Repository: nginx-site (Mercurial)
changeset 1266:35d6ac64bf27
Documented five directives in the mail ssl module.
The following directives were documented:
ssl_ciphers, ssl_dhparam, ssl_ecdh_curve, ssl_password_file, ssl_session_tickets.
author | Yaroslav Zhuravlev <yar@nginx.com> |
---|---|
date | Tue, 05 Aug 2014 19:07:39 +0400 |
parents | ba6da8f0ecd2 |
children | cf2f93ab8df9 |
files | xml/en/docs/mail/ngx_mail_ssl_module.xml xml/ru/docs/mail/ngx_mail_ssl_module.xml |
diffstat | 2 files changed, 232 insertions(+), 2 deletions(-) [+] |
line diff
--- a/xml/en/docs/mail/ngx_mail_ssl_module.xml +++ b/xml/en/docs/mail/ngx_mail_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_mail_ssl_module" link="/en/docs/mail/ngx_mail_ssl_module.html" lang="en" - rev="3"> + rev="4"> <section id="summary"> 
@@ -79,6 +79,106 @@ server. </directive> +<directive name="ssl_ciphers"> +<syntax><value>ciphers</value></syntax> +<default>HIGH:!aNULL:!MD5</default> +<context>mail</context> +<context>server</context> + +<para> +Specifies the enabled ciphers. +The ciphers are specified in the format understood by the +OpenSSL library, for example: +<example> +ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; +</example> +</para> + +<para> +The full list can be viewed using the +“<command>openssl ciphers</command>” command. +</para> + +<para> +<note> +The previous versions of nginx used +<link doc="../http/configuring_https_servers.xml" id="compatibility">different</link> +ciphers by default. +</note> +</para> + +</directive> + + +<directive name="ssl_dhparam"> +<syntax><value>file</value></syntax> +<default/> +<context>mail</context> +<context>server</context> +<appeared-in>0.7.2</appeared-in> + +<para> +Specifies a <value>file</value> with DH parameters for EDH ciphers. +</para> + +</directive> + + +<directive name="ssl_ecdh_curve"> +<syntax><value>curve</value></syntax> +<default>prime256v1</default> +<context>mail</context> +<context>server</context> +<appeared-in>1.1.0</appeared-in> +<appeared-in>1.0.6</appeared-in> + +<para> +Specifies a <value>curve</value> for ECDHE ciphers. +</para> + +</directive> + + +<directive name="ssl_password_file"> +<syntax><value>file</value></syntax> +<default/> +<context>mail</context> +<context>server</context> +<appeared-in>1.7.3</appeared-in> + +<para> +Specifies a <value>file</value> with passphrases for +<link id="ssl_certificate_key">secret keys</link> +where each passphrase is specified on a separate line. +Passphrases are tried in turn when loading the key. +</para> + +<para> +Example: +<example> +mail { + ssl_password_file /etc/keys/global.pass; + ... 
+ + server { + server_name mail1.example.com; + ssl_certificate_key /etc/keys/first.key; + } + + server { + server_name mail2.example.com; + + # named pipe can also be used instead of a file + ssl_password_file /etc/keys/fifo; + ssl_certificate_key /etc/keys/second.key; + } +} +</example> +</para> + +</directive> + + <directive name="ssl_prefer_server_ciphers"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> @@ -217,6 +317,21 @@ openssl rand 48 > ticket.key </directive> +<directive name="ssl_session_tickets"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>on</default> +<context>mail</context> +<context>server</context> +<appeared-in>1.5.9</appeared-in> + +<para> +Enables or disables session resumption through +<link url="http://tools.ietf.org/html/rfc5077">TLS session tickets</link>. +</para> + +</directive> + + <directive name="ssl_session_timeout"> <syntax><value>time</value></syntax> <default>5m</default>
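Review bot: the ssl_ciphers example in this hunk, `ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;`, is weaker than the `HIGH:!aNULL:!MD5` default documented a few lines above it: it admits RC4, LOW, EXP and SSLv2 suites, so a reader who copies it downgrades from the default without being told so. Suggest an example that is no weaker than the default (a string that starts from HIGH and only subtracts), or at minimum a sentence saying the string illustrates the OpenSSL syntax and is not a recommended value. Two smaller documentation points in the same hunk: ssl_dhparam says only that the file holds DH parameters for EDH ciphers, so it should state whether any default applies when the directive is absent; and ssl_password_file should say at what point the passphrase file is read, since the named-pipe variant in the example only works if a writer is present at that moment.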
--- a/xml/ru/docs/mail/ngx_mail_ssl_module.xml +++ b/xml/ru/docs/mail/ngx_mail_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_mail_ssl_module" link="/ru/docs/mail/ngx_mail_ssl_module.html" lang="ru" - rev="3"> + rev="4"> <section id="summary"> 
@@ -79,6 +79,106 @@ </directive> +<directive name="ssl_ciphers"> +<syntax><value>шифры</value></syntax> +<default>HIGH:!aNULL:!MD5</default> +<context>mail</context> +<context>server</context> + +<para> +Описывает разрешённые шифры. +Шифры задаются в формате, поддерживаемом библиотекой +OpenSSL, например: +<example> +ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; +</example> +</para> + +<para> +Полный список можно посмотреть с помощью команды +“<command>openssl ciphers</command>”. +</para> + +<para> +<note> +В предыдущих версиях nginx по умолчанию использовались +<link doc="../http/configuring_https_servers.xml" id="compatibility">другие</link> +шифры. +</note> +</para> + +</directive> + + +<directive name="ssl_dhparam"> +<syntax><value>файл</value></syntax> +<default/> +<context>mail</context> +<context>server</context> +<appeared-in>0.7.2</appeared-in> + +<para> +Указывает <value>файл</value> с параметрами для шифров с обменом EDH-ключами. +</para> + +</directive> + + +<directive name="ssl_ecdh_curve"> +<syntax><value>кривая</value></syntax> +<default>prime256v1</default> +<context>mail</context> +<context>server</context> +<appeared-in>1.1.0</appeared-in> +<appeared-in>1.0.6</appeared-in> + +<para> +Задаёт кривую для ECDHE-шифров. +</para> + +</directive> + + +<directive name="ssl_password_file"> +<syntax><value>файл</value></syntax> +<default/> +<context>mail</context> +<context>server</context> +<appeared-in>1.7.3</appeared-in> + +<para> +Задаёт <value>файл</value> с паролями от +<link id="ssl_certificate_key">секретных ключей</link>, +где каждый пароль указан на отдельной строке. +Пароли применяются по очереди в момент загрузки ключа. +</para> + +<para> +Пример: +<example> +mail { + ssl_password_file /etc/keys/global.pass; + ... 
+ + server { + server_name mail1.example.com; + ssl_certificate_key /etc/keys/first.key; + } + + server { + server_name mail2.example.com; + + # вместо файла можно указать именованный канал + ssl_password_file /etc/keys/fifo; + ssl_certificate_key /etc/keys/second.key; + } +} +</example> +</para> + +</directive> + + <directive name="ssl_prefer_server_ciphers"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> @@ -217,6 +317,21 @@ openssl rand 48 > ticket.key </directive> +<directive name="ssl_session_tickets"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>on</default> +<context>mail</context> +<context>server</context> +<appeared-in>1.5.9</appeared-in> + +<para> +Разрешает или запрещает возобновление сессий при помощи +<link url="http://tools.ietf.org/html/rfc5077">TLS session tickets</link>. +</para> + +</directive> + + <directive name="ssl_session_timeout"> <syntax><value>время</value></syntax> <default>5m</default>
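Review bot: the Russian ssl_ecdh_curve paragraph drops the `<value>` markup that the English counterpart keeps: the English reads `Specifies a <value>curve</value> for ECDHE ciphers.` while the Russian has `Задаёт кривую для ECDHE-шифров.`, so the rendered parameter name will not match the syntax line; suggest `Задаёт <value>кривую</value> для ECDHE-шифров.` Likewise the ssl_dhparam sentence `Указывает <value>файл</value> с параметрами для шифров с обменом EDH-ключами.` loses "DH" from the English "DH parameters"; `с параметрами DH для EDH-шифров` would keep the two files in step.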