Commit 9688a3ae authored by Howard Chu's avatar Howard Chu

Added GNUtls notes

parent bdd8bf41
......@@ -278,6 +278,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
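Review bot: the added "This parameter is ignored with GNUtls." is ambiguous about which parameter it means, because the sentence just before it names both TLS_CACERT and TLS_CACERTDIR; suggest "TLS_CACERTDIR is ignored when using GnuTLS" (and the library's own spelling, GnuTLS, throughout the patch). It is also worth stating the consequence: a client built against GnuTLS that sets only TLS_CACERTDIR has no trust anchors at all, so TLS_CACERT must be set for server certificate verification to work.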
......@@ -300,6 +301,7 @@ e.g., HIGH:MEDIUM:+SSLv2.
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This parameter is ignored with GNUtls.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
......@@ -332,7 +334,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
parameter to be set.
parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
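Review bot: placing "This parameter is ignored with GNUtls." right after "parameter to be set." splits the entry in the middle of its description, immediately before `.B <level>` "can be specified as one of the following keywords", so the reader reaches the level list having just been told the whole parameter does nothing. Suggest moving the sentence to a final paragraph of the entry and pointing at TLS_CRLFILE as the GnuTLS mechanism, since an administrator relying on TLS_CRLCHECK would otherwise get no revocation checking under GnuTLS without being told the alternative.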
......@@ -346,6 +348,11 @@ Check the CRL of the peer certificate
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
parameter is only supported with GNUtls.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
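Review bot: the new TLS_CRLFILE entry says it is "only supported with GNUtls" but not what a non-GnuTLS build does with it (silently ignore it or reject the configuration); that matters because silent acceptance leaves the client with no revocation checking while the configuration looks complete. Suggest stating that behaviour, the expected file format, and whether the CRL is applied to the peer certificate only or to the whole chain, the distinction the TLS_CRLCHECK levels above make.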
......@@ -781,9 +781,17 @@ Permits configuring what ciphers will be accepted and the preference order.
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects, use:
To check what ciphers a given spec selects in OpenSSL, use:
openssl ciphers -v <cipher-suite-spec>
.nf
openssl ciphers -v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
.fi
.TP
.B olcTLSCACertificateFile: <filename>
Specifies the file that contains certificates for all of the Certificate
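Review bot: the hunk keeps `olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2` as the example while adding GnuTLS, but that string is OpenSSL cipher-list syntax; GnuTLS uses priority strings (for example NORMAL or SECURE256), so the entry should say that the value's syntax depends on the TLS library slapd was built with. Also, `gnutls-cli -l` prints every algorithm GnuTLS supports rather than evaluating a given spec, so "To obtain the list of ciphers" is accurate but should not be read as the counterpart of `openssl ciphers -v <cipher-suite-spec>`; one sentence making that difference explicit would help.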
......@@ -795,7 +803,8 @@ will recognize.
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
locations will be used.
locations will be used. This directive is not supported
when using GNUtls.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
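Review bot: "This directive is not supported when using GNUtls" uses different wording from the ldap.conf.5 hunk ("ignored") for the same situation; pick one and say whether slapd refuses the configuration or starts without it. The silent case is the dangerous one: a server with only olcTLSCACertificatePath configured would have no CA to verify client certificates against, so the note should direct the administrator to olcTLSCACertificateFile under GnuTLS.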
......@@ -821,12 +830,14 @@ them will be processed. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done.
be done. When using GNUtls these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This directive is ignored with GNUtls.
.TP
.B olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
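Review bot: "these parameters are always generated randomly" is vague about what is generated and when; name the Diffie-Hellman parameters and olcTLSDHParamFile explicitly and say when generation happens, rather than leaving "these parameters" to refer back across the entry. The olcTLSRandFile addition is fine; consider using the same "ignored with GnuTLS" phrasing in all three man pages.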
......@@ -868,7 +879,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B olcTLSCACertificatePath
parameter to be set.
parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
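Review bot: same placement issue as in ldap.conf.5: the added "This parameter is ignored with GNUtls." sits between "parameter to be set." and the `<level>` keyword list, so the levels read as if they still applied. Move it to the end of the olcTLSCRLCheck entry and cross-reference olcTLSCRLFile as the GnuTLS alternative.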
......@@ -882,6 +893,11 @@ Check the CRL of the peer certificate
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This parameter
is only valid when using GNUtls.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
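Review bot: "This parameter is only valid when using GNUtls" for olcTLSCRLFile differs from the ldap.conf.5 wording ("only supported") and, like it, leaves open whether an OpenSSL build ignores or rejects the attribute; state that, and say whether olcTLSCRLFile is used together with or instead of olcTLSCRLCheck, which the previous hunk marks as ignored under GnuTLS.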
......@@ -919,7 +919,16 @@ TLSCipherSuite HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects, use:
openssl ciphers -v <cipher-suite-spec>
.nf
openssl ciphers -v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
.fi
.TP
.B TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of the Certificate
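Review bot: unlike the slapd-config.5 hunk, the lead sentence "To check what ciphers a given spec selects, use:" is left as it was, so it still reads as if it introduced both the openssl and the gnutls-cli commands; suggest the same "in OpenSSL" wording used in slapd-config.5. The same caveats apply here: `TLSCipherSuite HIGH:MEDIUM:+SSLv2` is OpenSSL syntax, and `gnutls-cli -l` lists supported algorithms rather than evaluating a spec.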
......@@ -930,7 +939,8 @@ will recognize.
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used.
or the TLSCACertificateFile is used. This directive is not supported
when using GNUtls.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
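Review bot: as with olcTLSCACertificatePath, say whether TLSCACertificatePath is rejected or silently ignored under GnuTLS and direct the administrator to TLSCACertificateFile, since a slapd.conf that sets only the path would leave client certificate verification without any CA.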
......@@ -953,12 +963,14 @@ them will be processed. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done.
be done. When using GNUtls these parameters are always generated randomly so
this directive is ignored.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This directive is ignored with GNUtls.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
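Review bot: "these parameters are always generated randomly so this directive is ignored" has the same ambiguity as in slapd-config.5: name the Diffie-Hellman parameters and TLSDHParamFile explicitly and say when generation happens.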
......@@ -1000,7 +1012,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
parameter to be set.
parameter to be set. This directive is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
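Review bot: the TLSCRLCheck note says "directive" where the matching slapd-config.5 hunk says "parameter"; align the wording, move the sentence after the level list so the levels are not presented as applicable, and cross-reference TLSCRLFile as the GnuTLS alternative.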
......@@ -1014,6 +1026,11 @@ Check the CRL of the peer certificate
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B TLSCRLFile <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This directive is
only valid when using GNUtls.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend. They are supported by every
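Review bot: same points as for olcTLSCRLFile: state what a non-GnuTLS slapd does with TLSCRLFile (ignore or reject), the expected file format, and how it relates to TLSCRLCheck, which the previous hunk marks as ignored under GnuTLS.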