format as used in libsrp. You can generate such file using the command "srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test" to set a password for user test. This password file holds the username, a password verifier and the dependency to the SRP parameters. |
---|
793 | </p> |
---|
794 | Example Usage: |
---|
795 | <pre class="example">GnuTLSSRPPasswdFile conf/ssl/tpasswd</pre> |
---|
796 | </div> |
---|
797 | |
---|
798 | <div id="GnuTLSSRPPasswdConfFile" class="apache_directive"> |
---|
799 | <h3>GnuTLSSRPPasswdConfFile</h3> |
---|
800 | <table class="directive"> |
---|
801 | <tr> |
---|
802 | <th>Description:</th> |
---|
803 | <td>Set to the SRP password.conf file for SRP ciphersuites.</td> |
---|
804 | </tr> |
---|
805 | <tr> |
---|
806 | <th>Syntax:</th> |
---|
807 | <td><code>GnuTLSSRPPasswdConfFile <var>file-path</var></code></td> |
---|
808 | </tr> |
---|
809 | <tr> |
---|
810 | <th>Default:</th> |
---|
811 | <td><code>none</code></td> |
---|
812 | </tr> |
---|
813 | <tr> |
---|
814 | <th>Context:</th> |
---|
815 | <td> |
---|
816 | server config, |
---|
817 | virtual host. |
---|
818 | </td> |
---|
819 | </tr> |
---|
820 | </table> |
---|
821 | <p>Takes an absolute or relative path to an SRP password.conf file. This is the same format as used in libsrp. You can generate such file using the command "srptool --create-conf /etc/tpasswd.conf". This file holds the SRP parameters and is associate with the password file (the verifiers depends on these parameters). |
---|
822 | </p> |
---|
823 | Example Usage: |
---|
824 | <pre class="example">GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.conf</pre> |
---|
825 | </div> |
---|
826 | |
---|
827 | <div id="GnuTLSPriorities" class="apache_directive"> |
---|
828 | <h3>GnuTLSPriorities</h3> |
---|
829 | <table class="directive"> |
---|
830 | <tr> |
---|
831 | <th>Description:</th> |
---|
832 | <td>Set the allowed ciphers, key exchange algorithms, MACs and |
---|
833 | compression methods.</td> |
---|
834 | </tr> |
---|
835 | <tr> |
---|
836 | <th>Syntax:</th> |
---|
837 | <td><code>GnuTLSPriorities <var>+cipher0:+cipher1:...:+cipherN</var></code></td> |
---|
838 | </tr> |
---|
839 | <tr> |
---|
840 | <th>Default:</th> |
---|
841 | <td><code>none</code></td> |
---|
842 | </tr> |
---|
843 | <tr> |
---|
844 | <th>Context:</th> |
---|
845 | <td> |
---|
846 | server config, |
---|
847 | virtual host. |
---|
848 | </td> |
---|
849 | </tr> |
---|
850 | </table> |
---|
851 | <p>Takes a semi-colon separated list of ciphers, key exchange methods |
---|
852 | Message authentication codes and compression methods to enable. The |
---|
853 | allowed keywords are specified in the <code>gnutls_priority_init()</code> |
---|
854 | function of <code>GnuTLS</code>. It's documentation can be found at |
---|
855 | <a |
---|
856 | href="http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#Core-functions">Core |
---|
857 | GnuTLS functions.</a> |
---|
858 | </p><p> |
---|
859 | In brief you can specify a set of ciphersuites from the choices: |
---|
860 | <ul> |
---|
861 | <li>NONE: The empty list.</li> |
---|
862 | <li>EXPORT: A list with all the supported cipher combinations |
---|
863 | including the "EXPORT" strength algorithms.</li> |
---|
864 | <li>PERFORMANCE: A list with all the secure cipher combinations |
---|
865 | sorted in terms of performance.</li> |
---|
866 | <li>NORMAL: A list with all the secure cipher combinations |
---|
867 | sorted with respect to security margin (subjective term).</li> |
---|
868 | <li>SECURE: A list with all the secure cipher combinations including the |
---|
869 | 256-bit ciphers sorted with respect to security margin.</li> |
---|
870 | </ul> |
---|
871 | Additionally you can add or remove algorithms using the "+" and "!" |
---|
872 | prefixes respectively. That is in order to disable the ARCFOUR cipher |
---|
873 | from the "NORMAL" set you can use the string |
---|
874 | <code>NORMAL:!ARCFOUR-128</code>. Other options such as the protocol |
---|
875 | version and the compression method can be specified using the |
---|
876 | <code>VERS-</code> and <code>COMP-</code> prefixes. So in order to |
---|
877 | remove or add a specific TLS version from the "NORMAL" set use |
---|
878 | <code>NORMAL:!VERS-SSL3.0</code>. To enable |
---|
879 | zlib compression use <code>NORMAL:+COMP-DEFLATE</code>. |
---|
880 | However it is recommended not to add compression at this level. |
---|
881 | With the "NONE" set, in order to be usable, you have to specify a complete |
---|
882 | set of combinations of protocol versions, cipher algorithms |
---|
883 | (AES-128-CBC), key exchange algorithms (RSA), message authentication |
---|
884 | codes (SHA1) and compression methods (COMP-NULL). |
---|
885 | </p><p> |
---|
886 | All the supported algorithms are: |
---|
887 | <ul> |
---|
888 | <li>Ciphers: AES-256-CBC, AES-128-CBC, CAMELLIA-256-CBC, |
---|
889 | CAMELLIA-128-CBC, ARCFOUR-128, 3DES-CBC, ARCFOUR-40</li> |
---|
890 | <li>Key exchange methods: RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, |
---|
891 | SRP-DSS, ANON-DH</li> |
---|
892 | <li>Message authentication codes: SHA1, MD5</li> |
---|
893 | <li>Compression methods: COMP-DEFLATE, COMP-NULL</li> |
---|
894 | <li>Protocol versions: VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0</li> |
---|
895 | </ul> |
---|
896 | </p> |
---|
897 | <p>The special keyword "%COMPAT" will disable some security features |
---|
898 | such as protection against statistical attacks to ciphertext data in |
---|
899 | order to achieve maximum compatibility (some broken mobile clients need |
---|
900 | this). |
---|
901 | </p> |
---|
902 | Example Usage: |
---|
903 | <pre class="example">GnuTLSPriorities NORMAL:!AES-256-CBC:!DHE-RSA</pre> |
---|
904 | <pre class="example">GnuTLSPriorities EXPORT:!VERS-TLS1.0:+COMP-DEFLATE:+CTYPE-OPENPGP</pre> |
---|
905 | <pre class="example">GnuTLSPriorities NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL</pre> |
---|
906 | <pre class="example">GnuTLSPriorities NORMAL:+COMP-DEFLATE</pre> |
---|
907 | <pre class="example">GnuTLSPriorities NORMAL:%COMPAT</pre> |
---|
908 | <pre class="example">GnuTLSPriorities NORMAL:+ANON-DH</pre> |
---|
909 | </div> |
---|
910 | |
---|
911 | </div> |
---|
912 | </content> |
---|
913 | </section> |
---|
914 | </ooo> |
---|
915 | |
---|