.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
+This parameter is ignored with GNUtls.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
-parameter to be set.
+parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
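Review bot: "This parameter is ignored with GNUtls." leaves a GnuTLS user with no pointer to what to use instead, even though the same patch adds TLS_CRLFILE for exactly this purpose. Suggest "+parameter to be set. This parameter is ignored with GnuTLS; see TLS_CRLFILE." so the two entries cross-reference each other. The same applies to the matching olcTLSCRLCheck and TLSCRLCheck hunks in slapd-config and slapd.conf, which should point at olcTLSCRLFile and TLSCRLFile respectively.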
.B all
Check the CRL for a whole certificate chain
.RE
+.TP
+.B TLS_CRLFILE <filename>
+Specifies the file containing a Certificate Revocation List to be used
+to verify if the server certificates have not been revoked. This
+parameter is only supported with GNUtls.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
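Review bot: the new TLS_CRLFILE entry says the parameter is "only supported with GNUtls" but does not say what an OpenSSL build does when it is set (silently ignore it, or reject the configuration); the other entries touched by this patch state the unsupported-library behaviour explicitly ("ignored"), so this one should too. The wording also drifts between the three man pages: this entry says "only supported with", while the olcTLSCRLFile and TLSCRLFile entries say "only valid when using"; pick one phrase for all three.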
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
-To check what ciphers a given spec selects, use:
+To check what ciphers a given spec selects in OpenSSL, use:
-openssl ciphers -v <cipher-suite-spec>
+.nf
+ openssl ciphers -v <cipher-suite-spec>
+.fi
+
+To obtain the list of ciphers in GNUtls use:
+
+.nf
+ gnutls-cli -l
+.fi
.TP
.B olcTLSCACertificateFile: <filename>
Specifies the file that contains certificates for all of the Certificate
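Review bot: the added "gnutls-cli -l" snippet is presented as the counterpart of "openssl ciphers -v <cipher-suite-spec>", but it takes no spec and only lists every ciphersuite the library supports, so a reader cannot use it to see which ciphers a given olcTLSCipherSuite value selects; the sentence should say that, and the entry should also say whether a GnuTLS build interprets this directive with the same syntax as the "HIGH:MEDIUM:+SSLv2" example above or with GnuTLS priority-string syntax. Style: the empty "+" lines around the .nf/.fi blocks are blank lines in roff input; use ".sp" or ".P" instead. The same points apply to the TLSCipherSuite hunk in slapd.conf, which additionally adds a stray blank line before its .TP.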
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
-locations will be used.
+locations will be used. This directive is not supported
+when using GNUtls.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
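Review bot: with the added "This directive is not supported when using GNUtls.", the sentence immediately before it ("If both are specified, both locations will be used.") is no longer true for GnuTLS builds; qualify it (for example "With OpenSSL, if both are specified, both locations will be used.") and say whether slapd rejects the directive or ignores it, since "not supported" is ambiguous where the other entries in this patch say "ignored". The TLSCACertificatePath hunk in slapd.conf has the same problem with its "Usually only one of this or the TLSCACertificateFile is used." sentence.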
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
-be done.
+be done. When using GNUtls these parameters are always generated randomly
+so this directive is ignored.
.TP
.B olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
+This directive is ignored with GNUtls.
.TP
.B olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
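Review bot: in "When using GNUtls these parameters are always generated randomly so this directive is ignored.", "these parameters" has no clear antecedent after the sentence about cipher suites and "!ADH"; say "the DH parameters" explicitly, and state whether the "!ADH" advice in the preceding sentence still applies to GnuTLS builds, since a reader may otherwise assume the whole entry is irrelevant there. The TLSDHParamFile hunk in slapd.conf adds the same sentence and needs the same change.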
used to verify if the client certificates have not been revoked. This
requires
.B olcTLSCACertificatePath
-parameter to be set.
+parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
.B all
Check the CRL for a whole certificate chain
.RE
+.TP
+.B olcTLSCRLFile: <filename>
+Specifies a file containing a Certificate Revocation List to be used
+for verifying that certificates have not been revoked. This parameter
+is only valid when using GNUtls.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
To check what ciphers a given spec selects, use:
-openssl ciphers -v <cipher-suite-spec>
+.nf
+ openssl ciphers -v <cipher-suite-spec>
+.fi
+
+To obtain the list of ciphers in GNUtls use:
+
+.nf
+ gnutls-cli -l
+.fi
+
.TP
.B TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of the Certificate
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used.
+or the TLSCACertificateFile is used. This directive is not supported
+when using GNUtls.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
-be done.
+be done. When using GNUtls these parameters are always generated randomly so
+this directive is ignored.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
+This directive is ignored with GNUtls.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
-parameter to be set.
+parameter to be set. This directive is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
.B all
Check the CRL for a whole certificate chain
.RE
+.TP
+.B TLSCRLFile <filename>
+Specifies a file containing a Certificate Revocation List to be used
+for verifying that certificates have not been revoked. This directive is
+only valid when using GNUtls.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend. They are supported by every