The C<netcmd> plugin provides a management interface for I<collectd> much like
the C<unixsock> plugin. Please see L<collectd-unixsock(5)> for a description of
-the commands understood on the socket. Optionally, network traffic is encrypted
-and authenticated using I<Transport Layer Security> (TLS).
+the commands understood on the socket.
+
+Optionally, network traffic is encrypted and authenticated using I<Transport
+Layer Security> (TLS). To use TLS you have to specify the B<TLSCertFile> and
+B<TLSKeyFile> options.
The configuration of the C<netcmd> plugin consists of one or more B<Listen>
block, each defining a socket to bind to and listen on. Example:
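Review bot: The new paragraph beginning "Optionally, network traffic is encrypted and authenticated" overstates what B<TLSCertFile> and B<TLSKeyFile> provide on their own. Per the B<TLSVerifyPeer> text further down, a client certificate is only I<required> when that option is B<true>, and it defaults to B<false>. Suggest describing this as encryption plus server authentication, and pointing the reader to B<TLSVerifyPeer> and B<TLSCAFile> for authenticating clients of this management interface.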
=item B<Port> I<Port>|I<Service>
-Port number or service name to bind to. Defaults to C<"25826">. Please note
-that even numeric ports must be specified as a string.
+Port number or service name to bind to. Defaults to C<"25826">.
=item B<TLSCertFile> I<Path>
Path to the TLS certificate file.
+If this option is unset, TLS will not be enabled.
=item B<TLSKeyFile> I<Path>
Path to the TLS key file.
+If this option is unset, TLS will not be enabled.
=item B<TLSCAFile> I<Path>
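Review bot: The sentence added under both B<TLSCertFile> and B<TLSKeyFile> ("If this option is unset, TLS will not be enabled.") does not say what happens when only one of the two is set, and it reads as a silent fallback to plaintext. Suggest documenting whether a half-configured B<Listen> block is rejected at startup or served without TLS, and reconciling this with the later statement that both options are I<required> when B<TLSVerifyPeer> is B<true>. Separately, the B<Port> text drops the note about quoting numeric ports while the default is still shown as C<"25826">, so say explicitly whether an unquoted number is now accepted.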
=item B<TLSVerifyPeer> B<true>|B<false>
-Controlls whether or not to verify the client certificate of connecting peers.
+Controls whether or not to verify the client certificate of connecting peers.
The plugin will I<request> a client certificate either way, but it will only
I<require> a valid certificate when this option is set to B<true>. Defaults to
B<false>.
If set to B<true>, the options B<TLSCertFile>, B<TLSKeyFile> and B<TLSCAFile>
are I<required>.
+=item B<TLSDHBits> I<Num>
+
+Sets the number of bits used for I<Diffie-Hellman> (DH) key generation. By
+default, the number of bits of the server's I<public key> is used, i.e. if
+you're using a certificate with a 4096E<nbsp>bit RSA key, then 4096E<nbsp>bit
+will be used for DH as well. Don't change this setting unless you know what
+you're doing.
+
=back
=head2 Plugin C<netlink>
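Review bot: The B<TLSDHBits> entry gives no accepted range or lower bound for I<Num>, and "Don't change this setting unless you know what you're doing" does not tell the reader which direction is risky. Suggest stating the smallest value the plugin accepts (or that it rejects small values) and that lowering the number weakens the key exchange. The default is also only illustrated with a 4096 bit RSA key, so the text should say what is used when the server's public key is not RSA.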