source: nginx_org/xml/en/docs/http/ngx_http_ssl_module.xml

Last change on this file was 1923:66a30a380fba, checked in by Ruslan Ermilov <ru@…>, 3 weeks ago

Fixed links to tools.ietf.org.

<?xml version="1.0"?>

<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_ssl_module"
        link="/en/docs/http/ngx_http_ssl_module.html"
        lang="en"
        rev="33">

<section id="summary">

<para>
The <literal>ngx_http_ssl_module</literal> module provides the
necessary support for HTTPS.
</para>

<para>
This module is not built by default; it should be enabled with the
<literal>--with-http_ssl_module</literal>
configuration parameter.
<note>
This module requires the
<link url="http://www.openssl.org">OpenSSL</link> library.
</note>
</para>

</section>


<section id="example" name="Example Configuration">

<para>
To reduce the processor load it is recommended to
<list type="bullet">

<listitem>
set the number of worker processes equal to the number of processors,
</listitem>

<listitem>
enable keep-alive connections,
</listitem>

<listitem>
enable the shared session cache,
</listitem>

<listitem>
disable the built-in session cache,
</listitem>

<listitem>
and possibly increase the session lifetime (by default, 5 minutes):
</listitem>

</list>

<example>
<emphasis>worker_processes auto;</emphasis>

http {

    ...

    server {
        listen              443 ssl;
        <emphasis>keepalive_timeout   70;</emphasis>

        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        <emphasis>ssl_session_cache   shared:SSL:10m;</emphasis>
        <emphasis>ssl_session_timeout 10m;</emphasis>

        ...
    }
</example>
</para>

</section>


<section id="directives" name="Directives">

<directive name="ssl">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>

<para>
Enables the HTTPS protocol for the given virtual server.
<note>
It is recommended to use the <literal>ssl</literal> parameter of the
<link doc="ngx_http_core_module.xml" id="listen"/> directive instead
of this directive.
</note>
</para>

</directive>


<directive name="ssl_buffer_size">
<syntax><value>size</value></syntax>
<default>16k</default>
<context>http</context>
<context>server</context>
<appeared-in>1.5.9</appeared-in>

<para>
Sets the size of the buffer used for sending data.
</para>

<para>
By default, the buffer size is 16k, which corresponds to minimal
overhead when sending big responses.
To minimize Time To First Byte it may be beneficial to use smaller values,
for example:
<example>
ssl_buffer_size 4k;
</example>
</para>

</directive>


<directive name="ssl_certificate">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>

<para>
Specifies a <value>file</value> with the certificate in the PEM format
for the given virtual server.
If intermediate certificates should be specified in addition to a primary
certificate, they should be specified in the same file in the following
order: the primary certificate comes first, then the intermediate certificates.
A secret key in the PEM format may be placed in the same file.
</para>
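<para>
A structural check of a bundle in this layout, added here as an example; it is not part of the nginx documentation or of nginx itself. It counts the CERTIFICATE and private key blocks (the first CERTIFICATE block is the one nginx serves, the rest are reported as intermediates), confirms that every block body decodes as base64 to data starting with the ASN.1 SEQUENCE tag that every X.509 certificate and PKCS key begins with, and so catches a pasted bundle that was damaged in transit. It does not verify that each certificate was issued by the next one; that needs an X.509 parser. The PEM bodies below are constructed placeholders, not real certificates or keys.
</para>

```python
"""Structural check of a PEM bundle for nginx's ssl_certificate directive.

Added example; not part of the nginx documentation or the nginx code.
"""
import base64
import binascii
import re

# A PEM block: label in the BEGIN line must match the END line (group 1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)

# Common PEM labels for a private key that may share the file with the chain.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Every DER-encoded X.509 certificate and PKCS#1/PKCS#8/SEC1 key is an
# ASN.1 SEQUENCE, so its first byte is 0x30.
DER_SEQUENCE_TAG = b"\x30"


def parse_pem_blocks(text):
    """Return (label, body) pairs in file order; body has line breaks removed."""
    return [(m.group(1), "".join(m.group(2).split()))
            for m in PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Check a bundle and return a dict with 'ok', counts and a list of findings."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    findings = []

    n_certs = labels.count("CERTIFICATE")
    n_keys = sum(1 for label in labels if label in KEY_LABELS)

    if n_certs == 0:
        findings.append("no CERTIFICATE block found")
    if n_keys not in (0, 1):
        findings.append("%d private keys found, expected at most one" % n_keys)

    unknown = sorted(set(labels) - {"CERTIFICATE"} - KEY_LABELS)
    if unknown:
        findings.append("unexpected block types: " + ", ".join(unknown))

    for index, (label, body) in enumerate(blocks):
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            findings.append("block %d (%s) is not valid base64" % (index, label))
            continue
        if not der.startswith(DER_SEQUENCE_TAG):
            findings.append("block %d (%s) does not decode to DER" % (index, label))

    return {
        "ok": not findings,
        "certificates": n_certs,
        "intermediates": max(n_certs - 1, 0),
        "has_key": n_keys == 1,
        "findings": findings,
    }


def _fake_block(label, payload):
    """Build a constructed PEM block; the payload is not a real certificate."""
    body = base64.b64encode(DER_SEQUENCE_TAG + b"\x82\x01\x00" + payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples: a correct bundle, a key-only file and a damaged body.
GOOD_BUNDLE = (_fake_block("CERTIFICATE", b"server certificate")
               + _fake_block("CERTIFICATE", b"intermediate CA")
               + _fake_block("RSA PRIVATE KEY", b"server key"))
KEY_ONLY_BUNDLE = _fake_block("RSA PRIVATE KEY", b"server key")
# "MIIB" is the base64 of the 0x30 0x82 0x01 prefix; "!" is not a base64 char.
CORRUPT_BUNDLE = GOOD_BUNDLE.replace("MIIB", "M!IB", 1)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("key-only", KEY_ONLY_BUNDLE),
                         ("corrupt", CORRUPT_BUNDLE)]:
        print(name, check_bundle(bundle))
```

<para>
Run it against a real bundle with <literal>check_bundle(open(path).read())</literal>; a non-empty findings list is the kind of problem that otherwise only shows up as an OpenSSL load error when nginx starts.
</para>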

<para>
Since version 1.11.0,
this directive can be specified multiple times
to load certificates of different types, for example, RSA and ECDSA:
<example>
server {
    listen              443 ssl;
    server_name         example.com;

    ssl_certificate     example.com.rsa.crt;
    ssl_certificate_key example.com.rsa.key;

    ssl_certificate     example.com.ecdsa.crt;
    ssl_certificate_key example.com.ecdsa.key;

    ...
}
</example>
<note>
Only OpenSSL 1.0.2 or higher supports separate
<link doc="configuring_https_servers.xml" id="chains">certificate chains</link>
for different certificates.
With older versions, only one certificate chain can be used.
</note>
</para>

<para>
It should be kept in mind that due to the HTTPS protocol limitations
virtual servers should listen on different IP addresses:
<example>
server {
    listen          192.168.1.1:443;
    server_name     one.example.com;
    ssl_certificate one.example.com.crt;
    ...
}

server {
    listen          192.168.1.2:443;
    server_name     two.example.com;
    ssl_certificate two.example.com.crt;
    ...
}
</example>
otherwise
<link doc="configuring_https_servers.xml"
    id="name_based_https_servers">the first server’s certificate</link>
will be issued for the second site.
</para>

</directive>


<directive name="ssl_certificate_key">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>

<para>
Specifies a <value>file</value> with the secret key in the PEM format
for the given virtual server.
</para>

<para>
The value
<literal>engine</literal>:<value>name</value>:<value>id</value>
can be specified instead of the <value>file</value> (1.7.9),
which loads a secret key with a specified <value>id</value>
from the OpenSSL engine <value>name</value>.
</para>

</directive>


<directive name="ssl_ciphers">
<syntax><value>ciphers</value></syntax>
<default>HIGH:!aNULL:!MD5</default>
<context>http</context>
<context>server</context>

<para>
Specifies the enabled ciphers.
The ciphers are specified in the format understood by the
OpenSSL library, for example:
<example>
ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
</example>
</para>

<para>
The full list can be viewed using the
“<command>openssl ciphers</command>” command.
</para>

<para>
<note>
The previous versions of nginx used
<link doc="configuring_https_servers.xml" id="compatibility">different</link>
ciphers by default.
</note>
</para>

</directive>


<directive name="ssl_client_certificate">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>

<para>
Specifies a <value>file</value> with trusted CA certificates in the PEM format
used to <link id="ssl_verify_client">verify</link> client certificates and
OCSP responses if <link id="ssl_stapling"/> is enabled.
</para>

<para>
The list of certificates will be sent to clients.
If this is not desired, the <link id="ssl_trusted_certificate"/>
directive can be used.
</para>

</directive>


<directive name="ssl_crl">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>0.8.7</appeared-in>

<para>
Specifies a <value>file</value> with revoked certificates (CRL)
in the PEM format used to <link id="ssl_verify_client">verify</link>
client certificates.
</para>

</directive>


<directive name="ssl_dhparam">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>0.7.2</appeared-in>

<para>
Specifies a <value>file</value> with DH parameters for DHE ciphers.
</para>

</directive>


<directive name="ssl_ecdh_curve">
<syntax><value>curve</value></syntax>
<default>auto</default>
<context>http</context>
<context>server</context>
<appeared-in>1.1.0</appeared-in>
<appeared-in>1.0.6</appeared-in>

<para>
Specifies a <value>curve</value> for ECDHE ciphers.
</para>

<para>
When using OpenSSL 1.0.2 or higher,
it is possible to specify multiple curves (1.11.0), for example:
<example>
ssl_ecdh_curve prime256v1:secp384r1;
</example>
</para>

<para>
The special value <literal>auto</literal> (1.11.0) instructs nginx to use
a list built into the OpenSSL library when using OpenSSL 1.0.2 or higher,
or <literal>prime256v1</literal> with older versions.
</para>

<para>
<note>
Prior to version 1.11.0,
the <literal>prime256v1</literal> curve was used by default.
</note>
</para>

</directive>


<directive name="ssl_password_file">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>1.7.3</appeared-in>

<para>
Specifies a <value>file</value> with passphrases for
<link id="ssl_certificate_key">secret keys</link>
where each passphrase is specified on a separate line.
Passphrases are tried in turn when loading the key.
</para>

<para>
Example:
<example>
http {
    ssl_password_file /etc/keys/global.pass;
    ...

    server {
        server_name www1.example.com;
        ssl_certificate_key /etc/keys/first.key;
    }

    server {
        server_name www2.example.com;

        # named pipe can also be used instead of a file
        ssl_password_file /etc/keys/fifo;
        ssl_certificate_key /etc/keys/second.key;
    }
}
</example>
</para>

</directive>


<directive name="ssl_prefer_server_ciphers">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>

<para>
Specifies that server ciphers should be preferred over client
ciphers when using the SSLv3 and TLS protocols.
</para>

</directive>


<directive name="ssl_protocols">
<syntax>
    [<literal>SSLv2</literal>]
    [<literal>SSLv3</literal>]
    [<literal>TLSv1</literal>]
    [<literal>TLSv1.1</literal>]
    [<literal>TLSv1.2</literal>]</syntax>
<default>TLSv1 TLSv1.1 TLSv1.2</default>
<context>http</context>
<context>server</context>

<para>
Enables the specified protocols.
The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters work
only when the OpenSSL library of version 1.0.1 or higher is used.
<note>
The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters are
supported starting from versions 1.1.13 and 1.0.12,
so when the OpenSSL version 1.0.1 or higher
is used on older nginx versions, these protocols work, but cannot
be disabled.
</note>
</para>

</directive>


<directive name="ssl_session_cache">
<syntax>
    <literal>off</literal> |
    <literal>none</literal> |
    [<literal>builtin</literal>[:<value>size</value>]]
    [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax>
<default>none</default>
<context>http</context>
<context>server</context>

<para>
Sets the types and sizes of caches that store session parameters.
A cache can be of any of the following types:
<list type="tag">

<tag-name><literal>off</literal></tag-name>
<tag-desc>
the use of a session cache is strictly prohibited:
nginx explicitly tells a client that sessions may not be reused.
</tag-desc>

<tag-name><literal>none</literal></tag-name>
<tag-desc>
the use of a session cache is gently disallowed:
nginx tells a client that sessions may be reused, but does not
actually store session parameters in the cache.
</tag-desc>

<tag-name><literal>builtin</literal></tag-name>
<tag-desc>
a cache built in OpenSSL; used by one worker process only.
The cache size is specified in sessions.
If size is not given, it is equal to 20480 sessions.
Use of the built-in cache can cause memory fragmentation.
</tag-desc>

<tag-name><literal>shared</literal></tag-name>
<tag-desc>
a cache shared between all worker processes.
The cache size is specified in bytes; one megabyte can store
about 4000 sessions.
Each shared cache should have an arbitrary name.
A cache with the same name can be used in several virtual servers.
</tag-desc>

</list>
</para>

<para>
Both cache types can be used simultaneously, for example:
<example>
ssl_session_cache builtin:1000 shared:SSL:10m;
</example>
but using only shared cache without the built-in cache should
be more efficient.
</para>
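<para>
The recommendations from the Example Configuration section (worker processes, keep-alive, shared session cache, no built-in cache, longer session lifetime) and the advice just above that a shared-only cache is more efficient than a mixed one, as a configuration checker. This is an added example, not nginx code; the nginx configuration parser in it is deliberately small (comments, <literal>name args;</literal> directives and <literal>{ }</literal> blocks) and the two configurations it is run on are constructed for the example. Keep-alive is enabled by default in nginx, so only an explicit <literal>keepalive_timeout 0</literal> is flagged.
</para>

```python
"""Lint an nginx configuration against the TLS performance recommendations.

Added example; not nginx code. The parser handles only what server blocks
on this page need: comments, `name args;` directives and `{ }` blocks.
"""
import re

# comments, block delimiters, quoted strings and bare words
TOKEN = re.compile(r"#[^\n]*|[{};]|\"[^\"]*\"|'[^']*'|[^\s{};\"']+")


def parse_nginx(text):
    """Flatten a config into (context, name, args) triples.

    context is the tuple of enclosing block names, e.g. ("http", "server").
    """
    directives, stack, current = [], [], []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if current:
                directives.append((tuple(stack), current[0], current[1:]))
            current = []
        elif tok == "{":
            stack.append(current[0] if current else "")
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok.strip("\"'"))
    return directives


def find(directives, name):
    """All (context, args) occurrences of a directive, in file order."""
    return [(ctx, args) for ctx, n, args in directives if n == name]


def lint_tls_performance(text):
    """Return a list of findings; an empty list means every recommendation is met."""
    directives = parse_nginx(text)
    findings = []

    # worker processes: "auto" sizes the pool to the number of processors
    workers = find(directives, "worker_processes")
    if not workers:
        findings.append("worker_processes is not set; use auto (one per processor)")
    elif workers[-1][1] != ["auto"]:
        findings.append("worker_processes is %s; confirm it equals the processor count"
                        % workers[-1][1][0])

    # keep-alive: an explicit 0 disables connection reuse entirely
    keepalive = find(directives, "keepalive_timeout")
    if keepalive and keepalive[-1][1][0] == "0":
        findings.append("keepalive_timeout 0 disables keep-alive connections")

    # session cache: shared only; the builtin cache serves one worker and fragments memory
    caches = find(directives, "ssl_session_cache")
    if not caches:
        findings.append("ssl_session_cache is not set (default none: nothing is stored)")
    for ctx, args in caches:
        where = "/".join(ctx) or "main"
        if not any(a.startswith("shared:") for a in args):
            findings.append("ssl_session_cache in %s has no shared cache" % where)
        if any(a.startswith("builtin") for a in args):
            findings.append("ssl_session_cache in %s uses the builtin cache; "
                            "shared-only is more efficient" % where)

    # session lifetime: the 5m default may be worth raising once a cache exists
    if caches and not find(directives, "ssl_session_timeout"):
        findings.append("ssl_session_timeout is at its 5m default; consider raising it")
    return findings


# Constructed sample: a server block that ignores the recommendations.
UNTUNED_CONFIG = """
worker_processes 1;
http {
    server {
        listen              443 ssl;
        keepalive_timeout   0;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   builtin:1000 shared:SSL:10m;
    }
}
"""

# Constructed sample: the same server block following the recommendations.
RECOMMENDED_CONFIG = """
worker_processes auto;
http {
    server {
        listen              443 ssl;
        keepalive_timeout   70;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;   # shared between all workers
        ssl_session_timeout 10m;
    }
}
"""

if __name__ == "__main__":
    for name, cfg in [("untuned", UNTUNED_CONFIG), ("recommended", RECOMMENDED_CONFIG)]:
        print(name, lint_tls_performance(cfg) or "ok")
```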

</directive>


<directive name="ssl_session_ticket_key">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>1.5.7</appeared-in>

<para>
Sets a <value>file</value> with the secret key used to encrypt
and decrypt TLS session tickets.
The directive is necessary if the same key has to be shared between
multiple servers.
By default, a randomly generated key is used.
</para>

<para>
If several keys are specified, only the first key is
used to encrypt TLS session tickets.
This allows configuring key rotation, for example:
<example>
ssl_session_ticket_key current.key;
ssl_session_ticket_key previous.key;
</example>
</para>

<para>
The <value>file</value> must contain 80 or 48 bytes
of random data and can be created using the following command:
<example>
openssl rand 80 > ticket.key
</example>
Depending on the file size either AES256 (for 80-byte keys, 1.11.8)
or AES128 (for 48-byte keys) is used for encryption.
</para>
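<para>
The key generation and the two-key rotation described above, as an added example that is not nginx code. It draws the 80 (or 48) random bytes from <literal>os.urandom</literal> instead of <literal>openssl rand</literal>, writes the file owner-readable only because a ticket key decrypts every ticket issued under it, renames the current key to <literal>previous.key</literal> so tickets issued before the rotation still resume, and reports which cipher nginx will pick from the file size. The file names <literal>current.key</literal> and <literal>previous.key</literal> are those from the example above; the temporary directory used by the demo is an assumption of the example.
</para>

```python
"""Generate and rotate ssl_session_ticket_key files.

Added example; not nginx code. Mirrors `openssl rand 80` with os.urandom and
keeps one previous key so tickets issued before a rotation still resume.
"""
import os
import tempfile

# Maps key file size in bytes to the ticket cipher nginx selects.
TICKET_KEY_CIPHERS = {80: "AES256", 48: "AES128"}


def ticket_key_cipher(size):
    """Cipher used for a key file of `size` bytes, or None if nginx would reject it."""
    return TICKET_KEY_CIPHERS.get(size)


def write_ticket_key(path, size=80):
    """Write `size` random bytes to path with owner-only permissions (0600)."""
    if size not in TICKET_KEY_CIPHERS:
        raise ValueError("ticket key must be 80 or 48 bytes, not %d" % size)
    key = os.urandom(size)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def check_ticket_key(path):
    """Return the cipher for an existing key file; raise if its size is invalid."""
    size = os.path.getsize(path)
    cipher = ticket_key_cipher(size)
    if cipher is None:
        raise ValueError("%s is %d bytes; expected 80 or 48" % (path, size))
    return cipher


def rotate_ticket_keys(keydir, size=80):
    """current.key becomes previous.key; a fresh current.key is generated.

    Returns the key paths in the order they should be listed with
    ssl_session_ticket_key: the first listed key encrypts new tickets,
    the second only decrypts tickets issued before the rotation.
    """
    current = os.path.join(keydir, "current.key")
    previous = os.path.join(keydir, "previous.key")
    if os.path.exists(current):
        os.replace(current, previous)  # atomic rename; the old key still decrypts
    write_ticket_key(current, size)
    return [p for p in (current, previous) if os.path.exists(p)]


def render_directives(paths):
    """Render the ssl_session_ticket_key lines for the given rotation order."""
    return "\n".join("ssl_session_ticket_key %s;" % p for p in paths)


def demo_rotation(size=80):
    """Two rotations in a temporary directory; returns cipher and file order."""
    keydir = tempfile.mkdtemp(prefix="ticket-keys-")
    first = rotate_ticket_keys(keydir, size)
    with open(first[0], "rb") as f:
        first_key = f.read()
    second = rotate_ticket_keys(keydir, size)
    with open(second[1], "rb") as f:
        rotated_key = f.read()
    return {
        "cipher": check_ticket_key(second[0]),
        "files": [os.path.basename(p) for p in second],
        "previous_is_old_current": rotated_key == first_key,
        "directives": render_directives(second),
    }


if __name__ == "__main__":
    result = demo_rotation()
    print(result["cipher"], result["files"])
    print(result["directives"])
```

<para>
After each rotation nginx has to be reloaded to pick up the new files; the previous key should be dropped on the rotation after next, otherwise old tickets stay decryptable for as long as the file exists.
</para>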

</directive>


<directive name="ssl_session_tickets">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>on</default>
<context>http</context>
<context>server</context>
<appeared-in>1.5.9</appeared-in>

<para>
Enables or disables session resumption through
<link url="https://tools.ietf.org/html/rfc5077">TLS session tickets</link>.
</para>

</directive>


<directive name="ssl_session_timeout">
<syntax><value>time</value></syntax>
<default>5m</default>
<context>http</context>
<context>server</context>

<para>
Specifies a time during which a client may reuse the
session parameters.
</para>

</directive>


<directive name="ssl_stapling">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>
<appeared-in>1.3.7</appeared-in>

<para>
Enables or disables
<link url="https://tools.ietf.org/html/rfc4366#section-3.6">stapling
of OCSP responses</link> by the server.
Example:
<example>
ssl_stapling on;
resolver 192.0.2.1;
</example>
</para>

<para>
For the OCSP stapling to work, the certificate of the server certificate
issuer should be known.
If the <link id="ssl_certificate"/> file does
not contain intermediate certificates,
the certificate of the server certificate issuer should be
present in the
<link id="ssl_trusted_certificate"/> file.
</para>

<para>
To resolve the OCSP responder hostname,
the <link doc="ngx_http_core_module.xml" id="resolver"/> directive
should also be specified.
</para>

</directive>


<directive name="ssl_stapling_file">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>1.3.7</appeared-in>

<para>
When set, the stapled OCSP response will be taken from the
specified <value>file</value> instead of querying
the OCSP responder specified in the server certificate.
</para>

<para>
The file should be in the DER format as produced by the
“<literal>openssl ocsp</literal>” command.
</para>

</directive>


<directive name="ssl_stapling_responder">
<syntax><value>url</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>1.3.7</appeared-in>

<para>
Overrides the URL of the OCSP responder specified in the
“<link url="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority
Information Access</link>” certificate extension.
</para>

<para>
Only “<literal>http://</literal>” OCSP responders are supported:
<example>
ssl_stapling_responder http://ocsp.example.com/;
</example>
</para>

</directive>


<directive name="ssl_stapling_verify">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>
<appeared-in>1.3.7</appeared-in>

<para>
Enables or disables verification of OCSP responses by the server.
</para>

<para>
For verification to work, the certificate of the server certificate
issuer, the root certificate, and all intermediate certificates
should be configured as trusted using the
<link id="ssl_trusted_certificate"/> directive.
</para>

</directive>


<directive name="ssl_trusted_certificate">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<appeared-in>1.3.7</appeared-in>

<para>
Specifies a <value>file</value> with trusted CA certificates in the PEM format
used to <link id="ssl_verify_client">verify</link> client certificates and
OCSP responses if <link id="ssl_stapling"/> is enabled.
</para>

<para>
In contrast to the certificate set by <link id="ssl_client_certificate"/>,
the list of these certificates will not be sent to clients.
</para>

</directive>


<directive name="ssl_verify_client">
<syntax>
    <literal>on</literal> | <literal>off</literal> |
    <literal>optional</literal> | <literal>optional_no_ca</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>

<para>
Enables verification of client certificates.
The verification result is stored in the
<link id="var_ssl_client_verify">$ssl_client_verify</link> variable.
</para>

<para>
The <literal>optional</literal> parameter (0.8.7+) requests the client
certificate and verifies it if the certificate is present.
</para>

<para>
The <literal>optional_no_ca</literal> parameter (1.3.8, 1.2.5)
requests the client
certificate but does not require it to be signed by a trusted CA certificate.
This is intended for use in cases where a service external to nginx
performs the actual certificate verification.
The contents of the certificate are accessible through the
<link id="var_ssl_client_cert">$ssl_client_cert</link> variable.
</para>

</directive>


<directive name="ssl_verify_depth">
<syntax><value>number</value></syntax>
<default>1</default>
<context>http</context>
<context>server</context>

<para>
Sets the verification depth in the client certificates chain.
</para>

</directive>

</section>


<section id="errors" name="Error Processing">

<para>
The <literal>ngx_http_ssl_module</literal> module supports several
non-standard error codes that can be used for redirects using the
<link doc="ngx_http_core_module.xml" id="error_page"/> directive:
<list type="tag">

<tag-name>495</tag-name>
<tag-desc>
an error has occurred during the client certificate verification;
</tag-desc>

<tag-name>496</tag-name>
<tag-desc>
a client has not presented the required certificate;
</tag-desc>

<tag-name>497</tag-name>
<tag-desc>
a regular request has been sent to the HTTPS port.
</tag-desc>

</list>
</para>

<para>
The redirection happens after the request is fully parsed and
the variables, such as <var>$request_uri</var>,
<var>$uri</var>, <var>$args</var> and others, are available.
</para>

</section>


<section id="variables" name="Embedded Variables">

<para>
The <literal>ngx_http_ssl_module</literal> module supports
several embedded variables:
<list type="tag">

<tag-name id="var_ssl_cipher"><var>$ssl_cipher</var></tag-name>
<tag-desc>
returns the string of ciphers used
for an established SSL connection;
</tag-desc>

<tag-name id="var_ssl_ciphers"><var>$ssl_ciphers</var></tag-name>
<tag-desc>
returns the list of ciphers supported by the client (1.11.7).
Known ciphers are listed by names, unknown are shown in hexadecimal,
for example:
<example>
AES128-SHA:AES256-SHA:0x00ff
</example>
<note>
The variable is fully supported only when using OpenSSL version 1.0.2 or higher.
With older versions, the variable is available
only for new sessions and lists only known ciphers.
</note>
</tag-desc>

<tag-name id="var_ssl_client_cert"><var>$ssl_client_cert</var></tag-name>
<tag-desc>
returns the client certificate in the PEM format
for an established SSL connection, with each line except the first
prepended with the tab character;
this is intended for use in the
<link doc="ngx_http_proxy_module.xml" id="proxy_set_header"/> directive;
</tag-desc>

<tag-name id="var_ssl_client_fingerprint"><var>$ssl_client_fingerprint</var></tag-name>
<tag-desc>
returns the SHA1 fingerprint of the client certificate
for an established SSL connection (1.7.1);
</tag-desc>

<tag-name id="var_ssl_client_i_dn"><var>$ssl_client_i_dn</var></tag-name>
<tag-desc>
returns the “issuer DN” string of the client certificate
for an established SSL connection according to
<link url="https://tools.ietf.org/html/rfc2253">RFC 2253</link> (1.11.6);
</tag-desc>

<tag-name id="var_ssl_client_i_dn_legacy"><var>$ssl_client_i_dn_legacy</var></tag-name>
<tag-desc>
returns the “issuer DN” string of the client certificate
for an established SSL connection;
<note>
Prior to version 1.11.6, the variable name was <var>$ssl_client_i_dn</var>.
</note>
</tag-desc>

<tag-name id="var_ssl_client_raw_cert"><var>$ssl_client_raw_cert</var>
</tag-name>
<tag-desc>
returns the client certificate in the PEM format
for an established SSL connection;
</tag-desc>

<tag-name id="var_ssl_client_s_dn"><var>$ssl_client_s_dn</var></tag-name>
<tag-desc>
returns the “subject DN” string of the client certificate
for an established SSL connection according to
<link url="https://tools.ietf.org/html/rfc2253">RFC 2253</link> (1.11.6);
</tag-desc>

<tag-name id="var_ssl_client_s_dn_legacy"><var>$ssl_client_s_dn_legacy</var></tag-name>
<tag-desc>
returns the “subject DN” string of the client certificate
for an established SSL connection;
<note>
Prior to version 1.11.6, the variable name was <var>$ssl_client_s_dn</var>.
</note>
</tag-desc>

<tag-name id="var_ssl_client_serial"><var>$ssl_client_serial</var></tag-name>
<tag-desc>
returns the serial number of the client certificate
for an established SSL connection;
</tag-desc>

<tag-name id="var_ssl_client_v_end"><var>$ssl_client_v_end</var></tag-name>
<tag-desc>
returns the end date of the client certificate (1.11.7);
</tag-desc>

<tag-name id="var_ssl_client_v_remain"><var>$ssl_client_v_remain</var></tag-name>
<tag-desc>
returns the number of days
until the client certificate expires (1.11.7);
</tag-desc>

<tag-name id="var_ssl_client_v_start"><var>$ssl_client_v_start</var></tag-name>
<tag-desc>
returns the start date of the client certificate (1.11.7);
</tag-desc>

<tag-name id="var_ssl_client_verify"><var>$ssl_client_verify</var></tag-name>
<tag-desc>
returns the result of client certificate verification:
“<literal>SUCCESS</literal>”, “<literal>FAILED:</literal><value>reason</value>”,
and “<literal>NONE</literal>” if a certificate was not present;
<note>
Prior to version 1.11.7, the “<literal>FAILED</literal>” result
did not contain the <value>reason</value> string.
</note>
</tag-desc>

<tag-name id="var_ssl_curves"><var>$ssl_curves</var></tag-name>
<tag-desc>
returns the list of curves supported by the client (1.11.7).
Known curves are listed by names, unknown are shown in hexadecimal,
for example:
<example>
0x001d:prime256v1:secp521r1:secp384r1
</example>
<note>
The variable is supported only when using OpenSSL version 1.0.2 or higher.
With older versions, the variable value will be an empty string.
</note>
<note>
The variable is available only for new sessions.
</note>
</tag-desc>

<tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name>
<tag-desc>
returns the protocol of an established SSL connection;
</tag-desc>

<tag-name id="var_ssl_server_name"><var>$ssl_server_name</var></tag-name>
<tag-desc>
returns the server name requested through
<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">SNI</link>
(1.7.0);
</tag-desc>

<tag-name id="var_ssl_session_id"><var>$ssl_session_id</var></tag-name>
<tag-desc>
returns the session identifier of an established SSL connection;
</tag-desc>

<tag-name id="var_ssl_session_reused"><var>$ssl_session_reused</var></tag-name>
<tag-desc>
returns “<literal>r</literal>” if an SSL session was reused,
or “<literal>.</literal>” otherwise (1.5.11).
</tag-desc>

</list>
</para>
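<para>
The <var>$ssl_client_cert</var> and <var>$ssl_client_verify</var> variables above are usually forwarded to a backend with <literal>proxy_set_header</literal>; this added example (not nginx code) shows the backend side of that exchange, which also covers the <literal>ssl_verify_client</literal> case where a service external to nginx performs the actual verification. It assumes the header names <literal>X-SSL-Client-Verify</literal> and <literal>X-SSL-Client-Cert</literal>, reverses the tab folding of <var>$ssl_client_cert</var> so the PEM can be handed to an X.509 parser again, and splits <var>$ssl_client_verify</var> into its <literal>SUCCESS</literal>, <literal>FAILED:</literal><value>reason</value> and <literal>NONE</literal> forms (including the bare <literal>FAILED</literal> of versions before 1.11.7). The certificate and header values are constructed. Because <literal>proxy_set_header</literal> replaces any header of the same name sent by the client, the backend may only trust these values when every request reaches it through that nginx.
</para>

```python
"""Backend-side handling of client certificate data forwarded by nginx.

Added example; not nginx code. Header names X-SSL-Client-Verify and
X-SSL-Client-Cert are assumptions of this example; the values are constructed.
"""
import re

# Constructed placeholder certificate; the body is not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderLine1\n"
    "MIIBconstructedPlaceholderLine2\n"
    "-----END CERTIFICATE-----"
)


def fold_client_cert(pem):
    """Reproduce the $ssl_client_cert layout: every line after the first gets a tab."""
    lines = pem.strip().split("\n")
    return "\n\t".join(lines)


def unfold_client_cert(value):
    """Undo the folding so the PEM can be fed to an X.509 parser again."""
    return re.sub(r"\r?\n\t", "\n", value.strip())


def parse_client_verify(value):
    """Split $ssl_client_verify into (status, reason).

    status is SUCCESS, FAILED or NONE; reason is the text after "FAILED:",
    None for the other statuses and for the bare FAILED of nginx before 1.11.7.
    """
    value = value.strip()
    if value in ("SUCCESS", "NONE", "FAILED"):
        return value, None
    if value.startswith("FAILED:"):
        return "FAILED", value[len("FAILED:"):].strip() or None
    raise ValueError("unexpected $ssl_client_verify value: %r" % value)


def client_identity(headers):
    """Decide from the forwarded headers whether a verified client certificate is present.

    Returns 'verified', 'status', 'reason' and the unfolded 'pem'
    (None when no certificate was presented). A backend that does the
    verification itself (the optional_no_ca case) would pass 'pem' on to
    its own X.509 validation, which is outside this example.
    """
    status, reason = parse_client_verify(headers.get("X-SSL-Client-Verify", "NONE"))
    raw = headers.get("X-SSL-Client-Cert", "")
    pem = unfold_client_cert(raw) if raw.strip() else None
    return {
        "verified": status == "SUCCESS" and pem is not None,
        "status": status,
        "reason": reason,
        "pem": pem,
    }


# Constructed header sets, shaped as nginx would forward them.
VERIFIED_REQUEST = {"X-SSL-Client-Verify": "SUCCESS",
                    "X-SSL-Client-Cert": fold_client_cert(SAMPLE_PEM)}
EXPIRED_REQUEST = {"X-SSL-Client-Verify": "FAILED:certificate has expired",
                   "X-SSL-Client-Cert": fold_client_cert(SAMPLE_PEM)}
ANONYMOUS_REQUEST = {"X-SSL-Client-Verify": "NONE", "X-SSL-Client-Cert": ""}

if __name__ == "__main__":
    for name, headers in [("verified", VERIFIED_REQUEST), ("expired", EXPIRED_REQUEST),
                          ("anonymous", ANONYMOUS_REQUEST)]:
        identity = client_identity(headers)
        print(name, identity["status"], identity["reason"], identity["verified"])
```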

</section>

</module>