.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
-This parameter is ignored with GNUtls.
+This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
database. If <path> contains a Mozilla NSS cert/key database and
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
.B This is a user-only option.
+
When using Mozilla NSS, if using a cert/key database (specified with
TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
.nf
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
.B This is a user-only option.
+
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
the password for the key for the certificate specified with TLS_CERT. The
modutil command can be used to turn off password protection for the cert/key
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL,
-<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls.
+<cipher-suite-spec> should be a cipher specification for
+the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
Example:
.RS
.RS
.I OpenSSL:
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
.TP
-.I GNUtls:
+.I GnuTLS:
TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
.RE
openssl ciphers \-v <cipher-suite-spec>
.fi
-With GNUtls the available specs can be found in the manual page of
+With GnuTLS the available specs can be found in the manual page of
.BR gnutls\-cli (1)
(see the description of the
option
.BR \-\-priority ).
-In older versions of GNUtls, where gnutls\-cli does not support the option
+In older versions of GnuTLS, where gnutls\-cli does not support the option
\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
.nf
gnutls\-cli \-l
.fi
+
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
-This parameter is ignored with GNUtls and Mozilla NSS.
+This parameter is ignored with GnuTLS and Mozilla NSS.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
-parameter to be set. This parameter is ignored with GNUtls and Mozilla NSS.
+parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
.B <level>
can be specified as one of the following keywords:
.RS
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
-parameter is only supported with GNUtls and Mozilla NSS.
+parameter is only supported with GnuTLS and Mozilla NSS.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
projects / openldap / blobdiff