| [6af4f74] | 1 | |
|---|
| [7ca474b] | 2 | mod_gnutls, Apache GnuTLS module. |
|---|
| 3 | ================================= |
|---|
| [6af4f74] | 4 | |
|---|
| [7ca474b] | 5 | $LastChangedDate: $ |
|---|
| [6af4f74] | 6 | |
|---|
| [7ca474b] | 7 | Contents: |
|---|
| [6af4f74] | 8 | |
|---|
| [7ca474b] | 9 | I. ABOUT |
|---|
| 10 | II. AUTHORS |
|---|
| 11 | III. LICENSE |
|---|
| 12 | IV. STATUS |
|---|
| 13 | V. BASIC CONFIGURATION |
|---|
| 14 | VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER |
|---|
| [6af4f74] | 15 | |
|---|
| 16 | |
|---|
| [7bebb42] | 17 | |
|---|
| [7ca474b] | 18 | I. ABOUT |
|---|
| [6af4f74] | 19 | |
|---|
| [7ca474b] | 20 | This module started back in September of 2004 because I was tired of |
|---|
| 21 | trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- |
|---|
| 22 | no offense to it's authors is intended -- but I believe it has fallen |
|---|
| 23 | prey to massive feature bloat. |
|---|
| [6af4f74] | 24 | |
|---|
| [7ca474b] | 25 | When I started hacking on httpd, mod_ssl remained a great mystery to me, |
|---|
| 26 | and when I actually looked at it, I ran away. The shear amount code is |
|---|
| 27 | huge, and it does not conform to the style guidelines. It was painful to |
|---|
| 28 | read, and even harder to debug. I wanted to understand how it worked, |
|---|
| 29 | and I had recently heard about GnuTLS, so long story short, I decided to |
|---|
| 30 | implement a mod_gnutls. |
|---|
| [6af4f74] | 31 | |
|---|
| [7ca474b] | 32 | Lines of Code in mod_ssl: 15,324 |
|---|
| 33 | Lines of Code in mod_gnutls: 3,594 |
|---|
| [6af4f74] | 34 | |
|---|
| [7ca474b] | 35 | Because of writing mod_gnutls, I now understand how input and output |
|---|
| 36 | filters work, better than I ever thought possible. It was a little |
|---|
| 37 | painful at times, and some parts lift code and ideas directly from |
|---|
| 38 | mod_ssl. Kudos to the original authors of mod_ssl. |
|---|
| [6af4f74] | 39 | |
|---|
| 40 | |
|---|
| 41 | |
|---|
| [7ca474b] | 42 | II. AUTHORS |
|---|
| [6af4f74] | 43 | |
|---|
| [7ca474b] | 44 | Paul Querna <chip force-elite.com> |
|---|
| 45 | Nikos Mavrogiannopoulos <nmav gnutls.org> |
|---|
| [6af4f74] | 46 | |
|---|
| 47 | |
|---|
| [7bebb42] | 48 | |
|---|
| [7ca474b] | 49 | III. LICENSE |
|---|
| [7bebb42] | 50 | |
|---|
| [7ca474b] | 51 | Apache License, Version 2.0 (see the LICENSE file for details) |
|---|
| 52 | |
|---|
| 53 | |
|---|
| 54 | |
|---|
| 55 | IV. STATUS |
|---|
| 56 | |
|---|
| 57 | * SSL and TLS connections with all popular browsers work! |
|---|
| 58 | * Sets environmental vars for scripts (compatible with mod_ssl vars) |
|---|
| 59 | * Supports memcached as a distributed SSL session cache |
|---|
| 60 | * Supports DBM as a local SSL session cache |
|---|
| 61 | * Support for server name indication (SNI), RFC3546 |
|---|
| 62 | * Support for client certificates |
|---|
| 63 | * Support for secure remote password (SRP), RFC5054 |
|---|
| 64 | |
|---|
| 65 | |
|---|
| 66 | |
|---|
| 67 | V. BASIC CONFIGURATION |
|---|
| 68 | |
|---|
| 69 | LoadModule gnutls_module modules/mod_gnutls.so |
|---|
| 70 | |
|---|
| 71 | # mod_gnutls can optionally use a memcached server to store it's SSL |
|---|
| 72 | # Sessions. This is useful in a cluster environment, where you want all |
|---|
| 73 | # of your servers to share a single SSL session cache. |
|---|
| 74 | #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" |
|---|
| 75 | |
|---|
| 76 | # The Default method is to use a DBM backed Cache. It isn't super fast, |
|---|
| 77 | # but it is portable and does not require another server to be running |
|---|
| 78 | # like memcached. |
|---|
| 79 | GnuTLSCache dbm conf/gnutls_cache |
|---|
| 80 | |
|---|
| 81 | <VirtualHost 1.2.3.4:443> |
|---|
| 82 | |
|---|
| 83 | # Enable mod_gnutls handlers for this virtual host |
|---|
| 84 | GnuTLSEnable On |
|---|
| 85 | |
|---|
| 86 | # This is the private key for your server |
|---|
| 87 | GnuTLSX509KeyFile conf/server.key |
|---|
| 88 | |
|---|
| 89 | # This is the server certificate |
|---|
| 90 | GnuTLSX509CertificateFile conf/server.cert |
|---|
| 91 | |
|---|
| 92 | </VirtualHost> |
|---|
| 93 | |
|---|
| 94 | # A more advanced configuration |
|---|
| 95 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" |
|---|
| 96 | GnuTLSCacheTimeout 600 |
|---|
| 97 | NameVirtualHost 1.2.3.4:443 |
|---|
| 98 | |
|---|
| 99 | <VirtualHost 1.2.3.4:443> |
|---|
| 100 | |
|---|
| 101 | Servername server.com:443 |
|---|
| [7bebb42] | 102 | GnuTLSEnable on |
|---|
| [7ca474b] | 103 | GnuTLSPriority NORMAL |
|---|
| 104 | |
|---|
| 105 | # Export exactly the same environment variables as mod_ssl to CGI |
|---|
| 106 | # scripts. |
|---|
| 107 | GNUTLSExportCertificates on |
|---|
| 108 | |
|---|
| 109 | GnuTLSX509CertificateFile /etc/apache2/server-cert.pem |
|---|
| 110 | GnuTLSX509KeyFile /etc/apache2/server-key.pem |
|---|
| 111 | |
|---|
| 112 | # To enable SRP you must have these files installed. Check the gnutls |
|---|
| 113 | # srptool. |
|---|
| 114 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd |
|---|
| 115 | GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf |
|---|
| 116 | |
|---|
| 117 | # In order to verify client certificates. Other options to |
|---|
| 118 | # GnuTLSClientVerify could be ignore or require. The |
|---|
| 119 | # GnuTLSClientCAFile contains the CAs to verify client certificates. |
|---|
| 120 | GnuTLSClientVerify request |
|---|
| 121 | GnuTLSX509CAFile ca.pem |
|---|
| 122 | |
|---|
| 123 | </VirtualHost> |
|---|
| 124 | |
|---|
| 125 | # A setup for OpenPGP and X.509 authentication |
|---|
| 126 | <VirtualHost 1.2.3.4:443> |
|---|
| 127 | |
|---|
| 128 | Servername crystal.lan:443 |
|---|
| [f548f15] | 129 | GnuTLSEnable on |
|---|
| [7ca474b] | 130 | GnuTLSPriorities NORMAL:+COMP-NULL |
|---|
| 131 | |
|---|
| 132 | # Setup the openpgp keys |
|---|
| 133 | GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc |
|---|
| 134 | GnuTLSPGPKeyFile /etc/apache2/test.sec.asc |
|---|
| 135 | |
|---|
| 136 | # - and the X.509 keys |
|---|
| 137 | GnuTLSCertificateFile /etc/apache2/server-cert.pem |
|---|
| 138 | GnuTLSKeyFile /etc/apache2/server-key.pem |
|---|
| [f548f15] | 139 | |
|---|
| [7ca474b] | 140 | GnuTLSClientVerify ignore |
|---|
| 141 | |
|---|
| 142 | # To avoid using the default DH params |
|---|
| 143 | GnuTLSDHFile /etc/apache2/dh.pem |
|---|
| 144 | |
|---|
| 145 | # These are only needed if GnuTLSClientVerify != ignore |
|---|
| 146 | GnuTLSClientCAFile ca.pem |
|---|
| 147 | GnuTLSPGPKeyringFile /etc/apache2/ring.asc |
|---|
| [f548f15] | 148 | |
|---|
| [7ca474b] | 149 | </VirtualHost> |
|---|
| [f548f15] | 150 | |
|---|
| 151 | |
|---|
| [26b08fd] | 152 | |
|---|
| [7ca474b] | 153 | VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER |
|---|
| [26b08fd] | 154 | |
|---|
| [7ca474b] | 155 | mod_gnutls currently cannot read encrypted OpenPGP credentials. That is, |
|---|
| 156 | when you generate a key with gpg and gpg prompts you for a passphrase, |
|---|
| 157 | just press enter. Then press enter again, to confirm an empty |
|---|
| 158 | passphrase. http://news.gmane.org/gmane.comp.apache.outoforder.modules |
|---|
| [26b08fd] | 159 | |
|---|
| [7ca474b] | 160 | These instructions are from the GnuTLS manual: |
|---|
| 161 | http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv |
|---|
| [26b08fd] | 162 | |
|---|
| [7ca474b] | 163 | $ gpg --gen-key |
|---|
| 164 | ...enter whatever details you want, use 'test.gnutls.org' as name... |
|---|
| [26b08fd] | 165 | |
|---|
| [7ca474b] | 166 | Make a note of the OpenPGP key identifier of the newly generated key, |
|---|
| 167 | here it was 5D1D14D8. You will need to export the key for GnuTLS to be |
|---|
| 168 | able to use it. |
|---|
| [26b08fd] | 169 | |
|---|
| [7ca474b] | 170 | $ gpg -a --export 5D1D14D8 > openpgp-server.txt |
|---|
| 171 | $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt |
|---|
