##VERSION: $Id: cone.dist.in,v 1.1 2003/05/27 14:09:03 mrsam Exp $
#
# cone configuration file created from cone.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 2003 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for CONE.  Most of these
#  options are SSL-related.  This file is typically installed as
#  /etc/cone; if $HOME/.conerc exists, its settings override
#  the settings in this file.
#
#  This is basically a shell script that initializes environment variables.
#  Local changes to the specific environment variables may be made directly
#  below.  Additional environment variable initialization or scripting may
#  be placed in the LOCAL section at the end of this file.
#
#
#########################################################################
#
# The following variables configure encrypted connections to servers.

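##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version for SSL connections.
# The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1
#
# SSLv2 and SSLv3 are obsolete and have known protocol weaknesses; of the
# three values listed here only TLS1 should be used.  This also matches
# TLS_STARTTLS_PROTOCOL below.  Set SSL3 only for a legacy server that
# cannot speak TLS1, and accept the reduced protection that implies.

TLS_PROTOCOL=TLS1

##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL when a non-encrypted
# connection to servers is upgraded via the STARTTLS mechanism.
#

TLS_STARTTLS_PROTOCOL=TLS1

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined.  If you do set it, note that the example below enables RC4
# and SSLv2 ciphers, both of which are obsolete; see the OpenSSL
# ciphers(1) manual for the current cipher-string syntax.
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and is reserved for future use.
# It is intended to become an inactivity timeout.
#

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used.  In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
# TLS_CERTFILE=

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
# The trust store decides which certificates are accepted when
# verification is enabled, so it should be writable only by the
# administrator.
#

TLS_TRUSTCERTS=/usr/share/cone/rootcerts

##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates.  The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
# (NOTE: PEER and REQUIREPEER require that TLS_TRUSTCERTS must be set)
#
# With NONE the certificate is accepted without any check, so the
# connection is encrypted but the identity of the other end is not
# verified.  TLS_TRUSTCERTS is already set above, so PEER or REQUIREPEER
# can be used where certificate checking is wanted.
#
TLS_VERIFYPEER=NONE

##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response with multiple
# encrypted sessions to the same server.  TLS_CACHEFILE will be
# automatically created, TLS_CACHESIZE bytes long, and used as a cache
# buffer.  Cached sessions can be resumed, so the cache file should be
# readable only by its owner, like TLS_CERTFILE.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL servers.  Disable SSL caching by commenting out the
# following settings:

# path of the cache file (created automatically)
TLS_CACHEFILE=$HOME/.cone/sslcache
# size of the cache file, in bytes
TLS_CACHESIZE=524288

##NAME: LOCAL:0
#
# Additional site-specific initialization code may be placed below
#
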