Mercurial > hg > nginx-site
comparison xml/en/docs/mail/ngx_mail_ssl_module.xml @ 1429:06322891b4e3
Client certificate directives in mail_ssl_module and associates.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Sat, 28 Feb 2015 00:31:18 +0300 |
| parents | 35d6ac64bf27 |
| children | acba294382d6 |
comparison
equal
deleted
inserted
replaced
| 1428:933831d7bf0b | 1429:06322891b4e3 |
|---|---|
| 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> | 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> |
| 9 | 9 |
| 10 <module name="Module ngx_mail_ssl_module" | 10 <module name="Module ngx_mail_ssl_module" |
| 11 link="/en/docs/mail/ngx_mail_ssl_module.html" | 11 link="/en/docs/mail/ngx_mail_ssl_module.html" |
| 12 lang="en" | 12 lang="en" |
| 13 rev="4"> | 13 rev="5"> |
| 14 | 14 |
| 15 <section id="summary"> | 15 <section id="summary"> |
| 16 | 16 |
| 17 <para> | 17 <para> |
| 18 The <literal>ngx_mail_ssl_module</literal> module provides the necessary | 18 The <literal>ngx_mail_ssl_module</literal> module provides the necessary |
| 103 <note> | 103 <note> |
| 104 The previous versions of nginx used | 104 The previous versions of nginx used |
| 105 <link doc="../http/configuring_https_servers.xml" id="compatibility">different</link> | 105 <link doc="../http/configuring_https_servers.xml" id="compatibility">different</link> |
| 106 ciphers by default. | 106 ciphers by default. |
| 107 </note> | 107 </note> |
| 108 </para> | |
| 109 | |
| 110 </directive> | |
| 111 | |
| 112 | |
| 113 <directive name="ssl_client_certificate"> | |
| 114 <syntax><value>file</value></syntax> | |
| 115 <default/> | |
| 116 <context>mail</context> | |
| 117 <context>server</context> | |
| 118 <appeared-in>1.7.11</appeared-in> | |
| 119 | |
| 120 <para> | |
| 121 Specifies a <value>file</value> with trusted CA certificates in the PEM format | |
| 122 used to <link id="ssl_verify_client">verify</link> client certificates. | |
| 123 </para> | |
| 124 | |
| 125 <para> | |
| 126 The list of certificates will be sent to clients. | |
| 127 If this is not desired, the <link id="ssl_trusted_certificate"/> | |
| 128 directive can be used. | |
| 129 </para> | |
| 130 | |
| 131 </directive> | |
| 132 | |
| 133 | |
| 134 <directive name="ssl_crl"> | |
| 135 <syntax><value>file</value></syntax> | |
| 136 <default/> | |
| 137 <context>mail</context> | |
| 138 <context>server</context> | |
| 139 <appeared-in>1.7.11</appeared-in> | |
| 140 | |
| 141 <para> | |
| 142 Specifies a <value>file</value> with revoked certificates (CRL) | |
| 143 in the PEM format used to <link id="ssl_verify_client">verify</link> | |
| 144 client certificates. | |
| 108 </para> | 145 </para> |
| 109 | 146 |
| 110 </directive> | 147 </directive> |
| 111 | 148 |
| 112 | 149 |
| 344 </para> | 381 </para> |
| 345 | 382 |
| 346 </directive> | 383 </directive> |
| 347 | 384 |
| 348 | 385 |
| 386 <directive name="ssl_trusted_certificate"> | |
| 387 <syntax><value>file</value></syntax> | |
| 388 <default/> | |
| 389 <context>mail</context> | |
| 390 <context>server</context> | |
| 391 <appeared-in>1.7.11</appeared-in> | |
| 392 | |
| 393 <para> | |
| 394 Specifies a <value>file</value> with trusted CA certificates in the PEM format | |
| 395 used to <link id="ssl_verify_client">verify</link> client certificates. | |
| 396 </para> | |
| 397 | |
| 398 <para> | |
| 399 In contrast to the certificate set by <link id="ssl_client_certificate"/>, | |
| 400 the list of these certificates will not be sent to clients. | |
| 401 </para> | |
| 402 | |
| 403 </directive> | |
| 404 | |
| 405 | |
| 406 <directive name="ssl_verify_client"> | |
| 407 <syntax> | |
| 408 <literal>on</literal> | <literal>off</literal> | | |
| 409 <literal>optional</literal> | <literal>optional_no_ca</literal></syntax> | |
| 410 <default>off</default> | |
| 411 <context>mail</context> | |
| 412 <context>server</context> | |
| 413 <appeared-in>1.7.11</appeared-in> | |
| 414 | |
| 415 <para> | |
| 416 Enables verification of client certificates. | |
| 417 The verification result is passed in the | |
| 418 <header>Auth-SSL-Verify</header> header of the | |
| 419 <link doc="ngx_mail_auth_http_module.xml" id="auth_http">authentication</link> | |
| 420 request. | |
| 421 </para> | |
| 422 | |
| 423 <para> | |
| 424 The <literal>optional</literal> parameter requests the client | |
| 425 certificate and verifies it if the certificate is present. | |
| 426 </para> | |
| 427 | |
| 428 <para> | |
| 429 The <literal>optional_no_ca</literal> parameter | |
| 430 requests the client | |
| 431 certificate but does not require it to be signed by a trusted CA certificate. | |
| 432 This is intended for the use in cases when a service that is external to nginx | |
| 433 performs the actual certificate verification. | |
| 434 The contents of the certificate is accessible through requests | |
| 435 <link doc="ngx_mail_auth_http_module.xml" | |
| 436 id="auth_http_pass_client_cert">sent</link> | |
| 437 to the authentication server. | |
| 438 </para> | |
| 439 | |
| 440 </directive> | |
| 441 | |
| 442 | |
| 443 <directive name="ssl_verify_depth"> | |
| 444 <syntax><value>number</value></syntax> | |
| 445 <default>1</default> | |
| 446 <context>mail</context> | |
| 447 <context>server</context> | |
| 448 <appeared-in>1.7.11</appeared-in> | |
| 449 | |
| 450 <para> | |
| 451 Sets the verification depth in the client certificates chain. | |
| 452 </para> | |
| 453 | |
| 454 </directive> | |
| 455 | |
| 456 | |
| 349 <directive name="starttls"> | 457 <directive name="starttls"> |
| 350 <syntax> | 458 <syntax> |
| 351 <literal>on</literal> | | 459 <literal>on</literal> | |
| 352 <literal>off</literal> | | 460 <literal>off</literal> | |
| 353 <literal>only</literal></syntax> | 461 <literal>only</literal></syntax> |