ITS#6816 cleanup

Howard Chu 2011-01-31 21:27:17 +00:00
parent 539a6902de
commit e1f928023e
2 changed files with 19 additions and 19 deletions

@ -1361,7 +1361,6 @@ AuthcId
MChAODQ
lookups
GnuTLS
GNUtls
gnutls
MozNSS
MOZNSS

@ -92,13 +92,13 @@ symbolic links. In general, it is simpler to use the
When using Mozilla NSS, this directive can be used to specify the
path of the directory containing the NSS certificate and key database
files. The certutil command can be used to add a {{TERM:CA}} certificate:
files. The {{certutil}} command can be used to add a {{TERM:CA}} certificate:
> certutil -d <path> -A -n "name of CA cert" -t CT,, -a -i /path/to/cacertfile.pem
This command will add a CA certficate stored in the PEM (ASCII) formatted
file named /path/to/cacertfile.pem. -t CT,, means that the certificate is
trusted to be a CA issuing certs for use in TLS clients and servers.
. This command will add a CA certficate stored in the PEM (ASCII) formatted
. file named /path/to/cacertfile.pem. {{EX:-t CT,,}} means that the certificate is
. trusted to be a CA issuing certs for use in TLS clients and servers.
H4: TLSCertificateFile <filename>
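Review bot: the re-indented paragraph after the certutil example still carries the typo "certficate" ("This command will add a CA certficate stored in the PEM..."); since these lines are being rewritten anyway, correct it to "certificate" here. The command name is also marked up as {{certutil}} in this hunk but as {{EX:certutil -L}} in the later hunks of the same file, so pick one form for command names.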
@ -112,12 +112,12 @@ the name of the certificate to use:
> TLSCertificateFile Server-Cert
If using a token other than the internal built in token, specify the
token name first, followed by a colon:
. If using a token other than the internal built in token, specify the
. token name first, followed by a colon:
> TLSCertificateFile my hardware device:Server-Cert
Use certutil -L to list the certificates by name:
. Use {{EX:certutil -L}} to list the certificates by name:
> certutil -d /path/to/certdbdir -L
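Review bot: "internal built in token" in the re-indented paragraph should be hyphenated as "built-in". The same wording recurs in the TLS_CERT section further down in this file, so both can be fixed in one pass.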
@ -139,8 +139,8 @@ modutil to change the password to the empty string:
> modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
. You must have the old password, if any. Ignore the WARNING about the running
. browser. Press 'Enter' for the new password.
H4: TLSCipherSuite <cipher-suite-spec>
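Review bot: the paragraph after the modutil example tells the reader to set an empty password on the NSS database ("Press 'Enter' for the new password.") but, in the lines shown, says nothing about protecting the database files once no password guards the keys. Suggest adding a sentence that /etc/openldap/certdb should then be readable only by the account slapd runs as.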
@ -152,15 +152,15 @@ specification for OpenSSL. You can use the command
to obtain a verbose list of available cipher specifications.
To obtain the list of ciphers in GNUtls use:
> gnutls-cli -l
Besides the individual cipher names, the specifiers {{EX:HIGH}},
{{EX:MEDIUM}}, {{EX:LOW}}, {{EX:EXPORT}}, and {{EX:EXPORT40}}
may be helpful, along with {{EX:TLSv1}}, {{EX:SSLv3}},
and {{EX:SSLv2}}.
To obtain the list of ciphers in GnuTLS use:
> gnutls-cli -l
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
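Review bot: the specifier list that now sits directly under the OpenSSL text offers {{EX:LOW}}, {{EX:EXPORT}}, {{EX:EXPORT40}} and {{EX:SSLv2}} as ones that "may be helpful", with no hint that they select weak ciphers or protocol versions. While this block is being reordered, add a sentence saying these are mainly useful for exclusion, and consider stating that the specifiers are OpenSSL syntax now that the GnuTLS paragraph follows them.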
@ -186,7 +186,7 @@ copy a few hundred bytes of arbitrary data into the file. The file
is only used to provide a seed for the pseudo-random number generator,
and it doesn't need very much data to work.
This directive is ignored with GNUtls and Mozilla NSS.
This directive is ignored with GnuTLS and Mozilla NSS.
H4: TLSEphemeralDHParamFile <filename>
@ -199,7 +199,7 @@ processed. Parameters can be generated using the following command
> openssl dhparam [-dsaparam] -out <filename> <numbits>
This directive is ignored with GNUtls and Mozilla NSS.
This directive is ignored with GnuTLS and Mozilla NSS.
H4: TLSVerifyClient { never | allow | try | demand }
@ -266,18 +266,19 @@ H4: TLS_CERT <filename>
This directive specifies the file that contains the client certificate.
This is a user-only directive and can only be specified in a user's
{{.ldaprc}} file.
When using Mozilla NSS, if using a cert/key database (specified with
{{EX:TLS_CACERTDIR}}), this directive specifies
the name of the certificate to use:
> TLS_CERT Certificate for Sam Carter
If using a token other than the internal built in token, specify the
token name first, followed by a colon:
. If using a token other than the internal built in token, specify the
. token name first, followed by a colon:
> TLS_CERT my hardware device:Certificate for Sam Carter
Use certutil -L to list the certificates by name:
. Use {{EX:certutil -L}} to list the certificates by name:
> certutil -d /path/to/certdbdir -L
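Review bot: the example "TLS_CERT my hardware device:Certificate for Sam Carter" has spaces in both the token name and the certificate name, and the text around it does not say whether the value must be quoted or is taken verbatim to the end of the line. One sentence after the example stating which applies would save readers a failed certificate lookup.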