diff --git a/doc/man/man5/lloadd.conf.5 b/doc/man/man5/lloadd.conf.5 index 2e67a7a9bf..e98ec108c7 100644 --- a/doc/man/man5/lloadd.conf.5 +++ b/doc/man/man5/lloadd.conf.5 @@ -467,7 +467,7 @@ option. .B TLSCipherSuite Permits configuring what ciphers will be accepted and the preference order. should be a cipher specification for the TLS library -in use (OpenSSL, GnuTLS, or Mozilla NSS). +in use (OpenSSL or GnuTLS). Example: .RS .RS @@ -498,13 +498,6 @@ In older versions of GnuTLS, where gnutls\-cli does not support the option gnutls\-cli \-l .fi -When using Mozilla NSS, the OpenSSL cipher suite specifications are used and -translated into the format used internally by Mozilla NSS. There isn't an easy -way to list the cipher suites from the command line. The authoritative list -is in the source code for Mozilla NSS in the file sslinfo.c in the structure -.nf - static const SSLCipherSuiteInfo suiteInfo[] -.fi .RE .TP .B TLSCACertificateFile 
@@ -523,32 +516,11 @@ Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the TLSCACertificateFile is used. This directive is not supported when using GnuTLS. - -When using Mozilla NSS, may contain a Mozilla NSS cert/key -database. If contains a Mozilla NSS cert/key database and -CA cert files, OpenLDAP will use the cert/key database and will -ignore the CA cert files. .TP .B TLSCertificateFile Specifies the file that contains the .B lloadd server certificate. - -When using Mozilla NSS, if using a cert/key database (specified with -TLSCACertificatePath), TLSCertificateFile specifies -the name of the certificate to use: -.nf - TLSCertificateFile Server-Cert -.fi -If using a token other than the internal built in token, specify the -token name first, followed by a colon: -.nf - TLSCertificateFile my hardware device:Server-Cert -.fi -Use certutil \-L to list the certificates by name: -.nf - certutil \-d /path/to/certdbdir \-L -.fi .TP .B TLSCertificateKeyFile Specifies the file that contains the 
@@ -557,18 +529,6 @@ server private key that matches the certificate stored in the .B TLSCertificateFile file. Currently, the private key must not be protected with a password, so it is of critical importance that it is protected carefully. - -When using Mozilla NSS, TLSCertificateKeyFile specifies the name of -a file that contains the password for the key for the certificate specified with -TLSCertificateFile. The modutil command can be used to turn off password -protection for the cert/key database. For example, if TLSCACertificatePath -specifies /etc/openldap/certdb as the location of the cert/key database, use -modutil to change the password to the empty string: -.nf - modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB' -.fi -You must have the old password, if any. Ignore the WARNING about the running -browser. Press 'Enter' for the new password. .TP .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman @@ -581,15 +541,12 @@ actual client or server authentication and provide no protection against man-in-the-middle attacks. You should append "!ADH" to your cipher suites to ensure that these suites are not used. -When using Mozilla NSS these parameters are always generated randomly -so this directive is ignored. .TP .B TLSECName Specify the name of a curve to use for Elliptic curve Diffie-Hellman ephemeral key exchange. This is required to enable ECDHE algorithms in OpenSSL. This option is not used with GnuTLS; the curves may be -chosen in the GnuTLS ciphersuite specification. This option is also -ignored for Mozilla NSS. +chosen in the GnuTLS ciphersuite specification. .TP .B TLSProtocolMin [.] Specifies minimum SSL/TLS protocol version that will be negotiated. 
@@ -612,7 +569,7 @@ This directive is ignored with GnuTLS. Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. -This directive is ignored with GnuTLS and Mozilla NSS. +This directive is ignored with GnuTLS. .TP .B TLSVerifyClient Specifies what checks to perform on client certificates in an @@ -647,7 +604,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the client certificates have not been revoked. This requires .B TLSCACertificatePath -parameter to be set. This directive is ignored with GnuTLS and Mozilla NSS. +parameter to be set. This directive is ignored with GnuTLS. .B can be specified as one of the following keywords: .RS @@ -665,7 +622,7 @@ Check the CRL for a whole certificate chain .B TLSCRLFile Specifies a file containing a Certificate Revocation List to be used for verifying that certificates have not been revoked. This directive is -only valid when using GnuTLS and Mozilla NSS. +only valid when using GnuTLS. .SH BACKEND CONFIGURATION Options in this section describe how the
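Review bot: in the @@ -467 hunk (TLSCipherSuite) the library list correctly shrinks to "(OpenSSL or GnuTLS)", but this diff only touches lloadd.conf.5; if slapd.conf(5) and ldap.conf(5) carry the same "When using Mozilla NSS ..." paragraphs, they should be dropped in the same change so the three pages do not disagree about which TLS libraries are supported.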
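Review bot: in the @@ -498 hunk the removed NSS paragraph sits between the gnutls-cli `.fi` and a surviving `.RE`, while the example block above it opens two `.RS` levels; only one `.RE` is visible in the context, so confirm the `.RS`/`.RE` pairs still balance after the removal, otherwise the following `.TP TLSCACertificateFile` entry renders at the wrong indent.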
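Review bot: in the @@ -557 hunk (TLSCertificateKeyFile) the modutil instructions were the only concrete guidance in this entry, and what remains is "the private key must not be protected with a password, so it is of critical importance that it is protected carefully"; consider making that actionable for the two remaining libraries by stating that the key file must be readable only by the user lloadd runs as (mode 0600, owned by that user), since an unencrypted key is now the only supported form.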
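Review bot: in the @@ -581 hunk the advice 'You should append "!ADH" to your cipher suites' is written in OpenSSL cipher-string syntax, and with the NSS sentence gone the entry now documents OpenSSL or GnuTLS only; either mark "!ADH" as the OpenSSL form or add the equivalent GnuTLS priority-string exclusion next to it, otherwise a GnuTLS build gets advice it cannot apply. The TLSECName change in the same hunk is consistent with the new two-library wording.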
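Review bot: in the @@ -665 hunk TLSCRLFile becomes "only valid when using GnuTLS" while TLSCRLCheck, two entries above, is "ignored with GnuTLS" and requires TLSCACertificatePath; since the two directives are now strictly library-exclusive, cross-reference them in both entries so a reader enabling revocation checking on either library is pointed at the directive that actually takes effect.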