annotate xml/en/docs/http/ngx_http_ssl_module.xml @ 2769:16f6fa718be2

Updated TLSv1.3 support notes. Previous notes described some early development snapshot of OpenSSL 1.1.1 with disabled TLSv1.3 by default. It was then enabled in the first alpha. Further, the updated text covers later major releases such as OpenSSL 3.0.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 30 Sep 2021 16:29:20 +0300
parents fb41de2d765a
children d16409187314
rev   line source
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
1 <?xml version="1.0"?>
2
580
be54c443235a Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents: 538
3 <!--
4 Copyright (C) Igor Sysoev
5 Copyright (C) Nginx, Inc.
6 -->
7
384
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
9
10 <module name="Module ngx_http_ssl_module"
11 link="/en/docs/http/ngx_http_ssl_module.html"
589
764fbac1b8b4 Added document revision.
Ruslan Ermilov <ru@nginx.com>
parents: 580
12 lang="en"
2769
16f6fa718be2 Updated TLSv1.3 support notes.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2718
13 rev="54">
384
14
15 <section id="summary">
16
17 <para>
18 The <literal>ngx_http_ssl_module</literal> module provides the
19 necessary support for HTTPS.
20 </para>
21
22 <para>
23 This module is not built by default, it should be enabled with the
24 <literal>--with-http_ssl_module</literal>
25 configuration parameter.
26 <note>
27 This module requires the
28 <link url="http://www.openssl.org">OpenSSL</link> library.
29 </note>
30 </para>
31
32 </section>
33
34
35 <section id="example" name="Example Configuration">
36
37 <para>
38 To reduce the processor load it is recommended to
39 <list type="bullet">
40
41 <listitem>
2068
3d9e7993c201 Added links to directives in the example of ssl modules.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2040
42 set the number of
43 <link doc="../ngx_core_module.xml" id="worker_processes">worker processes</link>
44 equal to the number of processors,
384
45 </listitem>
46
47 <listitem>
2068
48 enable
49 <link doc="ngx_http_core_module.xml" id="keepalive_timeout">keep-alive</link>
50 connections,
384
51 </listitem>
52
53 <listitem>
2068
54 enable the <link id="ssl_session_cache_shared">shared</link> session cache,
384
55 </listitem>
56
57 <listitem>
2068
58 disable the <link id="ssl_session_cache_builtin">built-in</link> session cache,
59 </listitem>
60
61 <listitem>
62 and possibly increase the session <link id="ssl_session_timeout">lifetime</link>
63 (by default, 5 minutes):
384
64 </listitem>
65
66 </list>
67
68 <example>
817
4fecf0715bbf Introducing "worker_processes auto" in SSL configuration examples.
Andrei Belov <defan@nginx.com>
parents: 801
69 <emphasis>worker_processes auto;</emphasis>
384
70
71 http {
72
73 ...
74
75 server {
801
b95a6d779c89 Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents: 763
76 listen 443 ssl;
384
77 <emphasis>keepalive_timeout 70;</emphasis>
78
1411
8fe28c6edaa1 Removed SSLv3 from ssl_protocols parameters list as insecure example.
Sergey Budnevitch <sb@waeme.net>
parents: 1239
79 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
384
80 ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
81 ssl_certificate /usr/local/nginx/conf/cert.pem;
82 ssl_certificate_key /usr/local/nginx/conf/cert.key;
83 <emphasis>ssl_session_cache shared:SSL:10m;</emphasis>
84 <emphasis>ssl_session_timeout 10m;</emphasis>
85
86 ...
87 }
88 </example>
89 </para>
90
91 </section>
92
93
94 <section id="directives" name="Directives">
95
96 <directive name="ssl">
97 <syntax><literal>on</literal> | <literal>off</literal></syntax>
98 <default>off</default>
99 <context>http</context>
100 <context>server</context>
101
102 <para>
2168
3535437f97d2 Deprecated the "ssl" directive for http and mail.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2162
103 This directive was made obsolete in version 1.15.0.
104 The <literal>ssl</literal> parameter
105 of the <link doc="ngx_http_core_module.xml" id="listen"/> directive
106 should be used instead.
384
107 </para>
108
109 </directive>
110
111
1039
f7ca80263893 Documented the "ssl_buffer_size" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1019
112 <directive name="ssl_buffer_size">
113 <syntax><value>size</value></syntax>
114 <default>16k</default>
115 <context>http</context>
116 <context>server</context>
117 <appeared-in>1.5.9</appeared-in>
118
119 <para>
120 Sets the size of the buffer used for sending data.
121 </para>
122
123 <para>
124 By default, the buffer size is 16k, which corresponds to minimal
125 overhead when sending big responses.
126 To minimize Time To First Byte it may be beneficial to use smaller values,
127 for example:
128 <example>
129 ssl_buffer_size 4k;
130 </example>
131 </para>
132
133 </directive>
134
135
384
136 <directive name="ssl_certificate">
137 <syntax><value>file</value></syntax>
138 <default/>
139 <context>http</context>
140 <context>server</context>
141
142 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
143 Specifies a <value>file</value> with the certificate in the PEM format
384
144 for the given virtual server.
1457
78ccd1af1400 Minimized diffs between http, mail, and stream.
Ruslan Ermilov <ru@nginx.com>
parents: 1456
145 If intermediate certificates should be specified in addition to a primary
146 certificate, they should be specified in the same file in the following
147 order: the primary certificate comes first, then the intermediate certificates.
384
148 A secret key in the PEM format may be placed in the same file.
149 </para>
150
151 <para>
1726
a0bc284941f6 Documented multiple certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1725
152 Since version 1.11.0,
153 this directive can be specified multiple times
154 to load certificates of different types, for example, RSA and ECDSA:
155 <example>
156 server {
157 listen 443 ssl;
158 server_name example.com;
159
160 ssl_certificate example.com.rsa.crt;
161 ssl_certificate_key example.com.rsa.key;
162
163 ssl_certificate example.com.ecdsa.crt;
164 ssl_certificate_key example.com.ecdsa.key;
165
166 ...
167 }
168 </example>
169 <note>
170 Only OpenSSL 1.0.2 or higher supports separate
171 <link doc="configuring_https_servers.xml" id="chains">certificate chains</link>
172 for different certificates.
173 With older versions, only one certificate chain can be used.
174 </note>
175 </para>
176
177 <para>
2334
dbe55598d3f6 Added variables support in ssl_certificate and ssl_certificate_key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2296
178 Since version 1.15.9, variables can be used in the <value>file</value> name
179 when using OpenSSL 1.0.2 or higher:
180 <example>
181 ssl_certificate $ssl_server_name.crt;
182 ssl_certificate_key $ssl_server_name.key;
183 </example>
184 Note that using variables implies that
185 a certificate will be loaded for each SSL handshake,
186 and this may have a negative impact on performance.
187 </para>
188
2350
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
189 <para id="ssl_certificate_data">
190 The value
191 <literal>data</literal>:<value>$variable</value>
192 can be specified instead of the <value>file</value> (1.15.10),
193 which loads a certificate from a variable
194 without using intermediate files.
195 Note that inappropriate use of this syntax may have its security implications,
196 such as writing secret key data to
197 <link doc="../ngx_core_module.xml" id="error_log">error log</link>.
198 </para>
199
2334
200 <para>
384
201 It should be kept in mind that due to the HTTPS protocol limitations
2040
093855e77388 Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2027
202 for maximum interoperability virtual servers should listen on
203 <link doc="configuring_https_servers.xml" id="name_based_https_servers">different
204 IP addresses</link>.
384
205 </para>
206
207 </directive>
208
209
210 <directive name="ssl_certificate_key">
211 <syntax><value>file</value></syntax>
212 <default/>
213 <context>http</context>
214 <context>server</context>
215
216 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
217 Specifies a <value>file</value> with the secret key in the PEM format
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
218 for the given virtual server.
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
219 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
220
1456
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
221 <para>
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
222 The value
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
223 <literal>engine</literal>:<value>name</value>:<value>id</value>
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
224 can be specified instead of the <value>file</value> (1.7.9),
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
225 which loads a secret key with a specified <value>id</value>
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
226 from the OpenSSL engine <value>name</value>.
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
227 </para>
acba294382d6 Documented engine support in ssl_certificate_key and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1428
diff changeset
228
2350
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
229 <para id="ssl_certificate_key_data">
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
230 The value
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
231 <literal>data</literal>:<value>$variable</value>
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
232 can be specified instead of the <value>file</value> (1.15.10),
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
233 which loads a secret key from a variable without using intermediate files.
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
234 Note that inappropriate use of this syntax may have its security implications,
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
235 such as writing secret key data to
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
236 <link doc="../ngx_core_module.xml" id="error_log">error log</link>.
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
237 </para>
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2334
diff changeset
238
2334
dbe55598d3f6 Added variables support in ssl_certificate and ssl_certificate_key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2296
diff changeset
239 <para>
dbe55598d3f6 Added variables support in ssl_certificate and ssl_certificate_key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2296
diff changeset
240 Since version 1.15.9, variables can be used in the <value>file</value> name
dbe55598d3f6 Added variables support in ssl_certificate and ssl_certificate_key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2296
diff changeset
241 when using OpenSSL 1.0.2 or higher.
dbe55598d3f6 Added variables support in ssl_certificate and ssl_certificate_key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2296
diff changeset
242 </para>
dbe55598d3f6 Added variables support in ssl_certificate and ssl_certificate_key.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2296
diff changeset
243
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
244 </directive>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
245
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
246
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
247 <directive name="ssl_ciphers">
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
248 <syntax><value>ciphers</value></syntax>
538
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
249 <default>HIGH:!aNULL:!MD5</default>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
250 <context>http</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
251 <context>server</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
252
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
253 <para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
254 Specifies the enabled ciphers.
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
255 The ciphers are specified in the format understood by the
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
256 OpenSSL library, for example:
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
257 <example>
538
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
258 ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
259 </example>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
260 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
261
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
262 <para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
263 The full list can be viewed using the
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
264 “<command>openssl ciphers</command>” command.
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
265 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
266
538
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
267 <para>
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
268 <note>
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
269 The previous versions of nginx used
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
270 <link doc="configuring_https_servers.xml" id="compatibility">different</link>
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
271 ciphers by default.
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
272 </note>
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
273 </para>
58dd64aef626 Documented ciphers used by default in modern nginx versions (closes #177).
Ruslan Ermilov <ru@nginx.com>
parents: 393
diff changeset
274
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
275 </directive>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
276
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
277
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
278 <directive name="ssl_client_certificate">
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
279 <syntax><value>file</value></syntax>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
280 <default/>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
281 <context>http</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
282 <context>server</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
283
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
284 <para>
715
3f25469cbc49 Highlighted 'file' parameters in the http_ssl_module directives.
Vladimir Homutov <vl@nginx.com>
parents: 712
diff changeset
285 Specifies a <value>file</value> with trusted CA certificates in the PEM format
1428
933831d7bf0b Link to "ssl_verify_client" from client certificate directives.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1411
diff changeset
286 used to <link id="ssl_verify_client">verify</link> client certificates and
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
287 OCSP responses if <link id="ssl_stapling"/> is enabled.
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
288 </para>
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
289
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
290 <para>
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
291 The list of certificates will be sent to clients.
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
292 If this is not desired, the <link id="ssl_trusted_certificate"/>
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
293 directive can be used.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
294 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
295
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
296 </directive>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
297
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
298
2616
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
299 <directive name="ssl_conf_command">
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
300 <syntax><value>command</value></syntax>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
301 <default/>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
302 <context>http</context>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
303 <context>server</context>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
304 <appeared-in>1.19.4</appeared-in>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
305
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
306 <para>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
307 Sets arbitrary OpenSSL configuration
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
308 <link url="https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html">commands</link>.
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
309 <note>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
310 The directive is supported when using OpenSSL 1.0.2 or higher.
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
311 </note>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
312 </para>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
313
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
314 <para>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
315 Several <literal>ssl_conf_command</literal> directives
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
316 can be specified on the same level:
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
317 <example>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
318 ssl_conf_command Options PrioritizeChaCha;
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
319 ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
320 </example>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
321 These directives are inherited from the previous configuration level
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
322 if and only if there are no <literal>ssl_conf_command</literal> directives
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
323 defined on the current level.
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
324 </para>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
325
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
326 <para>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
327 <note>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
328 Note that configuring OpenSSL directly
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
329 might result in unexpected behavior.
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
330 </note>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
331 </para>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
332
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
333 </directive>
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
334
d8bf37d20449 Documented the ssl_conf_command directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2548
diff changeset
335
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
336 <directive name="ssl_crl">
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
337 <syntax><value>file</value></syntax>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
338 <default/>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
339 <context>http</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
340 <context>server</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
341 <appeared-in>0.8.7</appeared-in>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
342
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
343 <para>
715
3f25469cbc49 Highlighted 'file' parameters in the http_ssl_module directives.
Vladimir Homutov <vl@nginx.com>
parents: 712
diff changeset
344 Specifies a <value>file</value> with revoked certificates (CRL)
1428
933831d7bf0b Link to "ssl_verify_client" from client certificate directives.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1411
diff changeset
345 in the PEM format used to <link id="ssl_verify_client">verify</link>
933831d7bf0b Link to "ssl_verify_client" from client certificate directives.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1411
diff changeset
346 client certificates.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
347 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
348
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
349 </directive>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
350
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
351
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
352 <directive name="ssl_dhparam">
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
353 <syntax><value>file</value></syntax>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
354 <default/>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
355 <context>http</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
356 <context>server</context>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
357 <appeared-in>0.7.2</appeared-in>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
358
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
359 <para>
1706
6f5497797cde Changed "EDH ciphers" to "DHE ciphers".
Maxim Dounin <mdounin@mdounin.ru>
parents: 1499
diff changeset
360 Specifies a <value>file</value> with DH parameters for DHE ciphers.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
361 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
362
2296
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
363 <para>
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
364 By default no parameters are set,
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
365 and therefore DHE ciphers will not be used.
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
366 <note>
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
367 Prior to version 1.11.0, builtin parameters were used by default.
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
368 </note>
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
369 </para>
e2e71f9477a8 Added note about ssl_dhparam defaults.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2241
diff changeset
370
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
371 </directive>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
372
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
373
2219
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
374 <directive name="ssl_early_data">
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
375 <syntax><literal>on</literal> | <literal>off</literal></syntax>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
376 <default>off</default>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
377 <context>http</context>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
378 <context>server</context>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
379 <appeared-in>1.15.3</appeared-in>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
380
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
381 <para>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
382 Enables or disables TLS 1.3
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
383 <link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>.
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
384 <note>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
385 Requests sent within early data are subject to
2238
0761b770a94e RFC8470.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2234
diff changeset
386 <link url="https://tools.ietf.org/html/rfc8470">replay attacks</link>.
2234
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
387 To protect against such attacks at the application layer,
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
388 the <link id="var_ssl_early_data">$ssl_early_data</link> variable
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
389 should be used.
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
390 </note>
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
391
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
392 <example>
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
393 proxy_set_header Early-Data $ssl_early_data;
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
394 </example>
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
395
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
396 <note>
2241
b7ac730b96f3 Documented TLS 1.3 early data support with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2238
diff changeset
397 The directive is supported when using OpenSSL 1.1.1 or higher (1.15.4) and
b7ac730b96f3 Documented TLS 1.3 early data support with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2238
diff changeset
398 <link url="https://boringssl.googlesource.com/boringssl/">BoringSSL</link>.
2219
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
399 </note>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
400 </para>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
401
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
402 </directive>
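Added example, not part of the annotated nginx source or the nginx project's own code: one way an upstream WSGI application can act on the Early-Data header set by the proxy_set_header line above, answering replayable requests with 425 Too Early as RFC 8470 describes. The names EarlyDataGuard, inner_app, status_for and the /transfer path are assumptions made for the illustration.

```python
"""Application-layer replay guard for requests forwarded from TLS 1.3 early data.

Assumed deployment: nginx terminates TLS with "ssl_early_data on;" and
forwards "proxy_set_header Early-Data $ssl_early_data;" to this application.
"""

# Methods RFC 7231 defines as safe. Replaying them should not change state;
# an application with side effects on GET must narrow this set itself.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def is_early_data(environ):
    """Return True when the proxy marked the request as sent in early data.

    $ssl_early_data is "1" while the handshake is not complete and empty
    otherwise, and nginx does not pass a header whose value is empty, so
    the backend sees either "Early-Data: 1" or no such header at all.
    """
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


class EarlyDataGuard:
    """WSGI middleware (hypothetical name) refusing unsafe early-data requests."""

    def __init__(self, app, safe_methods=SAFE_METHODS):
        self.app = app
        self.safe_methods = safe_methods

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if is_early_data(environ) and method not in self.safe_methods:
            # 425 tells the client to retry once the handshake has finished,
            # at which point the request is no longer replayable 0-RTT data.
            body = b"Too Early: retry after the TLS handshake completes\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def inner_app(environ, start_response):
    """Constructed stand-in for the real state-changing application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, method, early_data_header=None):
    """Drive the app with a constructed environ and return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/transfer"}
    if early_data_header is not None:
        environ["HTTP_EARLY_DATA"] = early_data_header
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    list(app(environ, start_response))  # consume the response body
    return captured["status"]


if __name__ == "__main__":
    guarded = EarlyDataGuard(inner_app)
    for method, header in [("POST", "1"), ("POST", None), ("GET", "1")]:
        print(method, repr(header), "->", status_for(guarded, method, header))
```

The header can be trusted only when the backend is reachable solely through nginx, because proxy_set_header replaces any Early-Data value supplied by the client.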
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
403
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
404
1054
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
405 <directive name="ssl_ecdh_curve">
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
406 <syntax><value>curve</value></syntax>
1711
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
407 <default>auto</default>
1054
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
408 <context>http</context>
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
409 <context>server</context>
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
410 <appeared-in>1.1.0</appeared-in>
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
411 <appeared-in>1.0.6</appeared-in>
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
412
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
413 <para>
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
414 Specifies a <value>curve</value> for ECDHE ciphers.
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
415 </para>
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
416
1711
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
417 <para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
418 When using OpenSSL 1.0.2 or higher,
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
419 it is possible to specify multiple curves (1.11.0), for example:
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
420 <example>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
421 ssl_ecdh_curve prime256v1:secp384r1;
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
422 </example>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
423 </para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
424
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
425 <para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
426 The special value <literal>auto</literal> (1.11.0) instructs nginx to use
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
427 a list built into the OpenSSL library when using OpenSSL 1.0.2 or higher,
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
428 or <literal>prime256v1</literal> with older versions.
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
429 </para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1706
diff changeset
430
431 <para>
432 <note>
433 Prior to version 1.11.0,
434 the <literal>prime256v1</literal> curve was used by default.
435 </note>
436 </para>
437
2648
78161967514f Mentioned ECDSA in ssl_ecdh_curve.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2618
diff changeset
438 <para>
439 <note>
440 When using OpenSSL 1.0.2 or higher,
441 this directive sets the list of curves supported by the server.
442 Thus, in order for ECDSA certificates to work,
443 it is important to include the curves used in the certificates.
444 </note>
445 </para>
446
1054
c5793e5c30d4 Documented the "ssl_ecdh_curve" directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1039
diff changeset
447 </directive>
448
449
2548
ffc4083f5c7e Documented ssl_ocsp, ssl_ocsp_cache, ssl_ocsp_responder directives.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2460
diff changeset
450 <directive name="ssl_ocsp">
451 <syntax><literal>on</literal> |
452 <literal>off</literal> |
453 <literal>leaf</literal></syntax>
454 <default>off</default>
455 <context>http</context>
456 <context>server</context>
457 <appeared-in>1.19.0</appeared-in>
458
459 <para>
460 Enables OCSP validation of the client certificate chain.
461 The <literal>leaf</literal> parameter
462 enables validation of the client certificate only.
463 </para>
464
465 <para>
466 For the OCSP validation to work,
467 the <link id="ssl_verify_client"/> directive should be set to
468 <literal>on</literal> or <literal>optional</literal>.
469 </para>
470
471 <para>
472 To resolve the OCSP responder hostname,
473 the <link doc="ngx_http_core_module.xml" id="resolver"/> directive
474 should also be specified.
475 </para>
476
477 <para>
478 Example:
479 <example>
480 ssl_verify_client on;
481 ssl_ocsp on;
482 resolver 192.0.2.1;
483 </example>
484 </para>
485
486 </directive>
487
488
489 <directive name="ssl_ocsp_cache">
490 <syntax>
491 <literal>off</literal> |
492 [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax>
493 <default>off</default>
494 <context>http</context>
495 <context>server</context>
496 <appeared-in>1.19.0</appeared-in>
497
498 <para>
499 Sets <literal>name</literal> and <literal>size</literal> of the cache
500 that stores client certificate status for OCSP validation.
501 The cache is shared between all worker processes.
502 A cache with the same name can be used in several virtual servers.
503 </para>
504
505 <para>
506 The <literal>off</literal> parameter prohibits the use of the cache.
507 </para>
508
509 </directive>
510
511
512 <directive name="ssl_ocsp_responder">
513 <syntax><value>url</value></syntax>
514 <default/>
515 <context>http</context>
516 <context>server</context>
517 <appeared-in>1.19.0</appeared-in>
518
519 <para>
520 Overrides the URL of the OCSP responder specified in the
521 “<link url="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority
522 Information Access</link>” certificate extension
523 for <link id="ssl_ocsp">validation</link> of client certificates.
524 </para>
525
526 <para>
527 Only “<literal>http://</literal>” OCSP responders are supported:
528 <example>
529 ssl_ocsp_responder http://ocsp.example.com/;
530 </example>
531 </para>
532
533 </directive>
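The prerequisites stated above for ssl_ocsp and ssl_ocsp_responder (ssl_verify_client set to on or optional, a resolver for the responder hostname, http:// responders only) can be checked mechanically per server block. The script below is an added example, not part of the nginx documentation or source; its lexer is simplified, and SAMPLE_CONF, the host names, and the rule that an IP-literal responder needs no resolver are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical hosts, not from the nginx docs).
SAMPLE_CONF = """
http {
    ssl_verify_client on;          # inherited by every server below
    server {                       # all prerequisites met
        server_name good.example.com;
        ssl_ocsp on;
        resolver 192.0.2.1;
    }
    server {                       # responder taken from the certificate, no resolver
        server_name noresolver.example.com;
        ssl_ocsp on;
    }
    server {                       # verification switched off, https:// responder
        server_name broken.example.com;
        ssl_verify_client off;
        ssl_ocsp leaf;
        ssl_ocsp_responder https://ocsp.example.com/;
    }
}
"""

# Comments, quoted strings, punctuation, bare words (simplified nginx lexer).
TOKEN = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};#"']+""")
TRACKED = ("ssl_ocsp", "ssl_verify_client", "ssl_ocsp_responder", "resolver")

def parse(text):
    """Build a tree of blocks: {'args': [...], 'directives': [(name, args)], 'blocks': [...]}."""
    root = {"args": [], "directives": [], "blocks": []}
    stack, words = [root], []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        if tok == ";" and words:
            stack[-1]["directives"].append((words[0], words[1:]))
        elif tok == "{":
            stack[-1]["blocks"].append({"args": words, "directives": [], "blocks": []})
            stack.append(stack[-1]["blocks"][-1])
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        words = []
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root

def effective(block, inherited):
    """Overlay this block's tracked directives (first argument only) on inherited values."""
    eff = dict(inherited)
    eff.update({n: (a[0] if a else "") for n, a in block["directives"] if n in TRACKED})
    return eff

def is_ip(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def check(eff):
    """Return the documented ssl_ocsp prerequisites that the effective settings violate."""
    if eff.get("ssl_ocsp", "off") not in ("on", "leaf"):
        return []
    problems = []
    if eff.get("ssl_verify_client", "off") not in ("on", "optional"):
        problems.append("ssl_verify_client must be on or optional for ssl_ocsp to work")
    responder, needs_dns = eff.get("ssl_ocsp_responder"), True
    if responder:
        url = urlsplit(responder)
        if url.scheme != "http":
            problems.append("ssl_ocsp_responder must be an http:// URL")
        needs_dns = not is_ip(url.hostname)   # assumption: IP literals need no resolver
    if needs_dns and not eff.get("resolver"):
        problems.append("no resolver to look up the OCSP responder hostname")
    return problems

def audit(text):
    """Check every server block, applying http-level settings as defaults."""
    findings = []
    for http in (b for b in parse(text)["blocks"] if b["args"][:1] == ["http"]):
        defaults = effective(http, {})
        for srv in (b for b in http["blocks"] if b["args"][:1] == ["server"]):
            names = (a[0] for n, a in srv["directives"] if n == "server_name" and a)
            label = next(names, "<unnamed>")
            findings += [(label, p) for p in check(effective(srv, defaults))]
    return findings

if __name__ == "__main__":
    for server, problem in audit(SAMPLE_CONF):
        print(f"{server}: {problem}")
```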
534
535
1239
35cf5dca5fa4 SSL: added the ssl_password_file directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1201
diff changeset
536 <directive name="ssl_password_file">
537 <syntax><value>file</value></syntax>
538 <default/>
539 <context>http</context>
540 <context>server</context>
541 <appeared-in>1.7.3</appeared-in>
542
543 <para>
544 Specifies a <value>file</value> with passphrases for
545 <link id="ssl_certificate_key">secret keys</link>
546 where each passphrase is specified on a separate line.
547 Passphrases are tried in turn when loading the key.
548 </para>
549
550 <para>
551 Example:
552 <example>
553 http {
554 ssl_password_file /etc/keys/global.pass;
555 ...
556
557 server {
558 server_name www1.example.com;
559 ssl_certificate_key /etc/keys/first.key;
560 }
561
562 server {
563 server_name www2.example.com;
564
565 # named pipe can also be used instead of a file
566 ssl_password_file /etc/keys/fifo;
567 ssl_certificate_key /etc/keys/second.key;
568 }
569 }
570 </example>
571 </para>
572
573 </directive>
574
575
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
576 <directive name="ssl_prefer_server_ciphers">
577 <syntax><literal>on</literal> | <literal>off</literal></syntax>
578 <default>off</default>
579 <context>http</context>
580 <context>server</context>
581
582 <para>
583 Specifies that server ciphers should be preferred over client
584 ciphers when using the SSLv3 and TLS protocols.
585 </para>
586
587 </directive>
588
589
590 <directive name="ssl_protocols">
591 <syntax>
592 [<literal>SSLv2</literal>]
593 [<literal>SSLv3</literal>]
594 [<literal>TLSv1</literal>]
595 [<literal>TLSv1.1</literal>]
1978
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1923
diff changeset
596 [<literal>TLSv1.2</literal>]
597 [<literal>TLSv1.3</literal>]</syntax>
1499
3687cc9a3592 Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1457
diff changeset
598 <default>TLSv1 TLSv1.1 TLSv1.2</default>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
599 <context>http</context>
600 <context>server</context>
601
602 <para>
603 Enables the specified protocols.
604 <note>
1978
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1923
diff changeset
605 The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters
606 (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.
607 </note>
608 <note>
609 The <literal>TLSv1.3</literal> parameter (1.13.0) works only when
2769
16f6fa718be2 Updated TLSv1.3 support notes.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2718
diff changeset
610 OpenSSL 1.1.1 or higher is used.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
611 </note>
612 </para>
613
614 </directive>
615
616
2618
0b98a81f196b Documented the ssl_reject_handshake directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2616
diff changeset
617 <directive name="ssl_reject_handshake">
618 <syntax><literal>on</literal> | <literal>off</literal></syntax>
619 <default>off</default>
620 <context>http</context>
621 <context>server</context>
622 <appeared-in>1.19.4</appeared-in>
623
624 <para>
625 If enabled, SSL handshakes in
626 the <link doc="ngx_http_core_module.xml" id="server"/> block will be rejected.
627 </para>
628
629 <para>
630 For example, in the following configuration, SSL handshakes with
631 server names other than <literal>example.com</literal> are rejected:
632 <example>
633 server {
2718
fb41de2d765a Added default_server to ssl_reject_handshake example.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2648
diff changeset
634 listen 443 ssl default_server;
2618
0b98a81f196b Documented the ssl_reject_handshake directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2616
diff changeset
635 ssl_reject_handshake on;
636 }
637
638 server {
639 listen 443 ssl;
640 server_name example.com;
641 ssl_certificate example.com.crt;
642 ssl_certificate_key example.com.key;
643 }
644 </example>
645 </para>
646
647 </directive>
648
649
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
650 <directive name="ssl_session_cache">
651 <syntax>
652 <literal>off</literal> |
653 <literal>none</literal> |
654 [<literal>builtin</literal>[:<value>size</value>]]
655 [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax>
656 <default>none</default>
657 <context>http</context>
658 <context>server</context>
659
660 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
661 Sets the types and sizes of caches that store session parameters.
662 A cache can be of any of the following types:
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
663 <list type="tag">
664
665 <tag-name><literal>off</literal></tag-name>
666 <tag-desc>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
667 the use of a session cache is strictly prohibited:
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
668 nginx explicitly tells a client that sessions may not be reused.
669 </tag-desc>
670
671 <tag-name><literal>none</literal></tag-name>
672 <tag-desc>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
673 the use of a session cache is gently disallowed:
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
674 nginx tells a client that sessions may be reused, but does not
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
675 actually store session parameters in the cache.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
676 </tag-desc>
677
2068
3d9e7993c201 Added links to directives in the example of ssl modules.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2040
diff changeset
678 <tag-name id="ssl_session_cache_builtin"><literal>builtin</literal></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
679 <tag-desc>
680 a cache built in OpenSSL; used by one worker process only.
681 The cache size is specified in sessions.
682 If size is not given, it is equal to 20480 sessions.
683 Use of the built-in cache can cause memory fragmentation.
684 </tag-desc>
685
2068
3d9e7993c201 Added links to directives in the example of ssl modules.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2040
diff changeset
686 <tag-name id="ssl_session_cache_shared"><literal>shared</literal></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
687 <tag-desc>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
688 a cache shared between all worker processes.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
689 The cache size is specified in bytes; one megabyte can store
690 about 4000 sessions.
691 Each shared cache should have an arbitrary name.
692 A cache with the same name can be used in several virtual servers.
693 </tag-desc>
694
695 </list>
696 </para>
697
698 <para>
699 Both cache types can be used simultaneously, for example:
700 <example>
701 ssl_session_cache builtin:1000 shared:SSL:10m;
702 </example>
703 but using only shared cache without the built-in cache should
704 be more efficient.
705 </para>
706
707 </directive>
708
709
1019
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail.
Vladimir Homutov <vl@nginx.com>
parents: 966
diff changeset
710 <directive name="ssl_session_ticket_key">
711 <syntax><value>file</value></syntax>
712 <default/>
713 <context>http</context>
714 <context>server</context>
715 <appeared-in>1.5.7</appeared-in>
716
717 <para>
718 Sets a <value>file</value> with the secret key used to encrypt
719 and decrypt TLS session tickets.
720 The directive is necessary if the same key has to be shared between
721 multiple servers.
722 By default, a randomly generated key is used.
723 </para>
724
725 <para>
726 If several keys are specified, only the first key is
727 used to encrypt TLS session tickets.
1144
ac131944d349 Changed infinitive to gerund after "allow".
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1072
diff changeset
728 This allows configuring key rotation, for example:
1019
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail.
Vladimir Homutov <vl@nginx.com>
parents: 966
diff changeset
729 <example>
730 ssl_session_ticket_key current.key;
731 ssl_session_ticket_key previous.key;
732 </example>
733 </para>
734
735 <para>
1877
aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1871
diff changeset
736 The <value>file</value> must contain 80 or 48 bytes
737 of random data and can be created using the following command:
1019
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail.
Vladimir Homutov <vl@nginx.com>
parents: 966
diff changeset
738 <example>
1877
aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1871
diff changeset
739 openssl rand 80 > ticket.key
1019
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail.
Vladimir Homutov <vl@nginx.com>
parents: 966
diff changeset
740 </example>
1877
aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1871
diff changeset
741 Depending on the file size either AES256 (for 80-byte keys, 1.11.8)
742 or AES128 (for 48-byte keys) is used for encryption.
1019
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail.
Vladimir Homutov <vl@nginx.com>
parents: 966
diff changeset
743 </para>
744
745 </directive>
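The key-file rules of the ssl_session_ticket_key directive above (a file of 80 or 48 bytes, with only the first listed key used to encrypt) written as a rotation helper. This is an added example, not part of the nginx documentation source; the function names and the key directory argument are assumptions, and the file names follow the documentation's current.key / previous.key example.

```shell
#!/bin/sh
# Added example (not from the nginx documentation source).
# Assumed layout: one directory holding current.key and previous.key,
# referenced from nginx.conf in that order, as in the documented example:
#     ssl_session_ticket_key current.key;
#     ssl_session_ticket_key previous.key;

# Print the cipher implied by a ticket key file's size, per the documentation:
# 80 bytes -> AES256, 48 bytes -> AES128. Any other size is reported as invalid.
ticket_key_cipher() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    case "$size" in
        80) echo "AES256" ;;
        48) echo "AES128" ;;
        *)  echo "invalid:$size"; return 1 ;;
    esac
}

# Write $2 random bytes to file $1, readable by the owner only.
# Uses "openssl rand" as in the documentation; the /dev/urandom fallback
# is an assumption for hosts without the openssl command.
gen_ticket_key() {
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand "$2" > "$1"
        else
            head -c "$2" /dev/urandom > "$1"
        fi
    )
}

# Rotate keys in directory $1: the old current.key becomes previous.key,
# so tickets issued under it still decrypt, and a fresh 80-byte key becomes
# current.key, the only key used to encrypt new tickets.
rotate_ticket_keys() {
    dir=$1
    new="$dir/current.key.new"
    gen_ticket_key "$new" 80 || return 1
    # Refuse to install a key file of the wrong size.
    ticket_key_cipher "$new" >/dev/null || { rm -f "$new"; return 1; }
    if [ -f "$dir/current.key" ]; then
        mv -f "$dir/current.key" "$dir/previous.key" || return 1
    else
        # First run: both files named in the configuration must exist.
        gen_ticket_key "$dir/previous.key" 80 || return 1
    fi
    mv -f "$new" "$dir/current.key"
}
```

nginx reads the key files when the configuration is loaded, so a rotation takes effect only after a reload.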
746
747
1055
e26a9f598e40 Documented the "ssl_session_tickets" directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1054
diff changeset
748 <directive name="ssl_session_tickets">
749 <syntax><literal>on</literal> | <literal>off</literal></syntax>
750 <default>on</default>
751 <context>http</context>
752 <context>server</context>
753 <appeared-in>1.5.9</appeared-in>
754
755 <para>
756 Enables or disables session resumption through
1923
66a30a380fba Fixed links to tools.ietf.org.
Ruslan Ermilov <ru@nginx.com>
parents: 1877
diff changeset
757 <link url="https://tools.ietf.org/html/rfc5077">TLS session tickets</link>.
1055
e26a9f598e40 Documented the "ssl_session_tickets" directive.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1054
diff changeset
758 </para>
759
760 </directive>
761
762
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
763 <directive name="ssl_session_timeout">
764 <syntax><value>time</value></syntax>
765 <default>5m</default>
766 <context>http</context>
767 <context>server</context>
768
769 <para>
770 Specifies a time during which a client may reuse the
1785
3fa0944ddc6a Removed info about session cache from ssl_session_timeout.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1726
diff changeset
771 session parameters.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
772 </para>
773
774 </directive>
775
776
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
777 <directive name="ssl_stapling">
778 <syntax><literal>on</literal> | <literal>off</literal></syntax>
779 <default>off</default>
780 <context>http</context>
781 <context>server</context>
782 <appeared-in>1.3.7</appeared-in>
783
784 <para>
785 Enables or disables
2162
aa5d65fe4916 Updated link to TLS Certificate Status Request extension reference.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2068
diff changeset
786 <link url="https://tools.ietf.org/html/rfc6066#section-8">stapling
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
787 of OCSP responses</link> by the server.
788 Example:
789 <example>
790 ssl_stapling on;
791 resolver 192.0.2.1;
792 </example>
793 </para>
794
795 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
796 For the OCSP stapling to work, the certificate of the server certificate
797 issuer should be known.
712
2c9e8facc761 Resolved ambiguity regarding lists of certificates and fixed links.
Vladimir Homutov <vl@nginx.com>
parents: 696
diff changeset
798 If the <link id="ssl_certificate"/> file does
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
799 not contain intermediate certificates,
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
800 the certificate of the server certificate issuer should be
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
801 present in the
712
2c9e8facc761 Resolved ambiguity regarding lists of certificates and fixed links.
Vladimir Homutov <vl@nginx.com>
parents: 696
diff changeset
802 <link id="ssl_trusted_certificate"/> file.
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
803 </para>
804
805 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
806 For a resolution of the OCSP responder hostname,
807 the <link doc="ngx_http_core_module.xml" id="resolver"/> directive
808 should also be specified.
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
809 </para>
810
811 </directive>
812
813
814 <directive name="ssl_stapling_file">
815 <syntax><value>file</value></syntax>
816 <default/>
817 <context>http</context>
818 <context>server</context>
819 <appeared-in>1.3.7</appeared-in>
820
821 <para>
822 When set, the stapled OCSP response will be taken from the
823 specified <value>file</value> instead of querying
824 the OCSP responder specified in the server certificate.
825 </para>
826
827 <para>
828 The file should be in the DER format as produced by the
829 “<literal>openssl ocsp</literal>” command.
830 </para>
831
832 </directive>
833
834
835 <directive name="ssl_stapling_responder">
836 <syntax><value>url</value></syntax>
837 <default/>
838 <context>http</context>
839 <context>server</context>
840 <appeared-in>1.3.7</appeared-in>
841
842 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
843 Overrides the URL of the OCSP responder specified in the
1923
66a30a380fba Fixed links to tools.ietf.org.
Ruslan Ermilov <ru@nginx.com>
parents: 1877
diff changeset
844 “<link url="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
845 Information Access</link>” certificate extension.
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
846 </para>
847
848 <para>
849 Only “<literal>http://</literal>” OCSP responders are supported:
850 <example>
851 ssl_stapling_responder http://ocsp.example.com/;
852 </example>
853 </para>
854
855 </directive>
856
857
858 <directive name="ssl_stapling_verify">
859 <syntax><literal>on</literal> | <literal>off</literal></syntax>
860 <default>off</default>
861 <context>http</context>
862 <context>server</context>
863 <appeared-in>1.3.7</appeared-in>
864
865 <para>
866 Enables or disables verification of OCSP responses by the server.
867 </para>
868
869 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
870 For verification to work, the certificate of the server certificate
871 issuer, the root certificate, and all intermediate certificates
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
872 should be configured as trusted using the
873 <link id="ssl_trusted_certificate"/> directive.
874 </para>
875
876 </directive>
877
878
879 <directive name="ssl_trusted_certificate">
880 <syntax><value>file</value></syntax>
881 <default/>
882 <context>http</context>
883 <context>server</context>
884 <appeared-in>1.3.7</appeared-in>
885
886 <para>
715
3f25469cbc49 Highlighted 'file' parameters in the http_ssl_module directives.
Vladimir Homutov <vl@nginx.com>
parents: 712
diff changeset
887 Specifies a <value>file</value> with trusted CA certificates in the PEM format
1428
933831d7bf0b Link to "ssl_verify_client" from client certificate directives.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1411
diff changeset
888 used to <link id="ssl_verify_client">verify</link> client certificates and
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
889 OCSP responses if <link id="ssl_stapling"/> is enabled.
890 </para>
891
892 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
893 In contrast to the certificate set by <link id="ssl_client_certificate"/>,
894 the list of these certificates will not be sent to clients.
695
2eb83e89b239 Added the OCSP stapling documentation in English.
Vladimir Homutov <vl@nginx.com>
parents: 589
diff changeset
895 </para>
896
897 </directive>
898
899
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
900 <directive name="ssl_verify_client">
901 <syntax>
902 <literal>on</literal> | <literal>off</literal> |
717
c5facf2eff6f Documented the recently added "optional_no_ca" parameter of the
Ruslan Ermilov <ru@nginx.com>
parents: 715
diff changeset
903 <literal>optional</literal> | <literal>optional_no_ca</literal></syntax>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
904 <default>off</default>
905 <context>http</context>
906 <context>server</context>
907
908 <para>
717
c5facf2eff6f Documented the recently added "optional_no_ca" parameter of the
Ruslan Ermilov <ru@nginx.com>
parents: 715
diff changeset
909 Enables verification of client certificates.
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
910 The verification result is stored in the
1871
5f156621b8b5 Added links to $ssl_client_verify and $ssl_client_cert.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1870
diff changeset
911 <link id="var_ssl_client_verify">$ssl_client_verify</link> variable.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
912 </para>
913
717
c5facf2eff6f Documented the recently added "optional_no_ca" parameter of the
Ruslan Ermilov <ru@nginx.com>
parents: 715
diff changeset
914 <para>
915 The <literal>optional</literal> parameter (0.8.7+) requests the client
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
916 certificate and verifies it if the certificate is present.
717
c5facf2eff6f Documented the recently added "optional_no_ca" parameter of the
Ruslan Ermilov <ru@nginx.com>
parents: 715
diff changeset
917 </para>
918
919 <para>
763
cd581dbdaf76 The "optional_no_ca" parameter of the "ssl_verify_client" directive
Ruslan Ermilov <ru@nginx.com>
parents: 717
diff changeset
920 The <literal>optional_no_ca</literal> parameter (1.3.8, 1.2.5)
921 requests the client
717
c5facf2eff6f Documented the recently added "optional_no_ca" parameter of the
Ruslan Ermilov <ru@nginx.com>
parents: 715
diff changeset
922 certificate but does not require it to be signed by a trusted CA certificate.
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
923 This is intended for use in cases when a service that is external to nginx
924 performs the actual certificate verification.
925 The contents of the certificate are accessible through the
1871
5f156621b8b5 Added links to $ssl_client_verify and $ssl_client_cert.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1870
diff changeset
926 <link id="var_ssl_client_cert">$ssl_client_cert</link> variable.
717
c5facf2eff6f Documented the recently added "optional_no_ca" parameter of the
Ruslan Ermilov <ru@nginx.com>
parents: 715
diff changeset
927 </para>
928
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
929 </directive>
930
931
932 <directive name="ssl_verify_depth">
933 <syntax><value>number</value></syntax>
934 <default>1</default>
935 <context>http</context>
936 <context>server</context>
937
938 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
939 Sets the verification depth in the client certificate chain.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
940 </para>
941
942 </directive>
943
944 </section>
945
946
947 <section id="errors" name="Error Processing">
948
949 <para>
950 The <literal>ngx_http_ssl_module</literal> module supports several
951 non-standard error codes that can be used for redirects using the
952 <link doc="ngx_http_core_module.xml" id="error_page"/> directive:
953 <list type="tag">
954
955 <tag-name>495</tag-name>
956 <tag-desc>
957 an error has occurred during the client certificate verification;
958 </tag-desc>
959
960 <tag-name>496</tag-name>
961 <tag-desc>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
962 a client has not presented the required certificate;
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
963 </tag-desc>
964
965 <tag-name>497</tag-name>
966 <tag-desc>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
967 a regular request has been sent to the HTTPS port.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
968 </tag-desc>
969
970 </list>
971 </para>
972
973 <para>
966
95c3c3bbf1ce Text review.
Egor Nikitin <yegor.nikitin@gmail.com>
parents: 881
diff changeset
974 The redirection happens after the request is fully parsed and
975 the variables, such as <var>$request_uri</var>,
976 <var>$uri</var>, <var>$args</var> and others, are available.
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
977 </para>
978
979 </section>
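The directives and error codes described above, combined in one configuration. This is an added example and not part of the nginx documentation source; every file path, host name, address, port and `X-Client-*` header name in it is a placeholder.

```nginx
# Added example: placeholder paths, names and addresses throughout.

# Server 1: nginx itself verifies client certificates.
server {
    listen      443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # CA that issues client certificates; unlike ssl_trusted_certificate,
    # the list of these certificates is sent to clients.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    # Default is 1. Raise it when client certificates are issued by an
    # intermediate CA rather than directly by the CA configured above.
    ssl_verify_depth       2;

    # Staple OCSP responses and verify them before use. Verification needs
    # the issuer, intermediate and root certificates of the *server*
    # certificate configured as trusted. The same file is also used when
    # verifying client certificates, so keep it limited to that chain.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/tls/example.com-chain.pem;
    resolver                192.0.2.53;   # resolves the responder host name
    # Optional override of the responder URL; only http:// is supported.
    # ssl_stapling_responder http://ocsp.example.com/;

    # 495: an error occurred during client certificate verification
    # 496: the client did not present the required certificate
    error_page 495 496 =403 /client-cert-required.html;
    # 497: a regular request was sent to the HTTPS port. $request_uri is
    # usable here because the redirect happens after the request is parsed.
    error_page 497 =301 https://example.com$request_uri;

    location = /client-cert-required.html {
        internal;
        root /usr/share/nginx/html;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        # proxy_set_header replaces any header of the same name sent by the
        # client, so the upstream only sees values produced by nginx.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}

# Server 2: verification is delegated to a service behind nginx.
server {
    listen      8443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;

    # Request a certificate but do not require it to be signed by a trusted
    # CA. nginx makes no trust decision here: the upstream must validate
    # the chain itself and treat a missing header as "no certificate".
    ssl_verify_client optional_no_ca;

    location / {
        proxy_pass http://127.0.0.1:9000;
        # urlencoded PEM; use this instead of the deprecated $ssl_client_cert
        proxy_set_header X-Client-Cert   $ssl_client_escaped_cert;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

With `optional` and `optional_no_ca` a request without a certificate is still processed, so access decisions must be made on `$ssl_client_verify` or by the upstream service.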
980
981
982 <section id="variables" name="Embedded Variables">
983
984 <para>
985 The <literal>ngx_http_ssl_module</literal> module supports
2388
d323beea61ec An outdated adjective removed.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2350
diff changeset
986 embedded variables:
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
987 <list type="tag">
988
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
989 <tag-name id="var_ssl_cipher"><var>$ssl_cipher</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
990 <tag-desc>
2460
c60a8a15010c Clarified description of the $ssl_cipher variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 2388
diff changeset
991 returns the name of the cipher used
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
992 for an established SSL connection;
993 </tag-desc>
994
1857
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
995 <tag-name id="var_ssl_ciphers"><var>$ssl_ciphers</var></tag-name>
996 <tag-desc>
997 returns the list of ciphers supported by the client (1.11.7).
998 Known ciphers are listed by name, unknown ones are shown in hexadecimal,
999 for example:
1000 <example>
1001 AES128-SHA:AES256-SHA:0x00ff
1002 </example>
1003 <note>
1004 The variable is fully supported only when using OpenSSL version 1.0.2 or higher.
1005 With older versions, the variable is available
1006 only for new sessions and lists only known ciphers.
1007 </note>
1008 </tag-desc>
1009
2027
dabca59da4ce Documented the $ssl_client_escaped_cert variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1978
diff changeset
1010 <tag-name id="var_ssl_client_escaped_cert"><var>$ssl_client_escaped_cert</var></tag-name>
1011 <tag-desc>
1012 returns the client certificate in the PEM format (urlencoded)
1013 for an established SSL connection (1.13.5);
1014 </tag-desc>
1015
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1016 <tag-name id="var_ssl_client_cert"><var>$ssl_client_cert</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1017 <tag-desc>
1018 returns the client certificate in the PEM format
1019 for an established SSL connection, with each line except the first
1020 prepended with the tab character;
1021 this is intended for use in the
1022 <link doc="ngx_http_proxy_module.xml" id="proxy_set_header"/> directive;
2027
dabca59da4ce Documented the $ssl_client_escaped_cert variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1978
diff changeset
1023 <note>
1024 The variable is deprecated,
1025 the <var>$ssl_client_escaped_cert</var> variable should be used instead.
1026 </note>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1027 </tag-desc>
1028
1201
db4b017b5796 SSL: documented the ssl_client_fingerprint variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1167
diff changeset
1029 <tag-name id="var_ssl_client_fingerprint"><var>$ssl_client_fingerprint</var></tag-name>
1030 <tag-desc>
1031 returns the SHA1 fingerprint of the client certificate
1032 for an established SSL connection (1.7.1);
1033 </tag-desc>
1034
1870
fa7542e40381 Relocated $ssl_client_i_dn, $ssl_client_i_dn_legacy, $ssl_client_serial.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1863
diff changeset
1035 <tag-name id="var_ssl_client_i_dn"><var>$ssl_client_i_dn</var></tag-name>
1036 <tag-desc>
1037 returns the “issuer DN” string of the client certificate
1038 for an established SSL connection according to
1039 <link url="https://tools.ietf.org/html/rfc2253">RFC 2253</link> (1.11.6);
1040 </tag-desc>
1041
1042 <tag-name id="var_ssl_client_i_dn_legacy"><var>$ssl_client_i_dn_legacy</var></tag-name>
1043 <tag-desc>
1044 returns the “issuer DN” string of the client certificate
1045 for an established SSL connection;
1046 <note>
1047 Prior to version 1.11.6, the variable name was <var>$ssl_client_i_dn</var>.
1048 </note>
1049 </tag-desc>
1050
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1051 <tag-name id="var_ssl_client_raw_cert"><var>$ssl_client_raw_cert</var>
1052 </tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1053 <tag-desc>
1054 returns the client certificate in the PEM format
1055 for an established SSL connection;
1056 </tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1057
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1058 <tag-name id="var_ssl_client_s_dn"><var>$ssl_client_s_dn</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1059 <tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1060 returns the “subject DN” string of the client certificate
1824
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1061 for an established SSL connection according to
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1062 <link url="https://tools.ietf.org/html/rfc2253">RFC 2253</link> (1.11.6);
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1063 </tag-desc>
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1064
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1065 <tag-name id="var_ssl_client_s_dn_legacy"><var>$ssl_client_s_dn_legacy</var></tag-name>
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1066 <tag-desc>
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1067 returns the “subject DN” string of the client certificate
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1068 for an established SSL connection;
1824
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1069 <note>
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1070 Prior to version 1.11.6, the variable name was <var>$ssl_client_s_dn</var>.
e8811a423130 Added RFC2253-compliant $ssl_client_s_dn, $ssl_client_i_dn and legacy vars.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1785
diff changeset
1071 </note>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1072 </tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1073
1870
fa7542e40381 Relocated $ssl_client_i_dn, $ssl_client_i_dn_legacy, $ssl_client_serial.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1863
diff changeset
1074 <tag-name id="var_ssl_client_serial"><var>$ssl_client_serial</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1075 <tag-desc>
1870
fa7542e40381 Relocated $ssl_client_i_dn, $ssl_client_i_dn_legacy, $ssl_client_serial.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1863
diff changeset
1076 returns the serial number of the client certificate
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1077 for an established SSL connection;
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1078 </tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1079
1855
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1080 <tag-name id="var_ssl_client_v_end"><var>$ssl_client_v_end</var></tag-name>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1081 <tag-desc>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1082 returns the end date of the client certificate (1.11.7);
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1083 </tag-desc>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1084
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1085 <tag-name id="var_ssl_client_v_remain"><var>$ssl_client_v_remain</var></tag-name>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1086 <tag-desc>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1087 returns the number of days
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1088 until the client certificate expires (1.11.7);
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1089 </tag-desc>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1090
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1091 <tag-name id="var_ssl_client_v_start"><var>$ssl_client_v_start</var></tag-name>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1092 <tag-desc>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1093 returns the start date of the client certificate (1.11.7);
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1094 </tag-desc>
2ef67c4d2226 Documented $ssl_client_v_end, $ssl_client_v_start, $ssl_client_v_remain variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1824
diff changeset
1095
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1096 <tag-name id="var_ssl_client_verify"><var>$ssl_client_verify</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1097 <tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1098 returns the result of client certificate verification:
1856
7133004fa5b3 $ssl_client_verify extended with a failure reason.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1855
diff changeset
1099 “<literal>SUCCESS</literal>”, “<literal>FAILED:</literal><value>reason</value>”,
1863
fef4ab2d990c Removed unnecessary version for "FAILED:reason" in $ssl_client_verify.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1857
diff changeset
1100 and “<literal>NONE</literal>” if a certificate was not present;
1856
7133004fa5b3 $ssl_client_verify extended with a failure reason.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1855
diff changeset
1101 <note>
7133004fa5b3 $ssl_client_verify extended with a failure reason.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1855
diff changeset
1102 Prior to version 1.11.7, the “<literal>FAILED</literal>” result
7133004fa5b3 $ssl_client_verify extended with a failure reason.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1855
diff changeset
1103 did not contain the <value>reason</value> string.
7133004fa5b3 $ssl_client_verify extended with a failure reason.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1855
diff changeset
1104 </note>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1105 </tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1106
1857
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1107 <tag-name id="var_ssl_curves"><var>$ssl_curves</var></tag-name>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1108 <tag-desc>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1109 returns the list of curves supported by the client (1.11.7).
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1110 Known curves are listed by names, unknown are shown in hexadecimal,
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1111 for example:
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1112 <example>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1113 0x001d:prime256v1:secp521r1:secp384r1
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1114 </example>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1115 <note>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1116 The variable is supported only when using OpenSSL version 1.0.2 or higher.
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1117 With older versions, the variable value will be an empty string.
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1118 </note>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1119 <note>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1120 The variable is available only for new sessions.
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1121 </note>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1122 </tag-desc>
0882ccb0c00f Documented the $ssl_curves and $ssl_ciphers variables.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1856
diff changeset
1123
2219
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
1124 <tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
1125 <tag-desc>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
1126 returns “<literal>1</literal>” if
2234
20a189bdb15f Updated SSL early data documentation.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2219
diff changeset
1127 TLS 1.3 <link id="ssl_early_data">early data</link> is used
2219
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
1128 and the handshake is not complete, otherwise “” (1.15.3).
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
1129 </tag-desc>
f1e12641fc8a Documented TLS 1.3 early data.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 2168
diff changeset
1130
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1131 <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1132 <tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1133 returns the protocol of an established SSL connection;
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1134 </tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1135
1167
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1136 <tag-name id="var_ssl_server_name"><var>$ssl_server_name</var></tag-name>
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1137 <tag-desc>
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1138 returns the server name requested through
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1139 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication">SNI</link>
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1140 (1.7.0);
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1141 </tag-desc>
cac06b81957c Documented the $ssl_server_name variable.
Ruslan Ermilov <ru@nginx.com>
parents: 1155
diff changeset
1142
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1143 <tag-name id="var_ssl_session_id"><var>$ssl_session_id</var></tag-name>
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1144 <tag-desc>
1072
502f4be2d62e Documented the "ssl_session_reused" variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1055
diff changeset
1145 returns the session identifier of an established SSL connection;
502f4be2d62e Documented the "ssl_session_reused" variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1055
diff changeset
1146 </tag-desc>
502f4be2d62e Documented the "ssl_session_reused" variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1055
diff changeset
1147
1155
07402a11fd8d Assigned IDs to tags describing variables.
Vladimir Homutov <vl@nginx.com>
parents: 1144
diff changeset
1148 <tag-name id="var_ssl_session_reused"><var>$ssl_session_reused</var></tag-name>
1072
502f4be2d62e Documented the "ssl_session_reused" variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1055
diff changeset
1149 <tag-desc>
502f4be2d62e Documented the "ssl_session_reused" variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1055
diff changeset
1150 returns “<literal>r</literal>” if an SSL session was reused,
502f4be2d62e Documented the "ssl_session_reused" variable.
Yaroslav Zhuravlev <yar@nginx.com>
parents: 1055
diff changeset
1151 or “<literal>.</literal>” otherwise (1.5.11).
384
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1152 </tag-desc>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1153
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1154 </list>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1155 </para>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1156
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1157 </section>
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1158
331a86bc51ff English translation of ngx_http_ssl_module.
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1159 </module>
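An added example, not part of the nginx documentation source above: a log-review helper that interprets the values documented for `$ssl_client_verify`, `$ssl_client_v_remain`, `$ssl_early_data`, `$ssl_session_reused` and `$ssl_curves`. The `log_format` named `mtls`, the sample lines, the flag names and the 14-day threshold are assumptions made for illustration, as is the handling of empty variables logged as `-`.

```python
import re

# Constructed sample lines. Assumed (hypothetical) access-log format:
#   log_format mtls 'verify="$ssl_client_verify" remain="$ssl_client_v_remain" '
#                   'early="$ssl_early_data" reused="$ssl_session_reused" '
#                   'curves="$ssl_curves"';
SAMPLE_LOG = [
    'verify="SUCCESS" remain="200" early="-" reused="." '
    'curves="0x001d:prime256v1:secp521r1:secp384r1"',
    'verify="SUCCESS" remain="5" early="-" reused="r" curves="-"',
    'verify="FAILED:certificate has expired" remain="0" early="-" reused="." '
    'curves="prime256v1"',
    'verify="FAILED" remain="-" early="-" reused="." curves="prime256v1"',
    'verify="NONE" remain="-" early="1" reused="r" curves="-"',
]

FIELD = re.compile(r'(\w+)="([^"]*)"')
EMPTY = ("", "-")  # assumption: an empty variable is logged as "" or "-"


def parse_line(line):
    """Turn one key="value" log line into a dict, normalising empty values to ''."""
    return {k: ("" if v in EMPTY else v) for k, v in FIELD.findall(line)}


def split_curves(value):
    """Split $ssl_curves into (named, unknown); unknown curves are logged as 0x...."""
    named, unknown = [], []
    for item in filter(None, value.split(":")):
        (unknown if item.lower().startswith("0x") else named).append(item)
    return named, unknown


def findings(rec, min_days=14):
    """Return review flags for one record; an empty list means nothing to report."""
    out = []
    verify = rec.get("verify", "")
    if verify == "NONE":
        out.append("no-client-cert")
    elif verify.startswith("FAILED"):
        # Before 1.11.7 the value is plain "FAILED" with no reason string.
        out.append("verify-failed:" + (verify.partition(":")[2] or "unspecified"))
    elif verify != "SUCCESS":
        out.append("verify-unexpected:" + verify)
    remain = rec.get("remain", "")
    if verify == "SUCCESS" and remain.isdigit() and int(remain) < min_days:
        out.append("cert-expires-in:%sd" % remain)
    if rec.get("early") == "1":
        out.append("early-data")  # early data used and handshake not complete
    # $ssl_curves is available only for new sessions, so skip it on reused ones.
    if rec.get("reused") != "r":
        _, unknown = split_curves(rec.get("curves", ""))
        out.extend("unknown-curve:" + c for c in unknown)
    return out


def scan(lines):
    """Apply findings() to every log line, preserving order."""
    return [findings(parse_line(line)) for line in lines]
```
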