Changeset ea9c699 in mod_gnutls for doc


Timestamp:
Jan 28, 2019, 2:50:38 PM (22 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master
Children:
19e80a5
Parents:
8a264b0 (diff), 510764a (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

New upstream version 0.9.0

Location:
doc
Files:
2 added
2 edited

  • doc/Makefile.am

    r8a264b0 rea9c699  
    1 EXTRA_DIST = mod_gnutls_manual.mdwn
     1EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in
    22
    33if USE_PANDOC
    44html_DATA = mod_gnutls_manual.html
     5man3_MANS = mod_gnutls_manual.man
    56if USE_PDFLATEX
    67# pandoc && pdflatex
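Review bot: `man3_MANS = mod_gnutls_manual.man` installs the manual into manual section 3, which is reserved for library functions; a page describing an Apache module's configuration directives conventionally belongs in section 7 (miscellaneous) or 8 (administration), so `man7_MANS` would be the more appropriate variable. Automake derives the installed section from the variable name, not from the `.man` extension, so the section choice here is the only thing that determines where `man mod_gnutls_manual` will find it.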
     
    1415endif
    1516
    16 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
     17MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man3_MANS)
    1718
    18 # pdf_DATA will be empty if pandoc isn't available
    19 $(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
     19%.yaml: %.yaml.in
     20        sed -e s/__MOD_GNUTLS_VERSION__/@MOD_GNUTLS_VERSION@/ < $< > $@
     21
     22if USE_PANDOC
     23%.man: %.mdwn %.yaml
     24        $(PANDOC) --standalone -f markdown -t man -o $@ $^
     25
     26if USE_PDFLATEX
     27%.pdf: %.mdwn
     28        $(PANDOC) --toc -f markdown -o $@ $<
     29endif
     30endif
     31
     32%.html: %.mdwn
    2033if USE_PANDOC
    2134        $(PANDOC) --toc --standalone -f markdown -o $@ $<
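Review bot: the generated `mod_gnutls_manual.yaml` (output of the new `%.yaml: %.yaml.in` rule) is not added to MOSTLYCLEANFILES alongside `$(man3_MANS)`, so `make clean` leaves it behind in the build tree; add it to the clean list. The `%.yaml`, `%.man`, `%.pdf` and `%.html` targets are GNU make pattern rules, which automake flags as non-portable unless `-Wno-portability` is set, so either document GNU make as a build requirement or use suffix rules. Also, `%.man` depends on `%.mdwn %.yaml` while `%.pdf` and `%.html` depend on `%.mdwn` only, so the version metadata substituted by `sed` reaches the man page but not the HTML or PDF output; confirm that difference is intended.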
  • doc/mod_gnutls_manual.mdwn

    r8a264b0 rea9c699  
    44
    55`mod_gnutls` is a module for the Apache web server that provides HTTPS
    6 (HTTP over Transport Layer Security (TLS) or the older Secure Sockets
    7 Layer (SSL)) using the GnuTLS library.  More information about the
    8 module can be found at [the project's website](https://mod.gnutls.org/).
     6(HTTP over Transport Layer Security (TLS)) using the GnuTLS library.
     7More information about the module can be found at
     8[the project's website](https://mod.gnutls.org/).
    99
    1010* * * * *
     
    4848    LoadModule gnutls_module modules/mod_gnutls.so
    4949
     50Note on HTTP/2
     51--------------
     52
     53HTTP/2 is supported with `mod_gnutls`. However, full support requires
     54compiling with GnuTLS 3.6.3 or later. When using lower versions all
     55virtual hosts using `mod_gnutls` with overlapping IP/port combinations
     56need to use identical `Protocols` directives for protocol negotiation
     57to work correctly.
     58
     59The technical reason is that using HTTP/2 requires ALPN (Application
     60Layer Protocol Negotiation) to be set up before GnuTLS parses the TLS
     61ClientHello message, but earlier hooks cannot use
     62`gnutls_server_name_get()` to retrieve SNI (Server Name Indication)
     63data for virtual host selection. Because of this `mod_gnutls` provides
     64its own early SNI parser, which requires the `gnutls_ext_raw_parse()`
     65function introduced in GnuTLS 3.6.3 to retrieve the extension data in
     66a *pre* client hello hook.
     67
     68During build `./configure` will report "Early SNI: yes" if your
     69version of GnuTLS is new enough.
     70
    5071* * * * *
    5172
     
    5374========================
    5475
    55 `GnuTLSEnable`
    56 --------------
     76General Options
     77---------------
     78
     79### GnuTLSEnable
    5780
    5881Enable GnuTLS for this virtual host
     
    6588This directive enables SSL/TLS Encryption for a Virtual Host.
    6689
    67 `GnuTLSCache`
    68 -------------
    69 
    70 Configure SSL Session Cache
    71 
    72     GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]
     90### GnuTLSCache
     91
     92Configure TLS Session Cache
     93
     94    GnuTLSCache (shmcb|dbm|memcache|...|none)[:PARAMETERS]
    7395
    7496Default: `GnuTLSCache none`\
    7597Context: server config
    7698
    77 This directive configures the SSL Session Cache for `mod_gnutls`.
    78 This could be shared between machines of different architectures.
    79 
    80 `dbm` (Requires Berkeley DBM)
    81 :   Uses the default Berkeley DB backend of APR DBM to cache SSL
    82     Sessions results.  The argument is a relative or absolute path to
    83     be used as the DBM Cache file. This is compatible with most
    84     operating systems, but needs the Apache Runtime to be compiled
    85     with Berkeley DBM support.
    86 
    87 `gdbm`
    88 :   Uses the GDBM backend of APR DBM to cache SSL Sessions results.
    89 
    90     The argument is a relative or absolute path to be used as the DBM Cache
    91     file.  This is the recommended option.
     99This directive configures the TLS Session Cache for `mod_gnutls`. This
     100could be shared between machines of different architectures. If the
     101selected cache implementation is not thread-safe, access is serialized
     102using the `gnutls-cache` mutex.
     103
     104Which cache implementations are available depends on your Apache
     105installation and configuration, `mod_gnutls` can use any socache
     106provider. In general you will need to load a `mod_socache_PROVIDER`
     107module. Common options are described below, please check the Apache
     108HTTPD documentation for details on available providers and their
     109configuration.
     110
     111`shmcb`
     112:   Uses a shared memory segment. This is a high performance local
     113    cache. The parameter is a relative or absolute path to be used if
     114    the local shared memory implementation requires one, followed by
     115    the cache size in bytes enclosed in parentheses.
     116
     117    Example: `shmcb:cache/gnutls_cache(65536)`
     118
     119`dbm`
     120:   Uses a DBM cache file. The parameter is a relative or absolute
     121    path to be used as the DBM cache file.
     122
     123    Example: `dbm:cache/gnutls_cache`
    92124
    93125`memcache`
    94 :   Uses a memcached server to cache the SSL Session.
    95 
    96     The argument is a space separated list of servers. If no port
    97     number is supplied, the default of 11211 is used.  This can be
    98     used to share a session cache between all servers in a cluster.
     126:   Uses memcached server(s) to cache TLS session data. The parameter
     127    is a comma separated list of servers (host:port). This can be used
     128    to share a session cache between all servers in a cluster.
     129
     130    Example: `memcache:memcache.example.com:12345,memcache2.example.com:12345`
    99131
    100132`none`
    101 :   Turns off all caching of SSL Sessions.
    102 
    103     This can significantly reduce the performance of `mod_gnutls` since
    104     even followup connections by a client must renegotiate parameters
    105     instead of reusing old ones.  This is the default, since it
    106     requires no configuration.
    107 
    108 `GnuTLSCacheTimeout`
    109 --------------------
    110 
    111 Timeout for SSL Session Cache expiration
     133:   Turns off all caching of TLS sessions.
     134
     135    This can significantly reduce the performance of `mod_gnutls`
     136    since even followup connections by a client must renegotiate
     137    parameters instead of reusing old ones. This is the default, since
     138    it requires no configuration.
     139
     140    Session tickets are an alternative to using a session cache,
     141    please see `GnuTLSSessionTickets`. Note that for TLS 1.3 GnuTLS
     142    supports resumption using session tickets only as of version
     143    3.6.4.
     144
     145### GnuTLSCacheTimeout
     146
     147Timeout for TLS Session Cache expiration
    112148
    113149    GnuTLSCacheTimeout SECONDS
    114150
    115151Default: `GnuTLSCacheTimeout 300`\
    116 Context: server config
    117 
    118 Sets the timeout for SSL Session Cache entries expiration.  This
    119 directive is valid even if Session Tickets are used, and indicates the
    120 expiration time of the ticket in seconds.
    121 
    122 `GnuTLSSessionTickets`
    123 ----------------------
     152Context: server config, virtual host
     153
     154Sets the expiration timeout for cached TLS sessions.
     155
     156### GnuTLSSessionTickets
    124157
    125158Enable Session Tickets for the server
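Review bot: the GnuTLSCacheTimeout rewrite drops the sentence "This directive is valid even if Session Tickets are used, and indicates the expiration time of the ticket in seconds" without a replacement; the new `none` entry now points readers to `GnuTLSSessionTickets`, so say explicitly whether the timeout still governs ticket lifetime. `GnuTLSCacheTimeout` also gains the `virtual host` context here while `GnuTLSCache` itself remains `server config` only; a sentence explaining how per-vhost timeouts interact with the single shared cache would avoid confusion.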
     
    127160    GnuTLSSessionTickets [on|off]
    128161
    129 Default: `off`\
    130 Context: server config, virtual host
    131 
    132 To avoid storing data for TLS session resumption it is allowed to
    133 provide client with a ticket, to use on return.  Use for servers with
    134 limited storage, and don't combine with GnuTLSCache. For a pool of
    135 servers this option is not recommended since the tickets are unique
    136 for the issuing server only.
    137 
    138 
    139 `GnuTLSCertificateFile`
    140 -----------------------
    141 
    142 Set to the PEM Encoded Server Certificate
    143 
    144     GnuTLSCertificateFile FILEPATH
    145 
    146 Default: *none*\
    147 Context: server config, virtual host
    148 
    149 Takes an absolute or relative path to a PEM-encoded X.509 certificate to
    150 use as this Server's End Entity (EE) certificate. If you need to supply
    151 certificates for intermediate Certificate Authorities (iCAs), they
    152 should be listed in sequence in the file, from EE to the iCA closest to
    153 the root CA. Optionally, you can also include the root CA's certificate
    154 as the last certificate in the list.
    155 
    156 Since version 0.7 this can be a PKCS #11 URL.
    157 
    158 `GnuTLSKeyFile`
    159 ---------------
    160 
    161 Set to the PEM Encoded Server Private Key
    162 
    163     GnuTLSKeyFile FILEPATH
    164 
    165 Default: *none*\
    166 Context: server config, virtual host
    167 
    168 Takes an absolute or relative path to the Server Private Key. Set
    169 `GnuTLSPIN` if the key file is encrypted.
    170 
    171 Since version 0.7 this can be a PKCS #11 URL.
    172 
    173 **Security Warning:**\
    174 This private key must be protected. It is read while Apache is still
    175 running as root, and does not need to be readable by the nobody or
    176 apache user.
    177 
    178 `GnuTLSPGPCertificateFile`
    179 --------------------------
    180 
    181 Set to a base64 Encoded Server OpenPGP Certificate
    182 
    183     GnuTLSPGPCertificateFile FILEPATH
    184 
    185 Default: *none*\
    186 Context: server config, virtual host
    187 
    188 Takes an absolute or relative path to a base64 Encoded OpenPGP
    189 Certificate to use as this Server's Certificate.
    190 
    191 `GnuTLSPGPKeyFile`
    192 ------------------
    193 
    194 Set to the Server OpenPGP Secret Key
    195 
    196     GnuTLSPGPKeyFile FILEPATH
    197 
    198 Default: *none*\
    199 Context: server config, virtual host
    200 
    201 Takes an absolute or relative path to the Server Private Key. This key
    202 cannot currently be password protected.
    203 
    204 **Security Warning:**\
    205  This private key must be protected. It is read while Apache is still
    206 running as root, and does not need to be readable by the nobody or
    207 apache user.
    208 
    209 `GnuTLSClientVerify`
    210 --------------------
    211 
    212 Enable Client Certificate Verification\
     162Default: `on` with GnuTLS 3.6.4 and newer, `off` otherwise\
     163Context: server config, virtual host
     164
     165Session tickets allow TLS session resumption without session state
     166stored on the server, using encrypted tickets provided to the clients
     167instead. Tickets are an alternative to using a session cache, and
     168currently the only session resumption mechanism in TLS 1.3. For a pool
     169of servers this option is not recommended since the tickets are bound
     170to the issuing server only.
     171
     172If this option is set in the global configuration, virtual hosts
     173without a `GnuTLSSessionTickets` setting will use the global setting.
     174
     175*Warning:* With GnuTLS version before 3.6.4 the master key that
     176protects the tickets is generated only on server start, and there is
     177no mechanism to roll over the key. If session tickets are enabled it
     178is highly recommended to restart the server regularly to protect past
     179sessions in case an attacker gains access to server memory. GnuTLS
     1803.6.4 introduced an automatic TOTP-based key rollover, so this warning
     181does not apply any more and tickets are enabled by default.
     182
     183### GnuTLSClientVerify
     184
     185Enable Client Certificate Verification
    213186
    214187    GnuTLSClientVerify [ignore|request|require]
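Review bot: the old caveat "don't combine with GnuTLSCache" is removed but not replaced; state whether enabling a session cache and session tickets at the same time is supported, since the `none` cache entry earlier in this diff presents them as alternatives. The default also changes from `off` to `on` with GnuTLS 3.6.4 and newer, which activates a resumption mechanism that operators did not configure and deserves an explicit upgrade note. Finally, `GnuTLSPGPCertificateFile` and `GnuTLSPGPKeyFile` are deleted from the manual in this hunk (and `GnuTLSPGPKeyringFile` later in the diff) with no removal notice; if the module no longer accepts these directives, a short note telling upgraders that OpenPGP authentication is gone would help them fix configurations that will otherwise fail to load.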
     
    217190Context: server config, virtual host, directory, .htaccess
    218191
    219 This directive controls the use of SSL Client Certificate
     192This directive controls the use of TLS Client Certificate
    220193Authentication. If used in the .htaccess context, it can force TLS
    221194re-negotiation.
    222195
    223196`ignore`
    224 :   `mod_gnutls` will ignore the contents of any SSL Client Certificates
     197:   `mod_gnutls` will ignore the contents of any TLS Client Certificates
    225198    sent. It will not request that the client sends a certificate.
    226199
     
    236209    environment variable will only be set to `SUCCESS`.
    237210
    238 `GnuTLSClientCAFile`
    239 --------------------
    240 
    241 Set to the PEM Encoded Certificate Authority Certificate
     211### GnuTLSDHFile
     212
     213Use the provided PKCS \#3 encoded Diffie-Hellman parameters
     214
     215    GnuTLSDHFile FILEPATH
     216
     217Default: *none*\
     218Context: server config, virtual host
     219
     220By default, `mod_gnutls` uses the DH parameters included with GnuTLS
     221corresponding to the security level of the configured private keys if
     222compiled with GnuTLS 3.5.6 or newer, and the ffdhe2048 DH group as
     223defined in RFC 7919, Appendix A.1 otherwise.
     224
     225If you need to use different DH parameters, you can provide a PEM file
     226containing them in PKCS \#3 encoding using this option. Please see the
     227"[Parameter
     228generation](https://gnutls.org/manual/html_node/Parameter-generation.html)"
     229section of the GnuTLS documentation for a short discussion of the
     230security implications.
     231
     232### GnuTLSPriorities
     233
     234Set the allowed protocol versions, ciphers, key exchange algorithms,
     235MACs and compression methods
     236
     237    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
     238
     239Default: `NORMAL`\
     240Context: server config, virtual host
     241
     242Sets the allowed protocol version(s), ciphers, key exchange methods,
     243message authentication codes, and other TLS parameters for the server.
     244The parameter is a GnuTLS priority string as described in the
     245[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
     246
     247For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`.
     248
     249### GnuTLSP11Module
     250
     251Load this PKCS #11 module.
     252
     253    GnuTLSP11Module PATH_TO_LIBRARY
     254
     255Default: *none*\
     256Context: server config
     257
     258Load this PKCS #11 provider module, instead of the system
     259defaults. May occur multiple times to load multiple modules.
     260
     261### GnuTLSPIN
     262
     263Set the PIN to be used to access encrypted key files or PKCS #11 objects.
     264
     265    GnuTLSPIN XXXXXX
     266
     267Default: *none*\
     268Context: server config, virtual host
     269
     270Takes a string to be used as a PIN for the protected objects in
     271a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
     272or openssl encrypted keys.
     273
     274### GnuTLSSRKPIN
     275
     276Set the SRK PIN to be used to access the TPM.
     277
     278    GnuTLSSRKPIN XXXXXX
     279
     280Default: *none*\
     281Context: server config, virtual host
     282
     283Takes a string to be used as a PIN for the protected objects in
     284the TPM module.
     285
     286### GnuTLSExportCertificates
     287
     288Export the PEM encoded certificates to CGIs
     289
     290    GnuTLSExportCertificates [off|on|SIZE]
     291
     292Default: `off`\
     293Context: server config, virtual host
     294
     295This directive configures exporting the full certificates of the
     296server and the client to CGI scripts via the `SSL_SERVER_CERT` and
     297`SSL_CLIENT_CERT` environment variables. The exported certificates
     298will be PEM-encoded, limited to the given size. The type of the
     299certificate will be exported in `SSL_SERVER_CERT_TYPE` and
     300`SSL_CLIENT_CERT_TYPE`.
     301
     302SIZE should be an integer number of bytes, or may be written with a
     303trailing `K` to indicate kibibytes.  `off` means the same thing as
     304`0`, in which case the certificates will not be exported to the
     305environment. `on` is an alias for `16K`. If a non-zero size is
     306specified for this directive, but a certificate is too large to fit in
     307the buffer, then the corresponding environment variable will contain
     308the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
     309
     310With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
     311environment variables to the CGI process as `mod_ssl`.
     312
     313X.509 Certificate Authentication
     314--------------------------------
     315
     316### GnuTLSCertificateFile
     317
     318Set the PEM encoded server certificate or certificate chain
     319
     320    GnuTLSCertificateFile FILEPATH
     321
     322Default: *none*\
     323Context: server config, virtual host
     324
     325FILEPATH is an absolute or relative path to a file containing the
     326PEM-encoded X.509 certificate to use as this Server's End Entity (EE)
     327certificate, and optionally those of the issuing Certificate
     328Authorities (CAs). If the file contains multiple certificates they
     329should be ordered from EE to the CA closest to the root CA (or the
     330root CA itself).
     331
     332Including at least the immediately issuing CA is highly recommended
     333because it is required for OCSP stapling.
     334
     335Since version 0.7 this can be a PKCS #11 URL instead of a file.
     336
     337On Linux and other Unix-like systems you can create the file with a
     338command like this (assuming "CA 1" issued the server certificate and
     339has been issued by "Root CA" itself):
     340
     341        $ cat server.pem ca-1.pem root-ca.pem >server-chain.pem
     342
     343### GnuTLSKeyFile
     344
     345Set to the PEM Encoded Server Private Key
     346
     347    GnuTLSKeyFile FILEPATH
     348
     349Default: *none*\
     350Context: server config, virtual host
     351
     352Takes an absolute or relative path to the Server Private Key. Set
     353`GnuTLSPIN` if the key file is encrypted.
     354
     355Since version 0.7 this can be a PKCS #11 URL.
     356
     357**Security Warning:**\
     358This private key must be protected. It is read while Apache is still
     359running as root, and does not need to be readable by the nobody or
     360apache user.
     361
     362### GnuTLSClientCAFile
     363
     364Set the PEM encoded Certificate Authority list to use for X.509 base
     365client authentication
    242366
    243367    GnuTLSClientCAFile FILEPATH
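Review bot: two typos in the added text: under GnuTLSPriorities, "as described in the [the GnuTLS documentation]" has a doubled "the", and under GnuTLSClientCAFile, "X.509 base client authentication" should read "X.509 based". The GnuTLSPriorities default also moves from `*none*` to `` `NORMAL` `` here, while the removed text implied the directive was effectively required; confirm the module really applies `NORMAL` when the directive is absent so the documented default matches behaviour. Minor consistency point: the DH section escapes the hash as `PKCS \#3` while the PKCS #11 text in the same hunk does not escape it.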
     
    250374This file may contain a list of trusted authorities.
    251375
    252 `GnuTLSPGPKeyringFile`
    253 ----------------------
    254 
    255 Set to a base64 Encoded key ring
    256 
    257     GnuTLSPGPKeyringFile FILEPATH
    258 
    259 Default: *none*\
    260 Context: server config, virtual host
    261 
    262 Takes an absolute or relative path to a base64 Encoded Certificate
    263 list (key ring) to use as a means of verification of Client
    264 Certificates.  This file should contain a list of trusted signers.
    265 
    266 `GnuTLSDHFile`
    267 --------------
    268 
    269 Set to the PKCS \#3 encoded Diffie Hellman parameters
    270 
    271     GnuTLSDHFile FILEPATH
    272 
    273 Default: *none*\
    274 Context: server config, virtual host
    275 
    276 Takes an absolute or relative path to a PKCS \#3 encoded DH
    277 parameters.Those are used when the DHE key exchange method is enabled.
    278 You can generate this file using `certtool --generate-dh-params --bits
    279 2048`.  If not set `mod_gnutls` will use the included parameters.
    280 
    281 `GnuTLSSRPPasswdFile`
    282 ---------------------
     376SRP Authentication
     377------------------
     378
     379### GnuTLSSRPPasswdFile
    283380
    284381Set to the SRP password file for SRP ciphersuites
     
    296393dependency to the SRP parameters.
    297394
    298 `GnuTLSSRPPasswdConfFile`
    299 -------------------------
     395### GnuTLSSRPPasswdConfFile
    300396
    301397Set to the SRP password.conf file for SRP ciphersuites
    302398
    303     GnuTLSSRPPasswdConfFile FILEPATH 
     399    GnuTLSSRPPasswdConfFile FILEPATH
    304400
    305401Default: *none*\
     
    312408(the verifiers depends on these parameters).
    313409
    314 `GnuTLSPriorities`
    315 ------------------
    316 
    317 Set the allowed ciphers, key exchange algorithms, MACs and compression
    318 methods
    319 
    320     GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
    321 
    322 Default: *none*\
    323 Context: server config, virtual host
    324 
    325 Takes a semi-colon separated list of ciphers, key exchange methods
    326 Message authentication codes and compression methods to enable.
    327 The allowed keywords are specified in the `gnutls_priority_init()`
    328 function of GnuTLS.
    329 
    330 Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
    331 In brief you can specify a set of ciphersuites from the choices:
    332 
    333 `NONE`
    334 :   The empty list.
    335 
    336 `EXPORT`
    337 :   A list with all the supported cipher combinations
    338     including the `EXPORT` strength algorithms.
    339 
    340 `PERFORMANCE`
    341 :   A list with all the secure cipher combinations sorted in terms of performance.
    342 
    343 `NORMAL`
    344 :   A list with all the secure cipher combinations sorted
    345     with respect to security margin (subjective term).
    346 
    347 `SECURE`
    348 :   A list with all the secure cipher combinations including
    349     the 256-bit ciphers sorted with respect to security margin.
    350 
    351 Additionally you can add or remove algorithms using the `+` and `!`
    352 prefixes respectively.
    353 
    354 For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
    355 you can use the string `NORMAL:!ARCFOUR-128`
    356 
    357 Other options such as the protocol version and the compression method
    358 can be specified using the `VERS-` and `COMP-` prefixes.
    359 
    360 So in order to remove or add a specific TLS version from the `NORMAL`
    361 set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
    362 `NORMAL:+COMP-DEFLATE`.
    363 
    364 
    365 However it is recommended not to add compression at this level.  With
    366 the `NONE` set, in order to be usable, you have to specify a complete
    367 set of combinations of protocol versions, cipher algorithms
    368 (`AES-128-CBC`), key exchange algorithms (`RSA`), message
    369 authentication codes (`SHA1`) and compression methods (`COMP-NULL`).
    370 
    371 You can find a list of all supported Ciphers, Versions, MACs, etc.  by
    372 running `gnutls-cli --list`.
    373 
    374 The special keyword `%COMPAT` will disable some security features such
    375 as protection against statistical attacks to ciphertext data in order to
    376 achieve maximum compatibility (some broken mobile clients need this).
    377 
    378 `GnuTLSP11Module`
    379 ------------------
    380 
    381 Load this PKCS #11 module.
    382 
    383     GnuTLSP11Module PATH_TO_LIBRARY
    384 
    385 Default: *none*\
    386 Context: server config
    387 
    388 Load this PKCS #11 provider module, instead of the system
    389 defaults. May occur multiple times to load multiple modules.
    390 
    391 `GnuTLSPIN`
    392 ------------------
    393 
    394 Set the PIN to be used to access encrypted key files or PKCS #11 objects.
    395 
    396     GnuTLSPIN XXXXXX
    397 
    398 Default: *none*\
    399 Context: server config, virtual host
    400 
    401 Takes a string to be used as a PIN for the protected objects in
    402 a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
    403 or openssl encrypted keys.
    404 
    405 `GnuTLSSRKPIN`
    406 ------------------
    407 
    408 Set the SRK PIN to be used to unlaccess the TPM.
    409 
    410     GnuTLSSRKPIN XXXXXX
    411 
    412 Default: *none*\
    413 Context: server config, virtual host
    414 
    415 Takes a string to be used as a PIN for the protected objects in
    416 the TPM module.
    417 
    418 `GnuTLSExportCertificates`
    419 --------------------------
    420 
    421 Export the PEM encoded certificates to CGIs
    422 
    423     GnuTLSExportCertificates [off|on|SIZE]
    424 
    425 Default: `off`\
    426 Context: server config, virtual host
    427 
    428 This directive configures exporting the full certificates of the
    429 server and the client to CGI scripts via the `SSL_SERVER_CERT` and
    430 `SSL_CLIENT_CERT` environment variables. The exported certificates
    431 will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
    432 size given.  The type of the certificate will be exported in
    433 `SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
    434 
    435 SIZE should be an integer number of bytes, or may be written with a
    436 trailing `K` to indicate kibibytes.  `off` means the same thing as
    437 `0`, in which case the certificates will not be exported to the
    438 environment.  `on` is an alias for `16K`.  If a non-zero size is
    439 specified for this directive, but a certificate is too large to fit in
    440 the buffer, then the corresponding environment variable will contain
    441 the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
    442 
    443 With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
    444 environment variables to the CGI process as `mod_ssl`.
    445 
    446 
    447 `GnuTLSProxyEngine`
    448 --------------
     410TLS Proxy Configuration
     411-----------------------
     412
     413### GnuTLSProxyEngine
    449414
    450415Enable TLS proxy connections for this virtual host
     
    458423host.
    459424
    460 `GnuTLSProxyCAFile`
    461 --------------------
     425### GnuTLSProxyCAFile
    462426
    463427Set to the PEM encoded Certificate Authority Certificate
     
    474438always fail due to lack of a trusted CA.
    475439
    476 `GnuTLSProxyCRLFile`
    477 --------------------
     440### GnuTLSProxyCRLFile
    478441
    479442Set to the PEM encoded Certificate Revocation List
     
    488451back end servers. The file may contain a list of CRLs.
    489452
    490 `GnuTLSProxyCertificateFile`
    491 -----------------------
     453### GnuTLSProxyCertificateFile
    492454
    493455Set to the PEM encoded Client Certificate
     
    510472provide the matching private key.
    511473
    512 `GnuTLSProxyKeyFile`
    513 ---------------
     474### GnuTLSProxyKeyFile
    514475
    515476Set to the PEM encoded Private Key
     
    529490apache user.
    530491
    531 `GnuTLSProxyPriorities`
    532 ------------------
     492### GnuTLSProxyPriorities
    533493
    534494Set the allowed ciphers, key exchange algorithms, MACs and compression
     
    537497    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
    538498
    539 Default: *none*\
    540 Context: server config, virtual host
    541 
    542 This option is used to set the allowed ciphers, key exchange
    543 algorithms, MACs and compression methods for proxy connections. It
    544 takes the same parameters as `GnuTLSPriorities`. Required if
    545 `GnuTLSProxyEngine` is `On`.
     499Default: `NORMAL`\
     500Context: server config, virtual host
     501
     502Sets the allowed protocol version(s), ciphers, key exchange methods,
     503message authentication codes, and other TLS parameters for TLS proxy
     504connections. Like for `GnuTLSPriorities` the parameter is a GnuTLS
     505priority string as described in the
     506[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
     507
     508OCSP Stapling Configuration
     509---------------------------
     510
     511### GnuTLSOCSPStapling
     512
     513Enable OCSP stapling for this (virtual) host.
     514
     515    GnuTLSOCSPStapling [On|Off]
     516
     517Default: *on* if requirements are met, *off* otherwise\
     518Context: server config, virtual host
     519
     520OCSP stapling, formally known as the TLS Certificate Status Request
     521extension, allows the server to provide the client with a cached OCSP
     522response for its certificate during the handshake. With OCSP stapling
     523the client does not have to send an OCSP request to the issuer CA to
     524check the certificate status, which offers privacy and performance
     525advantages, and avoids the security issue of how to handle errors that
     526prevent the client from getting a response.
     527
     528Using OCSP stapling has a few requirements:
     529
     530* `GnuTLSCertificateFile` must contain the issuer CA certificate in
     531  addition to the server certificate so responses can be verified.
     532* The server certificate must either contain an OCSP access URI using
     533  HTTP, or `GnuTLSOCSPResponseFile` must be set.
     534* Caching OCSP responses requires a cache to store responses. If
     535  `mod_socache_shmcb` is loaded `mod_gnutls` can set up the cache
     536  automatically without additional configuration, see
     537  `GnuTLSOCSPCache`.
     538
     539Stapling is activated by default if these requirements are met. If
     540`GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are
     541an error.
     542
     543OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
     544
     545### GnuTLSOCSPCache
     546
     547OCSP stapling cache configuration
     548
     549        GnuTLSOCSPCache (shmcb|memcache|...|none)[:PARAMETERS]
     550
     551Default: `shmcb:gnutls_ocsp_cache`\
     552Context: server config
     553
     554This directive configures the OCSP stapling cache, and uses the same
     555syntax as `GnuTLSOCSPCache`. Please check there for details.
     556
     557The default should be reasonable for most servers and requires
     558[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
     559to be loaded. Servers with very many virtual hosts may need to
     560increase the default cache size via the parameters string, those with
     561few virtual hosts and memory constraints could save a few KB by reducing
     562it. Note that `mod_socache_dbm` has a size constraint for entries that
     563is generally too small for OCSP responses.
     564
     565If the selected cache implementation is not thread-safe, access
     566is serialized using the `gnutls-ocsp-cache` mutex.
     567
     568### GnuTLSOCSPAutoRefresh
     569
     570Regularly refresh cached OCSP response independent of TLS handshakes?
     571
     572    GnuTLSOCSPAutoRefresh [On|Off]
     573
     574Default: *on*\
     575Context: server config, virtual host
     576
     577By default `mod_gnutls` will regularly refresh the cached OCSP
     578response for hosts that have OCSP stapling enabled, regardless of
     579whether it is used. This has advantages over updating the OCSP
     580response only if a TLS handshake needs it:
     581
     582* Updating the cached response before it expires can hide short
     583  unavailability of the OCSP responder, if a repeated request is
     584  successful before the cache expires (see below).
     585
     586* Handshakes are not slowed down by fetching responses.
     587
     588The interval to the next request is determined as follows: After a
     589successful OCSP request the next one is scheduled for a random period
     590between `GnuTLSOCSPFuzzTime` and half of it before
     591`GnuTLSOCSPCacheTimeout` expires. For example, if the cache timeout is
     5923600 seconds and the fuzz time 600 seconds, the next request will be
     593sent after 3000 to 3300 seconds. If the validity period of the
     594response expires before then, the selected interval is halved until it
     595is smaller than the time until expiry. If an OCSP request fails, it is
     596retried after `GnuTLSOCSPFailureTimeout`.
     597
     598Regularly updating the OCSP cache requires `mod_watchdog`,
     599`mod_gnutls` will fall back to updating the OCSP cache during
     600handshakes if `mod_watchdog` is not available or this option is set to
     601`Off`.
     602
     603### GnuTLSOCSPCheckNonce
     604
     605Check the nonce in OCSP responses?
     606
     607    GnuTLSOCSPCheckNonce [On|Off]
     608
     609Default: *on*\
     610Context: server config, virtual host
     611
     612Some CAs refuse to send nonces in their OCSP responses, probably
     613because that way they can cache responses. If your CA is one of them
     614you can use this flag to disable nonce verification. Note that
     615`mod_gnutls` will _send_ a nonce either way.
     616
     617### GnuTLSOCSPResponseFile
     618
     619Read the OCSP response for stapling from this file instead of sending
     620a request over HTTP.
     621
     622    GnuTLSOCSPResponseFile /path/to/response.der
     623
     624Default: *empty*\
     625Context: server config, virtual host
     626
     627The response file must be updated externally, for example using a cron
     628job. This option is an alternative to the server fetching OCSP
     629responses over HTTP. Reasons to use this option include:
     630
     631* Performing OCSP requests separate from the web server, to prevent slow
     632  responses from stalling handshakes.
     633* The issuer CA uses an access method other than HTTP.
     634* Testing
     635
     636You can use a GnuTLS `ocsptool` command like the following to create
     637and update the response file:
     638
     639    ocsptool --ask --nonce --load-issuer ca_cert.pem \
     640        --load-cert server_cert.pem --outfile ocsp_response.der
     641
     642Additional error checking is highly recommended. You may have to
     643remove the `--nonce` option if the OCSP responder of your CA does not
     644support nonces.
     645
     646### GnuTLSOCSPCacheTimeout
     647
     648Cache timeout for OCSP responses
     649
     650    GnuTLSOCSPCacheTimeout SECONDS
     651
     652Default: *3600*\
     653Context: server config, virtual host
     654
     655Cached OCSP responses will be refreshed after the configured number of
     656seconds. How long this timeout should reasonably be depends on your
     657CA, namely how often its OCSP responder is updated and how long
     658responses are valid. Note that a response will not be cached beyond
     659its lifetime as denoted in the `nextUpdate` field of the response.
     660
     661### GnuTLSOCSPFailureTimeout
     662
     663Wait this many seconds before retrying a failed OCSP request.
     664
     665    GnuTLSOCSPFailureTimeout SECONDS
     666
     667Default: *300*\
     668Context: server config, virtual host
     669
     670Retries of failed OCSP requests must be rate limited to avoid
     671overloading both the server using mod_gnutls and the CA's OCSP
     672responder. A shorter value increases the load on both sides, a longer
     673one means that stapling will remain disabled for longer after a failed
     674request.
     675
     676### GnuTLSOCSPFuzzTime
     677
     678Update the cached OCSP response up to this time before the cache expires
     679
     680    GnuTLSOCSPFuzzTime SECONDS
     681
     682Default: *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*\
     683Context: server config, virtual host
     684
     685Refreshing the cached response before it expires hides short OCSP
     686responder unavailability. See `GnuTLSOCSPAutoRefresh` for how this
     687value is used, using at least twice `GnuTLSOCSPFailureTimeout` is
     688recommended.
     689
     690### GnuTLSOCSPSocketTimeout
     691
     692Timeout for TCP sockets used to send OCSP requests
     693
     694    GnuTLSOCSPFailureTimeout SECONDS
     695
     696Default: *6*\
     697Context: server config, virtual host
     698
     699Stalled OCSP requests must time out after a while to prevent stalling
     700the server too much. However, if the timeout is too short requests may
     701fail with a slow OCSP responder or high latency network
     702connection. This parameter allows you to adjust the timeout if
     703necessary.
     704
     705Note that this is not an upper limit for the completion of an OCSP
     706request but a socket timeout. The connection will time out if there is
     707no activity (successful send or receive) at all for the configured
     708time.
    546709
    547710* * * * *
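Review bot: the syntax line under the `GnuTLSOCSPSocketTimeout` heading reads `GnuTLSOCSPFailureTimeout SECONDS`, which is the wrong directive; it should be `GnuTLSOCSPSocketTimeout SECONDS`, otherwise a reader copying the syntax changes the retry delay instead of the socket timeout. Likewise the `GnuTLSOCSPCache` description says it "uses the same syntax as `GnuTLSOCSPCache`. Please check there for details.", which refers to itself; the intended cross-reference is presumably the session cache directive `GnuTLSCache`. Smaller points: the syntax line for `GnuTLSOCSPCache` is indented by eight spaces while every other directive uses four; "mod_gnutls" in the `GnuTLSOCSPFailureTimeout` text lacks the backticks used elsewhere; "If `GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are an error" needs a comma after `on`; and "requires `mod_watchdog`, `mod_gnutls` will fall back" is a comma splice. It would also help readers of `GnuTLSOCSPCheckNonce` to say what turning the check off gives up: without nonce verification the server can only judge a response's freshness by its validity period (the `nextUpdate` field mentioned under `GnuTLSOCSPCacheTimeout`), so any response still inside that period is accepted.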
     
    550713======================
    551714
    552 Simple Standard SSL Example
    553 ---------------------------
    554 
    555 The following is an example of standard SSL Hosting, using one IP
    556 Addresses for each virtual host
     715Minimal Example
     716---------------
     717
     718A minimal server configuration using mod_gnutls might look like this
     719(other than the default setup):
     720
     721     # Load mod_gnutls into Apache.
     722     LoadModule gnutls_module modules/mod_gnutls.so
     723
     724         Listen 192.0.2.1:443
     725
     726     <VirtualHost _default_:443>
     727             # Standard virtual host stuff
     728         DocumentRoot /www/site1.example.com/html
     729         ServerName site1.example.com:443
     730         
     731                 # Minimal mod_gnutls setup: enable, and set credentials
     732                 GnuTLSEnable on
     733         GnuTLSCertificateFile conf/tls/site1_cert_chain.pem
     734         GnuTLSKeyFile conf/tls/site1_key.pem
     735     </VirtualHost>
     736
     737This gives you an HTTPS site using the GnuTLS `NORMAL` set of
     738ciphersuites. OCSP stapling will be enabled if the server certificate
     739contains an OCSP URI, `conf/tls/site1_cert_chain.pem` contains the
     740issuer certificate in addition to the server's, and
     741[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
     742is loaded. With Gnutls 3.6.4 or newer session tickets are enabled,
     743too.
     744
     745Virtual Hosts with Server Name Indication
     746-----------------------------------------
     747
     748`mod_gnutls` supports Server Name Indication (SNI), as specified in
     749[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3).
     750This allows hosting many TLS websites with a single IP address, you
     751can just add virtual host configurations. All recent browsers support
     752this standard. Here is an example using SNI:
    557753
    558754     # Load the module into Apache.
    559755     LoadModule gnutls_module modules/mod_gnutls.so
    560      GnuTLSCache gdbm /var/cache/www-tls-cache
    561      GnuTLSCacheTimeout 500
    562      # With normal SSL Websites, you need one IP Address per-site.
    563      Listen 1.2.3.1:443
    564      Listen 1.2.3.2:443
    565      Listen 1.2.3.3:443
    566      Listen 1.2.3.4:443
    567      <VirtualHost 1.2.3.1:443>
    568      GnuTLSEnable on
    569      GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
    570      DocumentRoot /www/site1.example.com/html
    571      ServerName site1.example.com:443
    572      GnuTLSCertificateFile conf/ssl/site1.crt
    573      GnuTLSKeyFile conf/ss/site1.key
     756         # This example server uses session tickets, no cache.
     757     GnuTLSSessionTickets on
     758
     759     # SNI allows hosting multiple sites using one IP address. This
     760     # could also be 'Listen *:443', just like '*:80' is common for
     761     # non-HTTPS
     762     Listen 198.51.100.1:443
     763
     764     <VirtualHost _default_:443>
     765         GnuTLSEnable on
     766         DocumentRoot /www/site1.example.com/html
     767         ServerName site1.example.com:443
     768         GnuTLSCertificateFile conf/tls/site1.crt
     769         GnuTLSKeyFile conf/tls/site1.key
    574770     </VirtualHost>
    575      <VirtualHost 1.2.3.2:443>
    576      # This virtual host enables SRP authentication
    577      GnuTLSEnable on
    578      GnuTLSPriorities NORMAL:+SRP
    579      DocumentRoot /www/site2.example.com/html
    580      ServerName site2.example.com:443
    581      GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
    582      GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
     771
     772     <VirtualHost _default_:443>
     773         GnuTLSEnable on
     774         DocumentRoot /www/site2.example.com/html
     775         ServerName site2.example.com:443
     776         GnuTLSCertificateFile conf/tls/site2.crt
     777         GnuTLSKeyFile conf/tls/site2.key
    583778     </VirtualHost>
    584      <VirtualHost 1.2.3.3:443>
    585      # This server enables SRP, OpenPGP and X.509 authentication.
    586      GnuTLSEnable on
    587      GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
    588      DocumentRoot /www/site3.example.com/html
    589      ServerName site3.example.com:443
    590      GnuTLSCertificateFile conf/ssl/site3.crt
    591      GnuTLSKeyFile conf/ss/site3.key
    592      GnuTLSClientVerify ignore
    593      GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
    594      GnuTLSPGPKeyFile conf/ss/site3.sec.asc
    595      GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
    596      GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
     779
     780     <VirtualHost _default_:443>
     781         GnuTLSEnable on
     782         DocumentRoot /www/site3.example.com/html
     783         ServerName site3.example.com:443
     784         GnuTLSCertificateFile conf/tls/site3.crt
     785         GnuTLSKeyFile conf/tls/site3.key
     786         # Enable HTTP/2. With GnuTLS before version 3.6.3 all
     787         # virtual hosts in this example would have to share this
     788         # directive to work correctly.
     789         Protocols h2 http/1.1
    597790     </VirtualHost>
    598      <VirtualHost 1.2.3.4:443>
    599      GnuTLSEnable on
    600      # %COMPAT disables some security features to enable maximum compatibility with clients.
    601      GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
    602      DocumentRoot /www/site4.example.com/html
    603      ServerName site4.example.com:443
    604      GnuTLSCertificateFile conf/ssl/site4.crt
    605      GnuTLSKeyFile conf/ss/site4.key
    606      </VirtualHost>
    607 
    608 Server Name Indication Example
    609 ------------------------------
    610 
    611 `mod_gnutls` can also use "Server Name Indication", as specified in
    612 RFC 3546.  This allows hosting many SSL Websites, with a Single IP
    613 Address.  Currently all the recent browsers support this
    614 standard. Here is an example, using SNI: ` `
    615 
     791
     792Virtual Hosts without SNI
     793-------------------------
     794
     795If you need to support clients that do not use SNI, you have to use a
     796unique IP address/port combination for each virtual host. In this
     797example all virtual hosts use the default port for HTTPS (443) and
     798different IP addresses.
    616799
    617800     # Load the module into Apache.
    618801     LoadModule gnutls_module modules/mod_gnutls.so
    619      # With normal SSL Websites, you need one IP Address per-site.
    620      Listen 1.2.3.1:443
    621      # This could also be 'Listen *:443',
    622      # just like '*:80' is common for non-https
    623      # No caching. Enable session tickets. Timeout is still used for
    624      # ticket expiration.
    625      GnuTLSCacheTimeout 600
    626      # This tells apache, that for this IP/Port combination, we want to use
    627      # Name Based Virtual Hosting. In the case of Server Name Indication,
    628      # it lets mod_gnutls pick the correct Server Certificate.
    629      NameVirtualHost 1.2.3.1:443
    630      <VirtualHost 1.2.3.1:443>
    631      GnuTLSEnable on
    632      GnuTLSSessionTickets on
    633      GnuTLSPriorities NORMAL
    634      DocumentRoot /www/site1.example.com/html
    635      ServerName site1.example.com:443
    636      GnuTLSCertificateFile conf/ssl/site1.crt
    637      GnuTLSKeyFile conf/ss/site1.key
     802         # This example server uses a session cache.
     803     GnuTLSCache dbm:/var/cache/www-tls-cache
     804     GnuTLSCacheTimeout 1200
     805
     806     # Without SNI you need one IP Address per site. The IP addresses
     807         # are listed separately for clarity, you could also use "Listen 443"
     808         # to use that port on all available IP addresses.
     809     Listen 192.0.2.1:443
     810     Listen 192.0.2.2:443
     811     Listen 192.0.2.3:443
     812
     813     <VirtualHost 192.0.2.1:443>
     814         GnuTLSEnable on
     815         GnuTLSPriorities SECURE128
     816         DocumentRoot /www/site1.example.com/html
     817         ServerName site1.example.com:443
     818         GnuTLSCertificateFile conf/tls/site1.crt
     819         GnuTLSKeyFile conf/tls/site1.key
    638820     </VirtualHost>
    639      <VirtualHost 1.2.3.1:443>
    640      GnuTLSEnable on
    641      GnuTLSPriorities NORMAL
    642      DocumentRoot /www/site2.example.com/html
    643      ServerName site2.example.com:443
    644      GnuTLSCertificateFile conf/ssl/site2.crt
    645      GnuTLSKeyFile conf/ss/site2.key
     821
     822     <VirtualHost 192.0.2.2:443>
     823         # This virtual host enables SRP authentication
     824         GnuTLSEnable on
     825         GnuTLSPriorities NORMAL:+SRP
     826         DocumentRoot /www/site2.example.com/html
     827         ServerName site2.example.com:443
     828         GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
     829         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
    646830     </VirtualHost>
    647      <VirtualHost 1.2.3.1:443>
    648      GnuTLSEnable on
    649      GnuTLSPriorities NORMAL
    650      DocumentRoot /www/site3.example.com/html
    651      ServerName site3.example.com:443
    652      GnuTLSCertificateFile conf/ssl/site3.crt
    653      GnuTLSKeyFile conf/ss/site3.key
     831
     832     <VirtualHost 192.0.2.3:443>
     833         # This server enables SRP and X.509 authentication.
     834         GnuTLSEnable on
     835         GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
     836         DocumentRoot /www/site3.example.com/html
     837         ServerName site3.example.com:443
     838         GnuTLSCertificateFile conf/tls/site3.crt
     839         GnuTLSKeyFile conf/tls/site3.key
     840         GnuTLSClientVerify ignore
     841         GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
     842         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
    654843     </VirtualHost>
    655      <VirtualHost 1.2.3.1:443>
    656      GnuTLSEnable on
    657      GnuTLSPriorities NORMAL
    658      DocumentRoot /www/site4.example.com/html
    659      ServerName site4.example.com:443
    660      GnuTLSCertificateFile conf/ssl/site4.crt
    661      GnuTLSKeyFile conf/ss/site4.key
    662      </VirtualHost>
    663 
    664 
    665 * * * * *
    666 
    667 Performance Issues
    668 ==================
    669 
    670 `mod_gnutls` by default uses conservative settings for the server.
    671 You can fine tune the configuration to reduce the load on a busy
    672 server.  The following examples do exactly this:
    673 
     844
     845OCSP Stapling Example
     846---------------------
     847
     848This is an example with a customized OCSP stapling configuration. What
     849is a resonable cache timeout varies depending on how long your CA's
     850OCSP responses are valid. Some CAs provide responses that are valid
     851for multiple days, in that case timeout and fuzz time could be
     852significantly larger.
    674853
    675854     # Load the module into Apache.
    676855     LoadModule gnutls_module modules/mod_gnutls.so
    677      # Using 4 memcache servers to distribute the SSL Session Cache.
    678      GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
    679      GnuTLSCacheTimeout 600
    680      Listen 1.2.3.1:443
    681      NameVirtualHost 1.2.3.1:443
    682      <VirtualHost 1.2.3.1:443>
    683      GnuTLSEnable on
    684      # Here we disable the Perfect forward secrecy ciphersuites (DHE)
    685      # and disallow AES-256 since AES-128 is just fine.
    686      GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
    687      DocumentRoot /www/site1.example.com/html
    688      ServerName site1.example.com:443
    689      GnuTLSCertificateFile conf/ssl/site1.crt
    690      GnuTLSKeyFile conf/ss/site1.key
    691      </VirtualHost>
    692      <VirtualHost 1.2.3.1:443>
    693      GnuTLSEnable on
    694      # Here we instead of disabling the DHE ciphersuites we use
    695      # Diffie Hellman parameters of smaller size than the default (2048 bits).
    696      # Using small numbers from 768 to 1024 bits should be ok once they are
    697      # regenerated every few hours.
    698      # Use "certtool --generate-dh-params --bits 1024" to get those
    699      GnuTLSDHFile /etc/apache2/dh.params
    700      GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
    701      DocumentRoot /www/site2.example.com/html
    702      ServerName site2.example.com:443
    703      GnuTLSCertificateFile conf/ssl/site2.crt
    704      GnuTLSKeyFile conf/ss/site2.key
     856         # A 64K cache is more than enough for one response
     857     GnuTLSOCSPCache shmcb:ocsp_cache(65536)
     858
     859     Listen 192.0.2.1:443
     860
     861     <VirtualHost _default_:443>
     862         GnuTLSEnable           On
     863         DocumentRoot           /www/site1.example.com/html
     864         ServerName             site1.example.com:443
     865         GnuTLSCertificateFile  conf/tls/site1_cert_chain.pem
     866         GnuTLSKeyFile          conf/tls/site1_key.pem
     867         GnuTLSOCSPStapling     On
     868                 # The cached OCSP response is kept for up to 4 hours,
     869                 # with updates scheduled every 3 to 3.5 hours.
     870         GnuTLSOCSPCacheTimeout 21600
     871                 GnuTLSOCSPFuzzTime     3600
    705872     </VirtualHost>
    706873
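Review bot: in the OCSP Stapling Example the comment and the values disagree: the comment says "The cached OCSP response is kept for up to 4 hours, with updates scheduled every 3 to 3.5 hours", but `GnuTLSOCSPCacheTimeout 21600` is six hours, and with `GnuTLSOCSPFuzzTime 3600` the schedule described under `GnuTLSOCSPAutoRefresh` (between the fuzz time and half of it before the cache timeout) gives refreshes after 5 to 5.5 hours. Either the timeout should be `14400`, which matches the comment exactly, or the comment should be updated. Also: "resonable" in the introduction of that example should be "reasonable"; "Gnutls 3.6.4" in the Minimal Example text should be "GnuTLS"; "This allows hosting many TLS websites with a single IP address, you can just add virtual host configurations" is a comma splice; and the configuration blocks mix tabs and spaces (the `Listen 192.0.2.1:443` line and the two comment lines in the Minimal Example, the `# are listed separately` comment in the no-SNI example, and the comment lines in the OCSP example), which renders unevenly inside the indented markdown code blocks.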
     
    799966-----------------
    800967
    801 The SSL or TLS cipher suite name
     968The distinguished name of the issuer of the client's certificate in
     969RFC2253 format.
    802970
    803971`SSL_CLIENT_S_AN%`
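Review bot: "RFC2253 format" in the new issuer DN description is inconsistent with the "RFC 6066, Section 3" style and link used in the SNI example earlier in this changeset; suggest "RFC 2253" with a link to the RFC text so readers can check the expected DN string format.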
     
    8351003------------------
    8361004
    837 The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
    838 (see the `GnuTLSExportCertificates` directive).
     1005The PEM-encoded (X.509) server certificate (see the
     1006`GnuTLSExportCertificates` directive).
    8391007
    8401008`SSL_SERVER_CERT_TYPE`
    8411009----------------------
    8421010
    843 The certificate type can be `X.509` or `OPENPGP`.
     1011The certificate type will be `X.509`.
    8441012
    8451013`SSL_CLIENT_CERT`
    8461014------------------
    8471015
    848 The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
    849 (see the `GnuTLSExportCertificates` directive).
     1016PEM-encoded (X.509) client certificate, if any (see the
     1017`GnuTLSExportCertificates` directive).
    8501018
    8511019`SSL_CLIENT_CERT_TYPE`
    8521020----------------------
    8531021
    854 The certificate type can be `X.509` or `OPENPGP`.
     1022The certificate type will be `X.509`, if any.
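Review bot: the new `SSL_CLIENT_CERT_TYPE` text "The certificate type will be `X.509`, if any." is ambiguous about when the variable is set; suggest "The certificate type will be `X.509` if the client presented a certificate" and stating that the variable is otherwise unset. For symmetry with the `SSL_SERVER_CERT` entry, "PEM-encoded (X.509) client certificate, if any" should start with "The". Since the OpenPGP alternative is removed, both `*_CERT_TYPE` variables now only ever carry one value; a sentence saying they are kept for compatibility with existing configurations would explain why they still exist.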