ITS#6816 cleanup

2025-03-01 14:15:49 +08:00 · 2011-01-31 21:45:24 +00:00 · 2011-01-31 21:45:24 +00:00 · 307fd754ec
commit 307fd754ec
parent 4eb8fcdb48
3 changed files with 40 additions and 27 deletions
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@ -317,7 +317,7 @@ certificates in separate individual files. The
 .B TLS_CACERT
 is always used before
 .B TLS_CACERTDIR.
-This parameter is ignored with GNUtls.
+This parameter is ignored with GnuTLS.

 When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
 database.  If <path> contains a Mozilla NSS cert/key database and
@ -327,6 +327,7 @@ ignore the CA cert files.
 .B TLS_CERT <filename>
 Specifies the file that contains the client certificate.
 .B This is a user-only option.
+
 When using Mozilla NSS, if using a cert/key database (specified with
 TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
 .nf
@ -349,6 +350,7 @@ stored in the
 file. Currently, the private key must not be protected with a password, so
 it is of critical importance that the key file is protected carefully.
 .B This is a user-only option.
+
 When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
 the password for the key for the certificate specified with TLS_CERT.  The
 modutil command can be used to turn off password protection for the cert/key
@ -364,8 +366,8 @@ browser.  Press 'Enter' for the new password.
 .TP
 .B TLS_CIPHER_SUITE <cipher-suite-spec>
 Specifies acceptable cipher suite and preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL,
-<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls.
+<cipher-suite-spec> should be a cipher specification for 
+the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
 Example:
 .RS
 .RS
@ -373,7 +375,7 @@ Example:
 .I OpenSSL:
 TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
 .TP
-.I GNUtls:
+.I GnuTLS:
 TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
 .RE

@ -383,18 +385,19 @@ To check what ciphers a given spec selects in OpenSSL, use:
 	openssl ciphers \-v <cipher-suite-spec>
 .fi

-With GNUtls the available specs can be found in the manual page of 
+With GnuTLS the available specs can be found in the manual page of 
 .BR gnutls\-cli (1)
 (see the description of the 
 option
 .BR \-\-priority ).

-In older versions of GNUtls, where gnutls\-cli does not support the option
+In older versions of GnuTLS, where gnutls\-cli does not support the option
 \-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:

 .nf
 	gnutls\-cli \-l
 .fi
+
 When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
 translated into the format used internally by Mozilla NSS.  There isn't an easy
 way to list the cipher suites from the command line.  The authoritative list
@ -408,7 +411,7 @@ is in the source code for Mozilla NSS in the file sslinfo.c in the structure
 Specifies the file to obtain random bits from when /dev/[u]random is
 not available. Generally set to the name of the EGD/PRNGD socket.
 The environment variable RANDFILE can also be used to specify the filename.
-This parameter is ignored with GNUtls and Mozilla NSS.
+This parameter is ignored with GnuTLS and Mozilla NSS.
 .TP
 .B TLS_REQCERT <level>
 Specifies what checks to perform on server certificates in a TLS session,
@ -441,7 +444,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
 used to verify if the server certificates have not been revoked. This
 requires
 .B TLS_CACERTDIR
-parameter to be set. This parameter is ignored with GNUtls and Mozilla NSS.
+parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
 .B <level>
 can be specified as one of the following keywords:
 .RS
@ -459,7 +462,7 @@ Check the CRL for a whole certificate chain
 .B TLS_CRLFILE <filename>
 Specifies the file containing a Certificate Revocation List to be used
 to verify if the server certificates have not been revoked. This
-parameter is only supported with GNUtls and Mozilla NSS.
+parameter is only supported with GnuTLS and Mozilla NSS.
 .SH "ENVIRONMENT VARIABLES"
 .TP
 LDAPNOINIT
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@ -817,7 +817,8 @@ you can specify.
 .TP
 .B olcTLSCipherSuite: <cipher-suite-spec>
 Permits configuring what ciphers will be accepted and the preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls.
+<cipher-suite-spec> should be a cipher specification for
+the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
 Example:
 .RS
 .RS
@ -825,7 +826,7 @@ Example:
 .I OpenSSL:
 olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
 .TP
-.I GNUtls:
+.I GnuTLS:
 TLSCiphersuite SECURE256:!AES-128-CBC
 .RE

@ -835,18 +836,19 @@ To check what ciphers a given spec selects in OpenSSL, use:
 	openssl ciphers \-v <cipher-suite-spec>
 .fi

-With GNUtls the available specs can be found in the manual page of
+With GnuTLS the available specs can be found in the manual page of
 .BR gnutls\-cli (1)
 (see the description of the
 option
 .BR \-\-priority ).

-In older versions of GNUtls, where gnutls\-cli does not support the option
+In older versions of GnuTLS, where gnutls\-cli does not support the option
 \-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:

 .nf
 	gnutls\-cli \-l
 .fi
+
 When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
 translated into the format used internally by Mozilla NSS.  There isn't an easy
 way to list the cipher suites from the command line.  The authoritative list
@ -867,7 +869,8 @@ Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
 or the olcTLSCACertificateFile is defined. If both are specified, both
 locations will be used. This directive is not supported
-when using GNUtls.
+when using GnuTLS.
+
 When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
 database.  If <path> contains a Mozilla NSS cert/key database and
 CA cert files, OpenLDAP will use the cert/key database and will
@ -877,6 +880,7 @@ ignore the CA cert files.
 Specifies the file that contains the
 .B slapd
 server certificate.
+
 When using Mozilla NSS, if using a cert/key database (specified with
 olcTLSCACertificatePath), olcTLSCertificateFile specifies
 the name of the certificate to use:
@ -903,6 +907,7 @@ be manually typed in when slapd starts.  Usually the private key is not
 protected with a password, to allow slapd to start without manual
 intervention, so
 it is of critical importance that the file is protected carefully. 
+
 When using Mozilla NSS, olcTLSCertificateKeyFile specifies the name of
 a file that contains the password for the key for the certificate specified with
 olcTLSCertificateFile.  The modutil command can be used to turn off password
@ -924,14 +929,14 @@ them will be processed.  Note that setting this option may also enable
 Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
 You should append "!ADH" to your cipher suites if you have changed them
 from the default, otherwise no certificate exchanges or verification will
-be done. When using GNUtls or Mozilla NSS these parameters are always generated randomly
+be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
 so this directive is ignored.
 .TP
 .B olcTLSRandFile: <filename>
 Specifies the file to obtain random bits from when /dev/[u]random
 is not available.  Generally set to the name of the EGD/PRNGD socket.
 The environment variable RANDFILE can also be used to specify the filename.
-This directive is ignored with GNUtls and Mozilla NSS.
+This directive is ignored with GnuTLS and Mozilla NSS.
 .TP
 .B olcTLSVerifyClient: <level>
 Specifies what checks to perform on client certificates in an
@ -973,7 +978,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
 used to verify if the client certificates have not been revoked. This
 requires
 .B olcTLSCACertificatePath
-parameter to be set. This parameter is ignored with GNUtls and Mozilla NSS.
+parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
 .B <level>
 can be specified as one of the following keywords:
 .RS
@ -991,7 +996,7 @@ Check the CRL for a whole certificate chain
 .B olcTLSCRLFile: <filename>
 Specifies a file containing a Certificate Revocation List to be used
 for verifying that certificates have not been revoked. This parameter
-is only valid when using GNUtls.
+is only valid when using GnuTLS or Mozilla NSS.
 .SH DYNAMIC MODULE OPTIONS
 If
 .B slapd
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -1034,7 +1034,8 @@ you can specify.
 .TP
 .B TLSCipherSuite <cipher-suite-spec>
 Permits configuring what ciphers will be accepted and the preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls.
+<cipher-suite-spec> should be a cipher specification for the TLS library
+in use (OpenSSL, GnuTLS, or Mozilla NSS).
 Example:
 .RS
 .RS
@ -1042,7 +1043,7 @@ Example:
 .I OpenSSL:
 TLSCipherSuite HIGH:MEDIUM:+SSLv2
 .TP
-.I GNUtls:
+.I GnuTLS:
 TLSCiphersuite SECURE256:!AES-128-CBC
 .RE

@ -1052,18 +1053,19 @@ To check what ciphers a given spec selects in OpenSSL, use:
 	openssl ciphers \-v <cipher-suite-spec>
 .fi

-With GNUtls the available specs can be found in the manual page of 
+With GnuTLS the available specs can be found in the manual page of 
 .BR gnutls\-cli (1)
 (see the description of the 
 option
 .BR \-\-priority ).

-In older versions of GNUtls, where gnutls\-cli does not support the option
+In older versions of GnuTLS, where gnutls\-cli does not support the option
 \-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:

 .nf
 	gnutls\-cli \-l
 .fi
+
 When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
 translated into the format used internally by Mozilla NSS.  There isn't an easy
 way to list the cipher suites from the command line.  The authoritative list
@ -1083,7 +1085,8 @@ will recognize.
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
 or the TLSCACertificateFile is used. This directive is not supported
-when using GNUtls.
+when using GnuTLS.
+
 When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
 database.  If <path> contains a Mozilla NSS cert/key database and
 CA cert files, OpenLDAP will use the cert/key database and will
@ -1093,6 +1096,7 @@ ignore the CA cert files.
 Specifies the file that contains the
 .B slapd
 server certificate.
+
 When using Mozilla NSS, if using a cert/key database (specified with
 TLSCACertificatePath), TLSCertificateFile specifies
 the name of the certificate to use:
@ -1116,6 +1120,7 @@ server private key that matches the certificate stored in the
 .B TLSCertificateFile
 file.  Currently, the private key must not be protected with a password, so
 it is of critical importance that it is protected carefully. 
+
 When using Mozilla NSS, TLSCertificateKeyFile specifies the name of
 a file that contains the password for the key for the certificate specified with
 TLSCertificateFile.  The modutil command can be used to turn off password
@ -1136,14 +1141,14 @@ them will be processed.  Note that setting this option may also enable
 Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
 You should append "!ADH" to your cipher suites if you have changed them
 from the default, otherwise no certificate exchanges or verification will
-be done. When using GNUtls these parameters are always generated randomly so
+be done. When using GnuTLS these parameters are always generated randomly so
 this directive is ignored.  This directive is ignored when using Mozilla NSS.
 .TP
 .B TLSRandFile <filename>
 Specifies the file to obtain random bits from when /dev/[u]random
 is not available.  Generally set to the name of the EGD/PRNGD socket.
 The environment variable RANDFILE can also be used to specify the filename.
-This directive is ignored with GNUtls and Mozilla NSS.
+This directive is ignored with GnuTLS and Mozilla NSS.
 .TP
 .B TLSVerifyClient <level>
 Specifies what checks to perform on client certificates in an
@ -1185,7 +1190,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
 used to verify if the client certificates have not been revoked. This
 requires
 .B TLSCACertificatePath
-parameter to be set. This directive is ignored with GNUtls and Mozilla NSS.
+parameter to be set. This directive is ignored with GnuTLS and Mozilla NSS.
 .B <level>
 can be specified as one of the following keywords:
 .RS
@ -1203,7 +1208,7 @@ Check the CRL for a whole certificate chain
 .B TLSCRLFile <filename>
 Specifies a file containing a Certificate Revocation List to be used
 for verifying that certificates have not been revoked. This directive is
-only valid when using GNUtls and Mozilla NSS.
+only valid when using GnuTLS and Mozilla NSS.
 .SH GENERAL BACKEND OPTIONS
 Options in this section only apply to the configuration file section
 for the specified backend.  They are supported by every