Diffstat (limited to 'tcpd/README.couriertls')
| -rw-r--r-- | tcpd/README.couriertls | 68 | 
1 files changed, 68 insertions, 0 deletions
diff --git a/tcpd/README.couriertls b/tcpd/README.couriertls
new file mode 100644
index 0000000..21187f9
--- /dev/null
+++ b/tcpd/README.couriertls
@@ -0,0 +1,68 @@
+# couriertls uses the following variables to initialize SSL/TLS:
+#
+# WARNING: Peer certificate verification has NOT yet been tested.  Proceed
+# at your own risk.  Only the basic SSL/TLS functionality is known to be
+# working. Keep this in mind as you play with the following variables.
+#
+# TLS_PROTOCOL sets the protocol version.  The possible versions are:
+#
+# SSL2 - SSLv2
+# SSL3 - SSLv3
+# TLS1 - TLS1
+
+TLS_PROTOCOL=TLS1
+
+# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
+# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
+# undefined
+#
+# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+
+# TLS_TIMEOUT is currently not implemented, and reserved for future use.
+# This is supposed to be an inactivity timeout, but its not yet implemented.
+
+# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
+# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
+# you must generate a DH pair that will be used.  In most situations the
+# DH pair is to be treated as confidential, and the file specified by
+# TLS_DHCERTFILE must not be world-readable.
+#
+# TLS_DHCERTFILE=
+
+# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
+# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
+# treated as confidential, and must not be world-readable.
+#
+# TLS_CERTFILE=
+
+
+# TLS_PEERCERTDIR, TLS_OURCACERT - when it is required that all peer
+# certificates are signed by a specific certificate authority, set
+# TLS_OURCACERT to the name of the file containing the certificate authority
+# root key, and set TLS_PEERCERTDIR to the name of the directory containing
+# the allowed certificates.
+#
+# TLS_PEERCERTDIR=
+# TLS_OURCACERT=
+
+#
+# TLS_VERIFYPEER - how to verify peer certificates.  The possible values of
+# this setting are:
+#
+# NONE - do not verify anything
+#
+# PEER - verify the peer certificate, if one's presented
+#
+# REQUIREPEER - require a peer certificate, fail if one's not presented
+#
+# SSL/TLS servers will usually set TLS_VERIFYPEER to NONE.  SSL/TLS clients
+# will usually set TLS_VERIFYPEER to REQUIREPEER.
+#
+# TLS_VERIFYPEER=PEER
+
+# TLS_ALLOWSELFSIGNEDCERT - this is an alternative to clients using
+# TLS_VERIFYPEER=NONE.  TLS_ALLOWSELFSIGNEDCERT ignores server certificates
+# that are not signed by a recognized certificate authority.  This allows
+# clients to simply verify that a server certificate is available.
+#
+# TLS_ALLOWSELFSIGNEDCERT=1
