Changeset df49a2d in mod_gnutls for doc


Ignore:
Timestamp:
Jun 20, 2016, 3:23:21 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
9c456a9
Parents:
c3c96ca
Message:

Handbook: Sort options into subsections

File:
1 edited

Legend:

Unmodified
Added
Removed
  • doc/mod_gnutls_manual.mdwn

    rc3c96ca rdf49a2d  
    5353========================
    5454
    55 `GnuTLSEnable`
    56 --------------
     55General Options
     56---------------
     57
     58### GnuTLSEnable
    5759
    5860Enable GnuTLS for this virtual host
     
    6567This directive enables SSL/TLS Encryption for a Virtual Host.
    6668
    67 `GnuTLSCache`
    68 -------------
     69### GnuTLSCache
    6970
    7071Configure TLS Session Cache
     
    108109    requires no configuration.
    109110
    110 `GnuTLSCacheTimeout`
    111 --------------------
     111### GnuTLSCacheTimeout
    112112
    113113Timeout for TLS Session Cache expiration
     
    122122expiration time of the ticket in seconds.
    123123
    124 `GnuTLSSessionTickets`
    125 ----------------------
     124### GnuTLSSessionTickets
    126125
    127126Enable Session Tickets for the server
     
    147146attacker gains access to server memory.
    148147
    149 `GnuTLSCertificateFile`
    150 -----------------------
    151 
    152 Set to the PEM Encoded Server Certificate
    153 
    154     GnuTLSCertificateFile FILEPATH
    155 
    156 Default: *none*\
    157 Context: server config, virtual host
    158 
    159 Takes an absolute or relative path to a PEM-encoded X.509 certificate to
    160 use as this Server's End Entity (EE) certificate. If you need to supply
    161 certificates for intermediate Certificate Authorities (iCAs), they
    162 should be listed in sequence in the file, from EE to the iCA closest to
    163 the root CA. Optionally, you can also include the root CA's certificate
    164 as the last certificate in the list.
    165 
    166 Since version 0.7 this can be a PKCS #11 URL.
    167 
    168 `GnuTLSKeyFile`
    169 ---------------
    170 
    171 Set to the PEM Encoded Server Private Key
    172 
    173     GnuTLSKeyFile FILEPATH
    174 
    175 Default: *none*\
    176 Context: server config, virtual host
    177 
    178 Takes an absolute or relative path to the Server Private Key. Set
    179 `GnuTLSPIN` if the key file is encrypted.
    180 
    181 Since version 0.7 this can be a PKCS #11 URL.
    182 
    183 **Security Warning:**\
    184 This private key must be protected. It is read while Apache is still
    185 running as root, and does not need to be readable by the nobody or
    186 apache user.
    187 
    188 `GnuTLSPGPCertificateFile`
    189 --------------------------
    190 
    191 Set to a base64 Encoded Server OpenPGP Certificate
    192 
    193     GnuTLSPGPCertificateFile FILEPATH
    194 
    195 Default: *none*\
    196 Context: server config, virtual host
    197 
    198 Takes an absolute or relative path to a base64 Encoded OpenPGP
    199 Certificate to use as this Server's Certificate.
    200 
    201 `GnuTLSPGPKeyFile`
    202 ------------------
    203 
    204 Set to the Server OpenPGP Secret Key
    205 
    206     GnuTLSPGPKeyFile FILEPATH
    207 
    208 Default: *none*\
    209 Context: server config, virtual host
    210 
    211 Takes an absolute or relative path to the Server Private Key. This key
    212 cannot currently be password protected.
    213 
    214 **Security Warning:**\
    215  This private key must be protected. It is read while Apache is still
    216 running as root, and does not need to be readable by the nobody or
    217 apache user.
    218 
    219 `GnuTLSClientVerify`
    220 --------------------
    221 
    222 Enable Client Certificate Verification\
     148### GnuTLSClientVerify
     149
     150Enable Client Certificate Verification
    223151
    224152    GnuTLSClientVerify [ignore|request|require]
     
    246174    environment variable will only be set to `SUCCESS`.
    247175
    248 `GnuTLSClientCAFile`
    249 --------------------
    250 
    251 Set to the PEM Encoded Certificate Authority Certificate
    252 
    253     GnuTLSClientCAFile FILEPATH
    254 
    255 Default: *none*
    256 Context: server config, virtual host
    257 
    258 Takes an absolute or relative path to a PEM Encoded Certificate to use
    259 as a Certificate Authority with Client Certificate Authentication.
    260 This file may contain a list of trusted authorities.
    261 
    262 `GnuTLSPGPKeyringFile`
    263 ----------------------
    264 
    265 Set to a base64 Encoded key ring
    266 
    267     GnuTLSPGPKeyringFile FILEPATH
    268 
    269 Default: *none*\
    270 Context: server config, virtual host
    271 
    272 Takes an absolute or relative path to a base64 Encoded Certificate
    273 list (key ring) to use as a means of verification of Client
    274 Certificates.  This file should contain a list of trusted signers.
    275 
    276 `GnuTLSDHFile`
    277 --------------
     176### GnuTLSDHFile
    278177
    279178Set to the PKCS \#3 encoded Diffie Hellman parameters
     
    2891882048`.  If not set `mod_gnutls` will use the included parameters.
    290189
    291 `GnuTLSSRPPasswdFile`
    292 ---------------------
    293 
    294 Set to the SRP password file for SRP ciphersuites
    295 
    296     GnuTLSSRPPasswdFile FILEPATH
    297 
    298 Default: *none*\
    299 Context: server config, virtual host
    300 
    301 Takes an absolute or relative path to an SRP password file. This is
    302 the same format as used in libsrp.  You can generate such file using
    303 the command `srptool --passwd /etc/tpasswd --passwd-conf
    304 /etc/tpasswd.conf -u test` to set a password for user test.  This
    305 password file holds the username, a password verifier and the
    306 dependency to the SRP parameters.
    307 
    308 `GnuTLSSRPPasswdConfFile`
    309 -------------------------
    310 
    311 Set to the SRP password.conf file for SRP ciphersuites
    312 
    313     GnuTLSSRPPasswdConfFile FILEPATH
    314 
    315 Default: *none*\
    316 Context: server config, virtual host
    317 
    318 Takes an absolute or relative path to an SRP password.conf file. This
    319 is the same format as used in `libsrp`.  You can generate such file
    320 using the command `srptool --create-conf /etc/tpasswd.conf`.  This
    321 file holds the SRP parameters and is associate with the password file
    322 (the verifiers depends on these parameters).
    323 
    324 `GnuTLSPriorities`
    325 ------------------
     190### GnuTLSPriorities
    326191
    327192Set the allowed protocol versions, ciphers, key exchange algorithms,
     
    366231running `gnutls-cli --list`.
    367232
    368 `GnuTLSP11Module`
    369 ------------------
     233### GnuTLSP11Module
    370234
    371235Load this PKCS #11 module.
     
    379243defaults. May occur multiple times to load multiple modules.
    380244
    381 `GnuTLSPIN`
    382 ------------------
     245### GnuTLSPIN
    383246
    384247Set the PIN to be used to access encrypted key files or PKCS #11 objects.
     
    393256or openssl encrypted keys.
    394257
    395 `GnuTLSSRKPIN`
    396 ------------------
    397 
    398 Set the SRK PIN to be used to unlaccess the TPM.
     258### GnuTLSSRKPIN
     259
     260Set the SRK PIN to be used to access the TPM.
    399261
    400262    GnuTLSSRKPIN XXXXXX
     
    406268the TPM module.
    407269
    408 `GnuTLSExportCertificates`
    409 --------------------------
     270### GnuTLSExportCertificates
    410271
    411272Export the PEM encoded certificates to CGIs
     
    434295environment variables to the CGI process as `mod_ssl`.
    435296
    436 
    437 `GnuTLSProxyEngine`
    438 --------------
     297X.509 Certificate Authentication
     298--------------------------------
     299
     300### GnuTLSCertificateFile
     301
     302Set to the PEM Encoded Server Certificate
     303
     304    GnuTLSCertificateFile FILEPATH
     305
     306Default: *none*\
     307Context: server config, virtual host
     308
     309Takes an absolute or relative path to a PEM-encoded X.509 certificate to
     310use as this Server's End Entity (EE) certificate. If you need to supply
     311certificates for intermediate Certificate Authorities (iCAs), they
     312should be listed in sequence in the file, from EE to the iCA closest to
     313the root CA. Optionally, you can also include the root CA's certificate
     314as the last certificate in the list.
     315
     316Since version 0.7 this can be a PKCS #11 URL.
     317
     318### GnuTLSKeyFile
     319
     320Set to the PEM Encoded Server Private Key
     321
     322    GnuTLSKeyFile FILEPATH
     323
     324Default: *none*\
     325Context: server config, virtual host
     326
     327Takes an absolute or relative path to the Server Private Key. Set
     328`GnuTLSPIN` if the key file is encrypted.
     329
     330Since version 0.7 this can be a PKCS #11 URL.
     331
     332**Security Warning:**\
     333This private key must be protected. It is read while Apache is still
     334running as root, and does not need to be readable by the nobody or
     335apache user.
     336
     337### GnuTLSClientCAFile
     338
     339Set the PEM encoded Certificate Authority list to use for X.509 base
     340client authentication
     341
     342    GnuTLSClientCAFile FILEPATH
     343
     344Default: *none*
     345Context: server config, virtual host
     346
     347Takes an absolute or relative path to a PEM Encoded Certificate to use
     348as a Certificate Authority with Client Certificate Authentication.
     349This file may contain a list of trusted authorities.
     350
     351OpenPGP Certificate Authentication
     352----------------------------------
     353
     354### GnuTLSPGPCertificateFile
     355
     356Set to a base64 Encoded Server OpenPGP Certificate
     357
     358    GnuTLSPGPCertificateFile FILEPATH
     359
     360Default: *none*\
     361Context: server config, virtual host
     362
     363Takes an absolute or relative path to a base64 Encoded OpenPGP
     364Certificate to use as this Server's Certificate.
     365
     366### GnuTLSPGPKeyFile
     367
     368Set to the Server OpenPGP Secret Key
     369
     370    GnuTLSPGPKeyFile FILEPATH
     371
     372Default: *none*\
     373Context: server config, virtual host
     374
     375Takes an absolute or relative path to the Server Private Key. This key
     376cannot currently be password protected.
     377
     378**Security Warning:**\
     379 This private key must be protected. It is read while Apache is still
     380running as root, and does not need to be readable by the nobody or
     381apache user.
     382
     383### GnuTLSPGPKeyringFile
     384
     385Set to a base64 Encoded key ring
     386
     387    GnuTLSPGPKeyringFile FILEPATH
     388
     389Default: *none*\
     390Context: server config, virtual host
     391
     392Takes an absolute or relative path to a base64 Encoded Certificate
     393list (key ring) to use as a means of verification of Client
     394Certificates.  This file should contain a list of trusted signers.
     395
     396SRP Authentication
     397------------------
     398
     399### GnuTLSSRPPasswdFile
     400
     401Set to the SRP password file for SRP ciphersuites
     402
     403    GnuTLSSRPPasswdFile FILEPATH
     404
     405Default: *none*\
     406Context: server config, virtual host
     407
     408Takes an absolute or relative path to an SRP password file. This is
     409the same format as used in libsrp.  You can generate such file using
     410the command `srptool --passwd /etc/tpasswd --passwd-conf
     411/etc/tpasswd.conf -u test` to set a password for user test.  This
     412password file holds the username, a password verifier and the
     413dependency to the SRP parameters.
     414
     415### GnuTLSSRPPasswdConfFile
     416
     417Set to the SRP password.conf file for SRP ciphersuites
     418
     419    GnuTLSSRPPasswdConfFile FILEPATH
     420
     421Default: *none*\
     422Context: server config, virtual host
     423
     424Takes an absolute or relative path to an SRP password.conf file. This
     425is the same format as used in `libsrp`.  You can generate such file
     426using the command `srptool --create-conf /etc/tpasswd.conf`.  This
     427file holds the SRP parameters and is associate with the password file
     428(the verifiers depends on these parameters).
     429
     430TLS Proxy Configuration
     431-----------------------
     432
     433### GnuTLSProxyEngine
    439434
    440435Enable TLS proxy connections for this virtual host
     
    448443host.
    449444
    450 `GnuTLSProxyCAFile`
    451 --------------------
     445### GnuTLSProxyCAFile
    452446
    453447Set to the PEM encoded Certificate Authority Certificate
     
    464458always fail due to lack of a trusted CA.
    465459
    466 `GnuTLSProxyCRLFile`
    467 --------------------
     460### GnuTLSProxyCRLFile
    468461
    469462Set to the PEM encoded Certificate Revocation List
     
    478471back end servers. The file may contain a list of CRLs.
    479472
    480 `GnuTLSProxyCertificateFile`
    481 -----------------------
     473### GnuTLSProxyCertificateFile
    482474
    483475Set to the PEM encoded Client Certificate
     
    500492provide the matching private key.
    501493
    502 `GnuTLSProxyKeyFile`
    503 ---------------
     494### GnuTLSProxyKeyFile
    504495
    505496Set to the PEM encoded Private Key
     
    519510apache user.
    520511
    521 `GnuTLSProxyPriorities`
    522 ------------------
     512### GnuTLSProxyPriorities
    523513
    524514Set the allowed ciphers, key exchange algorithms, MACs and compression
     
    535525`GnuTLSProxyEngine` is `On`.
    536526
    537 `GnuTLSOCSPStapling`
    538 ------------------
     527OCSP Stapling Configuration
     528---------------------------
     529
     530### GnuTLSOCSPStapling
    539531
    540532EXPERIMENTAL: Enable OCSP stapling for this (virtual) host.
     
    562554OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
    563555
    564 `GnuTLSOCSPResponseFile`
    565 ------------------
     556### GnuTLSOCSPResponseFile
    566557
    567558EXPERIMENTAL: Read the OCSP response for stapling from this file
     
    582573* Testing
    583574
    584 `GnuTLSOCSPGraceTime`
    585 ------------------
     575### GnuTLSOCSPGraceTime
    586576
    587577EXPERIMENTAL: Replace cached OCSP responses this many seconds before
Note: See TracChangeset for help on using the changeset viewer.