configuring_the_vscp_daemon

Differences

This shows you the differences between two versions of the page.

configuring_the_vscp_daemon [2018/05/08 10:52]
admin
configuring_the_vscp_daemon [2018/05/08 13:10] (current)
admin [encryption]
Line 407: Line 407:
  
 Default is no encryption. Default is no encryption.
 +
 +
 +====  ssl_certificate ==== 
 +
 +Valid from version 13.1
 +
 +Path to SSL certificate file. This option is only required when at least one of the listening\_ports is SSL The file must be in PEM format, and it must have both private key and certificate,​ see for example [[https://​github.com/​civetweb/​civetweb/​blob/​master/​resources/​ssl_cert.pem|ssl_cert.pem]]. If this option is set, then the webserver serves SSL connections on the port set up to listen on. 
 +
 +**Default:​** /​srv/​vscp/​certs/​server.pem
 +
 +
 +
 +
 +==== ssl_certificate_chain ====
 +
 +Valid from version 13.1
 +
 +T.B.D.
 +
 +
 +
 +
 +==== ssl_verify_peer ====
 +
 +Valid from version 13.1
 +
 +Enable client'​s certificate verification by the server.
 +
 +**Default:​** false
 +
 +==== ssl_ca_path ====
 +
 +Valid from version 13.1
 +
 +Name of a directory containing trusted CA certificates for peers. Each file in the directory must contain only a single CA certificate. The files must be named by the subject name’s hash and an extension of “.0”. If there is more than one certificate with the same subject name they should have extensions "​.0",​ "​.1",​ "​.2"​ and so on respectively.
 +
 +
 +
 +
 +==== ssl_ca_file ====
 +
 +Valid from version 13.1
 +
 +Path to a .pem file containing trusted certificates for peers. The file may contain more than one certificate.
 +
 +==== ssl_verify_depth ====
 +
 +Valid from version 13.1
 +
 +Sets maximum depth of certificate chain. If client'​s certificate chain is longer than the depth set here connection is refused.
 +
 +**Default:​** 9
 +
 +
 +
 +
 +==== ssl_default_verify_paths ====
 +
 +Valid from version 13.1
 +
 +Loads default trusted certificates locations set at openssl compile time. 
 +
 +**Default:​** true
 +
 +
 +
 +
 +==== ssl_cipher_list ====
 +
 +Valid from version 13.1
 +
 +List of ciphers to present to the client. Entries should be separated by colons, commas or spaces.
 +
 +^ Selection ^ Description ^
 +| ALL         | All available ciphers |
 +| ALL:​!eNULL ​ | All ciphers excluding NULL ciphers |
 +| AES128:!MD5 | AES 128 with digests other than MD5 |
 +
 +See [[https://​www.openssl.org/​docs/​manmaster/​apps/​ciphers.html|this entry in OpenSSL documentation]] for full list of options and additional examples.
 +
 +
 +
 +
 +==== ssl_protocol_version ====
 +
 +Valid from version 13.1
 +
 +Sets the minimal accepted version of SSL/TLS protocol according to the table:
 +
 +^ Selected protocols ^ setting ^
 +| SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 |  0  |
 +| SSL3+TLS1.0+TLS1.1+TLS1.2 |  1  |
 +| TLS1.0+TLS1.1+TLS1.2 |  2  |
 +| TLS1.1+TLS1.2 |  3  |
 +| TLS1.2 |  4  |
 +
 +Default = 4.
 +
 +==== ssl_short_trust ====
 +Enables the use of short lived certificates. This will allow for the certificates and keys specified in ssl_certificate,​ ssl_ca_file and ssl_ca_path to be exchanged and reloaded while the server is running.
 +
 +In an automated environment it is advised to first write the new pem file to a different filename and then to rename it to the configured pem file name to increase performance while swapping the certificate.
 +
 +Disk IO performance can be improved when keeping the certificates and keys stored on a tmpfs (linux) on a system with very high throughput.
 +
 +**Default:​** false
 +
 +
  
  
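Review bot: the ssl_protocol_version table in this hunk lists settings 0 and 1 as accepting SSL2 and SSL3 without any warning; SSL2 was removed from OpenSSL 1.1.0 and SSL3 is disabled by default, so the text should say that anything below the default of 4 re-enables deprecated protocols and should only be lowered for a specific legacy client, and "Default = 4." should use the same "**Default:** 4" form as the other options. The ssl_certificate_chain section is still "T.B.D."; either describe the option (which file, which format, when it is needed) or hold the heading back until the text exists. ssl_verify_peer, ssl_ca_path, ssl_ca_file and ssl_verify_depth are documented independently, but nothing says whether the CA options and the depth limit have any effect while ssl_verify_peer is false (its default); one sentence under ssl_verify_peer stating when the CA settings are consulted would let an operator set up mutual TLS without guessing. In the same spirit, ssl_default_verify_paths defaults to true and is described as loading the compile-time trusted locations; if those feed the trust store used for client verification, a client certificate chaining to any system-trusted CA would be accepted once ssl_verify_peer is on, so state that explicitly and recommend false plus an explicit ssl_ca_file for mutual TLS. Under ssl_ca_path, say that `c_rehash` or `openssl rehash` produces the required hash-named ".0", ".1" layout rather than leaving the reader to compute subject hashes by hand. Under ssl_certificate, the PEM file also holds the private key, so mention that it must be readable only by the daemon's user; the sentence "...listening\_ports is SSL The file must..." has lost its full stop and carries a stray backslash. Finally, ssl_short_trust is missing the "Valid from version 13.1" line every other new option in this hunk carries.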
configuring_the_vscp_daemon.txt · Last modified: 2018/05/08 13:10 by admin