source: mod_gnutls/docs/manual.mdwn @ 5674676

Last change on this file since 5674676 was 5674676, checked in by Daniel Kahn Gillmor <dkg@…>, 6 years ago

add SSL_DH_PRIME_BITS to expose the size of the DH modulus to CGI

mod\_gnutls Manual
=======================

Compilation & Installation
--------------------------

mod\_gnutls uses the `configure && make && make install` mechanism common to
many Open Source programs.\
Most of the dirty work is handled by either configure or Apache's apxs
utility.\
If you have built Apache modules before, there shouldn't be any
surprises for you.\
The interesting options you can pass to configure are:

--with-apxs=PATH\
This option is used to specify the location of the apxs utility that
was installed as part of Apache.\
Specify the location of the binary, not the directory it is located
in.

--with-libgnutls=PATH\
Full path to the libgnutls-config program.

--with-apr-memcache=PREFIX\
Prefix to where apr\_memcache is installed.

--help\
Provides a list of all available configure options.

* * * * *

Integration
-----------

To activate mod\_gnutls just add the following line to your httpd.conf
and restart Apache:

`LoadModule gnutls_module modules/mod_gnutls.so`

* * * * *

Configuration Directives:
-------------------------

#### GnuTLSCache

##### Description:

Configure SSL Session Cache

##### Syntax:

    GnuTLSCache [*dbm*|*gdbm*|*memcache*|*none*] [path|server list|-]

##### Default:

    GnuTLSCache none

##### Context:

    server config

This directive configures the SSL Session Cache for mod\_gnutls.\
This could be shared between machines of different architectures.

**dbm (Requires Berkeley DBM)**\
Uses the default Berkeley DB backend of APR DBM to cache SSL Session
results.\
The argument is a relative or absolute path to be used as the DBM Cache
file.\
This is compatible with most operating systems, but needs the Apache
Runtime to be compiled with Berkeley DBM support.\
**gdbm**\
Uses the GDBM backend of APR DBM to cache SSL Session results.\
The argument is a relative or absolute path to be used as the DBM Cache
file.\
This is the recommended option.\
**memcache**\
Uses a memcached server to cache the SSL Session.\
The argument is a space separated list of servers. If no port number is
supplied, the default of 11211 is used.\
This can be used to share a session cache between all servers in a
cluster.\
**none**\
Turns off all caching of SSL Sessions.\
This can significantly reduce the performance of mod\_gnutls since even
followup connections by a client must renegotiate parameters instead of
reusing old ones.\
This is the default, since it requires no configuration.

#### GnuTLSCacheTimeout

##### Description:

Timeout for SSL Session Cache expiration

##### Syntax:

    GnuTLSCacheTimeout *seconds*

##### Default:

    GnuTLSCacheTimeout 300

##### Context:

    server config

Sets the timeout for SSL Session Cache entries expiration.\
This directive is valid even if Session Tickets are used, and indicates
the expiration time of the ticket in seconds.

#### GnuTLSSessionTickets

##### Description:

Enable Session Tickets for the server

##### Syntax:

    GnuTLSSessionTickets [ *on* | *off* ]

##### Default:

    *off*

##### Context:

    server config, virtual host

To avoid storing data for TLS session resumption, the server may instead
provide the client with a ticket to present on return.\
Use for servers with limited storage, and don't combine with
GnuTLSCache.\
For a pool of servers this option is not recommended since the tickets
are unique for the issuing server only.

#### GnuTLSCertificateFile

##### Description:

Set to the PEM Encoded Server Certificate

##### Syntax:

    GnuTLSCertificateFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

#### GnuTLSKeyFile

##### Description:

Set to the PEM Encoded Server Private Key

##### Syntax:

    GnuTLSKeyFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to the Server Private Key.\
This key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

#### GnuTLSPGPCertificateFile

##### Description:

Set to a base64 Encoded Server OpenPGP Certificate

##### Syntax:

    GnuTLSPGPCertificateFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

#### GnuTLSPGPKeyFile

##### Description:

Set to the Server OpenPGP Secret Key

##### Syntax:

    GnuTLSPGPKeyFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, and does not need to be readable by the nobody or
apache user.

#### GnuTLSClientVerify

##### Description:

Enable Client Certificate Verification

##### Syntax:

    GnuTLSClientVerify [ *ignore* | *request* | *require* ]

##### Default:

    *ignore*

##### Context:

    server config, virtual host, directory, .htaccess

This directive controls the use of SSL Client Certificate
Authentication.\
If used in the .htaccess or directory contexts, it can force TLS re-negotiation.

**ignore**\
mod\_gnutls will ignore the contents of any SSL Client Certificates
sent.\
It will not request that the client sends a certificate.\
**request**\
The client certificate will be requested, but not required.\
The Certificate will be validated if sent.\
The output of the validation status will be stored in the
SSL\_CLIENT\_VERIFY environment variable and can be "SUCCESS", "FAILED"
or "NONE".\
**require**\
A Client certificate will be required. Any requests without a valid
client certificate will be denied.\
The SSL\_CLIENT\_VERIFY environment variable will only be set to
"SUCCESS".

#### GnuTLSClientVerifyMethod

##### Description:

Client Certificate Verification Method

##### Syntax:

    GnuTLSClientVerifyMethod [ *cartel* | *msva* ]

##### Default:

    *cartel*

##### Context:

    server config, virtual host

This directive controls how any supplied client
certificate is verified by the web server.
Depending on this choice, different environment variables
may be exposed to any CGI scripts.

**cartel**\
When the client presents an X.509 certificate, mod\_gnutls will verify
it against a list of "trusted" X.509 root certificate authorities.
You need to specify GnuTLSClientCAFile.\
When the client presents an OpenPGP certificate, mod\_gnutls will
verify it against a list of "trusted" OpenPGP certificates. You need
to specify GnuTLSPGPKeyringFile.\
**msva**\
Use a running Monkeysphere Validation Agent to verify the identity of
the client. If this is set, and a client is successfully validated,
the validated identity will be stored in the "user" field of the
Apache request object.

#### GnuTLSClientCAFile

##### Description:

Set to the PEM Encoded Certificate Authority Certificate

##### Syntax:

    GnuTLSClientCAFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.\
This file may contain a list of trusted authorities.

#### GnuTLSPGPKeyringFile

##### Description:

Set to a base64 Encoded key ring

##### Syntax:

    GnuTLSPGPKeyringFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate list
(key ring) to use as a means of verification of Client Certificates.\
This file should contain a list of trusted signers.

#### GnuTLSEnable

##### Description:

Enable GnuTLS for this virtual host

##### Syntax:

    GnuTLSEnable [ *on* | *off* ]

##### Default:

    *off*

##### Context:

    virtual host

This directive enables SSL/TLS Encryption for a Virtual Host.

#### GnuTLSDHFile

##### Description:

Set to the PKCS \#3 encoded Diffie Hellman parameters

##### Syntax:

    GnuTLSDHFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to PKCS \#3 encoded DH parameters.\
Those are used when the DHE key exchange method is enabled.\
You can generate this file using "certtool --generate-dh-params --bits
2048".\
If not set mod\_gnutls will use the included parameters.

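Before pointing GnuTLSDHFile at a parameters file it is worth confirming the modulus size it actually carries, since that size is what a DHE handshake exposes (and what the SSL\_DH\_PRIME\_BITS variable later reports). The following Python reader is an added example written for this manual, not code from the mod\_gnutls project or from certtool. It reads the PKCS \#3 "DH PARAMETERS" PEM block that certtool writes (a DER SEQUENCE of the prime and the generator as INTEGERs; an optional trailing privateValueLength INTEGER is ignored, and any text certtool prints before the BEGIN line is skipped). The small encoder exists only to build a constructed sample; the 127-bit toy modulus it uses is far too small for real use and is there to keep the sample short.

```python
"""Read the modulus size out of a PKCS #3 "DH PARAMETERS" PEM file.

Added example, not part of mod_gnutls.  Run with a file argument to inspect
a real file produced by "certtool --generate-dh-params", or with none to
inspect the constructed sample below.
"""
import base64
import sys

PEM_BEGIN = "-----BEGIN DH PARAMETERS-----"
PEM_END = "-----END DH PARAMETERS-----"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative value (bit_length//8 + 1 bytes keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params(p, g):
    """PKCS #3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Return (p, g) from PEM text; raises ValueError on malformed input."""
    b64, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside = True
        elif line == PEM_END:
            break
        elif inside:
            b64.append(line)
    if not b64:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(b64), validate=True)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)   # optional privateValueLength after g is ignored
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_modulus_bits(pem):
    """Bit length of the DH modulus, the value a CGI sees as SSL_DH_PRIME_BITS."""
    p, _ = decode_dh_params(pem)
    return p.bit_length()


# Constructed sample: 2**127 - 1 is prime, but a 127-bit group is a toy chosen
# only to keep the encoded blob short.  Files from certtool are 2048 bits or more.
SAMPLE_PEM = encode_dh_params(2**127 - 1, 2)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("DH modulus:", dh_modulus_bits(text), "bits")
```

The size check is the only thing the reader asserts; it does not test primality or the safety of the group, so it answers "how large are these parameters" rather than "are these parameters good".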
#### GnuTLSSRPPasswdFile

##### Description:

Set to the SRP password file for SRP ciphersuites

##### Syntax:

    GnuTLSSRPPasswdFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to an SRP password file. This is the
same format as used in libsrp.\
You can generate such a file using the command "srptool --passwd
/etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test" to set a password
for user test.\
This password file holds the username, a password verifier and the
dependency to the SRP parameters.

#### GnuTLSSRPPasswdConfFile

##### Description:

Set to the SRP password.conf file for SRP ciphersuites

##### Syntax:

    GnuTLSSRPPasswdConfFile *file-path*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This is
the same format as used in libsrp.\
You can generate such a file using the command "srptool --create-conf
/etc/tpasswd.conf".\
This file holds the SRP parameters and is associated with the password
file (the verifiers depend on these parameters).

#### GnuTLSPriorities

##### Description:

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

##### Syntax:

    GnuTLSPriorities *+cipher0:+cipher1:...:+cipherN*

##### Default:

    *none*

##### Context:

    server config, virtual host

Takes a colon-separated list of ciphers, key exchange methods,
message authentication codes and compression methods to enable.\
The allowed keywords are specified in the gnutls\_priority\_init()
function of GnuTLS.\
Its documentation can be found at [Core GnuTLS
functions](http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#Core-functions).\
In brief you can specify a set of ciphersuites from the choices:

-   **NONE**: The empty list.
-   **EXPORT**: A list with all the supported cipher combinations
    including the "EXPORT" strength algorithms.
-   **PERFORMANCE**: A list with all the secure cipher combinations
    sorted in terms of performance.
-   **NORMAL**: A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).
-   **SECURE**: A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the "+" and "!"
prefixes respectively.\
That is, in order to disable the ARCFOUR cipher from the "NORMAL" set
you can use the string **NORMAL:!ARCFOUR-128**.\
Other options such as the protocol version and the compression method
can be specified using the **VERS-** and **COMP-** prefixes.\
So in order to remove or add a specific TLS version from the "NORMAL"
set use **NORMAL:!VERS-SSL3.0**.\
To enable zlib compression use **NORMAL:+COMP-DEFLATE**.\
However it is recommended not to add compression at this level.\
With the "NONE" set, in order to be usable, you have to specify a
complete set of combinations of protocol versions,
cipher algorithms (**AES-128-CBC**), key exchange algorithms (**RSA**),
message authentication codes (**SHA1**) and compression methods
(**COMP-NULL**).

All the supported algorithms are:

-   **Ciphers**: AES-256-CBC, AES-128-CBC, CAMELLIA-256-CBC,
    CAMELLIA-128-CBC, ARCFOUR-128, 3DES-CBC, ARCFOUR-40
-   **Key exchange methods**: RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA,
    SRP-DSS, ANON-DH
-   **Message authentication codes**: SHA1, MD5
-   **Compression methods**: COMP-DEFLATE, COMP-NULL
-   **Protocol versions**: VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0

The special keyword "%COMPAT" will disable some security features such
as protection against statistical attacks to ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).

#### GnuTLSExportCertificates

##### Description:

Export the PEM encoded certificates to CGIs

##### Syntax:

    GnuTLSExportCertificates [ *on* | *off* ]

##### Default:

    *off*

##### Context:

    server config, virtual host

This directive enables exporting the full certificates of the server and
the client to CGI scripts. The exported certificates will be PEM-encoded
(if X.509) or ASCII-armored (if OpenPGP).\
With GnuTLSExportCertificates enabled, mod\_gnutls exports the same
environment variables as mod\_ssl.

* * * * *

Configuration Examples
----------------------

#### Simple Standard SSL Example:

The following is an example of standard SSL Hosting, using one IP
Address for each virtual host:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    GnuTLSCache gdbm /var/cache/www-tls-cache
    GnuTLSCacheTimeout 500

    # With normal SSL Websites, you need one IP Address per-site.
    Listen 1.2.3.1:443
    Listen 1.2.3.2:443
    Listen 1.2.3.3:443
    Listen 1.2.3.4:443

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>

    <VirtualHost 1.2.3.2:443>
        # This virtual host enables SRP authentication
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
        GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
    </VirtualHost>

    <VirtualHost 1.2.3.3:443>
        # This server enables SRP, OpenPGP and X.509 authentication.
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/ssl/site3.crt
        GnuTLSKeyFile conf/ssl/site3.key
        GnuTLSClientVerify ignore
        GnuTLSPGPCertificateFile conf/ssl/site3.pub.asc
        GnuTLSPGPKeyFile conf/ssl/site3.sec.asc
        GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
        GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
    </VirtualHost>

    <VirtualHost 1.2.3.4:443>
        GnuTLSEnable on
        # %COMPAT disables some security features to enable maximum compatibility with clients.
        GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/ssl/site4.crt
        GnuTLSKeyFile conf/ssl/site4.key
    </VirtualHost>

#### Server Name Indication Example:

mod\_gnutls can also use 'Server Name Indication', as specified in RFC
3546.\
This allows hosting many SSL Websites, with a Single IP Address.\
Currently all the recent browsers support this standard.\
Here is an example, using SNI:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so

    # With normal SSL Websites, you need one IP Address per-site.
    Listen 1.2.3.1:443
    # This could also be 'Listen *:443',
    # just like '*:80' is common for non-https

    # No caching. Enable session tickets. Timeout is still used for
    # ticket expiration.
    GnuTLSCacheTimeout 600

    # This tells apache, that for this IP/Port combination, we want to use
    # Name Based Virtual Hosting. In the case of Server Name Indication,
    # it lets mod_gnutls pick the correct Server Certificate.
    NameVirtualHost 1.2.3.1:443

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/ssl/site2.crt
        GnuTLSKeyFile conf/ssl/site2.key
    </VirtualHost>

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/ssl/site3.crt
        GnuTLSKeyFile conf/ssl/site3.key
    </VirtualHost>

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/ssl/site4.crt
        GnuTLSKeyFile conf/ssl/site4.key
    </VirtualHost>

* * * * *

Performance Issues:
-------------------

mod\_gnutls by default uses conservative settings for the server.\
You can fine tune the configuration to reduce the load on a busy
server.\
The following examples do exactly this:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so

    # Using 4 memcache servers to distribute the SSL Session Cache.
    GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
    GnuTLSCacheTimeout 600

    Listen 1.2.3.1:443
    NameVirtualHost 1.2.3.1:443

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # Here we disable the Perfect forward secrecy ciphersuites (DHE)
        # and disallow AES-256 since AES-128 is just fine.
        GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>

    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # Here, instead of disabling the DHE ciphersuites, we use
        # Diffie Hellman parameters of smaller size than the default (2048 bits).
        # Using small numbers from 768 to 1024 bits should be ok once they are
        # regenerated every few hours.
        # Use "certtool --generate-dh-params --bits 1024" to get those
        GnuTLSDHFile /etc/apache2/dh.params
        GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/ssl/site2.crt
        GnuTLSKeyFile conf/ssl/site2.key
    </VirtualHost>

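The examples above trade security margin for load, and the directive descriptions earlier in this manual spell out the points where that trade happens: priority tokens the manual lists as EXPORT-strength or disables in its own examples (ARCFOUR, MD5, SSL 3.0, anonymous DH, compression, %COMPAT), session tickets combined with a GnuTLSCache, and a client-verification setting under the cartel method with no GnuTLSClientCAFile or GnuTLSPGPKeyringFile to verify against. The following Python checker is an added example written for this manual, not a tool shipped with mod\_gnutls: it parses an httpd.conf fragment, understanding only `<VirtualHost>` nesting, and reports those conditions per virtual host. The list of flagged tokens and the sample configuration (modelled on the examples above) are constructed for the example.

```python
"""Lint mod_gnutls directives in an httpd.conf fragment.

Added example, not part of mod_gnutls.  Understands the directives from the
manual's Configuration Directives section and <VirtualHost> nesting only.
Usage: python lint_gnutls.py httpd.conf   (no argument: lint the sample)
"""
import re
import sys

# Priority-string tokens the manual describes as EXPORT-strength, weak or
# compatibility-only.  Constructed for this example from the manual's lists.
RISKY_PRIORITY_TOKENS = {
    "EXPORT": "EXPORT-strength algorithms",
    "ARCFOUR-40": "40-bit RC4",
    "ARCFOUR-128": "RC4 (the manual's own example disables it)",
    "MD5": "MD5 message authentication",
    "VERS-SSL3.0": "SSL 3.0",
    "ANON-DH": "anonymous DH, no server authentication",
    "COMP-DEFLATE": "TLS compression, which the manual advises against",
    "%COMPAT": "disables some security features for compatibility",
}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_config(text):
    """Return (global_directives, [(vhost_address, directives), ...]).

    Directive names become lower-cased dict keys, values are the raw argument
    text; comment and blank lines are dropped.
    """
    global_scope, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = (opened.group(1), {})
            vhosts.append(current)
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        (current[1] if current else global_scope)[parts[0].lower()] = args
    return global_scope, vhosts


def priority_findings(priorities):
    """Flag risky tokens a GnuTLSPriorities string enables ('!' removes, so skip)."""
    found = []
    for token in priorities.split(":"):
        token = token.strip()
        name = token.lstrip("+")
        if not name or token.startswith("!"):
            continue
        if name in RISKY_PRIORITY_TOKENS:
            found.append(f"GnuTLSPriorities enables {name}: {RISKY_PRIORITY_TOKENS[name]}")
    return found


def lint(text):
    """Return 'scope: message' strings for the risks found in a config fragment."""
    global_scope, vhosts = parse_config(text)
    findings = []
    cache_mode = (global_scope.get("gnutlscache", "none").split() or ["none"])[0].lower()
    if cache_mode == "none":
        findings.append("server config: GnuTLSCache none forces a full handshake "
                        "for every returning client")

    def setting(d, name, default):
        # Directives valid in both contexts: the virtual host overrides server config.
        return d.get(name, global_scope.get(name, default)).strip().lower()

    for address, d in vhosts:
        def present(*keys):
            return all(k in d or k in global_scope for k in keys)

        if setting(d, "gnutlsenable", "off") != "on":
            continue
        scope = d.get("servername", address)
        if not (present("gnutlscertificatefile", "gnutlskeyfile")
                or present("gnutlspgpcertificatefile", "gnutlspgpkeyfile")
                or present("gnutlssrppasswdfile", "gnutlssrppasswdconffile")):
            findings.append(f"{scope}: GnuTLSEnable on but no X.509, OpenPGP or SRP credentials")
        if setting(d, "gnutlssessiontickets", "off") == "on" and cache_mode != "none":
            findings.append(f"{scope}: GnuTLSSessionTickets on combined with GnuTLSCache "
                            f"{cache_mode}; the manual says not to combine them")
        verify = setting(d, "gnutlsclientverify", "ignore")
        method = setting(d, "gnutlsclientverifymethod", "cartel")
        has_anchor = present("gnutlsclientcafile") or present("gnutlspgpkeyringfile")
        if verify in ("request", "require") and method == "cartel" and not has_anchor:
            findings.append(f"{scope}: GnuTLSClientVerify {verify} with the cartel method "
                            "but no GnuTLSClientCAFile or GnuTLSPGPKeyringFile")
        findings.extend(f"{scope}: {m}" for m in priority_findings(d.get("gnutlspriorities", "")))
    return findings


# Constructed sample modelled on the manual's examples; not a real deployment.
SAMPLE_CONF = """
LoadModule gnutls_module modules/mod_gnutls.so
GnuTLSCache gdbm /var/cache/www-tls-cache
GnuTLSCacheTimeout 500
Listen 1.2.3.1:443
NameVirtualHost 1.2.3.1:443

<VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    # Tickets plus a cache: the manual says not to combine them.
    GnuTLSSessionTickets on
    GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
    ServerName site1.example.com:443
    GnuTLSCertificateFile conf/ssl/site1.crt
    GnuTLSKeyFile conf/ssl/site1.key
</VirtualHost>

<VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:!ARCFOUR-128:!VERS-SSL3.0
    # Required client certificates, but no GnuTLSClientCAFile anywhere.
    GnuTLSClientVerify require
    ServerName site2.example.com:443
    GnuTLSCertificateFile conf/ssl/site2.crt
    GnuTLSKeyFile conf/ssl/site2.key
</VirtualHost>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint(text) or ["no findings"]:
        print(finding)
```

Tokens removed with `!` are deliberately not flagged, so `NORMAL:!ARCFOUR-128:!VERS-SSL3.0` passes cleanly while a `NONE:` string that adds `+MD5` or `%COMPAT` is reported; the checker does not know the contents of the NORMAL, SECURE and PERFORMANCE sets, so weak algorithms that a base set itself contains are outside what it can see.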
* * * * *

Environment Variables:
----------------------

mod\_gnutls exports the following environment variables to scripts.\
These are compatible with mod\_ssl.

###### HTTPS

Can be "on" or "off"

###### SSL\_VERSION\_LIBRARY

The version of the gnutls library

###### SSL\_VERSION\_INTERFACE

The version of this module

###### SSL\_PROTOCOL

The SSL or TLS protocol name (such as "TLS 1.0" etc.)

###### SSL\_CIPHER

The SSL or TLS cipher suite name

###### SSL\_COMPRESS\_METHOD

The negotiated compression method (NULL or DEFLATE)

###### SSL\_SRP\_USER

The SRP username used for authentication (only set when
GnuTLSSRPPasswdFile and GnuTLSSRPPasswdConfFile are configured).

###### SSL\_CIPHER\_USEKEYSIZE & SSL\_CIPHER\_ALGKEYSIZE

The number of bits of the key used by the negotiated cipher algorithm.

This does not fully reflect the security level since the size of the
RSA or DHE key exchange parameters affects the security level too.

###### SSL\_DH\_PRIME\_BITS

The number of bits in the modulus for the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

###### SSL\_CIPHER\_EXPORT

True or False. Whether the cipher suite negotiated is an export one.

###### SSL\_SESSION\_ID

The session ID negotiated in this session. Can be the same during client
reloads.

###### SSL\_CLIENT\_V\_REMAIN

The number of days until the client's certificate is expired.

###### SSL\_CLIENT\_V\_START

The activation time of the client's certificate.

###### SSL\_CLIENT\_V\_END

The expiration time of the client's certificate.

###### SSL\_CLIENT\_S\_DN

The distinguished name of the client's certificate in RFC2253 format.

###### SSL\_CLIENT\_I\_DN

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

###### SSL\_CLIENT\_S\_AN%

These will contain the alternative names of the client certificate (% is
a number starting from zero).

The values will be prepended by "DNSNAME:", "RFC822NAME:" or "URI:"
depending on the type.

If it is not supported the value "UNSUPPORTED" will be set.

###### SSL\_SERVER\_M\_SERIAL

The serial number of the server's certificate.

###### SSL\_SERVER\_M\_VERSION

The version of the server's certificate.

###### SSL\_SERVER\_A\_SIG

The algorithm used for the signature in the server's certificate.

###### SSL\_SERVER\_A\_KEY

The public key algorithm in the server's certificate.

###### SSL\_SERVER\_CERT

The PEM-encoded server certificate.

###### SSL\_SERVER\_CERT\_TYPE

The certificate type can be X.509 or OPENPGP.

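A CGI script behind mod\_gnutls can use these variables to make its own access decision instead of trusting the connection blindly. The following Python is an added example written for this manual, not code shipped with mod\_gnutls: it requires HTTPS to be "on", SSL\_CLIENT\_VERIFY to be "SUCCESS", a non-export cipher suite with a key of at least a chosen size, and, when SSL\_DH\_PRIME\_BITS is present (the manual notes it is absent when no DH exchange was used), a DH modulus of at least a chosen size; it then collects the client's subject DN, issuer DN and the typed SSL\_CLIENT\_S\_AN% values. The thresholds, the assumption that the alternative-name variables are numbered without gaps from zero, the `cgi_response` wrapper and the sample environment (including its cipher suite name) are constructed for the example; the variable names and value formats are the ones listed above.

```python
"""Make a CGI access decision from the variables mod_gnutls exports.

Added example, not part of mod_gnutls.  Variable names and value formats
follow the manual's Environment Variables section; thresholds are ours.
"""
import os

# Policy thresholds chosen for this example; the manual prescribes none.
MIN_DH_PRIME_BITS = 2048
MIN_CIPHER_BITS = 128


def _int_or_none(value):
    """Parse an environment value as int, or None when absent or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def tls_policy_errors(environ, min_dh_bits=MIN_DH_PRIME_BITS, min_cipher_bits=MIN_CIPHER_BITS):
    """Return the reasons a request fails the TLS policy; an empty list means accept."""
    errors = []
    if environ.get("HTTPS", "off").lower() != "on":
        errors.append("not served over TLS")
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")        # SUCCESS, FAILED or NONE
    if verify != "SUCCESS":
        errors.append(f"client certificate not verified: {verify}")
    if environ.get("SSL_CIPHER_EXPORT", "false").lower() == "true":
        errors.append("export-grade ciphersuite negotiated")
    key_bits = _int_or_none(environ.get("SSL_CIPHER_USEKEYSIZE"))
    if key_bits is None or key_bits < min_cipher_bits:
        shown = environ.get("SSL_CIPHER_USEKEYSIZE", "unset")
        errors.append(f"cipher key size {shown} below {min_cipher_bits}")
    # SSL_DH_PRIME_BITS is only set when DHE or static DH was used, so its
    # absence is not an error; a short modulus is.  The manual's remark that
    # the cipher key size alone does not reflect the security level is why
    # both checks are made.
    if "SSL_DH_PRIME_BITS" in environ:
        dh_bits = _int_or_none(environ["SSL_DH_PRIME_BITS"])
        if dh_bits is None or dh_bits < min_dh_bits:
            errors.append(f"DH modulus {environ['SSL_DH_PRIME_BITS']} bits below {min_dh_bits}")
    return errors


def client_identity(environ):
    """Subject DN, issuer DN and typed alternative names of the client certificate.

    Assumes SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ... are numbered without gaps
    (an assumption of this example); an UNSUPPORTED entry is skipped.
    """
    sans, index = [], 0
    while f"SSL_CLIENT_S_AN{index}" in environ:
        value = environ[f"SSL_CLIENT_S_AN{index}"]
        index += 1
        if value == "UNSUPPORTED":
            continue
        kind, _, name = value.partition(":")     # e.g. "DNSNAME:host.example.com"
        sans.append((kind, name))
    return {
        "subject": environ.get("SSL_CLIENT_S_DN"),
        "issuer": environ.get("SSL_CLIENT_I_DN"),
        "sans": sans,
    }


def cgi_response(environ):
    """Return (status, body) the CGI script would emit for this request."""
    errors = tls_policy_errors(environ)
    if errors:
        return "403 Forbidden", "TLS policy rejected the request: " + "; ".join(errors)
    ident = client_identity(environ)
    return "200 OK", f"Hello {ident['subject']} (issued by {ident['issuer']})"


# Constructed sample environment; the cipher suite name is illustrative only.
SAMPLE_ENVIRON = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLS 1.0",
    "SSL_CIPHER": "DHE_RSA_AES_128_CBC_SHA1",
    "SSL_CIPHER_USEKEYSIZE": "128",
    "SSL_CIPHER_ALGKEYSIZE": "128",
    "SSL_CIPHER_EXPORT": "false",
    "SSL_DH_PRIME_BITS": "1024",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example,C=US",
    "SSL_CLIENT_I_DN": "CN=Example CA,O=Example,C=US",
    "SSL_CLIENT_S_AN0": "RFC822NAME:alice@example.com",
    "SSL_CLIENT_S_AN1": "DNSNAME:alice.example.com",
    "SSL_CLIENT_S_AN2": "UNSUPPORTED",
}

if __name__ == "__main__":
    env = os.environ if "HTTPS" in os.environ else SAMPLE_ENVIRON
    status, body = cgi_response(env)
    print(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}")
```

With the sample environment the request is refused only because of the 1024-bit DH modulus; raising SSL\_DH\_PRIME\_BITS to 2048, or dropping it as a non-DH suite would, lets the same client through.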