Changeset 4addf74 in mod_gnutls for doc/mod_gnutls_manual.mdwn


Timestamp: Aug 22, 2015, 3:30:24 PM (5 years ago)
Author: Daniel Kahn Gillmor <dkg@…>
Branches: debian/master, debian/stretch-backports, jessie-backports, upstream
Children: 71e9a5c, 89f863f
Parents: ae29683, a1c4c2d
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Message: Imported Upstream version 0.7

File: 1 moved

  • doc/mod_gnutls_manual.mdwn

    rae29683 r4addf74  
    150150as the last certificate in the list.
    151151
     152Since version 0.7 this can be a PKCS #11 URL.
     153
    152154`GnuTLSKeyFile`
    153155---------------
    154156
    155 Set to the PEM Encoded Server Certificate
    156 
    157     GnuTLSCertificateFile FILEPATH
    158 
    159 Default: *none*\
    160 Context: server config, virtual host
    161 
    162 Takes an absolute or relative path to the Server Private Key.  This
    163 key cannot currently be password protected.
     157Set to the PEM Encoded Server Private Key
     158
     159    GnuTLSKeyFile FILEPATH
     160
     161Default: *none*\
     162Context: server config, virtual host
     163
     164Takes an absolute or relative path to the Server Private Key. Set
     165`GnuTLSPIN` if the key file is encrypted.
     166
     167Since version 0.7 this can be a PKCS #11 URL.
    164168
    165169**Security Warning:**\
    166  This private key must be protected. It is read while Apache is still
     170This private key must be protected. It is read while Apache is still
    167171running as root, and does not need to be readable by the nobody or
    168172apache user.
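Review bot: lines 164-165 of the new `GnuTLSKeyFile` text send the reader to `GnuTLSPIN` for an encrypted key, but the **Security Warning** at lines 169-172 still only covers the key file itself. Once the key is encrypted, or is a PKCS #11 URL as line 167 allows, the PIN in the Apache configuration is what unlocks it, so the warning should say that the configuration fragment holding `GnuTLSPIN` needs the same root-only permissions as the key file; a sentence such as "If `GnuTLSPIN` is used, the configuration file containing it must be protected in the same way." would close the gap. Separately, "does not need to be readable by the nobody or apache user" reads as optional; "must not be readable" states the actual requirement.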
     
    368372achieve maximum compatibility (some broken mobile clients need this).
    369373
     374`GnuTLSP11Module`
     375------------------
     376
     377Load an additional PKCS #11 module.
     378
     379    GnuTLSP11Module PATH_TO_LIBRARY
     380
     381Default: *none*\
     382Context: server config
     383
     384Load this PKCS #11 provider module, in addition to the system
     385defaults.
     386
     387`GnuTLSPIN`
     388------------------
     389
     390Set the PIN to be used to access encrypted key files or PKCS #11 objects.
     391
     392    GnuTLSPIN XXXXXX
     393
     394Default: *none*\
     395Context: server config, virtual host
     396
     397Takes a string to be used as a PIN for the protected objects in
     398a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
     399or openssl encrypted keys.
     400
     401`GnuTLSSRKPIN`
     402------------------
     403
     404Set the SRK PIN to be used to unlaccess the TPM.
     405
     406    GnuTLSSRKPIN XXXXXX
     407
     408Default: *none*\
     409Context: server config, virtual host
     410
     411Takes a string to be used as a PIN for the protected objects in
     412the TPM module.
     413
    370414`GnuTLSExportCertificates`
    371415--------------------------
     
    373417Export the PEM encoded certificates to CGIs
    374418
    375     GnuTLSExportCertificates [on|off]
     419    GnuTLSExportCertificates [off|on|SIZE]
    376420
    377421Default: `off`\
    378422Context: server config, virtual host
    379423
    380 This directive enables exporting the full certificates of the server and
    381 the client to CGI scripts. The exported certificates will be PEM-encoded
    382 (if X.509) or ASCII-armored (if OpenPGP).
     424This directive configures exporting the full certificates of the
     425server and the client to CGI scripts via the `SSL_SERVER_CERT` and
     426`SSL_CLIENT_CERT` environment variables. The exported certificates
     427will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
     428size given.  The type of the certificate will be exported in
     429`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
     430
     431SIZE should be an integer number of bytes, or may be written with a
     432trailing `K` to indicate kibibytes.  `off` means the same thing as
     433`0`, in which case the certificates will not be exported to the
     434environment.  `on` is an alias for `16K`.  If a non-zero size is
     435specified for this directive, but a certificate is too large to fit in
     436the buffer, then the corresponding environment variable will contain
     437the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
     438
    383439With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
    384440environment variables to the CGI process as `mod_ssl`.
     441
     442
     443`GnuTLSProxyEngine`
     444--------------
     445
     446Enable TLS proxy connections for this virtual host
     447
     448    GnuTLSProxyEngine [on|off]
     449
     450Default: *off*\
     451Context: virtual host
     452
     453This directive enables support for TLS proxy connections for a virtual
     454host.
     455
     456`GnuTLSProxyCAFile`
     457--------------------
     458
     459Set to the PEM encoded Certificate Authority Certificate
     460
     461    GnuTLSProxyCAFile FILEPATH
     462
     463Default: *none*\
     464Context: server config, virtual host
     465
     466Takes an absolute or relative path to a PEM encoded certificate to use
     467as a Certificate Authority when verifying certificates provided by
     468proxy back end servers. This file may contain a list of trusted
     469authorities. If not set, verification of TLS back end servers will
     470always fail due to lack of a trusted CA.
     471
     472`GnuTLSProxyCRLFile`
     473--------------------
     474
     475Set to the PEM encoded Certificate Revocation List
     476
     477    GnuTLSProxyCRLFile FILEPATH
     478
     479Default: *none*\
     480Context: server config, virtual host
     481
     482Takes an absolute or relative path to a PEM encoded Certificate
     483Revocation List to use when verifying certificates provided by proxy
     484back end servers. The file may contain a list of CRLs.
     485
     486`GnuTLSProxyCertificateFile`
     487-----------------------
     488
     489Set to the PEM encoded Client Certificate
     490
     491    GnuTLSProxyCertificateFile FILEPATH
     492
     493Default: *none*\
     494Context: server config, virtual host
     495
     496Takes an absolute or relative path to a PEM encoded X.509 certificate
     497to use as this Server's End Entity (EE) client certificate for TLS
     498client authentication in proxy TLS connections. If you need to supply
     499certificates for intermediate Certificate Authorities (iCAs), they
     500should be listed in sequence in the file, from EE to the iCA closest
     501to the root CA. Optionally, you can also include the root CA's
     502certificate as the last certificate in the list.
     503
     504If not set, TLS client authentication will be disabled for TLS proxy
     505connections. If set, `GnuTLSProxyKeyFile` must be set as well to
     506provide the matching private key.
     507
     508`GnuTLSProxyKeyFile`
     509---------------
     510
     511Set to the PEM encoded Private Key
     512
     513    GnuTLSProxyKeyFile FILEPATH
     514
     515Default: *none*\
     516Context: server config, virtual host
     517
     518Takes an absolute or relative path to the Private Key matching the
     519certificate configured using the `GnuTLSProxyCertificateFile`
     520directive. This key cannot currently be password protected.
     521
     522**Security Warning:**\
     523This private key must be protected. It is read while Apache is still
     524running as root, and does not need to be readable by the nobody or
     525apache user.
     526
     527`GnuTLSProxyPriorities`
     528------------------
     529
     530Set the allowed ciphers, key exchange algorithms, MACs and compression
     531methods for proxy connections
     532
     533    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
     534
     535Default: *none*\
     536Context: server config, virtual host
     537
     538This option is used to set the allowed ciphers, key exchange
     539algorithms, MACs and compression methods for proxy connections. It
     540takes the same parameters as `GnuTLSPriorities`. Required if
     541`GnuTLSProxyEngine` is `On`.
    385542
    386543* * * * *
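Review bot: typo at line 404, "unlaccess" should read "unlock" (or "access"). Also, line 520 for `GnuTLSProxyKeyFile` still says "This key cannot currently be password protected", while the same sentence was replaced for `GnuTLSKeyFile` at lines 164-167 by a pointer to `GnuTLSPIN` and PKCS #11 support; if the proxy key honours `GnuTLSPIN` as well, the two sections should match, and if it does not, saying so explicitly would stop readers from configuring a PIN that is silently ignored. Finally, the `GnuTLSPIN` and `GnuTLSSRKPIN` entries (lines 387-412) place a secret in the configuration with no protection note; a one-line reference to the key-file security warning would help there.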
     
    671828The public key algorithm in server's certificate.
    672829
    673 `SSL_SERVER1_CERT`
    674 ------------------
    675 
    676 The PEM-encoded server certificate.
     830`SSL_SERVER_CERT`
     831------------------
     832
     833The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
     834(see the `GnuTLSExportCertificates` directive).
    677835
    678836`SSL_SERVER_CERT_TYPE`
     
    681839The certificate type can be `X.509` or `OPENPGP`.
    682840
     841`SSL_CLIENT_CERT`
     842------------------
     843
     844The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
     845(see the `GnuTLSExportCertificates` directive).
     846
    683847`SSL_CLIENT_CERT_TYPE`
    684848----------------------