Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 0e6932fae -> edf1d8fbe
DISPATCH-1066 - Doc new protocols attribute in sslProfile config procedure. This closes #338

Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/edf1d8fb
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/edf1d8fb
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/edf1d8fb

Branch: refs/heads/master
Commit: edf1d8fbe5873328f6338d38bef9800f1f3ea3a1
Parents: 0e6932f
Author: Ben Hardesty <bhard...@redhat.com>
Authored: Fri Jul 6 14:43:29 2018 -0400
Committer: Ganesh Murthy <gmur...@redhat.com>
Committed: Fri Jul 13 22:17:51 2018 -0400

----------------------------------------------------------------------
 .../user-guide/configuration-security.adoc | 27 +++++++++++++++++++-
 .../user-guide/managing-using-qdmanage.adoc | 6 ++---
 2 files changed, 29 insertions(+), 4 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/edf1d8fb/docs/books/user-guide/configuration-security.adoc
----------------------------------------------------------------------
diff --git a/docs/books/user-guide/configuration-security.adoc b/docs/books/user-guide/configuration-security.adoc index 993cecf..e2d1798 100644 --- a/docs/books/user-guide/configuration-security.adoc +++ b/docs/books/user-guide/configuration-security.adoc @@ -52,6 +52,7 @@ You must have the following files in PEM format: sslProfile { name: _NAME_ ciphers: _CIPHERS_ + protocols: _PROTOCOL_ caCertFile: _PATH_.pem certFile: _PATH_.pem privateKeyFile: _PATH_.pem 
@@ -71,15 +72,39 @@ name: router-ssl-profile `ciphers`:: The SSL cipher suites that can be used by this SSL/TLS profile. If certain ciphers are unsuitable for your environment, you can use this attribute to restrict them from being used. + -To enable a cipher list, enter one or more cipher strings separated by colons (`:`). For example: +To enable a cipher list, enter one or more cipher strings separated by colons (`:`). + +.Enabling a Cipher List +==== [options="nowrap"] ---- ciphers: ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP ---- +==== + To see the full list of available ciphers, use the `openssl ciphers` command. For more information about each cipher, see the link:https://www.openssl.org/docs/manmaster/man1/ciphers.html[ciphers man page^]. +`protocols`:: The SSL/TLS protocols that this router can use. You can specify a list of one or more of the following values: TLSv1, TLSv1.1, or TLSv1.2. ++ +To specify multiple protocols, separate the protocols with a space. ++ +.Specifying Multiple Protocols +==== +This example permits the SSL/TLS profile to use TLS v1.1 and TLS v1.2 only: + +[options="nowrap"] +---- +protocols: TLSv1.1 TLSv1.2 +---- +==== ++ +If you do not specify a value, the router will use the TLS protocol specified by the system-wide configuration. ++ +[NOTE] +==== +When setting the TLS protocol versions for the router, you should also consider the TLS protocol version (or versions) used by your client applications. If a subset of TLS protocol versions does not exist between a client and the router, the client will not be able to connect to the router. +==== + `caCertFile`:: The absolute path to the file that contains the public certificates of trusted certificate authorities (CA). + For example: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/edf1d8fb/docs/books/user-guide/managing-using-qdmanage.adoc ---------------------------------------------------------------------- 
diff --git a/docs/books/user-guide/managing-using-qdmanage.adoc b/docs/books/user-guide/managing-using-qdmanage.adoc index b22bd6d..c81115d 100644 --- a/docs/books/user-guide/managing-using-qdmanage.adoc +++ b/docs/books/user-guide/managing-using-qdmanage.adoc @@ -306,18 +306,18 @@ include::managing-using-qdmanage.adoc[tags=qdmanage-connection-options-note] |=== | To... | Use this command... -|View the routerâs SSL configuration +|View the routerâs SSL/TLS configuration a| [options="nowrap"] ---- qdmanage query --type=sslProfile ---- -|Set up SSL for the router +|Set up SSL/TLS for the router a| [options="nowrap",subs="+quotes"] ---- -qdmanage create --type=sslProfile --name=_NAME_ --certDB=_PATH_ --certFile=_PATH_ --privateKeyFile=_PATH_ --_ATTRIBUTE_=_VALUE_ ... +qdmanage create --type=sslProfile --name=_NAME_ --_ATTRIBUTE_=_VALUE_ ... ---- |Add SSL/TLS encryption to an incoming connection --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
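
Review bot: In docs/books/user-guide/configuration-security.adoc, the sslProfile template at @@ -52,6 +52,7 @@ uses the singular placeholder `_PROTOCOL_`, while the attribute description added further down the same file says the value is a space-separated list of one or more versions. Suggest `protocols: _PROTOCOLS_`, matching the plural `ciphers: _CIPHERS_` line directly above it, so the template does not imply that only one version is accepted.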
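
Review bot: In the NOTE that closes the new `protocols` description (configuration-security.adoc, @@ -71,15 +72,39 @@), "If a subset of TLS protocol versions does not exist between a client and the router" is imprecise, because what decides the outcome is whether the two sides share at least one version. Suggest "If the client and the router do not have at least one TLS protocol version in common, the client will not be able to connect to the router." In the same hunk, the cipher string now presented under the title "Enabling a Cipher List" starts from `ALL` and excludes only `!aNULL:!EXPORT56`; the `+LOW:+SSLv2:+EXP` terms reorder those suites rather than remove them, so a reader who copies the example keeps low-strength and export suites enabled. Since it is being promoted to a titled example, consider replacing it with a string that restricts the list, or saying that it illustrates syntax only.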
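
Review bot: In the "Set up SSL/TLS for the router" row of docs/books/user-guide/managing-using-qdmanage.adoc (@@ -306,18 +306,18 @@), the command loses `--certDB=_PATH_ --certFile=_PATH_ --privateKeyFile=_PATH_` and is left with `--name=_NAME_ --_ATTRIBUTE_=_VALUE_ ...`, so the row no longer tells the reader which attributes a usable profile needs. Suggest keeping the certificate and key attributes under the names the sslProfile template in configuration-security.adoc uses (`caCertFile`, `certFile`, `privateKeyFile`), or adding a cross-reference to that attribute list. The commit message mentions only the new protocols attribute, so this removal and the SSL to SSL/TLS rewording are worth a line there as well.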