Changeset 60868d2 in mod_gnutls for doc/mod_gnutls_manual.mdwn


Timestamp:
Sep 30, 2018, 6:04:48 AM (14 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
0d7660d
Parents:
bd1d8d3
git-author:
Fiona Klute <fiona.klute@…> (09/30/18 05:43:44)
git-committer:
Fiona Klute <fiona.klute@…> (09/30/18 06:04:48)
Message:

Default to NORMAL for the GnuTLS priority settings

This simplifies configuration and should be reasonable for most users.

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rbd1d8d3 r60868d2  
    213213    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
    214214
    215 Default: *none*\
    216 Context: server config, virtual host
    217 
    218 Takes a colon separated list of protocol version, ciphers, key
    219 exchange methods message authentication codes, and compression methods
    220 to enable. The allowed keywords are specified in the
    221 `gnutls_priority_init()` function of GnuTLS.
    222 
    223 Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings)
    224 for details. A few commonly used sets are listed below, note that
    225 their exact meaning may change with GnuTLS versions.
    226 
    227 `PERFORMANCE`
    228 :   A list with all the secure cipher combinations sorted in terms of
    229     performance.
    230 
    231 `NORMAL`
    232 :   A list with all the secure cipher combinations sorted
    233     with respect to security margin (subjective term).
    234 
    235 `SECURE128`
    236 :   A list with all the secure cipher suites that offer a security level
    237     of 128-bit or more.
    238 
    239 `PFS`
    240 :   Only cipher suites offering perfect forward secrecy (ECDHE and DHE),
    241     sorted by security margin.
    242 
    243 You can add or remove algorithms using the `+` and `!` prefixes
    244 respectively. For example, in order to use the `NORMAL` set but
    245 disable TLS 1.0 and 1.1 you can use the string
    246 `NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`.
    247 
    248 You can find a list of all supported Ciphers, Versions, MACs, etc.  by
    249 running `gnutls-cli --list`.
     215Default: `NORMAL`\
     216Context: server config, virtual host
     217
     218Sets the allowed protocol version(s), ciphers, key exchange methods,
     219message authentication codes, and other TLS parameters for the server.
     220The parameter is a GnuTLS priority string as described in the
     221[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
     222
     223For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`.
    250224
    251225### GnuTLSP11Module
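Review bot: the new paragraph ends "as described in the [the GnuTLS documentation](...)", a doubled article; drop one "the". Two things from the removed text are worth keeping in some form: the caveat that the exact meaning of a keyword set changes between GnuTLS versions, which matters more now that `NORMAL` is applied implicitly rather than typed in by the admin, and the `gnutls-cli --list` hint for discovering supported keywords. A sentence such as "The exact set of algorithms enabled by `NORMAL` depends on the GnuTLS version in use; run `gnutls-cli --list` to see what the installed version supports." would cover both. Also, the retained example line `GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N` still relies on the `+` modifier, while the only modifier the new text explains is `-` in `NORMAL:-VERS-TLS1.0`; either keep a one-line note that `+` adds and `-` or `!` removes an algorithm, or change the example to match the text.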
     
    490464    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
    491465
    492 Default: *none*\
    493 Context: server config, virtual host
    494 
    495 This option is used to set the allowed ciphers, key exchange
    496 algorithms, MACs and compression methods for proxy connections. It
    497 takes the same parameters as `GnuTLSPriorities`. Required if
    498 `GnuTLSProxyEngine` is `On`.
     466Default: `NORMAL`\
     467Context: server config, virtual host
     468
     469Sets the allowed protocol version(s), ciphers, key exchange methods,
     470message authentication codes, and other TLS parameters for TLS proxy
     471connections. Like for `GnuTLSPriorities` the parameter is a GnuTLS
     472priority string as described in the
     473[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
    499474
    500475OCSP Stapling Configuration
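Review bot: same doubled article as in the `GnuTLSPriorities` section, "as described in the [the GnuTLS documentation](...)"; drop one "the". Dropping the old "Required if `GnuTLSProxyEngine` is `On`" sentence is consistent with the new default, but it would help to say so explicitly, e.g. "If unset, proxy connections use `NORMAL`.", so a reader of the old manual does not assume the directive is still mandatory.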
     
    754729         GnuTLSEnable on
    755730         GnuTLSSessionTickets on
    756          GnuTLSPriorities NORMAL
    757731         DocumentRoot /www/site1.example.com/html
    758732         ServerName site1.example.com:443
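Review bot: removing the explicit `GnuTLSPriorities NORMAL` is fine now that it is the default, but after this change none of the example virtual hosts show the directive at all. Consider leaving one example with a non-default string, such as the `NORMAL:-VERS-TLS1.0` used in the manual text above, so readers see how the directive sits in a `<VirtualHost>` block.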
     
    763737     <VirtualHost _default_:443>
    764738         GnuTLSEnable on
    765          GnuTLSPriorities NORMAL
    766739         DocumentRoot /www/site2.example.com/html
    767740         ServerName site2.example.com:443
     
    772745     <VirtualHost _default_:443>
    773746         GnuTLSEnable on
    774          GnuTLSPriorities NORMAL
    775747         DocumentRoot /www/site3.example.com/html
    776748         ServerName site3.example.com:443
     
    781753     <VirtualHost _default_:443>
    782754         GnuTLSEnable on
    783          GnuTLSPriorities NORMAL
    784755         DocumentRoot /www/site4.example.com/html
    785756         ServerName site4.example.com:443
     
    804775     <VirtualHost _default_:443>
    805776         GnuTLSEnable          On
    806          GnuTLSPriorities      NORMAL
    807777         DocumentRoot          /www/site1.example.com/html
    808778         ServerName            site1.example.com:443
    809779         GnuTLSCertificateFile conf/tls/site1.crt
    810780         GnuTLSKeyFile         conf/tls/site1.key
    811          GnuTLSPriorities      NORMAL
    812781         GnuTLSOCSPStapling    On
    813782     </VirtualHost>
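Review bot: this block had `GnuTLSPriorities NORMAL` twice in the same virtual host (old lines 806 and 811), so the removal also clears a duplicate; worth mentioning in the commit message. Minor style point visible in the context lines: this example writes `GnuTLSEnable On` while the earlier ones write `GnuTLSEnable on`; since the manual is being touched anyway, pick one spelling for all examples.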