From 6b10a73f9b7e6c2027fa4aeef438385e4a73bde8 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 6 Oct 2020 16:04:58 +0200
Subject: [PATCH] Rebuild docs

---
 doc/webserver/user-manual/actions-file.html |   2 +-
 doc/webserver/user-manual/appendix.html     |  16 +-
 doc/webserver/user-manual/config.html       | 168 +++++++++++++++++---
 doc/webserver/user-manual/index.html        |   3 +-
 4 files changed, 156 insertions(+), 33 deletions(-)
diff --git a/doc/webserver/user-manual/actions-file.html b/doc/webserver/user-manual/actions-file.html
index da04b8a3..68c0b5e8 100644
--- a/doc/webserver/user-manual/actions-file.html
+++ b/doc/webserver/user-manual/actions-file.html
@@ -73,7 +73,7 @@
         <p>The default profiles, and their associated actions, as pre-defined in <tt class=
         "FILENAME">default.action</tt> are:</p>
         <div class="TABLE">
-          <a name="AEN3092" id="AEN3092"></a>
+          <a name="AEN3124" id="AEN3124"></a>
           <p><b>Table 1. Default Configurations</b></p>
           <table border="1" frame="border" rules="all" class="CALSTABLE">
             <col width="1*" title="C1">
diff --git a/doc/webserver/user-manual/appendix.html b/doc/webserver/user-manual/appendix.html
index c7ceecb7..0f598070 100644
--- a/doc/webserver/user-manual/appendix.html
+++ b/doc/webserver/user-manual/appendix.html
@@ -202,7 +202,7 @@
       these. If not, you will get a friendly error message. Internet access is not necessary either.</p>
       <ul>
         <li>
-          <p>Privoxy main page:</p><a name="AEN6292" id="AEN6292"></a>
+          <p>Privoxy main page:</p><a name="AEN6324" id="AEN6324"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/" target="_top">http://config.privoxy.org/</a></p>
           </blockquote>
@@ -211,7 +211,7 @@
           "APPLICATION">Privoxy</span>)</p>
         </li>
         <li>
-          <p>View and toggle client tags:</p><a name="AEN6300" id="AEN6300"></a>
+          <p>View and toggle client tags:</p><a name="AEN6332" id="AEN6332"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/client-tags" target=
             "_top">http://config.privoxy.org/client-tags</a></p>
@@ -219,21 +219,21 @@
         </li>
         <li>
           <p>Show information about the current configuration, including viewing and editing of actions
-          files:</p><a name="AEN6305" id="AEN6305"></a>
+          files:</p><a name="AEN6337" id="AEN6337"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/show-status" target=
             "_top">http://config.privoxy.org/show-status</a></p>
           </blockquote>
         </li>
         <li>
-          <p>Show the browser's request headers:</p><a name="AEN6310" id="AEN6310"></a>
+          <p>Show the browser's request headers:</p><a name="AEN6342" id="AEN6342"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/show-request" target=
             "_top">http://config.privoxy.org/show-request</a></p>
           </blockquote>
         </li>
         <li>
-          <p>Show which actions apply to a URL and why:</p><a name="AEN6315" id="AEN6315"></a>
+          <p>Show which actions apply to a URL and why:</p><a name="AEN6347" id="AEN6347"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/show-url-info" target=
             "_top">http://config.privoxy.org/show-url-info</a></p>
@@ -242,15 +242,15 @@
         <li>
           <p>Toggle Privoxy on or off. This feature can be turned off/on in the main <tt class="FILENAME">config</tt>
           file. When toggled <span class="QUOTE">"off"</span>, <span class="QUOTE">"Privoxy"</span> continues to run,
-          but only as a pass-through proxy, with no actions taking place:</p><a name="AEN6323" id="AEN6323"></a>
+          but only as a pass-through proxy, with no actions taking place:</p><a name="AEN6355" id="AEN6355"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/toggle" target="_top">http://config.privoxy.org/toggle</a></p>
           </blockquote>
-          <p>Short cuts. Turn off, then on:</p><a name="AEN6327" id="AEN6327"></a>
+          <p>Short cuts. Turn off, then on:</p><a name="AEN6359" id="AEN6359"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/toggle?set=disable" target=
             "_top">http://config.privoxy.org/toggle?set=disable</a></p>
-          </blockquote><a name="AEN6330" id="AEN6330"></a>
+          </blockquote><a name="AEN6362" id="AEN6362"></a>
           <blockquote class="BLOCKQUOTE">
             <p><a href="http://config.privoxy.org/toggle?set=enable" target=
             "_top">http://config.privoxy.org/toggle?set=enable</a></p>
diff --git a/doc/webserver/user-manual/config.html b/doc/webserver/user-manual/config.html
index ffd4f346..016c04ab 100644
--- a/doc/webserver/user-manual/config.html
+++ b/doc/webserver/user-manual/config.html
@@ -918,7 +918,7 @@
               hides the <span class="QUOTE">"go there anyway"</span> link. If the user adds the force prefix by hand,
               it will not be accepted and the circumvention attempt is logged.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>enforce-blocks 1</p>
             </dd>
@@ -1547,7 +1547,7 @@
               you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see
               how many retries are usually needed.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>forwarded-connect-retries 1</p>
             </dd>
@@ -1592,7 +1592,7 @@
               you may want to adjust the CGI templates to make sure they don't reference content from
               config.privoxy.org.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>accept-intercepted-requests 1</p>
             </dd>
@@ -1629,7 +1629,7 @@
               done without care.</p>
               <p>Don't enable this option unless you're sure that you really need it.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>allow-cgi-request-crunching 1</p>
             </dd>
@@ -1667,7 +1667,7 @@
               <p>If you don't notice any editing problems, there is no reason to enable this option, but if one of the
               submit buttons appears to be broken, you should give it a try.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>split-large-forms 1</p>
             </dd>
@@ -1714,7 +1714,7 @@
               increasing it to 300 seconds or even more if you think your browser can handle it. If your browser
               appears to be hanging, it probably can't.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>keep-alive-timeout 300</p>
             </dd>
@@ -1754,7 +1754,7 @@
               <p>If you are seeing problems with pages not properly loading, disabling this option could work around
               the problem.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>tolerate-pipelining 1</p>
             </dd>
@@ -1799,7 +1799,7 @@
               <p>This option has no effect if <span class="APPLICATION">Privoxy</span> has been compiled without
               keep-alive support.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>default-server-timeout 60</p>
             </dd>
@@ -1855,7 +1855,7 @@
               <p>This option should only be used by experienced users who understand the risks and can weight them
               against the benefits.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>connection-sharing 1</p>
             </dd>
@@ -1887,7 +1887,7 @@
               <p>The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow
               proxy like Tor, reducing it to a few seconds should be fine.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>socket-timeout 300</p>
             </dd>
@@ -1940,7 +1940,7 @@
               reached. This will likely change in a future version, but currently this limit can't be increased without
               recompiling <span class="APPLICATION">Privoxy</span> with a different FD_SETSIZE limit.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>max-client-connections 256</p>
             </dd>
@@ -1982,7 +1982,7 @@
               <p>Effectively using a value above 128 usually requires changing the system configuration as well. On
               FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>listen-backlog 4096</p>
             </dd>
@@ -2022,7 +2022,7 @@
               "https://www.freebsd.org/cgi/man.cgi?query=accf_http" target="_top">accf_http(9) man page</a> to learn
               how to enable the support in the operating system.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>enable-accept-filter 1</p>
             </dd>
@@ -2286,7 +2286,7 @@
               "_top">http://config.privoxy.org/client-tags</a> therefore provides a "enable this tag temporarily"
               option. If it is used, the tag will be set until the client-tag-lifetime is over.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <table border="0" bgcolor="#E0E0E0" width="90%">
                 <tr>
@@ -2343,7 +2343,7 @@
               change the client tags for other clients or increase Privoxy's memory requirements by registering lots of
               client tag settings for clients that don't exist.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <table border="0" bgcolor="#E0E0E0" width="90%">
                 <tr>
@@ -2390,7 +2390,7 @@
               memory is (currently) cleared before using it, a buffer that is too large can actually reduce the
               throughput.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <table border="0" bgcolor="#E0E0E0" width="90%">
                 <tr>
@@ -2434,7 +2434,7 @@
               <p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
               "APPLICATION">Privoxy</span> admin access the directory.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>ca-directory /usr/local/etc/privoxy/CA</p>
             </dd>
@@ -2472,7 +2472,7 @@
               <p>The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
               cacert.crt -days 3650</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>ca-cert-file root.crt</p>
             </dd>
@@ -2504,7 +2504,7 @@
               <p>This directive specifies the name of the CA key file in ".pem" format. See the <a href="#CA-CERT-FILE"
               target="_top">ca-cert-file</a> for a command to generate it.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>ca-key-file cakey.pem</p>
             </dd>
@@ -2537,7 +2537,7 @@
               certificates for intercepted requests.</p>
               <p>Note that the password is shown on the CGI page so don't reuse an important one.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>ca-password blafasel</p>
             </dd>
@@ -2592,7 +2592,7 @@
                 </table>
               </div>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>certificate-directory /usr/local/var/privoxy/certs</p>
             </dd>
@@ -2600,7 +2600,129 @@
         </div>
       </div>
       <div class="SECT3">
-        <h4 class="SECT3"><a name="TRUSTED-CAS-FILE" id="TRUSTED-CAS-FILE">7.7.6. trusted-cas-file</a></h4>
+        <h4 class="SECT3"><a name="CIPHER-LIST" id="CIPHER-LIST">7.7.6. cipher-list</a></h4>
+        <div class="VARIABLELIST">
+          <dl>
+            <dt>Specifies:</dt>
+            <dd>
+              <p>A list of ciphers to use in TLS handshakes</p>
+            </dd>
+            <dt>Type of value:</dt>
+            <dd>
+              <p>Text</p>
+            </dd>
+            <dt>Default value:</dt>
+            <dd>
+              <p>None</p>
+            </dd>
+            <dt>Effect if unset:</dt>
+            <dd>
+              <p>A default value is inherited from the TLS library.</p>
+            </dd>
+            <dt>Notes:</dt>
+            <dd>
+              <p>This directive allows to specify a non-default list of ciphers to use in TLS handshakes with clients
+              and servers.</p>
+              <p>Ciphers are separated by colons. Which ciphers are supported depends on the TLS library. When using
+              OpenSSL, unsupported ciphers are skipped. When using MbedTLS they are rejected.</p>
+              <div class="WARNING">
+                <table class="WARNING" border="1" width="90%">
+                  <tr>
+                    <td align="center"><b>Warning</b></td>
+                  </tr>
+                  <tr>
+                    <td align="left">
+                      <p>Specifying an unusual cipher list makes fingerprinting easier. Note that the default list
+                      provided by the TLS library may be unusual when compared to the one used by modern browsers as
+                      well.</p>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+            </dd>
+            <dt>Examples:</dt>
+            <dd>
+              <table border="0" bgcolor="#E0E0E0" width="90%">
+                <tr>
+                  <td>
+                    <pre class="SCREEN">    # Explicitly set a couple of ciphers with names used by MbedTLS
+    cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+   </pre>
+                  </td>
+                </tr>
+              </table>
+              <table border="0" bgcolor="#E0E0E0" width="90%">
+                <tr>
+                  <td>
+                    <pre class="SCREEN">    # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+   </pre>
+                  </td>
+                </tr>
+              </table>
+              <table border="0" bgcolor="#E0E0E0" width="90%">
+                <tr>
+                  <td>
+                    <pre class=
+                    "SCREEN">    # Use keywords instead of explicity naming the ciphers (Does not work with MbedTLS)
+    cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+   </pre>
+                  </td>
+                </tr>
+              </table>
+            </dd>
+          </dl>
+        </div>
+      </div>
+      <div class="SECT3">
+        <h4 class="SECT3"><a name="TRUSTED-CAS-FILE" id="TRUSTED-CAS-FILE">7.7.7. trusted-cas-file</a></h4>
         <div class="VARIABLELIST">
           <dl>
             <dt>Specifies:</dt>
@@ -2626,7 +2748,7 @@
               <p>An example file can be downloaded from <a href="https://curl.haxx.se/ca/cacert.pem" target=
               "_top">https://curl.haxx.se/ca/cacert.pem</a>.</p>
             </dd>
-            <dt>Examples:</dt>
+            <dt>Example:</dt>
             <dd>
               <p>trusted-cas-file trusted_cas_file.pem</p>
             </dd>
diff --git a/doc/webserver/user-manual/index.html b/doc/webserver/user-manual/index.html
index 6d899018..082b58a9 100644
--- a/doc/webserver/user-manual/index.html
+++ b/doc/webserver/user-manual/index.html
@@ -202,7 +202,8 @@
                 <dt>7.7.3. <a href="config.html#CA-KEY-FILE">ca-key-file</a></dt>
                 <dt>7.7.4. <a href="config.html#CA-PASSWORD">ca-password</a></dt>
                 <dt>7.7.5. <a href="config.html#CERTIFICATE-DIRECTORY">certificate-directory</a></dt>
-                <dt>7.7.6. <a href="config.html#TRUSTED-CAS-FILE">trusted-cas-file</a></dt>
+                <dt>7.7.6. <a href="config.html#CIPHER-LIST">cipher-list</a></dt>
+                <dt>7.7.7. <a href="config.html#TRUSTED-CAS-FILE">trusted-cas-file</a></dt>
               </dl>
             </dd>
             <dt>7.8. <a href="config.html#WINDOWS-GUI">Windows GUI Options</a></dt>
-- 
2.39.2

