Diffstat (limited to 'docs')
-rw-r--r--  docs/conf/extra/httpd-ssl.conf.in    6
-rw-r--r--  docs/log-message-tags/next-number    2
-rw-r--r--  docs/manual/mod/mod_ssl.xml         42
-rw-r--r--  docs/manual/ssl/ssl_faq.xml         21
4 files changed, 70 insertions, 1 deletions
diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index 1e822a31a1..898a99628c 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in @@ -157,6 +157,12 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key" #SSLVerifyClient require #SSLVerifyDepth 10 +# TLS-SRP mutual authentication: +# Enable TLS-SRP and set the path to the OpenSSL SRP verifier +# file (containing login information for SRP user accounts). See +# the mod_ssl FAQ for instructions on creating this file. +#SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv" + # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number index 2c9fd9df4d..c6b57b0fe0 100644 --- a/docs/log-message-tags/next-number +++ b/docs/log-message-tags/next-number @@ -1 +1 @@ -2308 +2311 diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index f1e9713c5b..0b8403a7d1 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -96,6 +96,8 @@ compatibility variables.</p> <tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> <tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr> <tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr> +<tr><td><code>SSL_SRP_USER</code></td> <td>string</td> <td>SRP username</td></tr> +<tr><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr> </table> <p><em>x509</em> specifies a component of an X.509 DN; one of 
@@ -670,6 +672,7 @@ specify the preference and order for the ciphers (see <a href="#table1">Table <tr><td><code>kDHr</code></td> <td>Diffie-Hellman key exchange with RSA key</td></tr> <tr><td><code>kDHd</code></td> <td>Diffie-Hellman key exchange with DSA key</td></tr> <tr><td><code>kEDH</code></td> <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td> </tr> +<tr><td><code>kSRP</code></td> <td>Secure Remote Password (SRP) key exchange</td></tr> <tr><td colspan="2"><em>Authentication Algorithm:</em></td></tr> <tr><td><code>aNULL</code></td> <td>No authentication</td></tr> <tr><td><code>aRSA</code></td> <td>RSA authentication</td></tr> @@ -700,6 +703,7 @@ specify the preference and order for the ciphers (see <a href="#table1">Table <tr><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> <tr><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> <tr><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> +<tr><td><code>SRP</code></td> <td>all ciphers using Secure Remote Password (SRP) key exchange</td> </tr> <tr><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> <tr><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> </table> 
@@ -1181,6 +1185,44 @@ SSLVerifyDepth 10 </directivesynopsis> <directivesynopsis> +<name>SSLSRPVerifierFile</name> +<description>Path to SRP verifier file</description> +<syntax>SSLSRPVerifierFile <em>file-path</em></syntax> +<contextlist><context>server config</context> +<context>virtual host</context></contextlist> + +<usage> +<p> +This directive enables TLS-SRP and sets the path to the OpenSSL SRP (Secure +Remote Password) verifier file containing TLS-SRP usernames, verifiers, salts, +and group parameters.</p> +<example><title>Example</title> +SSLSRPVerifierFile "/path/to/file.srpv" +</example> +</usage> +</directivesynopsis> + +<directivesynopsis> +<name>SSLSRPUnknownUserSeed</name> +<description>SRP unknown user seed</description> +<syntax>SSLSRPUnknownUserSeed <em>secret-string</em></syntax> +<contextlist><context>server config</context> +<context>virtual host</context></contextlist> + +<usage> +<p> +This directive sets the seed used to fake SRP user parameters for unknown +users, to avoid leaking whether a given user exists. Specify a secret +string. If this directive is not used, then Apache will return the +UNKNOWN_PSK_IDENTITY alert to clients who specify an unknown username. +</p> +<example><title>Example</title> +SSLSRPUnknownUserSeed "secret" +</example> +</usage> +</directivesynopsis> + +<directivesynopsis> <name>SSLOptions</name> <description>Configure various SSL engine run-time options</description> <syntax>SSLOptions [+|-]<em>option</em> ...</syntax> diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index a7e36f8833..cf5dd127ef 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml 
@@ -719,6 +719,27 @@ SetEnvIf User-Agent "MSIE [2-5]" \ or otherwise.</p> </section> +<section id="srp"><title>How do I enable TLS-SRP?</title> + <p>TLS-SRP (Secure Remote Password key exchange for TLS, specified in RFC 5054) + can supplement or replace certificates in authenticating an SSL connection. + To use TLS-SRP, set the + <directive module="mod_ssl">SSLSRPVerifierFile</directive> directive to + point to an OpenSSL SRP verifier file. To create the verifier file, use the + <code>openssl</code> tool:</p> + <example> + openssl srp -srpvfile passwd.srpv -add username + </example> + <p>After creating this file, specify it in the SSL server configuration:</p> + <example> + SSLSRPVerifierFile /path/to/passwd.srpv + </example> + <p>To force clients to use non-certificate TLS-SRP cipher suites, use the + following directive:</p> + <example> + SSLCipherSuite "!DSS:!aRSA:SRP" + </example> +</section> + </section> <!-- /aboutssl --> |
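Review bot: the new comment block in httpd-ssl.conf.in describes passwd.srpv as "containing login information for SRP user accounts" but gives no guidance on protecting it; the salts and verifiers it holds are exactly the material an offline password-guessing attack would need, so the comment should tell administrators to keep the file readable by the server process only, for example by adding a line such as `# Protect this file like a password database (readable by the server only).` ahead of the commented-out `#SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv"` line.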
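Review bot: the next-number bump from 2308 to 2311 reserves three log-message tags, but this Diffstat is limited to 'docs', so the APLOGNO() call sites are not visible here; please confirm that the accompanying modules/ssl change uses exactly 02308, 02309 and 02310 and nothing else, otherwise the reserved range and the tags actually emitted drift apart.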
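Review bot: the description "SRP user info" for the new SSL_SRP_USERINFO row in the environment-variable table does not tell the reader what the value contains; presumably it is the optional user-info string stored with the user's entry in the verifier file, and if so the row should say that. Both new rows (SSL_SRP_USER and SSL_SRP_USERINFO) should also state when they are set, e.g. only on connections where an SRP cipher suite was negotiated, so that an SSLRequire expression or CGI consumer can tell an absent SRP login apart from an empty user-info field.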
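Review bot: the SSLSRPUnknownUserSeed usage text and its example `SSLSRPUnknownUserSeed "secret"` should state that the seed has to be an unpredictable value kept confidential with the rest of the configuration, and that it must stay the same across restarts: the fake parameters for an unknown username are derived from it, so a seed that changes would make those parameters vary between connections while real users' parameters stay fixed, which defeats the purpose described in the first sentence. The text should also say plainly that without this directive the UNKNOWN_PSK_IDENTITY alert lets a client learn which usernames exist, and recommend setting the directive whenever SSLSRPVerifierFile is enabled. For the SSLSRPVerifierFile synopsis, consider documenting whether a relative <em>file-path</em> is resolved against ServerRoot, as readers will expect from the other file-path directives in mod_ssl, and which OpenSSL version the feature requires.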
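Review bot: the FAQ step `openssl srp -srpvfile passwd.srpv -add username` fails when passwd.srpv does not already exist, because the srp tool opens an existing verifier database rather than creating one (please confirm against the OpenSSL versions httpd targets); the section should say to create an empty file first and should mention the `-gn` option for selecting the RFC 5054 group when the tool's default is not the one wanted. The paragraph around `SSLCipherSuite "!DSS:!aRSA:SRP"` should also spell out its effect: `!DSS` and `!aRSA` permanently remove every certificate-authenticated suite, including the SRP variants that additionally use an RSA or DSS server certificate, so only the SRP-only suites remain and clients without SRP credentials can no longer connect to that host. Since the new SSLSRPUnknownUserSeed directive exists precisely because the default UNKNOWN_PSK_IDENTITY behaviour reveals which usernames are valid, this how-to should reference it as part of enabling TLS-SRP. Minor: the FAQ writes `SSLSRPVerifierFile /path/to/passwd.srpv` unquoted while the directive reference quotes the path; pick one form.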