The GwebSS secure server

Check the SSL introduction for a brief explanation of Secure Communications, and for information about how you can obtain the certificates needed.


GwebSS command-line parameters

  gwebss [standard GwebS parameters...]
         [-sslcf  | -SSLCertificateFile] (required)
         [-sslckf | -SSLCertificateKeyFile]
         [-sslckp | -SSLCertificateKeyPass]
         [-sslca  | -SSLCaCertificateFile]
         [-sslcap | -SSLCaCertificatePath]
         [-sslvc  | -SSLVerifyClient]
         [-sslvd  | -SSLVerifyDepth]
         [-sslto  | -SSLSessionCacheTimeout]

These parameters have the same names as the SSL configuration file directives described below. A command-line parameter overrides the corresponding configuration file directive.


GwebSS configuration file directives

All configuration file directives available for the GwebS standard server can be used with GwebSS. In addition, the following directives may be specified:


SSLCertificateFile filename

This parameter is required.

Identifies the Certificate file for the server and, optionally, also the corresponding Private Key if it is stored in the same file.

If the contained Private Key is encrypted the passphrase must be given (see SSLCertificateKeyPass).

If the supplied filename starts with the four characters pem:, the file must be in PEM format (default). To supply a DER-encoded certificate, precede the file name with der:.


SSLCertificateKeyFile filename

Identifies the Private Key file for the server. If the Private Key is not combined with the Certificate in the SSLCertificateFile, use this additional directive to point to the file with the stand-alone Private Key.

If the contained Private Key is encrypted the passphrase must be given (see SSLCertificateKeyPass).

If the supplied filename starts with the four characters pem:, the file must be in PEM format (default). To supply a DER-encoded file, precede the file name with der:.


SSLCertificateKeyPass passphrase

Specifies the optional passphrase for the encrypted Private Key contained in SSLCertificateFile or SSLCertificateKeyFile.


SSLCaCertificateFile filename

For Client Authentication: Identifies the file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with.

Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference.


SSLCaCertificatePath directoryname

For Client Authentication: Identifies the directory where you keep the Certificates of Certification Authorities (CA) whose clients you deal with.

The files in this directory have to be PEM-encoded and are accessed through hash filenames. You can't just place the Certificate files there; you also have to create symbolic links named "hash-value.N" that point to them. Always make sure this directory contains the appropriate symbolic links, and recreate them whenever a CA certificate is added or replaced.
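The directive above says the CA directory is looked up by "hash-value.N" filenames rather than by the certificate file names themselves. The following script, added here as an example and not part of GwebSS, creates those links: it obtains the OpenSSL subject-name hash of each PEM file with the real openssl command-line tool (`openssl x509 -noout -hash`) and links `hash.N` to the file, incrementing N when two CAs share a hash. The function names and the constructed self-signed test CA are this example's own assumptions.

```python
"""Build the hash-named symbolic links an SSLCaCertificatePath directory needs.

Added example, not GwebSS code: the directory is looked up by 'hash-value.N'
filenames, so we compute the subject hash with the openssl CLI and create the
links. Function names and the constructed test CA are this example's own.
"""
import os
import re
import shutil
import subprocess
import tempfile


def openssl_available() -> bool:
    """True when the openssl command-line tool is on PATH."""
    return shutil.which("openssl") is not None


def subject_hash(cert_path: str) -> str:
    """Return the 8-hex-digit OpenSSL subject hash used for CA directory lookups."""
    out = subprocess.run(["openssl", "x509", "-noout", "-hash", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout.strip()
    if not re.fullmatch(r"[0-9a-f]{8}", out):
        raise ValueError(f"unexpected hash output for {cert_path}: {out!r}")
    return out


def rehash_ca_dir(directory: str) -> list:
    """Create 'hash.N' links for every PEM file in directory; return new link names.

    Links that already point at the right file are reused, so running this
    twice does not duplicate entries. N is incremented when two different CA
    certificates share a subject hash, which is what the '.N' suffix is for.
    """
    created = []
    for name in sorted(os.listdir(directory)):
        if not (name.endswith(".pem") or name.endswith(".crt")):
            continue  # private keys and other files are never linked
        h = subject_hash(os.path.join(directory, name))
        n = 0
        while True:
            link = os.path.join(directory, f"{h}.{n}")
            if not os.path.lexists(link):
                os.symlink(name, link)  # relative target keeps the directory movable
                created.append(f"{h}.{n}")
                break
            if os.readlink(link) == name:  # already linked to this certificate
                break
            n += 1
    return created


def make_constructed_ca_dir() -> str:
    """Constructed test fixture: a temp directory holding one self-signed CA cert.

    The key is written beside the certificate only for this fixture; a real
    SSLCaCertificatePath directory should hold CA certificates only.
    """
    d = tempfile.mkdtemp(prefix="gwebss-ca-")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=Constructed Test CA",
                    "-keyout", os.path.join(d, "ca.key"),
                    "-out", os.path.join(d, "ca.pem")],
                   check=True, capture_output=True)
    return d


if __name__ == "__main__":
    import sys
    # Usage: python rehash.py /path/to/SSLCaCertificatePath
    print("\n".join(rehash_ca_dir(sys.argv[1])))
```

The same result can be obtained with `openssl rehash <directory>` (or the older `c_rehash` script) on OpenSSL 1.1.0 and later; the script above mainly makes the naming rule visible. Because lookups go through the links, a CA certificate whose link is missing or stale is silently not trusted, which is why the directory should be rehashed after every change.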


SSLVerifyClient level

This directive sets the Certificate verification level for Client Authentication, which takes place during the standard SSL handshake when a connection is established.

The following settings are available for level:
0: no client Certificate is required at all (default)
1: the client may present a valid Certificate
2: the client has to present a valid Certificate
3: the client may present a valid Certificate, but it need not be (successfully) verifiable.

SSLVerifyDepth depth

This directive sets how deep a certificate chain GwebSS verifies before deciding that the client does not have a valid certificate. The depth is the maximum number of intermediate certificate issuers.

The following settings are available for depth:
0 means that self-signed client certificates are accepted only
1 (default) means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCaCertificatePath), etc.
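The following example, added here and not taken from GwebSS, models the directives documented on this page: the short command-line switches and their directive names, the rule that a command-line parameter overrides the configuration file, the pem:/der: filename prefix, the four SSLVerifyClient levels and the SSLVerifyDepth meanings listed above. The directive names and defaults come from the page; the parser, the merge function, the `GwebSSConfig` class and the mapping onto Python's `ssl` verify modes are this example's own assumptions.

```python
"""Model of the GwebSS SSL directives: parse, merge, and interpret them.

Added example, not GwebSS code. Directive names, aliases and defaults are from
the documentation; everything else (functions, dataclass, ssl mapping) is ours.
"""
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

# Short command-line switch -> configuration file directive (from the page).
ALIASES = {
    "-sslcf": "SSLCertificateFile", "-sslckf": "SSLCertificateKeyFile",
    "-sslckp": "SSLCertificateKeyPass", "-sslca": "SSLCaCertificateFile",
    "-sslcap": "SSLCaCertificatePath", "-sslvc": "SSLVerifyClient",
    "-sslvd": "SSLVerifyDepth", "-sslto": "SSLSessionCacheTimeout",
}
DIRECTIVES = set(ALIASES.values())

# Constructed sample configuration file (not a real GwebSS file).
SAMPLE_CONFIG = """\
# constructed gwebss configuration
SSLCertificateFile     pem:/etc/gwebss/server.pem
SSLCertificateKeyFile  der:/etc/gwebss/server.key
SSLCaCertificatePath   /etc/gwebss/clientca
SSLVerifyClient        1
SSLVerifyDepth         2
"""


def parse_config_file(text: str) -> dict:
    """Parse 'Directive value' lines; '#' comments and blank lines are skipped."""
    out = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            out[parts[0]] = parts[1].strip()
    return out


def parse_command_line(argv: list) -> dict:
    """Accept both the short '-sslcf file' and the long '-SSLCertificateFile file' forms.

    Anything else is a standard GwebS parameter and is left alone. Note that a
    passphrase given with -sslckp is visible in the process list; the file
    directive is the safer place for it.
    """
    out, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        name = ALIASES.get(arg)
        if name is None and arg.startswith("-") and arg[1:] in DIRECTIVES:
            name = arg[1:]
        if name is None:
            i += 1
            continue
        if i + 1 >= len(argv):
            raise ValueError(f"{arg} needs a value")
        out[name] = argv[i + 1]
        i += 2
    return out


def merge(config_file: dict, command_line: dict) -> dict:
    """Command-line parameters override the corresponding file directives."""
    merged = dict(config_file)
    merged.update(command_line)
    if "SSLCertificateFile" not in merged:
        raise ValueError("SSLCertificateFile is required")
    return merged


def split_encoding(filename: str) -> Tuple[str, str]:
    """Return (format, path): a 'pem:' or 'der:' prefix selects the format, PEM is default."""
    for prefix in ("pem:", "der:"):
        if filename.startswith(prefix):
            return prefix[:-1], filename[len(prefix):]
    return "pem", filename


def verify_mode(level: int) -> Tuple[ssl.VerifyMode, bool]:
    """Map an SSLVerifyClient level to (ssl verify mode, must the cert verify?).

    Level 3 (certificate may be presented but need not verify) has no direct
    stdlib equivalent, so it is expressed as 'ask for it, do not require it to
    verify' and the caller must do its own post-handshake checking.
    """
    table = {0: (ssl.CERT_NONE, False), 1: (ssl.CERT_OPTIONAL, True),
             2: (ssl.CERT_REQUIRED, True), 3: (ssl.CERT_OPTIONAL, False)}
    if level not in table:
        raise ValueError(f"SSLVerifyClient level must be 0..3, got {level}")
    return table[level]


def depth_allows(issuers_above_leaf: int, depth: int) -> bool:
    """SSLVerifyDepth as listed above: depth 0 accepts only self-signed client
    certificates (no issuer above the leaf), depth 1 also one directly known CA, etc."""
    return 0 <= issuers_above_leaf <= depth


@dataclass
class GwebSSConfig:
    cert_file: str
    cert_format: str
    key_file: Optional[str]
    key_format: Optional[str]
    key_pass: Optional[str]
    ca_file: Optional[str]
    ca_path: Optional[str]
    verify_client: int
    verify_depth: int
    session_timeout: int


def build_config(config_text: str, argv: list) -> GwebSSConfig:
    """Resolve file directives plus command line into one validated configuration."""
    m = merge(parse_config_file(config_text), parse_command_line(argv))
    cert_fmt, cert = split_encoding(m["SSLCertificateFile"])
    key_fmt, key = (None, None)
    if "SSLCertificateKeyFile" in m:
        key_fmt, key = split_encoding(m["SSLCertificateKeyFile"])
    level = int(m.get("SSLVerifyClient", 0))
    verify_mode(level)  # rejects levels outside 0..3
    depth = int(m.get("SSLVerifyDepth", 1))
    timeout = int(m.get("SSLSessionCacheTimeout", 300))
    if depth < 0 or timeout < 0:
        raise ValueError("SSLVerifyDepth and SSLSessionCacheTimeout must be non-negative")
    return GwebSSConfig(cert, cert_fmt, key, key_fmt, m.get("SSLCertificateKeyPass"),
                        m.get("SSLCaCertificateFile"), m.get("SSLCaCertificatePath"),
                        level, depth, timeout)
```

Running `build_config(SAMPLE_CONFIG, ["-port", "8443", "-sslvc", "2", "-SSLVerifyDepth", "1"])` yields a configuration with verify level 2 and depth 1, because the command line wins over the file's 1 and 2, while the certificate paths and the default session timeout of 300 come from the file and the documented defaults.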

SSLSessionCacheTimeout seconds

This directive sets the timeout for the information stored in the global/inter-process SSL Session Cache and the OpenSSL internal memory cache.

The default is 300 (5 minutes), but it should be tuned to match the usage characteristics of the application in question.