projects / privoxy.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Turn a reference to the show-status page into a link
[privoxy.git] / doc / source / p-config.sgml
diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml
index 29770bc..f41ec07 100644 (file)
--- a/doc/source/p-config.sgml
+++ b/doc/source/p-config.sgml
@@ -107,7 +107,7 @@ Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
       4. ACCESS CONTROL AND SECURITY                             #
       5. FORWARDING                                              #
       6. MISCELLANEOUS                                           #
-      7. TLS                                                     #
+      7. HTTPS INSPECTION (EXPERIMENTAL)                         #
       8. WINDOWS GUI OPTIONS                                     #
                                                                  #
 ##################################################################
@@ -1018,7 +1018,7 @@ actionsfile
     <programlisting>
   debug     1 # Log the destination for each request. See also debug 1024.
   debug     2 # show each connection status
-  debug     4 # show I/O status
+  debug     4 # show tagging-related messages
   debug     8 # show header parsing
   debug    16 # log all data written to the network
   debug    32 # debug force feature
@@ -1269,7 +1269,7 @@ actionsfile
     They can only be used if <application>Privoxy</application> has
     been compiled with IPv6 support. If you aren't sure if your version
     supports it, have a look at
-    <literal>http://config.privoxy.org/show-status</literal>.
+    <ulink url="http://config.privoxy.org/show-status">http://config.privoxy.org/show-status</ulink>.
    </para>
    <para>
     Some operating systems will prefer IPv6 to IPv4 addresses even if the
@@ -3900,8 +3900,16 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t</title>
 </sect2>
 
 
-<sect2 id="tls">
-<title>TLS/SSL Inspection (Experimental)</title>
+<sect2 id="https-inspection-directives">
+<title>HTTPS Inspection (Experimental)</title>
+
+<para>
+  HTTPS inspection allows to filter encrypted requests.
+  This is only supported when <application>Privoxy</application>
+  has been built with FEATURE_HTTPS_INSPECTION.
+  If you aren't sure if your version supports it, have a look at
+  <ulink url="http://config.privoxy.org/show-status">http://config.privoxy.org/show-status</ulink>.
+</para>
 
 <!--   ~~~~~       New section      ~~~~~     -->
 
@@ -4018,7 +4026,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t</title>
    </para>
    <para>
     The file can be generated with:
-    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
+    <command>openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650</command>
    </para>
   </listitem>
  </varlistentry>
@@ -4074,9 +4082,9 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t</title>
   <term>Notes:</term>
   <listitem>
    <para>
-    This directive specifies the name of the CA key file
-    in ".pem" format. See the <ulink url="#CA-CERT-FILE">ca-cert-file</ulink>
-    for a command to generate it.
+    This directive specifies the name of the CA key file in ".pem" format.
+    The <ulink url="#CA-CERT-FILE">ca-cert-file section</ulink> contains
+    a command to generate it.
    </para>
   </listitem>
  </varlistentry>
@@ -4240,6 +4248,131 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t</title>
 
 <!--   ~~~~~       New section      ~~~~~     -->
 
+<sect3 renderas="sect4" id="cipher-list"><title>cipher-list</title>
+<variablelist>
+ <varlistentry>
+  <term>Specifies:</term>
+  <listitem>
+   <para>
+    A list of ciphers to use in TLS handshakes
+   </para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Type of value:</term>
+  <listitem>
+   <para>
+    Text
+   </para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Default value:</term>
+  <listitem>
+   <para>None</para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Effect if unset:</term>
+  <listitem>
+   <para>
+    A default value is inherited from the TLS library.
+   </para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Notes:</term>
+  <listitem>
+   <para>
+    This directive allows to specify a non-default list of ciphers to use
+    in TLS handshakes with clients and servers.
+   </para>
+   <para>
+    Ciphers are separated by colons. Which ciphers are supported
+    depends on the TLS library. When using OpenSSL, unsupported ciphers
+    are skipped. When using MbedTLS they are rejected.
+   </para>
+   <warning>
+    <para>
+     Specifying an unusual cipher list makes fingerprinting easier.
+     Note that the default list provided by the TLS library may
+     be unusual when compared to the one used by modern browsers
+     as well.
+    </para>
+   </warning>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Examples:</term>
+  <listitem>
+   <screen>
+    # Explicitly set a couple of ciphers with names used by MbedTLS
+    cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+   </screen>
+   <screen>
+    # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+   </screen>
+   <screen>
+    # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+    cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+   </screen>
+  </listitem>
+ </varlistentry>
+</variablelist>
+</sect3>
+
+<!--  ~  End section  ~  -->
+
+<!--   ~~~~~       New section      ~~~~~     -->
+
 <sect3 renderas="sect4" id="trusted-cas-file"><title>trusted-cas-file</title>
 <variablelist>
  <varlistentry>
@@ -4281,7 +4414,9 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t</title>
    </para>
    <para>
     An example file can be downloaded from
-    <ulink url="https://curl.haxx.se/ca/cacert.pem">https://curl.haxx.se/ca/cacert.pem</ulink>.
+    <ulink url="https://curl.se/ca/cacert.pem">https://curl.se/ca/cacert.pem</ulink>.
+    If you want to create the file yourself, please see:
+    <ulink url="https://curl.se/docs/caextract.html">https://curl.se/docs/caextract.html</ulink>.
    </para>
   </listitem>
  </varlistentry>
The official Privoxy git repository