# Minimum TLS protocol version. One of TLS1_3_VERSION, TLS1_2_VERSION, # TLS1_1_VERSION_DEPRECATED, TLS1_VERSION_DEPRECATED, or 0 for the default. # The option TLS1_3_VERSION requires OpenSSL 1.1.1 or later to be valid. # As of August 2018, TLSv1.2 is the default minimum TLS protocol version. # Invalid values will use the default. MIN_TLS_PROTOCOL=0 # Maximum TLS protocol version. One of TLS1_3_VERSION, TLS1_2_VERSION, # TLS1_1_VERSION_DEPRECATED, TLS1_VERSION_DEPRECATED, or 0 for the highest # supported version. # The option TLS1_3_VERSION requires OpenSSL 1.1.1 or later to be valid. # Invalid values will use the highest supported version. MAX_TLS_PROTOCOL=0 # GSSAPI Name compatibility mode when trying to determine # if a host certificate is legitimate. GSI predates RFC2818, # so there are some old, less-secure, practices by default. # The different modes are: # STRICT_GT2: # Strictly backward-compatible with GT 2.0 name matching. # X.509 subjectAltName values are ignored. Names with # hyphens are treated as wildcarded such that # host-ANYTHING.example.com will match a certificate named # host.example.com. The name matching will rely on canonical # host (as resolved via getnameinfo) name associated with # a connection's IP addresses. # STRICT_RFC2818: # Support RFC 2818 server identity processing. Hyphen # characters are treated as normal part of a host name. # dnsName and ipAddress subjectAltName extensions are matched # against the host and port passed to GSSAPI. If subjectAltName # is present, X.509 SubjectName is ignored. # HYBRID: # Support a hybrid of the two previous name matching algorithms, # liberally matching both hyphen wildcards, canonical names # associated with IP addresses, and subjectAltName extensions. # This has been the default since GT 4.2 NAME_COMPATIBILITY=STRICT_RFC2818 # OpenSSL Cipher List. This is a preference-ordered list of OpenSSL cipher # names in CIPHER LIST FORMAT specified in ciphers(1). Disregarded and # 'eNULL:ALL:!COMPLEMENTOFDEFAULT' used instead, if GSS_C_CONF_FLAG not set # by the application. CIPHERS=HIGH # If true, when choosing a cipher, a server will use its own preferred # order instead of the cipher order presented by the client. When not set, the # SSL server will always follow the clients preferences. SERVER_CIPHER_ORDER=true # If true, when computing a message integrity check, use the original # implementation, which inspects internal OpenSSL structures. Otherwise, # use keying material and sequence counters in the GSSAPI structures only. # The true setting is only available for OpenSSL < 1.1.0 BACKWARD_COMPATIBLE_MIC=true # If true, when verifying a message integrity check, accept MICs generated # using the original implementation, which inspects internal OpenSSL # structures. Otherwise, only use the new code which relies on use keying # material and sequence counters in the GSSAPI structures only. # The true setting is only available for OpenSSL < 1.1.0 ACCEPT_BACKWARD_COMPATIBLE_MIC=true # If set to a non-root username, then files owned by that user are allowed # to own credentials used by the root user VHOST_CRED_OWNER=root