From 61c5a2b151cfc7e338cc24234b9389940a3ef4a5 Mon Sep 17 00:00:00 2001
From: "Zsolt Gyulai (zgyulai)" <zsolt.gyulai@quest.com>
Date: Mon, 15 Jan 2024 12:25:38 +0100
Subject: [PATCH] added openssl-conf-cmds() and ocsp-stapling-verify() options

Signed-off-by: Zsolt Gyulai (zgyulai) <zsolt.gyulai@quest.com>
---
 .../syslog-ng-guide-admin/tlsoptions.htm      | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/Content/Guides/syslog-ng-guide-admin/tlsoptions.htm b/Content/Guides/syslog-ng-guide-admin/tlsoptions.htm
index 0340bfa83..21a688142 100644
--- a/Content/Guides/syslog-ng-guide-admin/tlsoptions.htm
+++ b/Content/Guides/syslog-ng-guide-admin/tlsoptions.htm
@@ -198,6 +198,79 @@ <h6>keylog-file()</h6>
                     </tr>
                 </tbody>
             </table>
+        </div>
+		<div>
+            <h6>ocsp-stapling-verify()</h6>
+            <MadCap:keyword term="ocsp-stapling-verify">
+            </MadCap:keyword>
+            <MadCap:keyword term="ocsp-stapling-verify">
+            </MadCap:keyword>
+            <table cellspacing="0" class="TableStyle-RuledTableWithHeading_DoNotEdit" colsep="0" rowsep="0" style="width: 100%;mc-table-style: url('../../Resources/TableStyles/RuledTableWithHeading_DoNotEdit.css');">
+                <tbody>
+                    <tr class="TableStyle-RuledTableWithHeading_DoNotEdit-Body-Body1">
+                        <td class="TableStyle-RuledTableWithHeading_DoNotEdit-BodyE-Column1-Body1">Accepted values:</td>
+                        <td class="TableStyle-RuledTableWithHeading_DoNotEdit-BodyD-Column1-Body1"><span class="Code">yes</span>, <span class="Code">no</span></td>
+                    </tr>
+                    <tr class="TableStyle-RuledTableWithHeading_DoNotEdit-Body-Body1">
+                        <td class="TableStyle-RuledTableWithHeading_DoNotEdit-BodyB-Column1-Body1">Default:</td>
+                        <td class="TableStyle-RuledTableWithHeading_DoNotEdit-BodyA-Column1-Body1"><span class="Code">no</span></td>
+                    </tr>
+                </tbody>
+                <col class="TableStyle-RuledTableWithHeading_DoNotEdit-Column-Column1" style="width: 0.3in;">
+                </col>
+            </table>
+			<p>This option is available in <MadCap:variable name="General.abbrev"></MadCap:variable> 4.0 and later versions.</p>
+            <p><i style="font-style: normal;">Description:</i> In case the OCSP stapling verification is enabled <MadCap:variable name="General.abbrev"></MadCap:variable> request the server to return its OCSP status. This status response is verified by <MadCap:variable name="General.abbrev"></MadCap:variable> using the trust store configured by the <span class="Code">ca-file()</span>, <span class="Code">ca-dir()</span>, or the <span class="Code">pkcs12-file()</span> options.</p>
+			<div class="Note">
+				<p class="Hyphenation"><span class="AllNoteStyles">NOTE:</span> RFC 6961 multi-stapling and TLS 1.3-provided multiple responses are currently not validated, only the peer certificate is verified.</p>
+			</div>
+			<div class="Example">
+                <h6>Example:</h6>
+				<pre>destination {
+
+    network("example.com" transport(tls)
+        tls(
+            pkcs12-file("/path/to/test.p12")
+            peer-verify(yes)
+            ocsp-stapling-verify(yes)
+        )
+    );
+};
+				</pre>
+			</div>
+        </div>
+		<div>
+            <h6>openssl-conf-cmds()</h6>
+            <MadCap:keyword term="openssl-conf-cmds()">
+            </MadCap:keyword>
+            <MadCap:keyword term="openssl-conf-cmds()">
+            </MadCap:keyword>
+			<p>This option is available in <MadCap:variable name="General.abbrev"></MadCap:variable> 4.0 and later versions.</p>
+			<div class="Note">
+				<p class="Hyphenation"><span class="AllNoteStyles">NOTE:</span> <span class="Code">openssl-conf-cmds()</span> always has the highest priority. It overrides any other option found in the <span class="Code">tls()</span> section.</p>
+			</div>
+			<p>OpenSSL offers an alternative and software-independent configuration mechanism through the SSL_CONF_cmd interface for configuring the various SSL_CTX and SSL options.</p>
+			<p>The order of operations within <span class="Code">openssl-conf-cmds()</span> affects the order of execution. The commands are executed in top-down order. If the same option occurs multiple times, the last executed option takes effect. This is also true for options that can be set multiple ways (for example, cipher suites or protocols).</p>
+			<div class="Example">
+                <h6>Example:</h6>
+				<pre>    tls(
+        ca-dir("/etc/ca.d")
+        key-file("/etc/cert.d/serverkey.pem")
+        cert-file("/etc/cert.d/servercert.pem")
+        peer-verify(yes)
+
+        openssl-conf-cmds(
+            # For system wide available cipher suites use: /usr/bin/openssl ciphers -v
+            # For formatting rules see: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
+            "CipherString" => "ECDHE-RSA-AES128-SHA",                                   # TLSv1.2 and bellow
+            "CipherSuites" => "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",    # TLSv1.3+ (OpenSSl 1.1.1+)
+
+            "Options" => "PrioritizeChaCha",
+            "Protocol" => "-ALL,TLSv1.3",
+        )
+    )
+				</pre>
+			</div>
         </div>
         <div>
             <h6 name="tls-options-peer-verify"><a name="tls-options-peer-verify"></a>peer-verify()</h6>