listens on separate sockets for TLS connections (https) using OpenSSL setup a TLS socket (mandatory) the socket address to listen on (same as "listen":plugin_core.html#plugin_core__setup_listen), can be specified more than once to setup multiple sockets with the same options (mandatory) file containing the private key, certificate and (optionally) intermediate certificates (the root certificate is usually not included) file containing the intermediate certificates OpenSSL ciphers string (default: "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK") filename with generated dh-params (default: fixed 4096-bit parameters) OpenSSL ecdh-curve name list of OpenSSL options (default: NO_SSLv2, NO_SSLv3, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION, SINGLE_DH_USE, SINGLE_ECDH_USE) enable client certificate verification (default: false) allow all CAs and self-signed certificates, for manual checking (default: false) sets client verification depth (default: 1) abort clients failing verification (default: false) file containing client CA certificates (to verify client certificates) For @ciphers@ see OpenSSL "ciphers":https://www.openssl.org/docs/manmaster/man1/ciphers.html string For @options@ see "options":https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html. Explicitly specify the reverse flag by toggling the "NO_" prefix to override defaults. setup { module_load "mod_openssl"; openssl [ "listen" => "0.0.0.0:443", "listen" => "[::]:443", "pemfile" => "/etc/certs/lighttpd.pem", "options" => ["ALL", "NO_TICKET"], ]; } setup { module_load "mod_openssl"; openssl ( "listen" => "0.0.0.0:443", "listen" => "[::]:443", "pemfile" => "/etc/certs/lighttpd.pem", "client-ca-file" => "/etc/certs/myCA.pem", "verify" => true, "verify-require" => true ); } setup { module_load "mod_openssl"; openssl ( "listen" => "0.0.0.0:443", "listen" => "[::]:443", "pemfile" => "/etc/certs/lighttpd.pem", "verify" => true, "verify-any" => true, "verify-depth" => 9 ); } openssl.setenv "client-cert"; set SSL environment strings list of subsets to export Supported subsets: * "client" - set @SSL_CLIENT_S_DN_@ short-named entries * "client-cert" - set @SSL_CLIENT_CERT@ to client certificate PEM * "server" - set @SSL_SERVER_S_DN_@ short-named entries * "server-cert" - set @SSL_SERVER_CERT@ to server certificate PEM