mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
ITS#6816 MozNSS doc additions from Rich Megginson @ Red Hat. Needs cleanup.
This commit is contained in:
parent
4064e3c15d
commit
c721b2b7a0
@ -17,6 +17,7 @@ Feature|Software|Version
|
||||
{{TERM[expand]TLS}}:
|
||||
|{{PRD:OpenSSL}}|0.9.7+
|
||||
|{{PRD:GnuTLS}}|2.0.1
|
||||
|{{PRD:MozNSS}}|3.12.9
|
||||
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
|
||||
{{TERM[expand]Kerberos}}:
|
||||
|{{PRD:Heimdal}}|Version
|
||||
|
@ -1363,6 +1363,9 @@ lookups
|
||||
GnuTLS
|
||||
GNUtls
|
||||
gnutls
|
||||
MozNSS
|
||||
MOZNSS
|
||||
moznss
|
||||
LTONLY
|
||||
SNMP
|
||||
timelimit
|
||||
|
@ -63,15 +63,16 @@ installation instructions provided with it.
|
||||
|
||||
H3: {{TERM[expand]TLS}}
|
||||
|
||||
OpenLDAP clients and servers require installation of either {{PRD:OpenSSL}}
|
||||
or {{PRD:GnuTLS}}
|
||||
OpenLDAP clients and servers require installation of {{PRD:OpenSSL}},
|
||||
{{PRD:GnuTLS}}, or {{PRD:MozNSS}}
|
||||
{{TERM:TLS}} libraries to provide {{TERM[expand]TLS}} services. Though
|
||||
some operating systems may provide these libraries as part of the
|
||||
base system or as an optional software component, OpenSSL and GnuTLS often
|
||||
require separate installation.
|
||||
base system or as an optional software component, OpenSSL, GnuTLS, and
|
||||
Mozilla NSS often require separate installation.
|
||||
|
||||
OpenSSL is available from {{URL: http://www.openssl.org/}}.
|
||||
GnuTLS is available from {{URL: http://www.gnu.org/software/gnutls/}}.
|
||||
Mozilla NSS is available from {{URL: http://developer.mozilla.org/en/NSS}}.
|
||||
|
||||
OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's
|
||||
{{EX:configure}} detects a usable TLS library.
|
||||
|
@ -384,7 +384,8 @@ SASL}} software which supports a number of mechanisms including
|
||||
{{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based
|
||||
authentication and data security (integrity and confidentiality)
|
||||
services through the use of TLS (or SSL). {{slapd}}'s TLS
|
||||
implementation can utilize either {{PRD:OpenSSL}} or {{PRD:GnuTLS}} software.
|
||||
implementation can utilize {{PRD:OpenSSL}}, {{PRD:GnuTLS}},
|
||||
or {{PRD:MozNSS}} software.
|
||||
|
||||
{{B:Topology control}}: {{slapd}} can be configured to restrict
|
||||
access at the socket layer based upon network topology information.
|
||||
|
@ -19,7 +19,8 @@ identities. All servers are required to have valid certificates,
|
||||
whereas client certificates are optional. Clients must have a
|
||||
valid certificate in order to authenticate via SASL EXTERNAL.
|
||||
For more information on creating and managing certificates,
|
||||
see the {{PRD:OpenSSL}} documentation.
|
||||
see the {{PRD:OpenSSL}}, {{PRD:GnuTLS}}, or {{PRD:MozNSS}} documentation,
|
||||
depending on which TLS implementation libraries you are using.
|
||||
|
||||
H3: Server Certificates
|
||||
|
||||
@ -89,12 +90,37 @@ this option can only be used with a filesystem that actually supports
|
||||
symbolic links. In general, it is simpler to use the
|
||||
{{EX:TLSCACertificateFile}} directive instead.
|
||||
|
||||
When using Mozilla NSS, this directive can be used to specify the
|
||||
path of the directory containing the NSS certificate and key database
|
||||
files. The certutil command can be used to add a {{TERM:CA}} certificate:
|
||||
|
||||
> certutil -d <path> -A -n "name of CA cert" -t CT,, -a -i /path/to/cacertfile.pem
|
||||
|
||||
This command will add a CA certficate stored in the PEM (ASCII) formatted
|
||||
file named /path/to/cacertfile.pem. -t CT,, means that the certificate is
|
||||
trusted to be a CA issuing certs for use in TLS clients and servers.
|
||||
|
||||
H4: TLSCertificateFile <filename>
|
||||
|
||||
This directive specifies the file that contains the slapd server
|
||||
certificate. Certificates are generally public information and
|
||||
require no special protection.
|
||||
|
||||
When using Mozilla NSS, if using a cert/key database (specified with
|
||||
{{EX:TLSCACertificatePath}}), this directive specifies
|
||||
the name of the certificate to use:
|
||||
|
||||
> TLSCertificateFile Server-Cert
|
||||
|
||||
If using a token other than the internal built in token, specify the
|
||||
token name first, followed by a colon:
|
||||
|
||||
> TLSCertificateFile my hardware device:Server-Cert
|
||||
|
||||
Use certutil -L to list the certificates by name:
|
||||
|
||||
> certutil -d /path/to/certdbdir -L
|
||||
|
||||
H4: TLSCertificateKeyFile <filename>
|
||||
|
||||
This directive specifies the file that contains the private key
|
||||
@ -104,6 +130,18 @@ password encrypted for protection. However, the current implementation
|
||||
doesn't support encrypted keys so the key must not be encrypted
|
||||
and the file itself must be protected carefully.
|
||||
|
||||
When using Mozilla NSS, this directive specifies the name of
|
||||
a file that contains the password for the key for the certificate specified with
|
||||
{{EX:TLSCertificateFile}}. The modutil command can be used to turn off password
|
||||
protection for the cert/key database. For example, if {{EX:TLSCACertificatePath}}
|
||||
specifes /etc/openldap/certdb as the location of the cert/key database, use
|
||||
modutil to change the password to the empty string:
|
||||
|
||||
> modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
|
||||
|
||||
You must have the old password, if any. Ignore the WARNING about the running
|
||||
browser. Press 'Enter' for the new password.
|
||||
|
||||
H4: TLSCipherSuite <cipher-suite-spec>
|
||||
|
||||
This directive configures what ciphers will be accepted and the
|
||||
@ -123,6 +161,13 @@ Besides the individual cipher names, the specifiers {{EX:HIGH}},
|
||||
may be helpful, along with {{EX:TLSv1}}, {{EX:SSLv3}},
|
||||
and {{EX:SSLv2}}.
|
||||
|
||||
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
|
||||
translated into the format used internally by Mozilla NSS. There isn't an easy
|
||||
way to list the cipher suites from the command line. The authoritative list
|
||||
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
|
||||
|
||||
> static const SSLCipherSuiteInfo suiteInfo[]
|
||||
|
||||
H4: TLSRandFile <filename>
|
||||
|
||||
This directive specifies the file to obtain random bits from when
|
||||
@ -141,6 +186,8 @@ copy a few hundred bytes of arbitrary data into the file. The file
|
||||
is only used to provide a seed for the pseudo-random number generator,
|
||||
and it doesn't need very much data to work.
|
||||
|
||||
This directive is ignored with GNUtls and Mozilla NSS.
|
||||
|
||||
H4: TLSEphemeralDHParamFile <filename>
|
||||
|
||||
This directive specifies the file that contains parameters for
|
||||
@ -152,6 +199,8 @@ processed. Parameters can be generated using the following command
|
||||
|
||||
> openssl dhparam [-dsaparam] -out <filename> <numbits>
|
||||
|
||||
This directive is ignored with GNUtls and Mozilla NSS.
|
||||
|
||||
H4: TLSVerifyClient { never | allow | try | demand }
|
||||
|
||||
This directive specifies what checks to perform on client certificates
|
||||
@ -210,13 +259,28 @@ H4: TLS_CACERTDIR <path>
|
||||
|
||||
This is equivalent to the server's {{EX:TLSCACertificatePath}} option. The
|
||||
specified directory must be managed with the OpenSSL {{c_rehash}}
|
||||
utility as well.
|
||||
utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
|
||||
|
||||
H4: TLS_CERT <filename>
|
||||
|
||||
This directive specifies the file that contains the client certificate.
|
||||
This is a user-only directive and can only be specified in a user's
|
||||
{{.ldaprc}} file.
|
||||
When using Mozilla NSS, if using a cert/key database (specified with
|
||||
{{EX:TLS_CACERTDIR}}), this directive specifies
|
||||
the name of the certificate to use:
|
||||
|
||||
> TLS_CERT Certificate for Sam Carter
|
||||
|
||||
If using a token other than the internal built in token, specify the
|
||||
token name first, followed by a colon:
|
||||
|
||||
> TLS_CERT my hardware device:Certificate for Sam Carter
|
||||
|
||||
Use certutil -L to list the certificates by name:
|
||||
|
||||
> certutil -d /path/to/certdbdir -L
|
||||
|
||||
|
||||
H4: TLS_KEY <filename>
|
||||
|
||||
|
@ -136,6 +136,7 @@ GnuTLS|http://www.gnu.org/software/gnutls/
|
||||
Heimdal|http://www.pdc.kth.se/heimdal/
|
||||
JLDAP|http://www.openldap.org/jldap/
|
||||
MIT Kerberos|http://web.mit.edu/kerberos/www/
|
||||
MozNSS|http://developer.mozilla.org/en/NSS
|
||||
OpenLDAP|http://www.openldap.org/
|
||||
OpenLDAP FAQ|http://www.openldap.org/faq/
|
||||
OpenLDAP ITS|http://www.openldap.org/its/
|
||||
|
@ -686,7 +686,7 @@ must be
|
||||
.BR "char **" ,
|
||||
and its contents need to be freed by the caller using
|
||||
.BR ldap_memfree (3).
|
||||
Ignored by GnuTLS.
|
||||
Ignored by GnuTLS and Mozilla NSS.
|
||||
.TP
|
||||
.B LDAP_OPT_X_TLS_KEYFILE
|
||||
Sets/gets the full-path of the certificate key file.
|
||||
@ -731,7 +731,7 @@ must be
|
||||
.BR "char **" ,
|
||||
and its contents need to be freed by the caller using
|
||||
.BR ldap_memfree (3).
|
||||
Ignored by GnuTLS older than version 2.2.
|
||||
Ignored by GnuTLS older than version 2.2. Ignored by Mozilla NSS.
|
||||
.TP
|
||||
.B LDAP_OPT_X_TLS_REQUIRE_CERT
|
||||
Sets/gets the peer certificate checking strategy,
|
||||
|
@ -318,10 +318,29 @@ certificates in separate individual files. The
|
||||
is always used before
|
||||
.B TLS_CACERTDIR.
|
||||
This parameter is ignored with GNUtls.
|
||||
|
||||
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
|
||||
database. If <path> contains a Mozilla NSS cert/key database and
|
||||
CA cert files, OpenLDAP will use the cert/key database and will
|
||||
ignore the CA cert files.
|
||||
.TP
|
||||
.B TLS_CERT <filename>
|
||||
Specifies the file that contains the client certificate.
|
||||
.B This is a user-only option.
|
||||
When using Mozilla NSS, if using a cert/key database (specified with
|
||||
TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
|
||||
.nf
|
||||
TLS_CERT Certificate for Sam Carter
|
||||
.fi
|
||||
If using a token other than the internal built in token, specify the
|
||||
token name first, followed by a colon:
|
||||
.nf
|
||||
TLS_CERT my hardware device:Certificate for Sam Carter
|
||||
.fi
|
||||
Use certutil -L to list the certificates by name:
|
||||
.nf
|
||||
certutil -d /path/to/certdbdir -L
|
||||
.fi
|
||||
.TP
|
||||
.B TLS_KEY <filename>
|
||||
Specifies the file that contains the private key that matches the certificate
|
||||
@ -330,6 +349,18 @@ stored in the
|
||||
file. Currently, the private key must not be protected with a password, so
|
||||
it is of critical importance that the key file is protected carefully.
|
||||
.B This is a user-only option.
|
||||
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
|
||||
the password for the key for the certificate specified with TLS_CERT. The
|
||||
modutil command can be used to turn off password protection for the cert/key
|
||||
database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as
|
||||
the location of the cert/key database, use modutil to change the password
|
||||
to the empty string:
|
||||
.nf
|
||||
modutil -dbdir ~/.moznss -changepw 'NSS Certificate DB'
|
||||
.fi
|
||||
You must have the old password, if any. Ignore the WARNING about the running
|
||||
browser. Press 'Enter' for the new password.
|
||||
|
||||
.TP
|
||||
.B TLS_CIPHER_SUITE <cipher-suite-spec>
|
||||
Specifies acceptable cipher suite and preference order.
|
||||
@ -364,13 +395,20 @@ In older versions of GNUtls, where gnutls\-cli does not support the option
|
||||
.nf
|
||||
gnutls\-cli \-l
|
||||
.fi
|
||||
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
|
||||
translated into the format used internally by Mozilla NSS. There isn't an easy
|
||||
way to list the cipher suites from the command line. The authoritative list
|
||||
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
|
||||
.nf
|
||||
static const SSLCipherSuiteInfo suiteInfo[]
|
||||
.fi
|
||||
.RE
|
||||
.TP
|
||||
.B TLS_RANDFILE <filename>
|
||||
Specifies the file to obtain random bits from when /dev/[u]random is
|
||||
not available. Generally set to the name of the EGD/PRNGD socket.
|
||||
The environment variable RANDFILE can also be used to specify the filename.
|
||||
This parameter is ignored with GNUtls.
|
||||
This parameter is ignored with GNUtls and Mozilla NSS.
|
||||
.TP
|
||||
.B TLS_REQCERT <level>
|
||||
Specifies what checks to perform on server certificates in a TLS session,
|
||||
@ -403,7 +441,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
|
||||
used to verify if the server certificates have not been revoked. This
|
||||
requires
|
||||
.B TLS_CACERTDIR
|
||||
parameter to be set. This parameter is ignored with GNUtls.
|
||||
parameter to be set. This parameter is ignored with GNUtls and Mozilla NSS.
|
||||
.B <level>
|
||||
can be specified as one of the following keywords:
|
||||
.RS
|
||||
@ -421,7 +459,7 @@ Check the CRL for a whole certificate chain
|
||||
.B TLS_CRLFILE <filename>
|
||||
Specifies the file containing a Certificate Revocation List to be used
|
||||
to verify if the server certificates have not been revoked. This
|
||||
parameter is only supported with GNUtls.
|
||||
parameter is only supported with GNUtls and Mozilla NSS.
|
||||
.SH "ENVIRONMENT VARIABLES"
|
||||
.TP
|
||||
LDAPNOINIT
|
||||
|
@ -847,6 +847,13 @@ In older versions of GNUtls, where gnutls\-cli does not support the option
|
||||
.nf
|
||||
gnutls\-cli \-l
|
||||
.fi
|
||||
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
|
||||
translated into the format used internally by Mozilla NSS. There isn't an easy
|
||||
way to list the cipher suites from the command line. The authoritative list
|
||||
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
|
||||
.nf
|
||||
static const SSLCipherSuiteInfo suiteInfo[]
|
||||
.fi
|
||||
.RE
|
||||
.TP
|
||||
.B olcTLSCACertificateFile: <filename>
|
||||
@ -861,11 +868,30 @@ certificates in separate individual files. Usually only one of this
|
||||
or the olcTLSCACertificateFile is defined. If both are specified, both
|
||||
locations will be used. This directive is not supported
|
||||
when using GNUtls.
|
||||
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
|
||||
database. If <path> contains a Mozilla NSS cert/key database and
|
||||
CA cert files, OpenLDAP will use the cert/key database and will
|
||||
ignore the CA cert files.
|
||||
.TP
|
||||
.B olcTLSCertificateFile: <filename>
|
||||
Specifies the file that contains the
|
||||
.B slapd
|
||||
server certificate.
|
||||
When using Mozilla NSS, if using a cert/key database (specified with
|
||||
olcTLSCACertificatePath), olcTLSCertificateFile specifies
|
||||
the name of the certificate to use:
|
||||
.nf
|
||||
olcTLSCertificateFile: Server-Cert
|
||||
.fi
|
||||
If using a token other than the internal built in token, specify the
|
||||
token name first, followed by a colon:
|
||||
.nf
|
||||
olcTLSCertificateFile: my hardware device:Server-Cert
|
||||
.fi
|
||||
Use certutil -L to list the certificates by name:
|
||||
.nf
|
||||
certutil -d /path/to/certdbdir -L
|
||||
.fi
|
||||
.TP
|
||||
.B olcTLSCertificateKeyFile: <filename>
|
||||
Specifies the file that contains the
|
||||
@ -877,6 +903,18 @@ be manually typed in when slapd starts. Usually the private key is not
|
||||
protected with a password, to allow slapd to start without manual
|
||||
intervention, so
|
||||
it is of critical importance that the file is protected carefully.
|
||||
When using Mozilla NSS, olcTLSCertificateKeyFile specifies the name of
|
||||
a file that contains the password for the key for the certificate specified with
|
||||
olcTLSCertificateFile. The modutil command can be used to turn off password
|
||||
protection for the cert/key database. For example, if olcTLSCACertificatePath
|
||||
specifes /etc/openldap/certdb as the location of the cert/key database, use
|
||||
modutil to change the password to the empty string:
|
||||
.nf
|
||||
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
|
||||
.fi
|
||||
You must have the old password, if any. Ignore the WARNING about the running
|
||||
browser. Press 'Enter' for the new password.
|
||||
|
||||
.TP
|
||||
.B olcTLSDHParamFile: <filename>
|
||||
This directive specifies the file that contains parameters for Diffie-Hellman
|
||||
@ -886,14 +924,14 @@ them will be processed. Note that setting this option may also enable
|
||||
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
|
||||
You should append "!ADH" to your cipher suites if you have changed them
|
||||
from the default, otherwise no certificate exchanges or verification will
|
||||
be done. When using GNUtls these parameters are always generated randomly
|
||||
be done. When using GNUtls or Mozilla NSS these parameters are always generated randomly
|
||||
so this directive is ignored.
|
||||
.TP
|
||||
.B olcTLSRandFile: <filename>
|
||||
Specifies the file to obtain random bits from when /dev/[u]random
|
||||
is not available. Generally set to the name of the EGD/PRNGD socket.
|
||||
The environment variable RANDFILE can also be used to specify the filename.
|
||||
This directive is ignored with GNUtls.
|
||||
This directive is ignored with GNUtls and Mozilla NSS.
|
||||
.TP
|
||||
.B olcTLSVerifyClient: <level>
|
||||
Specifies what checks to perform on client certificates in an
|
||||
@ -935,7 +973,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
|
||||
used to verify if the client certificates have not been revoked. This
|
||||
requires
|
||||
.B olcTLSCACertificatePath
|
||||
parameter to be set. This parameter is ignored with GNUtls.
|
||||
parameter to be set. This parameter is ignored with GNUtls and Mozilla NSS.
|
||||
.B <level>
|
||||
can be specified as one of the following keywords:
|
||||
.RS
|
||||
|
@ -1064,6 +1064,13 @@ In older versions of GNUtls, where gnutls\-cli does not support the option
|
||||
.nf
|
||||
gnutls\-cli \-l
|
||||
.fi
|
||||
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
|
||||
translated into the format used internally by Mozilla NSS. There isn't an easy
|
||||
way to list the cipher suites from the command line. The authoritative list
|
||||
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
|
||||
.nf
|
||||
static const SSLCipherSuiteInfo suiteInfo[]
|
||||
.fi
|
||||
.RE
|
||||
.TP
|
||||
.B TLSCACertificateFile <filename>
|
||||
@ -1077,11 +1084,30 @@ Specifies the path of a directory that contains Certificate Authority
|
||||
certificates in separate individual files. Usually only one of this
|
||||
or the TLSCACertificateFile is used. This directive is not supported
|
||||
when using GNUtls.
|
||||
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
|
||||
database. If <path> contains a Mozilla NSS cert/key database and
|
||||
CA cert files, OpenLDAP will use the cert/key database and will
|
||||
ignore the CA cert files.
|
||||
.TP
|
||||
.B TLSCertificateFile <filename>
|
||||
Specifies the file that contains the
|
||||
.B slapd
|
||||
server certificate.
|
||||
When using Mozilla NSS, if using a cert/key database (specified with
|
||||
TLSCACertificatePath), TLSCertificateFile specifies
|
||||
the name of the certificate to use:
|
||||
.nf
|
||||
TLSCertificateFile Server-Cert
|
||||
.fi
|
||||
If using a token other than the internal built in token, specify the
|
||||
token name first, followed by a colon:
|
||||
.nf
|
||||
TLSCertificateFile my hardware device:Server-Cert
|
||||
.fi
|
||||
Use certutil -L to list the certificates by name:
|
||||
.nf
|
||||
certutil -d /path/to/certdbdir -L
|
||||
.fi
|
||||
.TP
|
||||
.B TLSCertificateKeyFile <filename>
|
||||
Specifies the file that contains the
|
||||
@ -1090,6 +1116,17 @@ server private key that matches the certificate stored in the
|
||||
.B TLSCertificateFile
|
||||
file. Currently, the private key must not be protected with a password, so
|
||||
it is of critical importance that it is protected carefully.
|
||||
When using Mozilla NSS, TLSCertificateKeyFile specifies the name of
|
||||
a file that contains the password for the key for the certificate specified with
|
||||
TLSCertificateFile. The modutil command can be used to turn off password
|
||||
protection for the cert/key database. For example, if TLSCACertificatePath
|
||||
specifes /etc/openldap/certdb as the location of the cert/key database, use
|
||||
modutil to change the password to the empty string:
|
||||
.nf
|
||||
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
|
||||
.fi
|
||||
You must have the old password, if any. Ignore the WARNING about the running
|
||||
browser. Press 'Enter' for the new password.
|
||||
.TP
|
||||
.B TLSDHParamFile <filename>
|
||||
This directive specifies the file that contains parameters for Diffie-Hellman
|
||||
@ -1100,13 +1137,13 @@ Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
|
||||
You should append "!ADH" to your cipher suites if you have changed them
|
||||
from the default, otherwise no certificate exchanges or verification will
|
||||
be done. When using GNUtls these parameters are always generated randomly so
|
||||
this directive is ignored.
|
||||
this directive is ignored. This directive is ignored when using Mozilla NSS.
|
||||
.TP
|
||||
.B TLSRandFile <filename>
|
||||
Specifies the file to obtain random bits from when /dev/[u]random
|
||||
is not available. Generally set to the name of the EGD/PRNGD socket.
|
||||
The environment variable RANDFILE can also be used to specify the filename.
|
||||
This directive is ignored with GNUtls.
|
||||
This directive is ignored with GNUtls and Mozilla NSS.
|
||||
.TP
|
||||
.B TLSVerifyClient <level>
|
||||
Specifies what checks to perform on client certificates in an
|
||||
@ -1148,7 +1185,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
|
||||
used to verify if the client certificates have not been revoked. This
|
||||
requires
|
||||
.B TLSCACertificatePath
|
||||
parameter to be set. This directive is ignored with GNUtls.
|
||||
parameter to be set. This directive is ignored with GNUtls and Mozilla NSS.
|
||||
.B <level>
|
||||
can be specified as one of the following keywords:
|
||||
.RS
|
||||
@ -1166,7 +1203,7 @@ Check the CRL for a whole certificate chain
|
||||
.B TLSCRLFile <filename>
|
||||
Specifies a file containing a Certificate Revocation List to be used
|
||||
for verifying that certificates have not been revoked. This directive is
|
||||
only valid when using GNUtls.
|
||||
only valid when using GNUtls and Mozilla NSS.
|
||||
.SH GENERAL BACKEND OPTIONS
|
||||
Options in this section only apply to the configuration file section
|
||||
for the specified backend. They are supported by every
|
||||
|
Loading…
Reference in New Issue
Block a user