mod_openssl

mod_openssl listens on separate sockets for TLS connections (https) using OpenSSL

openssl (setup)

set up a TLS socket

openssl options;
options
A key-value table with the following entries:
listen
(mandatory) the socket address to listen on (same as the listen setup action of plugin_core: plugin_core.html#plugin_core__setup_listen); can be specified more than once to set up multiple sockets with the same options
pemfile
(mandatory) file containing the private key, certificate and (optionally) intermediate certificates (the root certificate is usually not included)
ca-file
file containing the intermediate certificates
ciphers
OpenSSL ciphers string (default: "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK")
dh-params
filename with generated dh-params (default: fixed 4096-bit parameters)
ecdh-curve
OpenSSL curve name used for ECDH(E) key exchange (e.g. one of the names listed by openssl ecparam -list_curves)
options
list of OpenSSL options (default: NO_SSLv2, NO_SSLv3, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION, SINGLE_DH_USE, SINGLE_ECDH_USE)
verify
enable client certificate verification (default: false)
verify-any
accept any client certificate regardless of its issuer (including self-signed ones), so that the application can check it itself, e.g. via the variables exported by openssl.setenv (default: false)
verify-depth
maximum depth of the client certificate chain accepted during verification (default: 1)
verify-require
reject connections whose client certificate fails verification (default: false)
client-ca-file
file containing client CA certificates (to verify client certificates)

For the syntax of ciphers see the OpenSSL ciphers(1) manual page.

For the available options see the OpenSSL SSL_CTX_set_options(3) manual page; flag names are given without the SSL_OP_ prefix. To override one of the defaults, specify the reverse flag explicitly by toggling the “NO_” prefix.
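The following is an added example, not part of the lighttpd2 documentation or its source: it models how an explicit "options" list is combined with the defaults under the toggling rule stated above and lints the effective set for settings that weaken the listener. The merge rule (each explicit flag replaces its NO_ counterpart) is an assumption drawn from the sentence above, not from the mod_openssl source.

```python
# Added example (not lighttpd2 code): model of the options merge rule plus a
# lint for the effective flag set. Flag names follow the table above, i.e.
# OpenSSL SSL_OP_* names without the SSL_OP_ prefix.

# Defaults from the "options" entry of the table above.
DEFAULT_OPTIONS = (
    "NO_SSLv2", "NO_SSLv3", "CIPHER_SERVER_PREFERENCE",
    "NO_COMPRESSION", "SINGLE_DH_USE", "SINGLE_ECDH_USE",
)

# Flags whose presence in the effective set re-enables something the
# defaults deliberately switch off.
WEAK_IF_PRESENT = {
    "SSLv2": "re-enables SSLv2",
    "SSLv3": "re-enables SSLv3 (POODLE)",
    "COMPRESSION": "re-enables TLS compression (CRIME)",
}
# Flags whose absence from the effective set is a regression.
WEAK_IF_ABSENT = {
    "CIPHER_SERVER_PREFERENCE": "client picks the cipher suite",
    "SINGLE_DH_USE": "ephemeral DH key may be reused across handshakes",
    "SINGLE_ECDH_USE": "ephemeral ECDH key may be reused across handshakes",
}


def toggle(name):
    """Return the opposite flag: X <-> NO_X."""
    return name[3:] if name.startswith("NO_") else "NO_" + name


def resolve_options(explicit, defaults=DEFAULT_OPTIONS):
    """Apply an explicit options list on top of the defaults (assumed rule).

    Each explicit flag removes its opposite if present, then is added, so
    ["SSLv3"] drops the default "NO_SSLv3" while ["NO_TICKET"] is simply
    added. Returns the effective set of flag names."""
    effective = set(defaults)
    for flag in explicit:
        effective.discard(toggle(flag))
        effective.add(flag)
    return effective


def lint_options(explicit):
    """Return a list of warnings about the effective option set."""
    effective = resolve_options(explicit)
    warnings = []
    for flag, why in WEAK_IF_PRESENT.items():
        if flag in effective:
            warnings.append(f"{flag}: {why}")
    for flag, why in WEAK_IF_ABSENT.items():
        if flag not in effective:
            warnings.append(f"missing {flag}: {why}")
    return warnings


if __name__ == "__main__":
    # The list used in the "Simple TLS" example on this page.
    print(sorted(resolve_options(["ALL", "NO_TICKET"])))
    print(lint_options(["ALL", "NO_TICKET"]))
    # An explicit flag that undoes a default.
    print(lint_options(["SSLv3"]))
```

Run it with a candidate list before committing a config change; an empty lint result means the defaults that matter for protocol and key-exchange hygiene are still in effect.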

Simple TLS on IPv4 and IPv6

setup {
	module_load "mod_openssl";
	openssl [
		"listen" => "0.0.0.0:443",
		"listen" => "[::]:443",
		"pemfile" => "/etc/certs/lighttpd.pem",
		"options" => ["ALL", "NO_TICKET"],
	];
}
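Because a mis-assembled pemfile is the most common reason a listener like the one above fails to start, here is an added example (not lighttpd2 code) that checks a candidate file for the layout the pemfile entry describes: exactly one unencrypted private key, at least one certificate, nothing else, and every block decoding to DER. It only parses PEM framing with the standard library, so it cannot validate signatures or tell a root from an intermediate; the sample inputs at the bottom are constructed filler, not real key material.

```python
# Added example (not lighttpd2 code): structural check of a "pemfile".
import base64
import binascii
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
KNOWN_LABELS = PRIVATE_KEY_LABELS | {"ENCRYPTED PRIVATE KEY", "CERTIFICATE"}


def pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in text.

    Raises ValueError if a block body is not valid base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: invalid base64 ({exc})") from None
        blocks.append((label, der))
    return blocks


def check_pemfile(text):
    """Return a list of problems; an empty list means the layout looks usable.

    Every X.509 certificate and every private-key structure in these PEM
    encodings is a DER SEQUENCE, so the first byte must be 0x30."""
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    labels = [label for label, _ in blocks]
    keys = [label for label in labels if label in PRIVATE_KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if "ENCRYPTED PRIVATE KEY" in labels:
        # The options table offers no passphrase setting, so an encrypted
        # key cannot be loaded unattended.
        problems.append("private key is passphrase-protected")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block (server certificate missing)")
    for label, der in blocks:
        if label not in KNOWN_LABELS:
            problems.append(f"unexpected block {label!r}")
        elif der[:1] != b"\x30":
            problems.append(f"{label}: body is not a DER SEQUENCE")
    return problems


def _block(label, payload):
    """Build a PEM block from raw bytes (used for the constructed samples)."""
    return (f"-----BEGIN {label}-----\n"
            + base64.encodebytes(payload).decode()
            + f"-----END {label}-----\n")


# Constructed samples: DER SEQUENCE headers with filler, not real key material.
SAMPLE_OK = (_block("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
             + _block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
             + _block("CERTIFICATE", b"\x30\x03\x02\x01\x02"))
SAMPLE_NO_KEY = _block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_BAD_B64 = "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    # Usage: python check_pemfile.py /etc/certs/lighttpd.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    for line in check_pemfile(text) or ["ok"]:
        print(line)
```

The order convention (server certificate first, intermediates after it, root omitted) is something this check cannot confirm without an ASN.1 parser; it flags the errors that make OpenSSL refuse the file outright, which is where most start-up failures come from.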

TLS with client certificate verification

setup {
	module_load "mod_openssl";
	openssl (
		"listen" => "0.0.0.0:443",
		"listen" => "[::]:443",
		"pemfile" => "/etc/certs/lighttpd.pem",
		"client-ca-file" => "/etc/certs/myCA.pem",
		"verify" => true,
		"verify-require" => true
	);
}

TLS with any client certificate

setup {
	module_load "mod_openssl";
	openssl (
		"listen" => "0.0.0.0:443",
		"listen" => "[::]:443",
		"pemfile" => "/etc/certs/lighttpd.pem",
		"verify" => true,
		"verify-any" => true,
		"verify-depth" => 9
	);
}
openssl.setenv "client-cert";

openssl.setenv (action)

export details of the TLS connection as SSL_* environment strings to backend handlers (e.g. CGI/FastCGI)

openssl.setenv list;
list
list of subsets to export

Supported subsets:

  • “client” – set SSL_CLIENT_S_DN_ short-named entries (e.g. SSL_CLIENT_S_DN_CN for the client subject's commonName)
  • “client-cert” – set SSL_CLIENT_CERT to the client certificate in PEM form
  • “server” – set SSL_SERVER_S_DN_ short-named entries
  • “server-cert” – set SSL_SERVER_CERT to the server certificate in PEM form
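The "TLS with any client certificate" example above pairs verify-any with openssl.setenv "client-cert", which leaves all checking to the backend. As an added example (not lighttpd2 code, and not code from any project), this is what such a backend can do with the exported variables: pin the presented certificate by SHA-256 fingerprint against an allowlist and optionally require a subject CN. It assumes the usual CGI/WSGI environ mapping, that both the “client” and “client-cert” subsets were exported, and that the short-name suffix for commonName is _CN (OpenSSL's short name; the exact suffixes are not spelled out on this page). The sample certificate is constructed filler, not a real certificate.

```python
# Added example (not lighttpd2 code): manual client-certificate check in a
# backend behind a verify-any listener, using SSL_CLIENT_CERT and
# SSL_CLIENT_S_DN_CN as exported by openssl.setenv.
import base64
import hashlib
import re

CERT_PEM = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem):
    """SHA-256 of the DER certificate inside a PEM string, as lowercase hex.

    Returns None when no certificate block is present (client sent none,
    or the "client-cert" subset was not exported)."""
    match = CERT_PEM.search(pem or "")
    if not match:
        return None
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def authorize(environ, allowed_fingerprints, required_cn=None):
    """Return (ok, detail) for the request's client certificate.

    environ holds SSL_CLIENT_CERT (from the "client-cert" subset) and
    SSL_CLIENT_S_DN_CN (from the "client" subset; _CN suffix assumed)."""
    fingerprint = cert_fingerprint(environ.get("SSL_CLIENT_CERT"))
    if fingerprint is None:
        return False, "no client certificate presented"
    if fingerprint not in allowed_fingerprints:
        return False, "certificate not in allowlist"
    if required_cn is not None and environ.get("SSL_CLIENT_S_DN_CN") != required_cn:
        return False, "subject CN mismatch"
    return True, fingerprint


# Constructed sample: a DER SEQUENCE header with filler, not a real certificate.
_SAMPLE_DER = b"\x30\x03\x02\x01\x07"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
# What a backend would see after: openssl.setenv ("client", "client-cert");
SAMPLE_ENVIRON = {"SSL_CLIENT_CERT": SAMPLE_PEM,
                  "SSL_CLIENT_S_DN_CN": "backup-agent"}
# Allowlist entries are normally taken from `openssl x509 -fingerprint -sha256`
# on the enrolled client certificates; here derived from the sample.
ALLOWED = {cert_fingerprint(SAMPLE_PEM)}

if __name__ == "__main__":
    print(authorize(SAMPLE_ENVIRON, ALLOWED, required_cn="backup-agent"))
    print(authorize(SAMPLE_ENVIRON, ALLOWED, required_cn="someone-else"))
    print(authorize({}, ALLOWED))
```

Pinning the whole certificate is a sound manual check here because verify-any only skips chain validation; the TLS handshake still proves the client holds the matching private key. The flip side is that a re-issued client certificate has a new fingerprint, so the allowlist must be updated on rotation. The CN check on its own would not be enough, since with verify-any anyone can mint a self-signed certificate carrying any name.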