added documentation for ssl options

2012-07-26 13:39:21 +02:00 · 2012-07-26 13:39:21 +02:00 · daa6ca8b5e
parent 1f62715e87
commit daa6ca8b5e
7 changed files with 155 additions and 4 deletions
--- a/Doxygen/Examples.ArangoDB/openssl-ciphers
+++ b/Doxygen/Examples.ArangoDB/openssl-ciphers
@ -0,0 +1,8 @@
+> openssl ciphers -v
+
+ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
+ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
+DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
+DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
+DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
+...
--- a/Doxygen/Examples.ArangoDB/openssl-options
+++ b/Doxygen/Examples.ArangoDB/openssl-options
@ -0,0 +1,9 @@
+> grep "#define SSL_OP_.*" /usr/include/openssl/ssl.h
+
+#define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x00000001L
+#define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x00000002L
+#define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
+#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
+...
--- a/Doxygen/Examples.ArangoDB/server-keyfile
+++ b/Doxygen/Examples.ArangoDB/server-keyfile
@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+
+(base64 encoded certificate)
+
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+
+(base64 encoded private key)
+
+-----END RSA PRIVATE KEY-----
--- a/Doxygen/Examples.ArangoDB/server-keyfile-openssl
+++ b/Doxygen/Examples.ArangoDB/server-keyfile-openssl
@ -0,0 +1,17 @@
+# create private key in file "server.key"
+openssl genrsa -des3 -out server.key 1024
+
+# create certificate signing request (csr) in file "server.csr"
+openssl req -new -key server.key -out server.csr
+
+# copy away original private key to "server.key.org"
+cp server.key server.key.org
+
+# remove passphrase from the private key
+openssl rsa -in server.key.org -out server.key
+
+# sign the csr with the key, creates certificate file "server.crt"
+openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+
+# combine certificate and key into single file "ssl.keyfile"
+cat server.crt server.key > ssl.keyfile
--- a/arangod/Documentation/command-line-options.dox
+++ b/arangod/Documentation/command-line-options.dox
@ -47,6 +47,12 @@
 ///     <ul>
 ///      <li>@ref CommandLineArangoEndpoint "server.endpoint"</li>
 ///      <li>@ref CommandLineArangoDisableAuthentication "server.disable-authentication"</li>
+///      <li>@ref CommandLineArangoKeyFile "server.keyfile"</li>
+///      <li>@ref CommandLineArangoCaFile "server.cafile"</li>
+///      <li>@ref CommandLineArangoSslProtocol "server.ssl-protocol</li>
+///      <li>@ref CommandLineArangoSslCacheMode "server.ssl-cache-mode</li>
+///      <li>@ref CommandLineArangoSslOptions "server.ssl-options</li>
+///      <li>@ref CommandLineArangoSslCipherList "server.ssl-cipher-list</li>
 ///      <li>@ref CommandLineArangoDirectory "database.directory"</li>
 ///      <li>@ref CommandLineArangoMaximalJournalSize "database.maximal-journal-size"</li>
 ///      <li>@ref CommandLineArangoWaitForSync "database.wait-for-sync"</li>
@ -163,8 +169,26 @@
 /// @anchor CommandLineArangoDisableAuthentication
 /// @copydetails triagens::arango::ArangoServer::_disableAuthentication
 ///
+/// @anchor CommandLineArangoKeyFile
+/// @copydetails triagens::rest::ApplicationHttpsServer::_httpsKeyfile
+///
+/// @anchor CommandLineArangoCaFile
+/// @copydetails triagens::rest::ApplicationHttpsServer::_cafile
+///
+/// @anchor CommandLineArangoSslProtocol
+/// @copydetails triagens::rest::ApplicationHttpsServer::_sslProtocol
+///
+/// @anchor CommandLineArangoSslCacheMode
+/// @copydetails triagens::rest::ApplicationHttpsServer::_sslCacheMode
+///
+/// @anchor CommandLineArangoSslOptions
+/// @copydetails triagens::rest::ApplicationHttpsServer::_sslOptions
+///
+/// @anchor CommandLineArangoSslCipherList
+/// @copydetails triagens::rest::ApplicationHttpsServer::_sslCipherList
+///
 /// @anchor CommandLineArangoDisableAdminInterface
-/// @CMDOPT{--disable-admin-interface}
+/// @CMDOPT{--server.disable-admin-interface}
 ///
 /// If this option is specified, then the HTML admininstration interface at 
 /// URL http://server:port/ will be disabled and cannot used by any user at all.
--- a/arangod/RestServer/ArangoServer.h
+++ b/arangod/RestServer/ArangoServer.h
@ -326,7 +326,7 @@ namespace triagens {
 ///
 /// @CMDOPT{--server.disable-authentication @CA{value}}
 ///
-/// Settings @CA{value} to true will turn off authentication on the server side
+/// Setting @CA{value} to true will turn off authentication on the server side
 /// so all clients can execute any action without authorisation and privilege
 /// checks.
 ///
--- a/lib/HttpsServer/ApplicationHttpsServer.h
+++ b/lib/HttpsServer/ApplicationHttpsServer.h
@ -233,37 +233,120 @@ namespace triagens {
        vector<HttpsServer*> _httpsServers;

 ////////////////////////////////////////////////////////////////////////////////
-/// @brief keyfile
+/// @brief keyfile containing server certificate
+///
+/// @CMDOPT{--server.keyfile @CA{filename}}
+///
+/// If SSL encryption is used, this option must be used to specify the filename
+/// of the server private key. The file must contain both an X509 certificate and
+/// the server's private key.
+///
+/// The file specified by @CA{filename} should have the following structure:
+///
+/// @verbinclude server-keyfile
+///
+/// You may use certificates issued by a Certificate Authority or self-signed
+/// certificates. Self-signed certificates can be created by a tool of your 
+/// choice. When using OpenSSL for creating the self-signed certificate, the 
+/// following commands should create a keyfile:
+/// 
+/// @verbinclude server-keyfile-openssl
+///
+/// For further information please check the manuals of the tools you use to
+/// create the certificate.
+///
+/// Note: the --server.keyfile option must be set if the server is started with 
+/// at least one SSL endpoint.
 ////////////////////////////////////////////////////////////////////////////////

        string _httpsKeyfile;

 ////////////////////////////////////////////////////////////////////////////////
 /// @brief CA file
+///
+/// @CMDOPT{--server.cafile @CA{filename}}
+///
+/// This option can be used to specify the file which contains the CA certificates
+/// of clients.
+///
+/// TODO
+///
+/// Note: this option is only relevant if at least one SSL endpoint is used.
 ////////////////////////////////////////////////////////////////////////////////

        string _cafile;

 ////////////////////////////////////////////////////////////////////////////////
-/// @brief ssl protocol to use
+/// @brief SSL protocol type to use
+///
+/// @CMDOPT{--server.ssl-protocol @CA{value}}
+///
+/// Use this option to specify the default encryption protocol to be used. 
+/// The following variants are available:
+/// - 1: SSLv2
+/// - 2: SSLv23
+/// - 3: SSLv3
+/// - 4: TLSv1
+///
+/// The default @CA{value} is 4 (i.e. TLSv1).
+///
+/// Note: this option is only relevant if at least one SSL endpoint is used.
 ////////////////////////////////////////////////////////////////////////////////

        uint32_t _sslProtocol;

 ////////////////////////////////////////////////////////////////////////////////
 /// @brief ssl cache mode to use
+///
+/// @CMDOPT{--server.ssl-cache-mode @CA{value}}
+///
+/// TODO
+///
+/// Note: this option is only relevant if at least one SSL endpoint is used.
 ////////////////////////////////////////////////////////////////////////////////

        uint64_t _sslCacheMode;

 ////////////////////////////////////////////////////////////////////////////////
 /// @brief ssl options to use
+///
+/// @CMDOPT{--server.ssl-options @CA{value}}
+///
+/// This option can be used to set various SSL-related options. Individual 
+/// option values must be combined using bitwise OR.
+///
+/// Which options are available on your platform is determined by the OpenSSL
+/// version you use. The list of options available on your platform might be
+/// retrieved by the following shell command:
+///
+/// @verbinclude openssl-options
+///
+/// A description of the options can be found online in the OpenSSL documentation 
+/// at: http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
+/// 
+/// Note: this option is only relevant if at least one SSL endpoint is used.
 ////////////////////////////////////////////////////////////////////////////////

        uint64_t _sslOptions;

 ////////////////////////////////////////////////////////////////////////////////
 /// @brief ssl cipher list to use
+/// 
+/// @CMDOPT{--server.ssl-cipher-list @CA{cipher-list}}
+///
+/// This option can be used to restrict the server to certain SSL ciphers only,
+/// and to define the relative usage preference of SSL ciphers.
+///
+/// The format of @CA{cipher-list} is documented in the OpenSSL documentation.
+///  
+/// To check which ciphers are available on your platform, you may use the 
+/// following shell command:
+/// 
+/// @verbinclude openssl-ciphers
+///
+/// The default value for @CA{cipher-list} is "ALL".
+/// 
+/// Note: this option is only relevant if at least one SSL endpoint is used.
 ////////////////////////////////////////////////////////////////////////////////

        string _sslCipherList;