Changeset df49a2d in mod_gnutls for doc

Timestamp:

Jun 20, 2016, 3:23:21 PM (7 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, main, master, proxy-ticket, upstream

Children:

9c456a9

Parents:

c3c96ca

Message:

Handbook: Sort options into subsections

File:

• doc/mod_gnutls_manual.mdwn (modified) (20 diffs)

doc/mod_gnutls_manual.mdwn

@@ -53 +53 @@
 ========================
 
-`GnuTLSEnable`
---------------
+General Options
+---------------
+
+### GnuTLSEnable
 
 Enable GnuTLS for this virtual host
@@ -65 +67 @@
 This directive enables SSL/TLS Encryption for a Virtual Host.
 
-`GnuTLSCache`
--------------
+### GnuTLSCache
 
 Configure TLS Session Cache
@@ -108 +109 @@
     requires no configuration.
 
-`GnuTLSCacheTimeout`
---------------------
+### GnuTLSCacheTimeout
 
 Timeout for TLS Session Cache expiration
@@ -122 +122 @@
 expiration time of the ticket in seconds.
 
-`GnuTLSSessionTickets`
-----------------------
+### GnuTLSSessionTickets
 
 Enable Session Tickets for the server
@@ -147 +146 @@
 attacker gains access to server memory.
 
-`GnuTLSCertificateFile`
------------------------
-
-Set to the PEM Encoded Server Certificate
-
-    GnuTLSCertificateFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to a PEM-encoded X.509 certificate to
-use as this Server's End Entity (EE) certificate. If you need to supply
-certificates for intermediate Certificate Authorities (iCAs), they
-should be listed in sequence in the file, from EE to the iCA closest to
-the root CA. Optionally, you can also include the root CA's certificate
-as the last certificate in the list.
-
-Since version 0.7 this can be a PKCS #11 URL.
-
-`GnuTLSKeyFile`
----------------
-
-Set to the PEM Encoded Server Private Key
-
-    GnuTLSKeyFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to the Server Private Key. Set
-`GnuTLSPIN` if the key file is encrypted.
-
-Since version 0.7 this can be a PKCS #11 URL.
-
-**Security Warning:**\
-This private key must be protected. It is read while Apache is still
-running as root, and does not need to be readable by the nobody or
-apache user.
-
-`GnuTLSPGPCertificateFile`
---------------------------
-
-Set to a base64 Encoded Server OpenPGP Certificate
-
-    GnuTLSPGPCertificateFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to a base64 Encoded OpenPGP
-Certificate to use as this Server's Certificate.
-
-`GnuTLSPGPKeyFile`
-------------------
-
-Set to the Server OpenPGP Secret Key
-
-    GnuTLSPGPKeyFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to the Server Private Key. This key
-cannot currently be password protected.
-
-**Security Warning:**\
- This private key must be protected. It is read while Apache is still
-running as root, and does not need to be readable by the nobody or
-apache user.
-
-`GnuTLSClientVerify`
---------------------
-
-Enable Client Certificate Verification\
+### GnuTLSClientVerify
+
+Enable Client Certificate Verification
 
     GnuTLSClientVerify [ignore|request|require]
@@ -246 +174 @@
     environment variable will only be set to `SUCCESS`.
 
-`GnuTLSClientCAFile`
---------------------
-
-Set to the PEM Encoded Certificate Authority Certificate
-
-    GnuTLSClientCAFile FILEPATH
-
-Default: *none*
-Context: server config, virtual host
-
-Takes an absolute or relative path to a PEM Encoded Certificate to use
-as a Certificate Authority with Client Certificate Authentication.
-This file may contain a list of trusted authorities.
-
-`GnuTLSPGPKeyringFile`
-----------------------
-
-Set to a base64 Encoded key ring
-
-    GnuTLSPGPKeyringFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to a base64 Encoded Certificate
-list (key ring) to use as a means of verification of Client
-Certificates.  This file should contain a list of trusted signers.
-
-`GnuTLSDHFile`
---------------
+### GnuTLSDHFile
 
 Set to the PKCS \#3 encoded Diffie Hellman parameters
@@ -289 +188 @@
 2048`.  If not set `mod_gnutls` will use the included parameters.
 
-`GnuTLSSRPPasswdFile`
----------------------
-
-Set to the SRP password file for SRP ciphersuites
-
-    GnuTLSSRPPasswdFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to an SRP password file. This is
-the same format as used in libsrp.  You can generate such file using
-the command `srptool --passwd /etc/tpasswd --passwd-conf
-/etc/tpasswd.conf -u test` to set a password for user test.  This
-password file holds the username, a password verifier and the
-dependency to the SRP parameters.
-
-`GnuTLSSRPPasswdConfFile`
--------------------------
-
-Set to the SRP password.conf file for SRP ciphersuites
-
-    GnuTLSSRPPasswdConfFile FILEPATH 
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to an SRP password.conf file. This
-is the same format as used in `libsrp`.  You can generate such file
-using the command `srptool --create-conf /etc/tpasswd.conf`.  This
-file holds the SRP parameters and is associate with the password file
-(the verifiers depends on these parameters).
-
-`GnuTLSPriorities`
-------------------
+### GnuTLSPriorities
 
 Set the allowed protocol versions, ciphers, key exchange algorithms,
@@ -366 +231 @@
 running `gnutls-cli --list`.
 
-`GnuTLSP11Module`
-------------------
+### GnuTLSP11Module
 
 Load this PKCS #11 module.
@@ -379 +243 @@
 defaults. May occur multiple times to load multiple modules.
 
-`GnuTLSPIN`
-------------------
+### GnuTLSPIN
 
 Set the PIN to be used to access encrypted key files or PKCS #11 objects.
@@ -393 +256 @@
 or openssl encrypted keys.
 
-`GnuTLSSRKPIN`
-------------------
-
-Set the SRK PIN to be used to unlaccess the TPM.
+### GnuTLSSRKPIN
+
+Set the SRK PIN to be used to access the TPM.
 
     GnuTLSSRKPIN XXXXXX
@@ -406 +268 @@
 the TPM module.
 
-`GnuTLSExportCertificates`
---------------------------
+### GnuTLSExportCertificates
 
 Export the PEM encoded certificates to CGIs
@@ -434 +295 @@
 environment variables to the CGI process as `mod_ssl`.
 
-
-`GnuTLSProxyEngine`
---------------
+X.509 Certificate Authentication
+--------------------------------
+
+### GnuTLSCertificateFile
+
+Set to the PEM Encoded Server Certificate
+
+    GnuTLSCertificateFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to a PEM-encoded X.509 certificate to
+use as this Server's End Entity (EE) certificate. If you need to supply
+certificates for intermediate Certificate Authorities (iCAs), they
+should be listed in sequence in the file, from EE to the iCA closest to
+the root CA. Optionally, you can also include the root CA's certificate
+as the last certificate in the list.
+
+Since version 0.7 this can be a PKCS #11 URL.
+
+### GnuTLSKeyFile
+
+Set to the PEM Encoded Server Private Key
+
+    GnuTLSKeyFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to the Server Private Key. Set
+`GnuTLSPIN` if the key file is encrypted.
+
+Since version 0.7 this can be a PKCS #11 URL.
+
+**Security Warning:**\
+This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+
+### GnuTLSClientCAFile
+
+Set the PEM encoded Certificate Authority list to use for X.509 base
+client authentication
+
+    GnuTLSClientCAFile FILEPATH
+
+Default: *none*
+Context: server config, virtual host
+
+Takes an absolute or relative path to a PEM Encoded Certificate to use
+as a Certificate Authority with Client Certificate Authentication.
+This file may contain a list of trusted authorities.
+
+OpenPGP Certificate Authentication
+----------------------------------
+
+### GnuTLSPGPCertificateFile
+
+Set to a base64 Encoded Server OpenPGP Certificate
+
+    GnuTLSPGPCertificateFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to a base64 Encoded OpenPGP
+Certificate to use as this Server's Certificate.
+
+### GnuTLSPGPKeyFile
+
+Set to the Server OpenPGP Secret Key
+
+    GnuTLSPGPKeyFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to the Server Private Key. This key
+cannot currently be password protected.
+
+**Security Warning:**\
+ This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+
+### GnuTLSPGPKeyringFile
+
+Set to a base64 Encoded key ring
+
+    GnuTLSPGPKeyringFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to a base64 Encoded Certificate
+list (key ring) to use as a means of verification of Client
+Certificates.  This file should contain a list of trusted signers.
+
+SRP Authentication
+------------------
+
+### GnuTLSSRPPasswdFile
+
+Set to the SRP password file for SRP ciphersuites
+
+    GnuTLSSRPPasswdFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to an SRP password file. This is
+the same format as used in libsrp.  You can generate such file using
+the command `srptool --passwd /etc/tpasswd --passwd-conf
+/etc/tpasswd.conf -u test` to set a password for user test.  This
+password file holds the username, a password verifier and the
+dependency to the SRP parameters.
+
+### GnuTLSSRPPasswdConfFile
+
+Set to the SRP password.conf file for SRP ciphersuites
+
+    GnuTLSSRPPasswdConfFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to an SRP password.conf file. This
+is the same format as used in `libsrp`.  You can generate such file
+using the command `srptool --create-conf /etc/tpasswd.conf`.  This
+file holds the SRP parameters and is associate with the password file
+(the verifiers depends on these parameters).
+
+TLS Proxy Configuration
+-----------------------
+
+### GnuTLSProxyEngine
 
 Enable TLS proxy connections for this virtual host
@@ -448 +443 @@
 host.
 
-`GnuTLSProxyCAFile`
---------------------
+### GnuTLSProxyCAFile
 
 Set to the PEM encoded Certificate Authority Certificate
@@ -464 +458 @@
 always fail due to lack of a trusted CA.
 
-`GnuTLSProxyCRLFile`
---------------------
+### GnuTLSProxyCRLFile
 
 Set to the PEM encoded Certificate Revocation List
@@ -478 +471 @@
 back end servers. The file may contain a list of CRLs.
 
-`GnuTLSProxyCertificateFile`
------------------------
+### GnuTLSProxyCertificateFile
 
 Set to the PEM encoded Client Certificate
@@ -500 +492 @@
 provide the matching private key.
 
-`GnuTLSProxyKeyFile`
----------------
+### GnuTLSProxyKeyFile
 
 Set to the PEM encoded Private Key
@@ -519 +510 @@
 apache user.
 
-`GnuTLSProxyPriorities`
-------------------
+### GnuTLSProxyPriorities
 
 Set the allowed ciphers, key exchange algorithms, MACs and compression
@@ -535 +525 @@
 `GnuTLSProxyEngine` is `On`.
 
-`GnuTLSOCSPStapling`
-------------------
+OCSP Stapling Configuration
+---------------------------
+
+### GnuTLSOCSPStapling
 
 EXPERIMENTAL: Enable OCSP stapling for this (virtual) host.
@@ -562 +554 @@
 OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
 
-`GnuTLSOCSPResponseFile`
-------------------
+### GnuTLSOCSPResponseFile
 
 EXPERIMENTAL: Read the OCSP response for stapling from this file
@@ -582 +573 @@
 * Testing
 
-`GnuTLSOCSPGraceTime`
-------------------
+### GnuTLSOCSPGraceTime
 
 EXPERIMENTAL: Replace cached OCSP responses this many seconds before