- Timestamp: Oct 1, 2018, 1:03:16 PM
- Branches: asyncio, debian/master, master, proxy-ticket
- Children: 5f15295
- Parents: bac1a32
- Files: 1 edited
doc/mod_gnutls_manual.mdwn
rbac1a32 r1a3068c 295 295 ### GnuTLSCertificateFile 296 296 297 Set t o the PEM Encoded Server Certificate297 Set the PEM encoded server certificate or certificate chain 298 298 299 299 GnuTLSCertificateFile FILEPATH … … 302 302 Context: server config, virtual host 303 303 304 Takes an absolute or relative path to a PEM-encoded X.509 certificate to 305 use as this Server's End Entity (EE) certificate. If you need to supply 306 certificates for intermediate Certificate Authorities (iCAs), they 307 should be listed in sequence in the file, from EE to the iCA closest to 308 the root CA. Optionally, you can also include the root CA's certificate 309 as the last certificate in the list. 310 311 Since version 0.7 this can be a PKCS #11 URL. 304 FILEPATH is an absolute or relative path to a file containing the 305 PEM-encoded X.509 certificate to use as this Server's End Entity (EE) 306 certificate, and optionally those of the issuing Certificate 307 Authorities (CAs). If the file contains multiple certificates they 308 should be ordered from EE to the CA closest to the root CA (or the 309 root CA itself). 310 311 Including at least the immediately issuing CA is highly recommended 312 because it is required for OCSP stapling. 313 314 Since version 0.7 this can be a PKCS #11 URL instead of a file. 315 316 On Linux and other Unix-like systems you can create the file with a 317 command like this (assuming "CA 1" issued the server certificate and 318 has been issued by "Root CA" itself): 319 320 $ cat server.pem ca-1.pem root-ca.pem >server-chain.pem 312 321 313 322 ### GnuTLSKeyFile … … 485 494 GnuTLSOCSPStapling [On|Off] 486 495 487 Default: *o ff*\496 Default: *on* if requirements are met, *off* otherwise\ 488 497 Context: server config, virtual host 489 498 490 499 OCSP stapling, formally known as the TLS Certificate Status Request 491 extension, allows the server to provide the client with an OCSP 492 response for its certificate during the handshake. 
This way the client 493 does not have to send an OCSP request to the CA to check the 494 certificate status, which offers privacy and performance advantages. 500 extension, allows the server to provide the client with a cached OCSP 501 response for its certificate during the handshake. With OCSP stapling 502 the client does not have to send an OCSP request to the issuer CA to 503 check the certificate status, which offers privacy and performance 504 advantages, and avoids the security issue of how to handle errors that 505 prevent the client from getting a response. 495 506 496 507 Using OCSP stapling has a few requirements: 497 508 498 * Caching OCSP responses requires a cache, so `GnuTLSCache` must not499 be `none`.500 509 * `GnuTLSCertificateFile` must contain the issuer CA certificate in 501 510 addition to the server certificate so responses can be verified. 502 * The certificate must either contain an OCSP access URI using HTTP, 503 or `GnuTLSOCSPResponseFile` must be set. 511 * The server certificate must either contain an OCSP access URI using 512 HTTP, or `GnuTLSOCSPResponseFile` must be set. 513 * Caching OCSP responses requires a cache to store responses. If 514 `mod_socache_shmcb` is loaded `mod_gnutls` can set up the cache 515 automatically without additional configuration, see 516 `GnuTLSOCSPCache`. 517 518 Stapling is activated by default if these requirements are met. If 519 `GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are 520 an error. 504 521 505 522 OCSP cache updates are serialized using the `gnutls-ocsp` mutex. 523 524 ### GnuTLSOCSPCache 525 526 OCSP stapling cache configuration 527 528 GnuTLSOCSPCache (shmcb|memcache|...|none)[:PARAMETERS] 529 530 Default: `shmcb:gnutls_ocsp_cache`\ 531 Context: server config 532 533 This directive configures the OCSP stapling cache, and uses the same 534 syntax as `GnuTLSOCSPCache`. Please check there for details. 
535 536 The default should be reasonable for most servers and requires 537 `mod_socache_shmcb` to be loaded. Servers with very many virtual hosts 538 may need to increase the default cache size via the parameters string, 539 those with few virtual hosts and constrains could save a few KB by 540 reducing it. Note that `mod_socache_dbm` has a size constraint for 541 entries that is generally too small for OCSP responses. 542 543 If the selected cache implementation is not thread-safe, access 544 is serialized using the `gnutls-ocsp-cache` mutex. 506 545 507 546 ### GnuTLSOCSPAutoRefresh
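Review bot: the `cat server.pem ca-1.pem root-ca.pem >server-chain.pem` example added at new lines 316-320 of the GnuTLSCertificateFile section contradicts the text just above it, which says the root CA is optional, and it will silently produce a file GnuTLS cannot parse if any of the input PEM files lacks a trailing newline (the `-----END CERTIFICATE-----` and next `-----BEGIN CERTIFICATE-----` markers end up on one line). Suggest either dropping `root-ca.pem` from the command or stating that it is optional (clients already hold the root in their trust store, so shipping it only enlarges every handshake), and adding a quick check after the command, for example `grep -c '^-----BEGIN CERTIFICATE-----$' server-chain.pem`, which should print the number of certificates concatenated.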
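Review bot: changing the default at new line 496 to "*on* if requirements are met" is a behaviour change for existing deployments, and the new text at lines 518-520 only covers the explicit `on` case; it should also say what happens when stapling was enabled automatically and a later response fetch fails (is the handshake completed without a staple, or refused?), since that is the case an administrator will hit in production. The sentence at lines 504-505 ("avoids the security issue of how to handle errors that prevent the client from getting a response") would also be clearer if it named the issue: most clients soft-fail when the responder is unreachable, so an on-path attacker can suppress the revocation check, and stapling removes that dependency only while the server actually has a response to staple.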
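Review bot: the new GnuTLSOCSPCache section refers to itself at lines 533-534 ("uses the same syntax as `GnuTLSOCSPCache`. Please check there for details."); this should point at `GnuTLSCache`, which is the directive whose `(shmcb|memcache|...|none)[:PARAMETERS]` syntax is being reused. Two smaller points in the same hunk: "constrains" at line 539 should read "memory constraints", and since line 522 names the `gnutls-ocsp` mutex for cache updates while line 544 names `gnutls-ocsp-cache` for cache access, a half sentence saying these are two distinct mutexes would save readers who tune Apache `Mutex` directives from assuming one is a typo for the other.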