Changeset 999cdec in mod_gnutls


Ignore:
Timestamp:
Feb 23, 2014, 1:00:08 PM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
2aaf4f5
Parents:
04f48a2
git-author:
Daniel Kahn Gillmor <dkg@…> (02/23/14 12:59:05)
git-committer:
Daniel Kahn Gillmor <dkg@…> (02/23/14 13:00:08)
Message:

GnuTLSExportCertificates should control maximum size of exported certs

The server administrator should be able to control the maximum size of
the exported certificate environment variables. This will be done via
the existing GnuTLSExportCertificates environment variable.

This patch adds documentation of intended new feature and a test for
support. The test currently fails because the feature is not
implemented.

Files:
4 added
1 edited

Legend:

Unmodified
Added
Removed
  • docs/mod_gnutls_manual.mdwn

    r04f48a2 r999cdec  
    373373Export the PEM encoded certificates to CGIs
    374374
    375     GnuTLSExportCertificates [on|off]
     375    GnuTLSExportCertificates [off|on|SIZE]
    376376
    377377Default: `off`\
    378378Context: server config, virtual host
    379379
    380 This directive enables exporting the full certificates of the server and
    381 the client to CGI scripts. The exported certificates will be PEM-encoded
    382 (if X.509) or ASCII-armored (if OpenPGP).
     380This directive configures exporting the full certificates of the
     381server and the client to CGI scripts via the `SSL_SERVER_CERT` and
     382`SSL_CLIENT_CERT` environment variables. The exported certificates
     383will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
     384size given.  The type of the certificate will be exported in
     385`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
     386
     387SIZE should be an integer number of bytes, or may be written with a
     388trailing `K` to indicate kibibytes.  `off` means the same thing as
     389`0`, in which case the certificates will not be exported to the
     390environment.  `on` is an alias for `16K`.  If a non-zero size is
     391specified for this directive, but a certificate is too large to fit in
     392the buffer, then the corresponding environment variable will contain
     393the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
     394
    383395With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
    384396environment variables to the CGI process as `mod_ssl`.
     
    671683The public key algorithm in server's certificate.
    672684
    673 `SSL_SERVER1_CERT`
     685`SSL_SERVER_CERT`
    674686------------------
    675687
    676 The PEM-encoded server certificate.
     688The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
     689(see the `GnuTLSExportCertificates` directive).
    677690
    678691`SSL_SERVER_CERT_TYPE`
     
    681694The certificate type can be `X.509` or `OPENPGP`.
    682695
     696`SSL_CLIENT_CERT`
     697------------------
     698
     699The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
     700(see the `GnuTLSExportCertificates` directive).
     701
    683702`SSL_CLIENT_CERT_TYPE`
    684703----------------------
Note: See TracChangeset for help on using the changeset viewer.