mirror of
https://git.openldap.org/openldap/openldap.git
synced 2026-05-28 04:35:57 -04:00
Added GNUtls notes
This commit is contained in:
parent
bdd8bf4133
commit
9688a3ae7e
3 changed files with 50 additions and 10 deletions
@ -278,6 +278,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
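Review bot: "This parameter is ignored with GNUtls." is ambiguous where it is placed: it directly follows a sentence naming both TLS_CACERT and TLS_CACERTDIR, so a reader cannot tell which of the two GNUtls ignores. Name the directive explicitly ("TLS_CACERTDIR is ignored with GNUtls; only TLS_CACERT is used") and spell out the consequence for a client configured with TLS_CACERTDIR alone: under GNUtls it has no CA certificates at all to verify the server against, which is the kind of silent trust-anchor loss an administrator should be warned about rather than left to discover.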
@ -300,6 +301,7 @@ e.g., HIGH:MEDIUM:+SSLv2.
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This parameter is ignored with GNUtls.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
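Review bot: The sentence immediately before the added one says the RANDFILE environment variable can also supply this filename, so the GNUtls note should state whether RANDFILE is ignored as well. As written, a reader may conclude that the TLS_RANDFILE directive is dead under GNUtls but that the environment route still feeds the library's random source, which the text gives no basis for.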
@ -332,7 +334,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
parameter to be set.
parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
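Review bot: Saying TLS_CRLCHECK is "ignored with GNUtls" leaves the reader with no revocation check and no pointer to the replacement. The sentence should name TLS_CRLFILE (added further down in this same patch) as the GNUtls mechanism and state plainly that with GNUtls no CRL check is performed unless TLS_CRLFILE is set; a revocation directive that quietly does nothing is a security-relevant behaviour and deserves more than a one-clause aside.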
@ -346,6 +348,11 @@ Check the CRL of the peer certificate
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
parameter is only supported with GNUtls.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
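Review bot: The new TLS_CRLFILE entry says the parameter is "only supported with GNUtls" but not what happens when it is set in an OpenSSL build (silently ignored, or rejected as a configuration error), and unlike the TLS_CRLCHECK entry above it does not say whether only the peer certificate or the whole chain is checked against the file. Both should be stated; a CRL file that is silently dropped is worse than a startup failure, because the administrator believes revocation is being enforced.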
@ -781,9 +781,17 @@ Permits configuring what ciphers will be accepted and the preference order.
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects, use:
To check what ciphers a given spec selects in OpenSSL, use:
openssl ciphers -v <cipher-suite-spec>
.nf
openssl ciphers -v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
.fi
.TP
.B olcTLSCACertificateFile: <filename>
Specifies the file that contains certificates for all of the Certificate
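Review bot: "To obtain the list of ciphers in GNUtls use: gnutls-cli -l" is not the GNUtls counterpart of the OpenSSL sentence above it: `gnutls-cli -l` lists every cipher the library knows, not what a given olcTLSCipherSuite value selects. More importantly, the example value HIGH:MEDIUM:+SSLv2 left in this hunk is OpenSSL cipher-list syntax; GNUtls takes priority strings with a different grammar and will not accept that string. The paragraph should say that the spec syntax depends on the TLS library slapd was built against and show a GNUtls-style value alongside the OpenSSL one, otherwise an administrator may paste the OpenSSL string into a GNUtls build and get a failing or unexpected configuration.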
@ -795,7 +803,8 @@ will recognize.
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
locations will be used.
locations will be used. This directive is not supported
when using GNUtls.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
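Review bot: "This directive is not supported when using GNUtls" does not say what slapd does with an olcTLSCACertificatePath line under GNUtls: reject the configuration, or start up and silently continue without those CA certificates. The patch uses "ignored", "not supported" and "only valid" for what appear to be the same situation; pick one term and state the runtime behaviour, because a server that relies on olcTLSCACertificatePath alone would otherwise have no trust anchors for client-certificate verification with nothing to indicate it.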
@ -821,12 +830,14 @@ them will be processed. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done.
be done. When using GNUtls these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This directive is ignored with GNUtls.
.TP
.B olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
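Review bot: The advice to append "!ADH" to the cipher suites, two sentences before the added GNUtls note, is OpenSSL cipher-list syntax and has no meaning in a GNUtls priority string; now that this paragraph covers both libraries it should say the "!ADH" guidance applies to OpenSSL builds only. It would also help to make explicit that under GNUtls a leftover olcTLSDHParamFile line is ignored rather than rejected, so an administrator knows the directive is harmless but also does nothing.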
@ -868,7 +879,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B olcTLSCACertificatePath
parameter to be set.
parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
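Review bot: "This parameter is ignored with GNUtls" on olcTLSCRLCheck should point the reader at olcTLSCRLFile, which this same patch adds as the GNUtls way to check revocation, and should say outright that with GNUtls client certificates are not checked against any CRL unless olcTLSCRLFile is set. Without that, a server administrator who configured olcTLSCRLCheck: all and then built against GNUtls has lost revocation checking with nothing in the documentation to say so.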
@ -882,6 +893,11 @@ Check the CRL of the peer certificate
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This parameter
is only valid when using GNUtls.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
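Review bot: The new olcTLSCRLFile entry says "for verifying that certificates have not been revoked", which is vaguer than the olcTLSCRLCheck entry above it (client certificates, peer versus whole chain); say which certificates are checked and how far up the chain. It also says the parameter is "only valid when using GNUtls" without stating what an OpenSSL build does with it, and the wording differs from the "only supported with GNUtls" used for TLS_CRLFILE earlier in this patch; align the two and document the OpenSSL-build behaviour explicitly.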
@ -919,7 +919,16 @@ TLSCipherSuite HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects, use:
openssl ciphers -v <cipher-suite-spec>
.nf
openssl ciphers -v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
.fi
.TP
.B TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of the Certificate
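Review bot: The lead-in "To check what ciphers a given spec selects, use:" was reworded to "selects in OpenSSL" in the olcTLSCipherSuite hunk of this same patch but left unchanged here, so in this file the GNUtls paragraph reads as a second way to inspect the same spec. Mirror the wording, and note that `gnutls-cli -l` lists all ciphers GNUtls supports rather than those a spec selects, and that the TLSCipherSuite HIGH:MEDIUM:+SSLv2 example shown in the hunk is OpenSSL syntax that a GNUtls build will not accept.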
@ -930,7 +939,8 @@ will recognize.
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used.
or the TLSCACertificateFile is used. This directive is not supported
when using GNUtls.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
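Review bot: "This directive is not supported when using GNUtls" on TLSCACertificatePath needs to say whether slapd refuses to start or silently proceeds without those CA certificates; a configuration that names only TLSCACertificatePath would, under GNUtls, verify client certificates against no trust anchors at all, and the reader should be told which of the two outcomes to expect. Use the same term here as for the other GNUtls notes in the patch ("ignored" versus "not supported") so the behaviour is described consistently.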
@ -953,12 +963,14 @@ them will be processed. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done.
be done. When using GNUtls these parameters are always generated randomly so
this directive is ignored.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This directive is ignored with GNUtls.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
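Review bot: The "!ADH" recommendation in this paragraph is OpenSSL cipher-list syntax; with the GNUtls sentence now added after it, the text should say that the "!ADH" advice is for OpenSSL builds only, since GNUtls does not parse that form. Stating that a TLSDHParamFile line is ignored (not rejected) under GNUtls is fine, but it would be clearer to say so in its own sentence rather than appended to the paragraph about certificate exchange.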
@ -1000,7 +1012,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
parameter to be set.
parameter to be set. This directive is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
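Review bot: "This directive is ignored with GNUtls" on TLSCRLCheck should be accompanied by a pointer to TLSCRLFile, the GNUtls mechanism this patch adds below, and by an explicit statement that with GNUtls no CRL check of client certificates takes place unless TLSCRLFile is configured. A revocation directive that is quietly ignored after a rebuild against a different TLS library is exactly the case the manual page should call out.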
@ -1014,6 +1026,11 @@ Check the CRL of the peer certificate
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B TLSCRLFile <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This directive is
only valid when using GNUtls.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend. They are supported by every
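Review bot: The TLSCRLFile entry should say which certificates are checked against the file (the TLSCRLCheck entry above distinguishes the peer certificate from the whole chain; this entry only says "certificates") and what an OpenSSL build does when the directive is present, since "only valid when using GNUtls" could mean either a rejected configuration or a silently unused CRL. The latter would leave an administrator believing revocation is enforced when it is not, so the behaviour needs to be stated, not implied.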