nginx-site: xml/en/docs/mail/ngx_mail_ssl

annotate xml/en/docs/mail/ngx_mail_ssl_module.xml @ 2769:16f6fa718be2

Updated TLSv1.3 support notes. Previous notes described some early development snapshot of OpenSSL 1.1.1 with disabled TLSv1.3 by default. It was then enabled in the first alpha. Further, the updated text covers later major releases such as OpenSSL 3.0.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Thu, 30 Sep 2021 16:29:20 +0300
parents	78161967514f
children	4add6ae1296f

rev	line source
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	1 <?xml version="1.0"?>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	2
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	3 <!--
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	4 Copyright (C) 2006, 2007 Anton Yuzhaninov
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	5 Copyright (C) Nginx, Inc.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	6 -->
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	7
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	9
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	10 <module name="Module ngx_mail_ssl_module"
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	11 link="/en/docs/mail/ngx_mail_ssl_module.html"
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	12 lang="en"
2769 16f6fa718be2 Updated TLSv1.3 support notes. Sergey Kandaurov <pluknet@nginx.com> parents: 2648 diff changeset	13 rev="23">
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	14
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	15 <section id="summary">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	16
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	17 <para>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	18 The <literal>ngx_mail_ssl_module</literal> module provides the necessary
95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	19 support for a mail proxy server to work with the SSL/TLS protocol.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	20 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	21
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	22 <para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	23 This module is not built by default, it should be enabled with
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	24 the <literal>--with-mail_ssl_module</literal>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	25 configuration parameter.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	26 <note>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	27 This module requires the <link url="http://www.openssl.org">OpenSSL</link>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	28 library.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	29 </note>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	30 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	31
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	32 </section>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	33
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	34
1521 e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	35 <section id="example" name="Example Configuration">
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	36
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	37 <para>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	38 To reduce the processor load, it is recommended to
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	39 <list type="bullet">
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	40
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	41 <listitem>
2068 3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	42 set the number of
3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	43 <link doc="../ngx_core_module.xml" id="worker_processes">worker processes</link>
3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	44 equal to the number of processors,
1521 e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	45 </listitem>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	46
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	47 <listitem>
2068 3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	48 enable the <link id="ssl_session_cache_shared">shared</link> session cache,
1521 e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	49 </listitem>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	50
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	51 <listitem>
2068 3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	52 disable the <link id="ssl_session_cache_builtin">built-in</link> session cache,
1521 e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	53 </listitem>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	54
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	55 <listitem>
2068 3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	56 and possibly increase the session <link id="ssl_session_timeout">lifetime</link>
3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	57 (by default, 5 minutes):
1521 e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	58 </listitem>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	59
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	60 </list>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	61
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	62 <example>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	63 <emphasis>worker_processes auto;</emphasis>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	64
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	65 mail {
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	66
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	67 ...
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	68
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	69 server {
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	70 listen 993 ssl;
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	71
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	72 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	73 ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	74 ssl_certificate /usr/local/nginx/conf/cert.pem;
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	75 ssl_certificate_key /usr/local/nginx/conf/cert.key;
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	76 <emphasis>ssl_session_cache shared:SSL:10m;</emphasis>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	77 <emphasis>ssl_session_timeout 10m;</emphasis>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	78
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	79 ...
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	80 }
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	81 </example>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	82 </para>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	83
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	84 </section>
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	85
e3d3e2ed4275 Added example configuration to mail and stream ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1499 diff changeset	86
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	87 <section id="directives" name="Directives">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	88
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	89 <directive name="ssl">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	90 <syntax><literal>on</literal> \| <literal>off</literal></syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	91 <default>off</default>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	92 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	93 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	94
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	95 <para>
2168 3535437f97d2 Deprecated the "ssl" directive for http and mail. Yaroslav Zhuravlev <yar@nginx.com> parents: 2068 diff changeset	96 This directive was made obsolete in version 1.15.0.
3535437f97d2 Deprecated the "ssl" directive for http and mail. Yaroslav Zhuravlev <yar@nginx.com> parents: 2068 diff changeset	97 The <literal>ssl</literal> parameter
3535437f97d2 Deprecated the "ssl" directive for http and mail. Yaroslav Zhuravlev <yar@nginx.com> parents: 2068 diff changeset	98 of the <link doc="ngx_mail_core_module.xml" id="listen"/> directive
3535437f97d2 Deprecated the "ssl" directive for http and mail. Yaroslav Zhuravlev <yar@nginx.com> parents: 2068 diff changeset	99 should be used instead.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	100 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	101
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	102 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	103
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	104
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	105 <directive name="ssl_certificate">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	106 <syntax><value>file</value></syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	107 <default/>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	108 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	109 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	110
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	111 <para>
1456 acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	112 Specifies a <value>file</value> with the certificate in the PEM format
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	113 for the given server.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	114 If intermediate certificates should be specified in addition to a primary
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	115 certificate, they should be specified in the same file in the following
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	116 order: the primary certificate comes first, then the intermediate certificates.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	117 A secret key in the PEM format may be placed in the same file.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	118 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	119
1726 a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	120 <para>
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	121 Since version 1.11.0,
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	122 this directive can be specified multiple times
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	123 to load certificates of different types, for example, RSA and ECDSA:
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	124 <example>
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	125 server {
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	126 listen 993 ssl;
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	127
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	128 ssl_certificate example.com.rsa.crt;
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	129 ssl_certificate_key example.com.rsa.key;
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	130
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	131 ssl_certificate example.com.ecdsa.crt;
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	132 ssl_certificate_key example.com.ecdsa.key;
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	133
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	134 ...
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	135 }
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	136 </example>
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	137 <note>
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	138 Only OpenSSL 1.0.2 or higher supports separate certificate chains
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	139 for different certificates.
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	140 With older versions, only one certificate chain can be used.
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	141 </note>
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	142 </para>
a0bc284941f6 Documented multiple certificates support. Maxim Dounin <mdounin@mdounin.ru> parents: 1711 diff changeset	143
2350 8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	144 <para id="ssl_certificate_data">
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	145 The value
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	146 <literal>data</literal>:<value>certificate</value>
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	147 can be specified instead of the <value>file</value> (1.15.10),
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	148 which loads a certificate without using intermediate files.
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	149 Note that inappropriate use of this syntax may have its security implications,
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	150 such as writing secret key data to
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	151 <link doc="../ngx_core_module.xml" id="error_log">error log</link>.
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	152 </para>
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	153
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	154 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	155
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	156
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	157 <directive name="ssl_certificate_key">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	158 <syntax><value>file</value></syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	159 <default/>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	160 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	161 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	162
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	163 <para>
1456 acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	164 Specifies a <value>file</value> with the secret key in the PEM format
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	165 for the given server.
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	166 </para>
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	167
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	168 <para>
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	169 The value
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	170 <literal>engine</literal>:<value>name</value>:<value>id</value>
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	171 can be specified instead of the <value>file</value> (1.7.9),
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	172 which loads a secret key with a specified <value>id</value>
acba294382d6 Documented engine support in ssl_certificate_key and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1429 diff changeset	173 from the OpenSSL engine <value>name</value>.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	174 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	175
2350 8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	176 <para id="ssl_certificate_key_data">
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	177 The value
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	178 <literal>data</literal>:<value>key</value>
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	179 can be specified instead of the <value>file</value> (1.15.10),
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	180 which loads a secret key without using intermediate files.
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	181 Note that inappropriate use of this syntax may have its security implications,
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	182 such as writing secret key data to
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	183 <link doc="../ngx_core_module.xml" id="error_log">error log</link>.
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	184 </para>
8e35f3af574b Documented the "data:" syntax for ssl_certificate and key. Yaroslav Zhuravlev <yar@nginx.com> parents: 2296 diff changeset	185
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	186 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	187
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	188
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	189 <directive name="ssl_ciphers">
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	190 <syntax><value>ciphers</value></syntax>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	191 <default>HIGH:!aNULL:!MD5</default>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	192 <context>mail</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	193 <context>server</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	194
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	195 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	196 Specifies the enabled ciphers.
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	197 The ciphers are specified in the format understood by the
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	198 OpenSSL library, for example:
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	199 <example>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	200 ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	201 </example>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	202 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	203
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	204 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	205 The full list can be viewed using the
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	206 “<command>openssl ciphers</command>” command.
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	207 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	208
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	209 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	210 <note>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	211 The previous versions of nginx used
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	212 <link doc="../http/configuring_https_servers.xml" id="compatibility">different</link>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	213 ciphers by default.
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	214 </note>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	215 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	216
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	217 </directive>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	218
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	219
1429 06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	220 <directive name="ssl_client_certificate">
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	221 <syntax><value>file</value></syntax>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	222 <default/>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	223 <context>mail</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	224 <context>server</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	225 <appeared-in>1.7.11</appeared-in>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	226
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	227 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	228 Specifies a <value>file</value> with trusted CA certificates in the PEM format
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	229 used to <link id="ssl_verify_client">verify</link> client certificates.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	230 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	231
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	232 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	233 The list of certificates will be sent to clients.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	234 If this is not desired, the <link id="ssl_trusted_certificate"/>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	235 directive can be used.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	236 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	237
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	238 </directive>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	239
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	240
2616 d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	241 <directive name="ssl_conf_command">
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	242 <syntax><value>command</value></syntax>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	243 <default/>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	244 <context>mail</context>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	245 <context>server</context>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	246 <appeared-in>1.19.4</appeared-in>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	247
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	248 <para>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	249 Sets arbitrary OpenSSL configuration
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	250 <link url="https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html">commands</link>.
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	251 <note>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	252 The directive is supported when using OpenSSL 1.0.2 or higher.
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	253 </note>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	254 </para>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	255
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	256 <para>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	257 Several <literal>ssl_conf_command</literal> directives
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	258 can be specified on the same level:
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	259 <example>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	260 ssl_conf_command Options PrioritizeChaCha;
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	261 ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	262 </example>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	263 These directives are inherited from the previous configuration level
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	264 if and only if there are no <literal>ssl_conf_command</literal> directives
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	265 defined on the current level.
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	266 </para>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	267
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	268 <para>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	269 <note>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	270 Note that configuring OpenSSL directly
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	271 might result in unexpected behavior.
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	272 </note>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	273 </para>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	274
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	275 </directive>
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	276
d8bf37d20449 Documented the ssl_conf_command directive. Yaroslav Zhuravlev <yar@nginx.com> parents: 2350 diff changeset	277
1429 06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	278 <directive name="ssl_crl">
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	279 <syntax><value>file</value></syntax>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	280 <default/>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	281 <context>mail</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	282 <context>server</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	283 <appeared-in>1.7.11</appeared-in>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	284
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	285 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	286 Specifies a <value>file</value> with revoked certificates (CRL)
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	287 in the PEM format used to <link id="ssl_verify_client">verify</link>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	288 client certificates.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	289 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	290
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	291 </directive>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	292
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	293
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	294 <directive name="ssl_dhparam">
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	295 <syntax><value>file</value></syntax>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	296 <default/>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	297 <context>mail</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	298 <context>server</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	299 <appeared-in>0.7.2</appeared-in>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	300
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	301 <para>
1706 6f5497797cde Changed "EDH ciphers" to "DHE ciphers". Maxim Dounin <mdounin@mdounin.ru> parents: 1521 diff changeset	302 Specifies a <value>file</value> with DH parameters for DHE ciphers.
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	303 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	304
2296 e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	305 <para>
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	306 By default no parameters are set,
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	307 and therefore DHE ciphers will not be used.
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	308 <note>
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	309 Prior to version 1.11.0, builtin parameters were used by default.
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	310 </note>
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	311 </para>
e2e71f9477a8 Added note about ssl_dhparam defaults. Sergey Kandaurov <pluknet@nginx.com> parents: 2168 diff changeset	312
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	313 </directive>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	314
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	315
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	316 <directive name="ssl_ecdh_curve">
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	317 <syntax><value>curve</value></syntax>
1711 38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	318 <default>auto</default>
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	319 <context>mail</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	320 <context>server</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	321 <appeared-in>1.1.0</appeared-in>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	322 <appeared-in>1.0.6</appeared-in>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	323
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	324 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	325 Specifies a <value>curve</value> for ECDHE ciphers.
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	326 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	327
1711 38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	328 <para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	329 When using OpenSSL 1.0.2 or higher,
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	330 it is possible to specify multiple curves (1.11.0), for example:
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	331 <example>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	332 ssl_ecdh_curve prime256v1:secp384r1;
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	333 </example>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	334 </para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	335
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	336 <para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	337 The special value <literal>auto</literal> (1.11.0) instructs nginx to use
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	338 a list built into the OpenSSL library when using OpenSSL 1.0.2 or higher,
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	339 or <literal>prime256v1</literal> with older versions.
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	340 </para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	341
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	342 <para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	343 <note>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	344 Prior to version 1.11.0,
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	345 the <literal>prime256v1</literal> curve was used by default.
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	346 </note>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	347 </para>
38fb3e6b71e8 Documented ssl_ecdh_curve changes in 1.11.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1706 diff changeset	348
2648 78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	349 <para>
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	350 <note>
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	351 When using OpenSSL 1.0.2 or higher,
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	352 this directive sets the list of curves supported by the server.
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	353 Thus, in order for ECDSA certificates to work,
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	354 it is important to include the curves used in the certificates.
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	355 </note>
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	356 </para>
78161967514f Mentioned ECDSA in ssl_ecdh_curve. Yaroslav Zhuravlev <yar@nginx.com> parents: 2616 diff changeset	357
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	358 </directive>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	359
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	360
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	361 <directive name="ssl_password_file">
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	362 <syntax><value>file</value></syntax>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	363 <default/>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	364 <context>mail</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	365 <context>server</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	366 <appeared-in>1.7.3</appeared-in>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	367
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	368 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	369 Specifies a <value>file</value> with passphrases for
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	370 <link id="ssl_certificate_key">secret keys</link>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	371 where each passphrase is specified on a separate line.
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	372 Passphrases are tried in turn when loading the key.
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	373 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	374
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	375 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	376 Example:
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	377 <example>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	378 mail {
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	379 ssl_password_file /etc/keys/global.pass;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	380 ...
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	381
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	382 server {
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	383 server_name mail1.example.com;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	384 ssl_certificate_key /etc/keys/first.key;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	385 }
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	386
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	387 server {
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	388 server_name mail2.example.com;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	389
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	390 # named pipe can also be used instead of a file
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	391 ssl_password_file /etc/keys/fifo;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	392 ssl_certificate_key /etc/keys/second.key;
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	393 }
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	394 }
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	395 </example>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	396 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	397
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	398 </directive>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	399
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	400
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	401 <directive name="ssl_prefer_server_ciphers">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	402 <syntax><literal>on</literal> \| <literal>off</literal></syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	403 <default>off</default>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	404 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	405 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	406
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	407 <para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	408 Specifies that server ciphers should be preferred over client ciphers
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	409 when the SSLv3 and TLS protocols are used.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	410 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	411
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	412 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	413
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	414
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	415 <directive name="ssl_protocols">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	416 <syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	417 [<literal>SSLv2</literal>]
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	418 [<literal>SSLv3</literal>]
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	419 [<literal>TLSv1</literal>]
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	420 [<literal>TLSv1.1</literal>]
1978 8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	421 [<literal>TLSv1.2</literal>]
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	422 [<literal>TLSv1.3</literal>]</syntax>
1499 3687cc9a3592 Removed SSLv3 from the default value of ssl_protocols and friends. Yaroslav Zhuravlev <yar@nginx.com> parents: 1456 diff changeset	423 <default>TLSv1 TLSv1.1 TLSv1.2</default>
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	424 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	425 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	426
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	427 <para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	428 Enables the specified protocols.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	429 <note>
1978 8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	430 The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	431 (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	432 </note>
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	433 <note>
8f1a568a8bbf Documented "TLSv1.3" parameter of the "ssl_protocols" directive. Sergey Kandaurov <pluknet@nginx.com> parents: 1924 diff changeset	434 The <literal>TLSv1.3</literal> parameter (1.13.0) works only when
2769 16f6fa718be2 Updated TLSv1.3 support notes. Sergey Kandaurov <pluknet@nginx.com> parents: 2648 diff changeset	435 OpenSSL 1.1.1 or higher is used.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	436 </note>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	437 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	438
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	439 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	440
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	441
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	442 <directive name="ssl_session_cache">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	443 <syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	444 <literal>off</literal> \|
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	445 <literal>none</literal> \|
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	446 [<literal>builtin</literal>[:<value>size</value>]]
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	447 [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	448 <default>none</default>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	449 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	450 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	451
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	452 <para>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	453 Sets the types and sizes of caches that store session parameters.
95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	454 A cache can be of any of the following types:
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	455 <list type="tag">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	456
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	457 <tag-name><literal>off</literal></tag-name>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	458 <tag-desc>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	459 the use of a session cache is strictly prohibited:
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	460 nginx explicitly tells a client that sessions may not be reused.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	461 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	462
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	463 <tag-name><literal>none</literal></tag-name>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	464 <tag-desc>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	465 the use of a session cache is gently disallowed:
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	466 nginx tells a client that sessions may be reused, but does not
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	467 actually store session parameters in the cache.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	468 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	469
2068 3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	470 <tag-name id="ssl_session_cache_builtin"><literal>builtin</literal></tag-name>
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	471 <tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	472 a cache built in OpenSSL; used by one worker process only.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	473 The cache size is specified in sessions.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	474 If size is not given, it is equal to 20480 sessions.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	475 Use of the built-in cache can cause memory fragmentation.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	476 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	477
2068 3d9e7993c201 Added links to directives in the example of ssl modules. Yaroslav Zhuravlev <yar@nginx.com> parents: 1978 diff changeset	478 <tag-name id="ssl_session_cache_shared"><literal>shared</literal></tag-name>
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	479 <tag-desc>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	480 a cache shared between all worker processes.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	481 The cache size is specified in bytes; one megabyte can store
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	482 about 4000 sessions.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	483 Each shared cache should have an arbitrary name.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	484 A cache with the same name can be used in several
751 9c1ffd02f1b7 Removed "virtual" and HTTPS references from mail modules. Vladimir Homutov <vl@nginx.com> parents: 664 diff changeset	485 servers.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	486 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	487
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	488 </list>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	489 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	490
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	491 <para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	492 Both cache types can be used simultaneously, for example:
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	493 <example>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	494 ssl_session_cache builtin:1000 shared:SSL:10m;
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	495 </example>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	496 but using only shared cache without the built-in cache should
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	497 be more efficient.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	498 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	499
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	500 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	501
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	502
1019 2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	503 <directive name="ssl_session_ticket_key">
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	504 <syntax><value>file</value></syntax>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	505 <default/>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	506 <context>mail</context>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	507 <context>server</context>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	508 <appeared-in>1.5.7</appeared-in>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	509
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	510 <para>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	511 Sets a <value>file</value> with the secret key used to encrypt
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	512 and decrypt TLS session tickets.
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	513 The directive is necessary if the same key has to be shared between
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	514 multiple servers.
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	515 By default, a randomly generated key is used.
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	516 </para>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	517
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	518 <para>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	519 If several keys are specified, only the first key is
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	520 used to encrypt TLS session tickets.
1144 ac131944d349 Changed infinitive to gerund after "allow". Yaroslav Zhuravlev <yar@nginx.com> parents: 1019 diff changeset	521 This allows configuring key rotation, for example:
1019 2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	522 <example>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	523 ssl_session_ticket_key current.key;
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	524 ssl_session_ticket_key previous.key;
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	525 </example>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	526 </para>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	527
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	528 <para>
1877 aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys. Maxim Dounin <mdounin@mdounin.ru> parents: 1785 diff changeset	529 The <value>file</value> must contain 80 or 48 bytes
aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys. Maxim Dounin <mdounin@mdounin.ru> parents: 1785 diff changeset	530 of random data and can be created using the following command:
1019 2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	531 <example>
1877 aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys. Maxim Dounin <mdounin@mdounin.ru> parents: 1785 diff changeset	532 openssl rand 80 > ticket.key
1019 2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	533 </example>
1877 aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys. Maxim Dounin <mdounin@mdounin.ru> parents: 1785 diff changeset	534 Depending on the file size either AES256 (for 80-byte keys, 1.11.8)
aa29a64a5e9d Documented ssl_session_ticket_key 80-byte keys. Maxim Dounin <mdounin@mdounin.ru> parents: 1785 diff changeset	535 or AES128 (for 48-byte keys) is used for encryption.
1019 2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	536 </para>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	537
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	538 </directive>
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	539
2b6a858c60dc Documented the "ssl_session_ticket_key" directive in http and mail. Vladimir Homutov <vl@nginx.com> parents: 966 diff changeset	540
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	541 <directive name="ssl_session_tickets">
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	542 <syntax><literal>on</literal> \| <literal>off</literal></syntax>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	543 <default>on</default>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	544 <context>mail</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	545 <context>server</context>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	546 <appeared-in>1.5.9</appeared-in>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	547
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	548 <para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	549 Enables or disables session resumption through
1923 66a30a380fba Fixed links to tools.ietf.org. Ruslan Ermilov <ru@nginx.com> parents: 1877 diff changeset	550 <link url="https://tools.ietf.org/html/rfc5077">TLS session tickets</link>.
1266 35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	551 </para>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	552
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	553 </directive>
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	554
35d6ac64bf27 Documented five directives in the mail ssl module. Yaroslav Zhuravlev <yar@nginx.com> parents: 1144 diff changeset	555
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	556 <directive name="ssl_session_timeout">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	557 <syntax><value>time</value></syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	558 <default>5m</default>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	559 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	560 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	561
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	562 <para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	563 Specifies a time during which a client may reuse the
1785 3fa0944ddc6a Removed info about session cache from ssl_session_timeout. Yaroslav Zhuravlev <yar@nginx.com> parents: 1726 diff changeset	564 session parameters.
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	565 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	566
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	567 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	568
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	569
1429 06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	570 <directive name="ssl_trusted_certificate">
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	571 <syntax><value>file</value></syntax>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	572 <default/>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	573 <context>mail</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	574 <context>server</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	575 <appeared-in>1.7.11</appeared-in>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	576
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	577 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	578 Specifies a <value>file</value> with trusted CA certificates in the PEM format
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	579 used to <link id="ssl_verify_client">verify</link> client certificates.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	580 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	581
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	582 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	583 In contrast to the certificate set by <link id="ssl_client_certificate"/>,
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	584 the list of these certificates will not be sent to clients.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	585 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	586
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	587 </directive>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	588
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	589
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	590 <directive name="ssl_verify_client">
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	591 <syntax>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	592 <literal>on</literal> \| <literal>off</literal> \|
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	593 <literal>optional</literal> \| <literal>optional_no_ca</literal></syntax>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	594 <default>off</default>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	595 <context>mail</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	596 <context>server</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	597 <appeared-in>1.7.11</appeared-in>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	598
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	599 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	600 Enables verification of client certificates.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	601 The verification result is passed in the
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	602 <header>Auth-SSL-Verify</header> header of the
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	603 <link doc="ngx_mail_auth_http_module.xml" id="auth_http">authentication</link>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	604 request.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	605 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	606
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	607 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	608 The <literal>optional</literal> parameter requests the client
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	609 certificate and verifies it if the certificate is present.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	610 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	611
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	612 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	613 The <literal>optional_no_ca</literal> parameter
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	614 requests the client
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	615 certificate but does not require it to be signed by a trusted CA certificate.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	616 This is intended for the use in cases when a service that is external to nginx
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	617 performs the actual certificate verification.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	618 The contents of the certificate is accessible through requests
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	619 <link doc="ngx_mail_auth_http_module.xml"
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	620 id="auth_http_pass_client_cert">sent</link>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	621 to the authentication server.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	622 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	623
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	624 </directive>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	625
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	626
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	627 <directive name="ssl_verify_depth">
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	628 <syntax><value>number</value></syntax>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	629 <default>1</default>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	630 <context>mail</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	631 <context>server</context>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	632 <appeared-in>1.7.11</appeared-in>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	633
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	634 <para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	635 Sets the verification depth in the client certificates chain.
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	636 </para>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	637
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	638 </directive>
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	639
06322891b4e3 Client certificate directives in mail_ssl_module and associates. Sergey Kandaurov <pluknet@nginx.com> parents: 1266 diff changeset	640
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	641 <directive name="starttls">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	642 <syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	643 <literal>on</literal> \|
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	644 <literal>off</literal> \|
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	645 <literal>only</literal></syntax>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	646 <default>off</default>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	647 <context>mail</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	648 <context>server</context>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	649
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	650 <para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	651 <list type="tag">
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	652
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	653 <tag-name><literal>on</literal></tag-name>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	654 <tag-desc>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	655 allow usage of the <literal>STLS</literal> command for the POP3
1924 237a10fb98d2 Clarified imap/pop3/smtp_capabilities and starttls interaction. Sergey Kandaurov <pluknet@nginx.com> parents: 1923 diff changeset	656 and the <literal>STARTTLS</literal> command for the IMAP and SMTP;
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	657 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	658
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	659 <tag-name><literal>off</literal></tag-name>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	660 <tag-desc>
966 95c3c3bbf1ce Text review. Egor Nikitin <yegor.nikitin@gmail.com> parents: 751 diff changeset	661 deny usage of the <literal>STLS</literal>
664 8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	662 and <literal>STARTTLS</literal> commands;
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	663 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	664
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	665 <tag-name><literal>only</literal></tag-name>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	666 <tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	667 require preliminary TLS transition.
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	668 </tag-desc>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	669
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	670 </list>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	671 </para>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	672
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	673 </directive>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	674
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	675 </section>
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	676
8283b1048b27 Translated mail modules into English. Vladimir Homutov <vl@nginx.com> parents: diff changeset	677 </module>

Mercurial > hg > nginx-site

annotate xml/en/docs/mail/ngx_mail_ssl_module.xml @ 2769:16f6fa718be2