X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fsource%2Fp-config.sgml;h=5f6e1e0607849f9b0b5c4d8de8f7cb5a7a64e0bb;hp=d1fbf295ec7678aa2961a67e292f385e7687b6d8;hb=5c80f4bb5ef69a76b7051dbb50c3404ef4501b01;hpb=6235cc02e3f789fd39b1d72fadeb776ec3920572 diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml index d1fbf295..5f6e1e06 100644 --- a/doc/source/p-config.sgml +++ b/doc/source/p-config.sgml @@ -107,7 +107,7 @@ Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/ 4. ACCESS CONTROL AND SECURITY # 5. FORWARDING # 6. MISCELLANEOUS # - 7. TLS # + 7. HTTPS INSPECTION (EXPERIMENTAL) # 8. WINDOWS GUI OPTIONS # # ################################################################## @@ -1018,7 +1018,7 @@ actionsfile debug 1 # Log the destination for each request. See also debug 1024. debug 2 # show each connection status - debug 4 # show I/O status + debug 4 # show tagging-related messages debug 8 # show header parsing debug 16 # log all data written to the network debug 32 # debug force feature @@ -1269,7 +1269,7 @@ actionsfile They can only be used if Privoxy has been compiled with IPv6 support. If you aren't sure if your version supports it, have a look at - http://config.privoxy.org/show-status. + http://config.privoxy.org/show-status. Some operating systems will prefer IPv6 to IPv4 addresses even if the @@ -1630,7 +1630,7 @@ actionsfile - Examples: + Example: enforce-blocks 1 @@ -2508,7 +2508,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: forwarded-connect-retries 1 @@ -2585,7 +2585,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: accept-intercepted-requests 1 @@ -2643,7 +2643,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: allow-cgi-request-crunching 1 
@@ -2710,7 +2710,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: split-large-forms 1 @@ -2793,7 +2793,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: keep-alive-timeout 300 @@ -2862,7 +2862,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: tolerate-pipelining 1 @@ -2943,7 +2943,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: default-server-timeout 60 @@ -3042,7 +3042,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: connection-sharing 1 @@ -3098,7 +3098,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: socket-timeout 300 @@ -3186,7 +3186,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: max-client-connections 256 @@ -3265,7 +3265,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: listen-backlog 4096 @@ -3336,7 +3336,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: enable-accept-filter 1 @@ -3632,12 +3632,6 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Notes: - - - This is an experimental feature. The syntax is likely to change - in future versions. - - Client-specific tags allow Privoxy admins to create different profiles and let the users chose which one they want without @@ -3671,7 +3665,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Clients can request tags to be set by using the CGI interface http://config.privoxy.org/client-tags. The specific tag description is only used on the web page and should - be phrased in away that the user understand the effect of the tag. + be phrased in away that the user understands the effect of the tag. 
@@ -3683,6 +3677,11 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t # that are enabled based on CLIENT-TAG patterns. client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions client-specific-tag disable-content-filters Disable content-filters but do not affect other actions + client-specific-tag overrule-redirects Overrule redirect sections + client-specific-tag allow-cookies Do not crunch cookies in either direction + client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits) + client-specific-tag no-https-inspection Disable HTTPS inspection + client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled @@ -3718,12 +3717,6 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Notes: - - - This is an experimental feature. The syntax is likely to change - in future versions. - - In case of some tags users may not want to enable them permanently, but only for a short amount of time, for example to circumvent a block @@ -3739,7 +3732,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: # Increase the time to life for temporarily enabled tags to 3 minutes @@ -3779,12 +3772,6 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Notes: - - - This is an experimental feature. The syntax is likely to change - in future versions. - - If clients reach Privoxy through another proxy, for example a load balancer, Privoxy can't tell the client's IP address from the connection. @@ -3811,7 +3798,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: # Allow systems that can reach Privoxy to provide the client @@ -3884,7 +3871,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: # Increase the receive buffer size 
@@ -3900,8 +3887,16 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - -TLS/SSL Inspection + +HTTPS Inspection (Experimental) + + + HTTPS inspection allows to filter encrypted requests and responses. + This is only supported when Privoxy + has been built with FEATURE_HTTPS_INSPECTION. + If you aren't sure if your version supports it, have a look at + http://config.privoxy.org/show-status. + @@ -3952,7 +3947,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: ca-directory /usr/local/etc/privoxy/CA @@ -4018,12 +4013,12 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t The file can be generated with: - openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 + openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 - Examples: + Example: ca-cert-file root.crt @@ -4074,14 +4069,14 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Notes: - This directive specifies the name of the CA key file - in ".pem" format. See the ca-cert-file - for a command to generate it. + This directive specifies the name of the CA key file in ".pem" format. + The ca-cert-file section contains + a command to generate it. - Examples: + Example: ca-key-file cakey.pem @@ -4143,7 +4138,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: ca-password blafasel 
@@ -4206,13 +4201,26 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t and the ca-cert-key. - The permissions should only let &my-app; and the &my-app; + The permissions should only let &my-app; and the &my-app; admin access the directory. + + + &my-app; currently does not garbage-collect obsolete keys + and certificates and does not keep track of how may keys + and certificates exist. + + + &my-app; admins should monitor the size of the directory + and/or make sure there is sufficient space available. + A cron job to limit the number of keys and certificates + to a certain number may be worth considering. + + - Examples: + Example: certificate-directory /usr/local/var/privoxy/certs 
@@ -4227,6 +4235,131 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t +cipher-list + + + Specifies: + + + A list of ciphers to use in TLS handshakes + + + + + Type of value: + + + Text + + + + + Default value: + + None + + + + Effect if unset: + + + A default value is inherited from the TLS library. + + + + + Notes: + + + This directive allows to specify a non-default list of ciphers to use + in TLS handshakes with clients and servers. + + + Ciphers are separated by colons. Which ciphers are supported + depends on the TLS library. When using OpenSSL, unsupported ciphers + are skipped. When using MbedTLS they are rejected. + + + + Specifying an unusual cipher list makes fingerprinting easier. + Note that the default list provided by the TLS library may + be unusual when compared to the one used by modern browsers + as well. + + + + + + Examples: + + + # Explicitly set a couple of ciphers with names used by MbedTLS + cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\ +TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\ +TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\ +TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\ +TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-DHE-RSA-WITH-AES-256-CCM:\ +TLS-DHE-RSA-WITH-AES-256-CCM-8:\ +TLS-DHE-RSA-WITH-AES-128-CCM:\ +TLS-DHE-RSA-WITH-AES-128-CCM-8:\ +TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\ 
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 + + + # Explicitly set a couple of ciphers with names used by OpenSSL +cipher-list ECDHE-RSA-AES256-GCM-SHA384:\ +ECDHE-ECDSA-AES256-GCM-SHA384:\ +DH-DSS-AES256-GCM-SHA384:\ +DHE-DSS-AES256-GCM-SHA384:\ +DH-RSA-AES256-GCM-SHA384:\ +DHE-RSA-AES256-GCM-SHA384:\ +ECDH-RSA-AES256-GCM-SHA384:\ +ECDH-ECDSA-AES256-GCM-SHA384:\ +ECDHE-RSA-AES128-GCM-SHA256:\ +ECDHE-ECDSA-AES128-GCM-SHA256:\ +DH-DSS-AES128-GCM-SHA256:\ +DHE-DSS-AES128-GCM-SHA256:\ +DH-RSA-AES128-GCM-SHA256:\ +DHE-RSA-AES128-GCM-SHA256:\ +ECDH-RSA-AES128-GCM-SHA256:\ +ECDH-ECDSA-AES128-GCM-SHA256:\ +ECDHE-RSA-AES256-GCM-SHA384:\ +AES128-SHA + + + # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS) + cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH + + + + + + + + + + trusted-cas-file @@ -4268,12 +4401,14 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t An example file can be downloaded from - https://curl.haxx.se/ca/cacert.pem. + https://curl.se/ca/cacert.pem. + If you want to create the file yourself, please see: + https://curl.se/docs/caextract.html. - Examples: + Example: trusted-cas-file trusted_cas_file.pem
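Review bot: in the hunk at @@ -3683 the new `no-tls-verification` example says "when http-inspection is enabled" while the tag added on the line above is named `no-https-inspection`; write "https-inspection" for consistency. Because this tag lets a client switch off certificate verification for its inspected connections, the description should also state that enabling it removes protection against man-in-the-middle attacks on the server side, so the user understands the effect of the tag as the notes in this section require.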
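Review bot: the wording fix in the hunk at @@ -3665 corrects "understand" to "understands" but leaves "in away" unchanged; the line should read "be phrased in a way that the user understands the effect of the tag."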
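Review bot: in the hunk at @@ -3900, "HTTPS inspection allows to filter encrypted requests and responses" is ungrammatical; suggest "HTTPS inspection makes it possible to filter encrypted requests and responses." Since the section is now labelled experimental, the introduction would also be more useful if it pointed readers at the ca-cert-file, ca-key-file and certificate-directory directives that follow, which the feature depends on, instead of only at the show-status page.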
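Review bot: typo in the note added in the hunk at @@ -4206: "how may keys" should be "how many keys". The suggestion that "a cron job to limit the number of keys and certificates ... may be worth considering" is vague for an admin who has to write that job; the directive documentation should say which files in the directory can be removed safely, bearing in mind that the paragraph above restricts access to the directory because it holds private keys.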
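Review bot: the first example in the cipher-list hunk at @@ -4227 is broken: the line reads `cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\`, so the directive name is repeated and the value starts with a bogus cipher named "cipher-list", which OpenSSL would skip but MbedTLS, according to the notes in the same hunk, would reject. Drop the duplicate. The OpenSSL example also lists `ECDHE-RSA-AES256-GCM-SHA384` twice and ends with `AES128-SHA`, a static-RSA suite without forward secrecy, next to the static `DH-*`/`ECDH-*` suites; an example in a security-relevant directive should prefer ephemeral key exchange or say why those suites are included. Minor: "This directive allows to specify" should read "This directive allows specifying".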
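Review bot: the URL change in the trusted-cas-file hunk at @@ -4268 is fine, but since this file decides which upstream server certificates Privoxy accepts when inspecting HTTPS, the documentation should recommend verifying the downloaded bundle against the checksum curl publishes alongside it rather than installing whatever the download returns.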