source: mod_gnutls/docs/manual.mdwn @ 4ee45a1

Last change on this file since 4ee45a1 was 4ee45a1, checked in by Daniel Kahn Gillmor <dkg@…>, 8 years ago

Used pandoc to convert from html to markdown

mod\_gnutls Manual 0.1\
July 2011
=======================

* * * * *

Contents
--------

1.  Compilation & Installation
2.  Integration
3.  Configuration Directives
    -   GnuTLSCache
    -   GnuTLSCacheTimeout
    -   GnuTLSSessionTickets
    -   GnuTLSCertificateFile
    -   GnuTLSKeyFile
    -   GnuTLSPGPCertificateFile
    -   GnuTLSPGPKeyFile
    -   GnuTLSClientVerify
    -   GnuTLSClientCAFile
    -   GnuTLSPGPKeyringFile
    -   GnuTLSEnable
    -   GnuTLSDHFile
    -   GnuTLSRSAFile
    -   GnuTLSSRPPasswdFile
    -   GnuTLSSRPPasswdConfFile
    -   GnuTLSPriorities
    -   GnuTLSExportCertificates

4.  Configuration Examples
    -   Simple Standard SSL Example
    -   Server Name Indication Example

5.  Performance Issues
6.  Environment Variables
7.  Credits

* * * * *

Compilation & Installation
--------------------------

mod\_gnutls uses the "configure/make/make install" mechanism common to
many Open Source programs. Most of the dirty work is handled by either
configure or Apache's apxs utility. If you have built Apache modules
before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`\
This option is used to specify the location of the apxs utility that
was installed as part of Apache. Specify the location of the binary, not
the directory it is located in.

`--with-libgnutls=PATH`\
Full path to the libgnutls-config program.

`--with-apr-memcache=PREFIX`\
Prefix to where apr\_memcache is installed.

`--help`\
Provides a list of all available configure options.

* * * * *

Integration
-----------

To activate mod\_gnutls just add the following line to your httpd.conf
and restart Apache:

`LoadModule gnutls_module modules/mod_gnutls.so`

* * * * *

Configuration Directives:
-------------------------

#### GnuTLSCache

##### Description:

Configure SSL Session Cache

##### Syntax:

    GnuTLSCache [dbm|gdbm|memcache|none] [path|server list|-]

##### Default:

    GnuTLSCache none

##### Context:

    server config

This directive configures the SSL Session Cache for mod\_gnutls.
This could be shared between machines of different architectures.

**dbm (Requires Berkeley DBM)**\
Uses the default Berkeley DB backend of APR DBM to cache SSL Session
results. The argument is a relative or absolute path to be used as the
DBM Cache file. This is compatible with most operating systems, but
needs the Apache Runtime to be compiled with Berkeley DBM support.

**gdbm**\
Uses the GDBM backend of APR DBM to cache SSL Session results. The
argument is a relative or absolute path to be used as the DBM Cache
file. This is the recommended option.

**memcache**\
Uses a memcached server to cache the SSL Session. The argument is a
space separated list of servers. If no port number is supplied, the
default of 11211 is used. This can be used to share a session cache
between all servers in a cluster.

**none**\
Turns off all caching of SSL Sessions. This can significantly reduce the
performance of mod\_gnutls since even followup connections by a client
must renegotiate parameters instead of reusing old ones. This is the
default, since it requires no configuration.

#### GnuTLSCacheTimeout

##### Description:

Timeout for SSL Session Cache expiration

##### Syntax:

    GnuTLSCacheTimeout seconds

##### Default:

    GnuTLSCacheTimeout 300

##### Context:

    server config

Sets the timeout for SSL Session Cache entries expiration.
This directive is valid even if Session Tickets are used, and indicates
the expiration time of the ticket in seconds.

#### GnuTLSSessionTickets

##### Description:

Enable Session Tickets for the server

##### Syntax:

    GnuTLSSessionTickets [ on | off ]

##### Default:

    off

##### Context:

    server config, virtual host

To avoid storing data for TLS session resumption, the server can provide
the client with a ticket to present when it returns. Use this on servers
with limited storage, and don't combine it with GnuTLSCache. For a pool
of servers this option is not recommended, since the tickets are unique
to the issuing server.

#### GnuTLSCertificateFile

##### Description:

Set to the PEM Encoded Server Certificate

##### Syntax:

    GnuTLSCertificateFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

#### GnuTLSKeyFile

##### Description:

Set to the PEM Encoded Server Private Key

##### Syntax:

    GnuTLSKeyFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to the Server Private Key.
This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

#### GnuTLSPGPCertificateFile

##### Description:

Set to a base64 Encoded Server OpenPGP Certificate

##### Syntax:

    GnuTLSPGPCertificateFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

#### GnuTLSPGPKeyFile

##### Description:

Set to the Server OpenPGP Secret Key

##### Syntax:

    GnuTLSPGPKeyFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

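The security warnings for GnuTLSKeyFile and GnuTLSPGPKeyFile can be checked mechanically. The following Python script is an added example, not part of mod\_gnutls: it collects the key paths from a configuration and reports key files that group or other can read or write, or that the expected user does not own. The function names, the sample files and the rule that relative paths resolve against the ServerRoot are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Directives in this manual that name private-key files.
_KEY_RE = re.compile(r"^\s*(GnuTLSKeyFile|GnuTLSPGPKeyFile)\s+(\S+)",
                     re.IGNORECASE | re.MULTILINE)


def key_paths(conf_text, server_root):
    """Return (directive, path) pairs for every key directive in conf_text.

    Assumption: relative paths are resolved against server_root.
    Commented-out directives are skipped because '#' precedes the name.
    """
    return [(m.group(1), os.path.join(server_root, m.group(2).strip('"')))
            for m in _KEY_RE.finditer(conf_text)]


def audit_key_file(path, expected_uid=0):
    """Return a list of permission problems for one private-key file."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    # The key is read while Apache still runs as root, so nobody else
    # needs read access to it.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group or other (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other (mode %04o)" % mode)
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d"
                        % (st.st_uid, expected_uid))
    return problems


def audit_config(conf_text, server_root, expected_uid=0):
    """Map each configured key path to its list of problems."""
    return {path: audit_key_file(path, expected_uid)
            for _, path in key_paths(conf_text, server_root)}


def demo():
    """Run the audit over a constructed ServerRoot with two sample keys."""
    root = tempfile.mkdtemp(prefix="gnutls-audit-")
    os.makedirs(os.path.join(root, "conf", "ssl"))
    conf = ("GnuTLSKeyFile conf/ssl/site1.key\n"
            "GnuTLSPGPKeyFile conf/ssl/site3.sec.asc\n")
    for name, mode in (("site1.key", 0o600), ("site3.sec.asc", 0o644)):
        path = os.path.join(root, "conf", "ssl", name)
        with open(path, "w") as handle:
            handle.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    # The sample files belong to the current user, so audit against that uid;
    # on a real server keep the default expected_uid=0 (root).
    return audit_config(conf, root, expected_uid=os.getuid())


if __name__ == "__main__":
    for key_path, found in demo().items():
        print(key_path, "OK" if not found else "; ".join(found))
```
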
#### GnuTLSClientVerify

##### Description:

Enable Client Certificate Verification

##### Syntax:

    GnuTLSClientVerify [ ignore | request | require ]

##### Default:

    ignore

##### Context:

    server config, virtual host, directory, .htaccess

This directive controls the use of SSL Client Certificate
Authentication. If used in the .htaccess context, it can force TLS
re-negotiation.

**ignore**\
mod\_gnutls will ignore the contents of any SSL Client Certificates
sent. It will not request that the client sends a certificate.

**request**\
The client certificate will be requested, but not required. The
Certificate will be validated if sent. The output of the validation
status will be stored in the SSL\_CLIENT\_VERIFY environment variable
and can be "SUCCESS", "FAILED" or "NONE".

**require**\
A Client certificate will be required. Any requests without a valid
client certificate will be denied. The SSL\_CLIENT\_VERIFY environment
variable will only be set to "SUCCESS".

#### GnuTLSClientCAFile

##### Description:

Set to the PEM Encoded Certificate Authority Certificate

##### Syntax:

    GnuTLSClientCAFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.
This file may contain a list of trusted authorities.

#### GnuTLSPGPKeyringFile

##### Description:

Set to a base64 Encoded key ring

##### Syntax:

    GnuTLSPGPKeyringFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate list
(key ring) to use as a means of verification of Client Certificates.
This file should contain a list of trusted signers.

#### GnuTLSEnable

##### Description:

Enable GnuTLS for this virtual host

##### Syntax:

    GnuTLSEnable [ on | off ]

##### Default:

    off

##### Context:

    virtual host

This directive enables SSL/TLS Encryption for a Virtual Host.

#### GnuTLSDHFile

##### Description:

Set to the PKCS \#3 encoded Diffie Hellman parameters

##### Syntax:

    GnuTLSDHFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH parameters.
Those are used when the DHE key exchange method is enabled. You can
generate this file using `certtool --generate-dh-params --bits 2048`.
If not set, mod\_gnutls will use the included parameters.

#### GnuTLSSRPPasswdFile

##### Description:

Set to the SRP password file for SRP ciphersuites

##### Syntax:

    GnuTLSSRPPasswdFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to an SRP password file. This is the
same format as used in libsrp. You can generate such a file using the
command `srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test`
to set a password for user test. This password file holds the username,
a password verifier and the dependency to the SRP parameters.

#### GnuTLSSRPPasswdConfFile

##### Description:

Set to the SRP password.conf file for SRP ciphersuites

##### Syntax:

    GnuTLSSRPPasswdConfFile file-path

##### Default:

    none

##### Context:

    server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This is
the same format as used in libsrp. You can generate such a file using
the command `srptool --create-conf /etc/tpasswd.conf`. This file holds
the SRP parameters and is associated with the password file (the
verifiers depend on these parameters).

#### GnuTLSPriorities

##### Description:

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

##### Syntax:

    GnuTLSPriorities +cipher0:+cipher1:...:+cipherN

##### Default:

    none

##### Context:

    server config, virtual host

Takes a colon separated list of ciphers, key exchange methods, message
authentication codes and compression methods to enable. The allowed
keywords are specified in the gnutls\_priority\_init() function of
GnuTLS. Its documentation can be found at [Core GnuTLS
functions](http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#Core-functions).

In brief you can specify a set of ciphersuites from the choices:

-   **NONE**: The empty list.
-   **EXPORT**: A list with all the supported cipher combinations
    including the "EXPORT" strength algorithms.
-   **PERFORMANCE**: A list with all the secure cipher combinations
    sorted in terms of performance.
-   **NORMAL**: A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).
-   **SECURE**: A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the "+" and "!"
prefixes respectively. That is, in order to disable the ARCFOUR cipher
from the "NORMAL" set you can use the string **NORMAL:!ARCFOUR-128**.

Other options such as the protocol version and the compression method
can be specified using the **VERS-** and **COMP-** prefixes. So in order
to remove or add a specific TLS version from the "NORMAL" set use
**NORMAL:!VERS-SSL3.0**. To enable zlib compression use
**NORMAL:+COMP-DEFLATE**. However it is recommended not to add
compression at this level.

With the "NONE" set, in order to be usable, you have to specify a
complete set of combinations of protocol versions, cipher algorithms
(**AES-128-CBC**), key exchange algorithms (**RSA**), message
authentication codes (**SHA1**) and compression methods
(**COMP-NULL**).

All the supported algorithms are:

-   **Ciphers**: AES-256-CBC, AES-128-CBC, CAMELLIA-256-CBC,
    CAMELLIA-128-CBC, ARCFOUR-128, 3DES-CBC, ARCFOUR-40
-   **Key exchange methods**: RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA,
    SRP-DSS, ANON-DH
-   **Message authentication codes**: SHA1, MD5
-   **Compression methods**: COMP-DEFLATE, COMP-NULL
-   **Protocol versions**: VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0

The special keyword "%COMPAT" will disable some security features such
as protection against statistical attacks to ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).

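The rules above ("+" and "!" prefixes, the five keyword categories, the completeness requirement for "NONE") are enough to lint a priority string before it reaches a server. The following Python linter is an added example, not part of mod\_gnutls or GnuTLS. It does not expand the base sets, and the `WEAK` table is this example's own review policy, an assumption rather than something the manual defines.

```python
import re

# Keyword tables transcribed from the lists in this manual section.
BASE_SETS = {"NONE", "EXPORT", "PERFORMANCE", "NORMAL", "SECURE"}
ALGORITHMS = {
    "cipher": {"AES-256-CBC", "AES-128-CBC", "CAMELLIA-256-CBC",
               "CAMELLIA-128-CBC", "ARCFOUR-128", "3DES-CBC", "ARCFOUR-40"},
    "key exchange": {"RSA", "DHE-RSA", "DHE-DSS", "SRP", "SRP-RSA",
                     "SRP-DSS", "ANON-DH"},
    "MAC": {"SHA1", "MD5"},
    "compression": {"COMP-DEFLATE", "COMP-NULL"},
    "protocol version": {"VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0"},
}
# Reviewer policy: an assumption of this example, not part of the manual.
WEAK = {
    "ARCFOUR-128": "RC4 is prohibited in TLS by RFC 7465",
    "ARCFOUR-40": "export-strength RC4",
    "MD5": "MD5 is a broken hash function",
    "ANON-DH": "anonymous key exchange does not authenticate the server",
    "VERS-SSL3.0": "SSL 3.0 is deprecated by RFC 7568",
    "COMP-DEFLATE": "the manual recommends against compression at this level",
}
_DIRECTIVE = re.compile(r"(?im)^\s*GnuTLSPriorities\s+(\S+)")


def category_of(name):
    """Return the category of an algorithm keyword, or None if unlisted."""
    for category, names in ALGORITHMS.items():
        if name in names:
            return category
    return None


def lint_priorities(value):
    """Return a list of findings for one GnuTLSPriorities value."""
    findings, enabled, base = [], set(), None
    for token in filter(None, value.split(":")):
        if token == "%COMPAT":
            findings.append("%COMPAT: disables some security features")
        elif token in BASE_SETS:
            base = token
            if token == "EXPORT":
                findings.append("EXPORT: includes export-strength algorithms")
        elif token[0] in "+!" and category_of(token[1:]):
            # "+" enables an algorithm, "!" removes it again.
            (enabled.add if token[0] == "+" else enabled.discard)(token[1:])
        else:
            findings.append(token + ": not a keyword listed in this manual")
    for name in sorted(enabled & set(WEAK)):
        findings.append("+%s: %s" % (name, WEAK[name]))
    if base == "NONE":
        # A NONE-based string must enable something in every category.
        for category in ALGORITHMS:
            if not any(category_of(n) == category for n in enabled):
                findings.append("NONE: no %s enabled" % category)
    return findings


def lint_config(conf_text):
    """Lint every GnuTLSPriorities directive in an Apache configuration."""
    return [(m.group(1), lint_priorities(m.group(1)))
            for m in _DIRECTIVE.finditer(conf_text)]


# Constructed sample; the first value is the site4 string from this manual.
SAMPLE_CONF = """
GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
GnuTLSPriorities NORMAL:!ARCFOUR-128:!VERS-SSL3.0
"""

if __name__ == "__main__":
    for value, found in lint_config(SAMPLE_CONF):
        print(value, found or "no findings")
```

Keywords newer than this manual's 2011 list are reported as unlisted rather than judged, so extend `ALGORITHMS` from the GnuTLS documentation for the version actually deployed.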
#### GnuTLSExportCertificates

##### Description:

Export the PEM encoded certificates to CGIs

##### Syntax:

    GnuTLSExportCertificates [ on | off ]

##### Default:

    off

##### Context:

    server config, virtual host

This directive enables exporting the full certificates of the server and
the client to CGI scripts. The exported certificates will be PEM-encoded
(if X.509) or ASCII-armored (if OpenPGP).
With GnuTLSExportCertificates enabled, mod\_gnutls exports the same
environment variables as mod\_ssl.

* * * * *

Configuration Examples
----------------------

#### Simple Standard SSL Example:

The following is an example of standard SSL Hosting, using one IP
Address for each virtual host

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    GnuTLSCache gdbm /var/cache/www-tls-cache
    GnuTLSCacheTimeout 500
    # With normal SSL Websites, you need one IP Address per-site.
    Listen 1.2.3.1:443
    Listen 1.2.3.2:443
    Listen 1.2.3.3:443
    Listen 1.2.3.4:443
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ss/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.2:443>
        # This virtual host enables SRP authentication
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
        GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
    </VirtualHost>
    <VirtualHost 1.2.3.3:443>
        # This server enables SRP, OpenPGP and X.509 authentication.
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/ssl/site3.crt
        GnuTLSKeyFile conf/ss/site3.key
        GnuTLSClientVerify ignore
        GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
        GnuTLSPGPKeyFile conf/ss/site3.sec.asc
        GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
        GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
    </VirtualHost>
    <VirtualHost 1.2.3.4:443>
        GnuTLSEnable on
        # %COMPAT disables some security features to enable maximum compatibility with clients.
        GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/ssl/site4.crt
        GnuTLSKeyFile conf/ss/site4.key
    </VirtualHost>

#### Server Name Indication Example:

mod\_gnutls can also use 'Server Name Indication', as specified in RFC
3546. This allows hosting many SSL Websites, with a Single IP Address.
Currently all the recent browsers support this standard.
Here is an example, using SNI:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    # With normal SSL Websites, you need one IP Address per-site.
    Listen 1.2.3.1:443
    # This could also be 'Listen *:443',
    # just like '*:80' is common for non-https
    # No caching. Enable session tickets. Timeout is still used for
    # ticket expiration.
    GnuTLSCacheTimeout 600
    # This tells apache, that for this IP/Port combination, we want to use
    # Name Based Virtual Hosting. In the case of Server Name Indication,
    # it lets mod_gnutls pick the correct Server Certificate.
    NameVirtualHost 1.2.3.1:443
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ss/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/ssl/site2.crt
        GnuTLSKeyFile conf/ss/site2.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/ssl/site3.crt
        GnuTLSKeyFile conf/ss/site3.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/ssl/site4.crt
        GnuTLSKeyFile conf/ss/site4.key
    </VirtualHost>

* * * * *

Performance Issues:
-------------------

mod\_gnutls by default uses conservative settings for the server.
You can fine tune the configuration to reduce the load on a busy
server. The following examples do exactly this:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    # Using 4 memcache servers to distribute the SSL Session Cache.
    GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
    GnuTLSCacheTimeout 600
    Listen 1.2.3.1:443
    NameVirtualHost 1.2.3.1:443
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # Here we disable the Perfect forward secrecy ciphersuites (DHE)
        # and disallow AES-256 since AES-128 is just fine.
        GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ss/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # Here we instead of disabling the DHE ciphersuites we use
        # Diffie Hellman parameters of smaller size than the default (2048 bits).
        # Using small numbers from 768 to 1024 bits should be ok once they are
        # regenerated every few hours.
        # Use "certtool --generate-dh-params --bits 1024" to get those
        GnuTLSDHFile /etc/apache2/dh.params
        GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/ssl/site2.crt
        GnuTLSKeyFile conf/ss/site2.key
    </VirtualHost>

* * * * *

Environment Variables:
----------------------

mod\_gnutls exports the following environment variables to scripts.
These are compatible with mod\_ssl.

###### HTTPS

Can be "on" or "off"

###### SSL\_VERSION\_LIBRARY

The version of the gnutls library

###### SSL\_VERSION\_INTERFACE

The version of this module

###### SSL\_PROTOCOL

The SSL or TLS protocol name (such as "TLS 1.0" etc.)

###### SSL\_CIPHER

The SSL or TLS cipher suite name

###### SSL\_COMPRESS\_METHOD

The negotiated compression method (NULL or DEFLATE)

###### SSL\_SRP\_USER

The SRP username used for authentication (only set when
GnuTLSSRPPasswdFile and GnuTLSSRPPasswdConfFile are configured).

###### SSL\_CIPHER\_USEKEYSIZE & SSL\_CIPHER\_ALGKEYSIZE

The number of bits used by the negotiated cipher algorithm.

This does not fully reflect the security level since the size of
RSA or DHE key exchange parameters affect the security level too.

###### SSL\_CIPHER\_EXPORT

True or False. Whether the cipher suite negotiated is an export one.

###### SSL\_SESSION\_ID

The session ID negotiated in this session. Can be the same during client
reloads.

###### SSL\_CLIENT\_V\_REMAIN

The number of days until the client's certificate is expired.

###### SSL\_CLIENT\_V\_START

The activation time of client's certificate.

###### SSL\_CLIENT\_V\_END

The expiration time of client's certificate.

###### SSL\_CLIENT\_S\_DN

The distinguished name of client's certificate in RFC2253 format.

###### SSL\_CLIENT\_I\_DN

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

###### SSL\_CLIENT\_S\_AN%

These will contain the alternative names of the client certificate (% is
a number starting from zero).

The values will be prepended by "DNSNAME:", "RFC822NAME:" or "URI:"
depending on the type.

If it is not supported the value "UNSUPPORTED" will be set.

###### SSL\_SERVER\_M\_SERIAL

The serial number of the server's certificate.

###### SSL\_SERVER\_M\_VERSION

The version of the server's certificate.

###### SSL\_SERVER\_A\_SIG

The algorithm used for the signature in server's certificate.

###### SSL\_SERVER\_A\_KEY

The public key algorithm in server's certificate.

###### SSL\_SERVER\_CERT

The PEM-encoded server certificate.

###### SSL\_SERVER\_CERT\_TYPE

The certificate type can be X.509 or OPENPGP.

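
A script that relies on client certificates has to read these variables defensively, because with `GnuTLSClientVerify request` the SSL\_CLIENT\_VERIFY value can be "FAILED" or "NONE". The following Python function is an added example, not part of mod\_gnutls: it accepts a client identity only when verification succeeded and parses the SSL\_CLIENT\_S\_AN% entries by their documented prefixes. The function name, the returned dictionary layout and the sample environment are assumptions of this example.

```python
import re

_SAN_KEY = re.compile(r"^SSL_CLIENT_S_AN(\d+)$")
# Prefixes documented for SSL_CLIENT_S_AN% in this manual.
SAN_TYPES = ("DNSNAME", "RFC822NAME", "URI")


def client_identity(environ):
    """Return the verified client identity from mod_gnutls variables.

    Returns None when the request must be treated as unauthenticated.
    """
    if environ.get("HTTPS") != "on":
        return None
    # Only an exact "SUCCESS" counts; "FAILED", "NONE" and a missing
    # variable all mean there is no verified certificate.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    subject = environ.get("SSL_CLIENT_S_DN")
    if not subject:
        return None
    # Collect SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ... in numeric order.
    numbered = []
    for key, value in environ.items():
        match = _SAN_KEY.match(key)
        if match:
            numbered.append((int(match.group(1)), value))
    alt_names = {kind: [] for kind in SAN_TYPES}
    for _, value in sorted(numbered):
        kind, sep, name = value.partition(":")
        if sep and kind in alt_names:
            alt_names[kind].append(name)
        # "UNSUPPORTED" and unknown prefixes are dropped, never guessed at.
    return {"subject": subject, "alt_names": alt_names}


# Constructed sample environment (not captured from a real server).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example",
    "SSL_CLIENT_S_AN0": "RFC822NAME:alice@example.com",
    "SSL_CLIENT_S_AN1": "URI:https://example.com/alice",
    "SSL_CLIENT_S_AN2": "UNSUPPORTED",
}

if __name__ == "__main__":
    print(client_identity(SAMPLE_ENV))
    print(client_identity(dict(SAMPLE_ENV, SSL_CLIENT_VERIFY="FAILED")))
```
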