docs: update descriptions for encryption

- Add descriptions for certificate and key_file
- xrdp actually supports 128-bit encryption in Standard RDP Security
- change line breaks
Koichiro IWAO 2016-11-15 17:15:24 +09:00
parent d6e8435a72
commit 13aa2fcc2a


@ -45,38 +45,57 @@ If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables bitmap compressio
\fBbulk_compression\fP=\fI[true|false]\fP \fBbulk_compression\fP=\fI[true|false]\fP
If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables compression of bulk data in \fBxrdp\fR(8). If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables compression of bulk data in \fBxrdp\fR(8).
.TP
\fBcertificate\fP=\fI/path/to/certificate\fP
.TP
\fBkey_file\fP=\fI/path/to/private_key\fP
Set location of TLS certificate and private key. They must be written in PEM format.
If not specified, defaults to \fB${XRDP_CFG_DIR}/cert.pem\fP, \fB${XRDP_CFG_DIR}/key.pem\fP.
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
.TP .TP
\fBchannel_code\fP=\fI[true|false]\fP \fBchannel_code\fP=\fI[true|false]\fP
If set to \fB0\fR, \fBfalse\fR or \fBno\fR this option disables all channels \fBxrdp\fR(8). If set to \fB0\fR, \fBfalse\fR or \fBno\fR this option disables all channels \fBxrdp\fR(8).
See section \fBCHANNELS\fP below for more fine grained options. See section \fBCHANNELS\fP below for more fine grained options.
.TP .TP
\fBcrypt_level\fP=\fIlow|medium|high|fips\fP \fBcrypt_level\fP=\fI[low|medium|high|fips]\fP
.\" <http://blogs.msdn.com/b/openspecification/archive/2011/12/08/encryption-negotiation-in-rdp-connection.aspx> .\" <http://blogs.msdn.com/b/openspecification/archive/2011/12/08/encryption-negotiation-in-rdp-connection.aspx>
RDP connection are controlled by two encryption settings: \fIEncryption Level\fP and \fIEncryption Method\fP. Regulate encryption level of Standard RDP Security.
The only supported \fIEncryption Method\fP is \fB40BIT_ENCRYPTION\fP, \fB128BIT_ENCRYPTION\fP and \fB56BIT_ENCRYPTION\fP are currently not supported. This parameter is effective only if \fBsecurity_layer\fP is set to \fBrdp\fP or \fBnegotiate\fP.
Encryption in Standard RDP Security is controlled by two settings: \fIEncryption Level\fP
and \fIEncryption Method\fP. The only supported \fIEncryption Method\fP are \fB40BIT_ENCRYPTION\fP
and \fB128BIT_ENCRYPTION\fP. \fB56BIT_ENCRYPTION\fP is not supported.
This option controls the \fIEncryption Level\fP: This option controls the \fIEncryption Level\fP:
.RS 8 .RS 8
.TP .TP
.B low .B low
All data sent from the client to the server is protected by encryption based on the maximum key strength supported by the client. All data sent from the client to the server is protected by encryption based on
the maximum key strength supported by the client.
.I This is the only level that the traffic sent by the server to client is not encrypted. .I This is the only level that the traffic sent by the server to client is not encrypted.
.TP .TP
.B medium .B medium
All data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client. All data sent between the client and the server is protected by encryption based on
the maximum key strength supported by the client (client compatible).
.TP .TP
.B high .B high
All data sent between the client and server is protected by encryption based on the server's maximum key strength. All data sent between the client and the server is protected by encryption based on
the server's maximum key strength (sever compatible).
.TP .TP
.B fips .B fips
All data sent between the client and server is protected using Federal Information Processing Standard 140-1 validated encryption methods. All data sent between the client and server is protected using Federal Information
.I This level is required for Windows clients (mstsc.exe) if the client's group policy enforces FIPS-compliance mode. Processing Standard 140-1 validated encryption methods.
.I This level is required for Windows clients (mstsc.exe) if the client's group policy
.I enforces FIPS-compliance mode.
.RE .RE
.TP .TP
\fBdisableSSLv3\fP=\fI[true|false]\fP \fBdisableSSLv3\fP=\fI[true|false]\fP
If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP will not accept SSLv3 connections. If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP will not accept SSLv3 connections.
If not specified, defaults to \fBfalse\fP. If not specified, defaults to \fBfalse\fP.
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
.TP .TP
\fBfork\fP=\fI[true|false]\fP \fBfork\fP=\fI[true|false]\fP
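Review bot: the added text for the `high` level reads "(sever compatible)", which should be "(server compatible)", and the new crypt_level paragraph has a number mismatch in "The only supported \fIEncryption Method\fP are"; suggest "The supported \fIEncryption Methods\fP are \fB40BIT_ENCRYPTION\fP and \fB128BIT_ENCRYPTION\fP." In the new certificate/key_file entry one paragraph documents two options, so "This parameter is effective only if" should read "These parameters are effective only if". The crypt_level entry also states no default, unlike the certificate/key_file and disableSSLv3 entries in the same hunk, and since key_file points at a private key the entry could say the file should be readable only by the account xrdp runs as.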
@ -150,6 +169,8 @@ Specifies TLS cipher suite. The format of this parameter is equivalent to which
(ex. $ openssl ciphers 'HIGH:!ADH:!SHA1') (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
.TP .TP
\fBuse_fastpath\fP=\fI[input|output|both|none]\fP \fBuse_fastpath\fP=\fI[input|output|both|none]\fP
If not specified, defaults to \fBnone\fP. If not specified, defaults to \fBnone\fP.
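Review bot: the sentence added after the openssl ciphers example says the option is effective when security_layer is tls or negotiate, but it does not say what applies under negotiate if the session ends up on Standard RDP Security rather than TLS; suggest wording along the lines of "effective only when TLS is in use (security_layer set to tls, or negotiate with TLS selected)". The same sentence is repeated verbatim in the certificate/key_file and disableSSLv3 entries, so stating once which options are TLS-only and referring to that from each entry would be easier to keep consistent.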