Mercurial > hg > nginx-site
comparison xml/en/docs/mail/ngx_mail_ssl_module.xml @ 1429:06322891b4e3
Client certificate directives in mail_ssl_module and associates.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Sat, 28 Feb 2015 00:31:18 +0300 |
parents | 35d6ac64bf27 |
children | acba294382d6 |
1428:933831d7bf0b | 1429:06322891b4e3 |
---|---|
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> | 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> |
9 | 9 |
10 <module name="Module ngx_mail_ssl_module" | 10 <module name="Module ngx_mail_ssl_module" |
11 link="/en/docs/mail/ngx_mail_ssl_module.html" | 11 link="/en/docs/mail/ngx_mail_ssl_module.html" |
12 lang="en" | 12 lang="en" |
13 rev="4"> | 13 rev="5"> |
14 | 14 |
15 <section id="summary"> | 15 <section id="summary"> |
16 | 16 |
17 <para> | 17 <para> |
18 The <literal>ngx_mail_ssl_module</literal> module provides the necessary | 18 The <literal>ngx_mail_ssl_module</literal> module provides the necessary |
103 <note> | 103 <note> |
104 The previous versions of nginx used | 104 The previous versions of nginx used |
105 <link doc="../http/configuring_https_servers.xml" id="compatibility">different</link> | 105 <link doc="../http/configuring_https_servers.xml" id="compatibility">different</link> |
106 ciphers by default. | 106 ciphers by default. |
107 </note> | 107 </note> |
108 </para> | |
109 | |
110 </directive> | |
111 | |
112 | |
113 <directive name="ssl_client_certificate"> | |
114 <syntax><value>file</value></syntax> | |
115 <default/> | |
116 <context>mail</context> | |
117 <context>server</context> | |
118 <appeared-in>1.7.11</appeared-in> | |
119 | |
120 <para> | |
121 Specifies a <value>file</value> with trusted CA certificates in the PEM format | |
122 used to <link id="ssl_verify_client">verify</link> client certificates. | |
123 </para> | |
124 | |
125 <para> | |
126 The list of certificates will be sent to clients. | |
127 If this is not desired, the <link id="ssl_trusted_certificate"/> | |
128 directive can be used. | |
129 </para> | |
130 | |
131 </directive> | |
132 | |
133 | |
134 <directive name="ssl_crl"> | |
135 <syntax><value>file</value></syntax> | |
136 <default/> | |
137 <context>mail</context> | |
138 <context>server</context> | |
139 <appeared-in>1.7.11</appeared-in> | |
140 | |
141 <para> | |
142 Specifies a <value>file</value> with revoked certificates (CRL) | |
143 in the PEM format used to <link id="ssl_verify_client">verify</link> | |
144 client certificates. | |
108 </para> | 145 </para> |
109 | 146 |
110 </directive> | 147 </directive> |
111 | 148 |
112 | 149 |
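Review bot: in the new ssl_client_certificate entry, "The list of certificates will be sent to clients" does not say what is actually disclosed (the certificates themselves or only the CA names) or at which point of the handshake. Since the only stated reason to pick ssl_trusted_certificate instead is "If this is not desired", an operator needs that detail to decide; suggest one more sentence spelling it out. The ssl_crl entry would also benefit from saying whether the file must cover every CA in the chain or only the issuing CA, as the text currently says only that it is "used to verify client certificates".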
344 </para> | 381 </para> |
345 | 382 |
346 </directive> | 383 </directive> |
347 | 384 |
348 | 385 |
386 <directive name="ssl_trusted_certificate"> | |
387 <syntax><value>file</value></syntax> | |
388 <default/> | |
389 <context>mail</context> | |
390 <context>server</context> | |
391 <appeared-in>1.7.11</appeared-in> | |
392 | |
393 <para> | |
394 Specifies a <value>file</value> with trusted CA certificates in the PEM format | |
395 used to <link id="ssl_verify_client">verify</link> client certificates. | |
396 </para> | |
397 | |
398 <para> | |
399 In contrast to the certificate set by <link id="ssl_client_certificate"/>, | |
400 the list of these certificates will not be sent to clients. | |
401 </para> | |
402 | |
403 </directive> | |
404 | |
405 | |
406 <directive name="ssl_verify_client"> | |
407 <syntax> | |
408 <literal>on</literal> | <literal>off</literal> | | |
409 <literal>optional</literal> | <literal>optional_no_ca</literal></syntax> | |
410 <default>off</default> | |
411 <context>mail</context> | |
412 <context>server</context> | |
413 <appeared-in>1.7.11</appeared-in> | |
414 | |
415 <para> | |
416 Enables verification of client certificates. | |
417 The verification result is passed in the | |
418 <header>Auth-SSL-Verify</header> header of the | |
419 <link doc="ngx_mail_auth_http_module.xml" id="auth_http">authentication</link> | |
420 request. | |
421 </para> | |
422 | |
423 <para> | |
424 The <literal>optional</literal> parameter requests the client | |
425 certificate and verifies it if the certificate is present. | |
426 </para> | |
427 | |
428 <para> | |
429 The <literal>optional_no_ca</literal> parameter | |
430 requests the client | |
431 certificate but does not require it to be signed by a trusted CA certificate. | |
432 This is intended for the use in cases when a service that is external to nginx | |
433 performs the actual certificate verification. | |
434 The contents of the certificate is accessible through requests | |
435 <link doc="ngx_mail_auth_http_module.xml" | |
436 id="auth_http_pass_client_cert">sent</link> | |
437 to the authentication server. | |
438 </para> | |
439 | |
440 </directive> | |
441 | |
442 | |
443 <directive name="ssl_verify_depth"> | |
444 <syntax><value>number</value></syntax> | |
445 <default>1</default> | |
446 <context>mail</context> | |
447 <context>server</context> | |
448 <appeared-in>1.7.11</appeared-in> | |
449 | |
450 <para> | |
451 Sets the verification depth in the client certificates chain. | |
452 </para> | |
453 | |
454 </directive> | |
455 | |
456 | |
349 <directive name="starttls"> | 457 <directive name="starttls"> |
350 <syntax> | 458 <syntax> |
351 <literal>on</literal> | | 459 <literal>on</literal> | |
352 <literal>off</literal> | | 460 <literal>off</literal> | |
353 <literal>only</literal></syntax> | 461 <literal>only</literal></syntax> |
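Review bot: the ssl_verify_client entry documents optional and optional_no_ca but never says what on does, and nowhere states what happens to the session when verification fails. The text says only that the result "is passed in the Auth-SSL-Verify header of the authentication request", so a reader cannot tell whether nginx itself rejects the client or whether the authentication server is expected to check the header and refuse the login; that matters most for optional and optional_no_ca. Suggest adding a sentence for on, listing the values the header can carry, and stating explicitly who enforces the result. Two wording fixes in the same entry: "for the use in cases" should read "for use in cases", and "The contents of the certificate is accessible" should read "are accessible". In ssl_verify_depth, consider saying what a depth of 1 permits, since the default will matter to anyone using an intermediate CA.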