Name

ssl — format of ssl component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the ssl component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description lists the value for every name (in parentheses next to the name). For other enumerations, names must be used.

The following enumerations are used in ssl configuration directives:

ssl-ver (name-usage obligatory)

SSL/TLS protocol versions.

SSLv2

SSL version 2

SSLv3

SSL version 3

TLSv1

TLS version 1

ITEMS AND SECTIONS

Configuration of the ssl library component consists of the following prototypes:


  ssl-session-cache { ... }
* ssl-params name { ... }
* ssl-cert-match ... ;
    

Description:

ssl-session-cache {


  capacity ... ;
  dir ... ;
  lock ... ;
}

        

Cache of active SSL/TLS sessions usable for session resumption.

Constraints:

Item DIR (session cache directory) must be set.

Items & subsections:

capacity [server [client]];

Maximum number of sessions kept in the cache, counted separately for each role the proxy plays.

server (type: uint16, optional, default: 0)

sessions in which the proxy acts as the SSL/TLS server (towards the client)

client (type: uint16, optional, default: 0)

sessions in which the proxy acts as the SSL/TLS client (towards the server)

dir val;

Directory used to store files with session information.

val (type: str)

lock [path];

Lock for exclusive access to the cache.

path (type: str, optional, default: <NULL>)

If set to a directory, a file named PREFIX.PID.XXXXXX is created in that directory, where PREFIX is a string defined by the proxy, PID is the proxy parent process ID and XXXXXX is a random suffix. If not set, the directory /tmp is used. Automatic generation of the lock file name is strongly recommended, because each lock must have a unique name.

[End of section ssl-session-cache description.]

ssl-params name {


  versions ... ;
  ciphers ... ;
  id ... ;
  auth-cert ... ;
  dont-check-crl ... ;
* crl ... ;
  verify-peer ... ;
  cache-timeout ... ;
  enable-renegotiation ... ;
}

        

SSL parameters.

Items & subsections:

versions ver;

SSL/TLS protocol versions that may be negotiated. SSLv2 and SSLv3 are obsolete and should not be enabled: SSLv2 is prohibited by RFC 6176 and SSLv3 by RFC 7568.

ver (type: ssl-ver-set)

ciphers val;

List of permitted ciphers in OpenSSL cipher-list syntax, see ciphers(1).

val (type: str)

id private-key certificate;

Private key and certificate.

private-key (type: name of shared-file, see common(5))

certificate (type: name of shared-file, see common(5))

auth-cert [file file] [dir dir];

Certificates of trusted certification authorities.

file file (type: name of shared-file, see common(5), optional, default: NULL)

file with certificates

dir dir (type: name of shared-dir, see common(5), optional, default: NULL)

directory with hashed certificate files

dont-check-crl;

Do not check CRL validity when verifying certificates.

crl [missing] file;

Certificate revocation list (loaded once during proxy startup; a CRL updated later on disk is not picked up until the proxy is restarted).

missing (type: key, optional)

CRL may be missing

file (type: name of shared-file, see common(5))

verify-peer [allow-no-cert];

The SSL/TLS handshake fails if the peer does not send a certificate or sends one that cannot be verified. A client sends a certificate only when the server requests one, which VERIFY-PEER does.

allow-no-cert (type: key, optional)

Allow clients that do not present a certificate.

cache-timeout [sec];

Maximum time since session creation for which the session can be resumed. After this time no new connections may be established in the same session, although existing connections continue. Setting this to zero (the default) disables session resumption.

sec (type: uint32, optional, default: 0)

enable-renegotiation;

Permits session renegotiation. Do not enable this unless you understand all related negative security consequences!

[End of section ssl-params description.]

ssl-cert-match [subject subject] [issuer issuer] [serial serial];

Matching of values from the SSL certificate. If this item is not used, the peer need not present a certificate, and a presented client certificate need not verify correctly. If it is used, the peer must send a valid certificate and its content must match.

subject subject (type: str-set, optional, default: *)

acceptable certificate subjects

issuer issuer (type: str-set, optional, default: *)

acceptable certificate issuers

serial serial (type: uint32-set, optional, default: *)

acceptable serial numbers
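The following is an added example for the ssl-params and ssl-cert-match directives above; it is not Kernun code and not part of this man page. It parses only the syntax this page shows (items terminated by ';', sections in braces, double-quoted strings), flags the settings this page warns about (obsolete versions, enable-renegotiation, dont-check-crl, verify-peer without trust anchors or with allow-no-cert), and applies the ssl-cert-match semantics to a peer certificate. The sample configuration is constructed for the example; writing set values as space-separated words, '#' line comments and the shared-file names (srv-key, ca-bundle, ca-crl) are assumptions, not something this page documents.

```python
"""Parser and policy check for the ssl(5) directives on this page.
Added example, not Kernun code. Only the syntax shown on the page is handled;
space/comma-separated set values and '#' comments are assumptions."""
import re

_TOKEN = re.compile(r'#[^\n]*|"((?:[^"\\]|\\.)*)"|[{};,]|[^\s{};,"#]+')

def tokenize(text):
    """Split configuration text into tokens, dropping comments and quotes."""
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.group(0).startswith('#'):
            continue                                  # assumed comment syntax
        tokens.append(m.group(0) if m.group(1) is None else m.group(1))
    return tokens

def parse(tokens):
    """Return a list of (name, args, body) nodes; body is None for items."""
    def block(i):
        nodes = []
        while i < len(tokens) and tokens[i] != '}':
            name, args, i = tokens[i], [], i + 1
            while tokens[i] not in (';', '{'):       # IndexError: truncated config
                if tokens[i] != ',':
                    args.append(tokens[i])
                i += 1
            if tokens[i] == ';':
                nodes.append((name, args, None))
                i += 1
            else:
                body, i = block(i + 1)
                nodes.append((name, args, body))
        return nodes, i + 1                           # skip the closing '}'
    nodes, end = block(0)
    if end != len(tokens) + 1:
        raise ValueError('unbalanced braces')
    return nodes

WEAK_VERSIONS = {'SSLv2', 'SSLv3'}    # prohibited by RFC 6176 and RFC 7568

def check_ssl_params(section):
    """Return policy findings for one ssl-params section; [] means clean."""
    name, args, body = section
    label = args[0] if args else '<unnamed>'
    items = {n: a for n, a, b in body}               # item name -> argument list
    findings = []
    weak = set(items.get('versions', [])) & WEAK_VERSIONS
    if weak:
        findings.append(f'{label}: versions enables obsolete {sorted(weak)}')
    if 'enable-renegotiation' in items:
        findings.append(f'{label}: enable-renegotiation is set')
    if 'dont-check-crl' in items:
        findings.append(f'{label}: dont-check-crl skips revocation checking')
    if 'verify-peer' in items and 'auth-cert' not in items:
        findings.append(f'{label}: verify-peer without auth-cert has no trusted CAs')
    if 'allow-no-cert' in items.get('verify-peer', []):
        findings.append(f'{label}: verify-peer allow-no-cert lets clients skip authentication')
    return findings

def cert_match(rule, cert):
    """Apply ssl-cert-match: rule is the parsed node, or None when not configured;
    cert is None if the peer sent no certificate, else a dict with subject,
    issuer, serial and verified (True when the chain verified)."""
    if rule is None:
        return True                     # item absent: a certificate is not required here
    if cert is None or not cert['verified']:
        return False                    # item present: a valid certificate is mandatory
    wanted = {'subject': None, 'issuer': None, 'serial': None}   # None stands for '*'
    key = None
    for tok in rule[1]:
        if tok in wanted:
            key, wanted[tok] = tok, set()
        else:
            wanted[key].add(int(tok) if key == 'serial' else tok)
    return all(v is None or cert[k] in v for k, v in wanted.items())

SAMPLE = '''
# constructed sample, not a real deployment; set syntax is assumed
ssl-session-cache { dir "/var/run/ssl-cache"; lock; }
ssl-params legacy {
  versions SSLv2 SSLv3 TLSv1;
  ciphers "DEFAULT";
  id srv-key srv-cert;
  dont-check-crl;
  enable-renegotiation;
}
ssl-params hardened {
  versions TLSv1;
  ciphers "HIGH:!aNULL:!MD5";
  id srv-key srv-cert;
  auth-cert file ca-bundle;
  crl ca-crl;
  verify-peer;
  cache-timeout 300;
}
ssl-cert-match subject "CN=admin" "CN=backup" issuer "CN=Corp CA";
'''

if __name__ == '__main__':
    for node in parse(tokenize(SAMPLE)):
        if node[0] == 'ssl-params':
            print(node[1][0], check_ssl_params(node) or 'clean')
```

Run stand-alone, the script reports three findings for the "legacy" section and none for "hardened". The cert_match function mirrors the rule in the ssl-cert-match description: with no item configured any peer passes this check, while a configured item rejects a missing or unverified certificate before the subject, issuer and serial sets are consulted, and an omitted keyword behaves as the '*' default.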

SEE ALSO

configuration(7), ciphers(1), common(5)