From: Howard Chu Date: Sun, 13 May 2007 01:59:46 +0000 (+0000) Subject: Added GNUtls notes X-Git-Tag: OPENLDAP_REL_ENG_2_4_MP~486 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9688a3ae7ee538df66bdb3e5315557f22d2b3cfb;p=openldap Added GNUtls notes --- diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index b581869638..df5604be81 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -278,6 +278,7 @@ certificates in separate individual files. The .B TLS_CACERT is always used before .B TLS_CACERTDIR. +This parameter is ignored with GNUtls. .TP .B TLS_CERT Specifies the file that contains the client certificate. @@ -300,6 +301,7 @@ e.g., HIGH:MEDIUM:+SSLv2. Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. +This parameter is ignored with GNUtls. .TP .B TLS_REQCERT Specifies what checks to perform on server certificates in a TLS session, @@ -332,7 +334,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the server certificates have not been revoked. This requires .B TLS_CACERTDIR -parameter to be set. +parameter to be set. This parameter is ignored with GNUtls. .B can be specified as one of the following keywords: .RS @@ -346,6 +348,11 @@ Check the CRL of the peer certificate .B all Check the CRL for a whole certificate chain .RE +.TP +.B TLS_CRLFILE +Specifies the file containing a Certificate Revocation List to be used +to verify if the server certificates have not been revoked. This +parameter is only supported with GNUtls. .SH "ENVIRONMENT VARIABLES" .TP LDAPNOINIT diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index c1551adb35..f66897b059 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 
@@ -781,9 +781,17 @@ Permits configuring what ciphers will be accepted and the preference order. olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2 -To check what ciphers a given spec selects, use: +To check what ciphers a given spec selects in OpenSSL, use: -openssl ciphers -v +.nf + openssl ciphers -v +.fi + +To obtain the list of ciphers in GNUtls use: + +.nf + gnutls-cli -l +.fi .TP .B olcTLSCACertificateFile: Specifies the file that contains certificates for all of the Certificate @@ -795,7 +803,8 @@ will recognize. Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the olcTLSCACertificateFile is defined. If both are specified, both -locations will be used. +locations will be used. This directive is not supported +when using GNUtls. .TP .B olcTLSCertificateFile: Specifies the file that contains the @@ -821,12 +830,14 @@ them will be processed. Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. You should append "!ADH" to your cipher suites if you have changed them from the default, otherwise no certificate exchanges or verification will -be done. +be done. When using GNUtls these parameters are always generated randomly +so this directive is ignored. .TP .B olcTLSRandFile: Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. +This directive is ignored with GNUtls. .TP .B olcTLSVerifyClient: Specifies what checks to perform on client certificates in an 
@@ -868,7 +879,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the client certificates have not been revoked. This requires .B olcTLSCACertificatePath -parameter to be set. +parameter to be set. This parameter is ignored with GNUtls. .B can be specified as one of the following keywords: .RS @@ -882,6 +893,11 @@ Check the CRL of the peer certificate .B all Check the CRL for a whole certificate chain .RE +.TP +.B olcTLSCRLFile: +Specifies a file containing a Certificate Revocation List to be used +for verifying that certificates have not been revoked. This parameter +is only valid when using GNUtls. .SH DYNAMIC MODULE OPTIONS If .B slapd diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 04d68780ef..43848deaf4 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -919,7 +919,16 @@ TLSCipherSuite HIGH:MEDIUM:+SSLv2 To check what ciphers a given spec selects, use: -openssl ciphers -v +.nf + openssl ciphers -v +.fi + +To obtain the list of ciphers in GNUtls use: + +.nf + gnutls-cli -l +.fi + .TP .B TLSCACertificateFile Specifies the file that contains certificates for all of the Certificate @@ -930,7 +939,8 @@ will recognize. .B TLSCACertificatePath Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this -or the TLSCACertificateFile is used. +or the TLSCACertificateFile is used. This directive is not supported +when using GNUtls. .TP .B TLSCertificateFile Specifies the file that contains the 
@@ -953,12 +963,14 @@ them will be processed. Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. You should append "!ADH" to your cipher suites if you have changed them from the default, otherwise no certificate exchanges or verification will -be done. +be done. When using GNUtls these parameters are always generated randomly so +this directive is ignored. .TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. +This directive is ignored with GNUtls. .TP .B TLSVerifyClient Specifies what checks to perform on client certificates in an @@ -1000,7 +1012,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the client certificates have not been revoked. This requires .B TLSCACertificatePath -parameter to be set. +parameter to be set. This directive is ignored with GNUtls. .B can be specified as one of the following keywords: .RS @@ -1014,6 +1026,11 @@ Check the CRL of the peer certificate .B all Check the CRL for a whole certificate chain .RE +.TP +.B TLSCRLFile +Specifies a file containing a Certificate Revocation List to be used +for verifying that certificates have not been revoked. This directive is +only valid when using GNUtls. .SH GENERAL BACKEND OPTIONS Options in this section only apply to the configuration file section for the specified backend. They are supported by every
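Review bot: the added line "This parameter is ignored with GNUtls." under TLS_CACERTDIR in the ldap.conf.5 hunk at @@ -278,6 +278,7 @@ should say what to use instead, because a client built against GnuTLS whose only trust setting is TLS_CACERTDIR ends up with no CA certificates to verify servers against. Suggest "This parameter is ignored with GNUtls; use TLS_CACERT instead." The same fact is worded as "not supported" for the CertificatePath directives in the two slapd pages; pick one wording and state whether the setting is rejected or silently accepted, since those are very different things for an administrator checking a configuration.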
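Review bot: "This parameter is ignored with GNUtls." appended to the TLS_CRLCHECK paragraph in the ldap.conf.5 hunk at @@ -332,7 +334,7 @@ drops revocation checking for GnuTLS builds without pointing to the replacement, even though the same patch adds TLS_CRLFILE a few lines later; cross-reference it ("... ignored with GNUtls; use TLS_CRLFILE instead."). Separately, the context line ".B" directly before "can be specified as one of the following keywords:" has an empty argument and presumably should read ".B TLS_CRLCHECK"; worth fixing while this paragraph is being touched, and the same empty ".B" appears in the matching slapd-config.5 and slapd.conf.5 hunks.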
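Review bot: the new TLS_CRLFILE entry in the ldap.conf.5 hunk at @@ -346,6 +348,11 @@ does not say what format the file must be in, whether it may hold more than one CRL, or whether the check covers only the peer certificate or the whole chain, which is exactly the distinction the TLS_CRLCHECK keywords just above it ("peer" / "all") draw. One sentence on each would make the directive usable without reading the source, and the same applies to the olcTLSCRLFile and TLSCRLFile entries added in the other two files.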
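Review bot: in the slapd-config.5 hunk at @@ -781,9 +781,17 @@, the OpenSSL example "openssl ciphers -v" omits the spec it is meant to check (the command takes the cipher string as its argument, e.g. `openssl ciphers -v 'HIGH:MEDIUM:+SSLv2'`), and the new GnuTLS paragraph only shows how to list the ciphers GnuTLS supports, not how to see what a given spec selects, so the two paragraphs are not parallel despite the "in OpenSSL" / "in GNUtls" framing. The page should also note that GnuTLS priority strings use their own syntax, so the HIGH:MEDIUM:+SSLv2 example shown above the hunk is OpenSSL-only.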
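Review bot: the slapd.conf.5 hunk at @@ -919,7 +919,16 @@ leaves the lead sentence "To check what ciphers a given spec selects, use:" unchanged, whereas the equivalent slapd-config.5 hunk rewrote it to "... selects in OpenSSL, use:". Apply the same change here so the two man pages stay in step; as it stands the unqualified sentence reads as if `openssl ciphers -v` also answers the question for a GnuTLS build.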
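Review bot: in the slapd-config.5 hunk at @@ -821,12 +830,14 @@, "these parameters are always generated randomly so this directive is ignored" should name what is generated (the Diffie-Hellman parameters this directive supplies), and the wording should match the slapd.conf.5 hunk at @@ -953,12 +963,14 @@, which says the same thing with a different line break. The "!ADH" advice immediately before it is OpenSSL cipher-string syntax; a short note that it does not carry over to GnuTLS priority strings would stop a GnuTLS user from pasting it into the cipher suite and expecting anonymous DH to be excluded.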
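Review bot: the olcTLSCRLCheck change in the slapd-config.5 hunk at @@ -868,7 +879,7 @@ says "This parameter is ignored with GNUtls." while the matching slapd.conf.5 hunk at @@ -1000,7 +1012,7 @@ says "This directive is ignored with GNUtls."; use one term consistently across the three files. More importantly, both sentences should point at the GnuTLS alternative added in the same patch (olcTLSCRLFile / TLSCRLFile), since otherwise an administrator reading only this paragraph concludes that client-certificate revocation checking is simply unavailable with GnuTLS.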