# $OpenLDAP$
-# Copyright 1999-2011 The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Using TLS
When using Mozilla NSS, this directive can be used to specify the
path of the directory containing the NSS certificate and key database
-files. The certutil command can be used to add a {{TERM:CA}} certificate:
+files. The {{certutil}} command can be used to add a {{TERM:CA}} certificate:
> certutil -d <path> -A -n "name of CA cert" -t CT,, -a -i /path/to/cacertfile.pem
-This command will add a CA certficate stored in the PEM (ASCII) formatted
-file named /path/to/cacertfile.pem. -t CT,, means that the certificate is
-trusted to be a CA issuing certs for use in TLS clients and servers.
+. This command will add a CA certficate stored in the PEM (ASCII) formatted
+. file named /path/to/cacertfile.pem. {{EX:-t CT,,}} means that the certificate is
+. trusted to be a CA issuing certs for use in TLS clients and servers.
H4: TLSCertificateFile <filename>
> TLSCertificateFile Server-Cert
-If using a token other than the internal built in token, specify the
-token name first, followed by a colon:
+. If using a token other than the internal built in token, specify the
+. token name first, followed by a colon:
> TLSCertificateFile my hardware device:Server-Cert
-Use certutil -L to list the certificates by name:
+. Use {{EX:certutil -L}} to list the certificates by name:
> certutil -d /path/to/certdbdir -L
> modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
-You must have the old password, if any. Ignore the WARNING about the running
-browser. Press 'Enter' for the new password.
+. You must have the old password, if any. Ignore the WARNING about the running
+. browser. Press 'Enter' for the new password.
H4: TLSCipherSuite <cipher-suite-spec>
to obtain a verbose list of available cipher specifications.
-To obtain the list of ciphers in GNUtls use:
-
-> gnutls-cli -l
-
Besides the individual cipher names, the specifiers {{EX:HIGH}},
{{EX:MEDIUM}}, {{EX:LOW}}, {{EX:EXPORT}}, and {{EX:EXPORT40}}
may be helpful, along with {{EX:TLSv1}}, {{EX:SSLv3}},
and {{EX:SSLv2}}.
+To obtain the list of ciphers in GnuTLS use:
+
+> gnutls-cli -l
+
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
is only used to provide a seed for the pseudo-random number generator,
and it doesn't need very much data to work.
-This directive is ignored with GNUtls and Mozilla NSS.
+This directive is ignored with GnuTLS and Mozilla NSS.
H4: TLSEphemeralDHParamFile <filename>
> openssl dhparam [-dsaparam] -out <filename> <numbits>
-This directive is ignored with GNUtls and Mozilla NSS.
+This directive is ignored with GnuTLS and Mozilla NSS.
H4: TLSVerifyClient { never | allow | try | demand }
This directive specifies the file that contains the client certificate.
This is a user-only directive and can only be specified in a user's
{{.ldaprc}} file.
+
When using Mozilla NSS, if using a cert/key database (specified with
{{EX:TLS_CACERTDIR}}), this directive specifies
the name of the certificate to use:
> TLS_CERT Certificate for Sam Carter
-If using a token other than the internal built in token, specify the
-token name first, followed by a colon:
+. If using a token other than the internal built in token, specify the
+. token name first, followed by a colon:
> TLS_CERT my hardware device:Certificate for Sam Carter
-Use certutil -L to list the certificates by name:
+. Use {{EX:certutil -L}} to list the certificates by name:
> certutil -d /path/to/certdbdir -L
projects / openldap / blobdiff