source: mod_gnutls/README @ 0106b25

debian/masterdebian/stretch-backportsjessie-backportsmsvaupstream
Last change on this file since 0106b25 was 7ca474b, checked in by Nokis Mavrogiannopoulos <nmav@…>, 11 years ago

readability changes by Jack Bates.

  • Property mode set to 100644
File size: 5.5 KB
Line 
1
2                mod_gnutls, Apache GnuTLS module.
3                =================================
4
5$LastChangedDate: $
6
7Contents:
8
9     I. ABOUT
10    II. AUTHORS
11   III. LICENSE
12    IV. STATUS
13     V. BASIC CONFIGURATION
14    VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
15
16
17
18I.    ABOUT
19
20      This module started back in September of 2004 because I was tired of
21      trying to fix bugs in mod_ssl.  mod_ssl is a giant beast of a module --
22      no offense to it's authors is intended -- but I believe it has fallen
23      prey to massive feature bloat.
24
25      When I started hacking on httpd, mod_ssl remained a great mystery to me,
26      and when I actually looked at it, I ran away.  The shear amount code is
27      huge, and it does not conform to the style guidelines.  It was painful to
28      read, and even harder to debug.  I wanted to understand how it worked,
29      and I had recently heard about GnuTLS, so long story short, I decided to
30      implement a mod_gnutls.
31
32         Lines of Code in mod_ssl: 15,324
33         Lines of Code in mod_gnutls: 3,594
34
35      Because of writing mod_gnutls, I now understand how input and output
36      filters work, better than I ever thought possible.  It was a little
37      painful at times, and some parts lift code and ideas directly from
38      mod_ssl.  Kudos to the original authors of mod_ssl.
39
40
41
42II.   AUTHORS
43
44      Paul Querna <chip force-elite.com>
45      Nikos Mavrogiannopoulos <nmav gnutls.org>
46
47
48
49III.  LICENSE
50
51      Apache License, Version 2.0 (see the LICENSE file for details)
52
53
54
55IV.   STATUS
56
57      * SSL and TLS connections with all popular browsers work!
58      * Sets environmental vars for scripts (compatible with mod_ssl vars)
59      * Supports memcached as a distributed SSL session cache
60      * Supports DBM as a local SSL session cache
61      * Support for server name indication (SNI), RFC3546
62      * Support for client certificates
63      * Support for secure remote password (SRP), RFC5054
64
65
66
67V.    BASIC CONFIGURATION
68
69      LoadModule gnutls_module modules/mod_gnutls.so
70     
71      # mod_gnutls can optionally use a memcached server to store it's SSL
72      # Sessions.  This is useful in a cluster environment, where you want all
73      # of your servers to share a single SSL session cache.
74      #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
75     
76      # The Default method is to use a DBM backed Cache.  It isn't super fast,
77      # but it is portable and does not require another server to be running
78      # like memcached.
79      GnuTLSCache dbm conf/gnutls_cache
80     
81      <VirtualHost 1.2.3.4:443>
82
83        # Enable mod_gnutls handlers for this virtual host
84        GnuTLSEnable On
85     
86        # This is the private key for your server
87        GnuTLSX509KeyFile conf/server.key
88     
89        # This is the server certificate
90        GnuTLSX509CertificateFile conf/server.cert
91
92      </VirtualHost>
93     
94      # A more advanced configuration
95      GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
96      GnuTLSCacheTimeout 600
97      NameVirtualHost 1.2.3.4:443
98     
99      <VirtualHost 1.2.3.4:443>
100
101        Servername server.com:443
102        GnuTLSEnable on
103        GnuTLSPriority NORMAL
104
105        # Export exactly the same environment variables as mod_ssl to CGI
106        # scripts.
107        GNUTLSExportCertificates on
108     
109        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
110        GnuTLSX509KeyFile /etc/apache2/server-key.pem
111     
112        # To enable SRP you must have these files installed.  Check the gnutls
113        # srptool.
114        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
115        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
116     
117        # In order to verify client certificates.  Other options to
118        # GnuTLSClientVerify could be ignore or require.  The
119        # GnuTLSClientCAFile contains the CAs to verify client certificates.
120        GnuTLSClientVerify request
121        GnuTLSX509CAFile ca.pem
122
123      </VirtualHost>
124     
125      # A setup for OpenPGP and X.509 authentication
126      <VirtualHost 1.2.3.4:443>
127
128        Servername crystal.lan:443
129        GnuTLSEnable on
130        GnuTLSPriorities NORMAL:+COMP-NULL
131     
132        # Setup the openpgp keys
133        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
134        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
135     
136        # - and the X.509 keys
137        GnuTLSCertificateFile /etc/apache2/server-cert.pem
138        GnuTLSKeyFile /etc/apache2/server-key.pem
139
140        GnuTLSClientVerify ignore
141     
142        # To avoid using the default DH params
143        GnuTLSDHFile /etc/apache2/dh.pem
144     
145        # These are only needed if GnuTLSClientVerify != ignore
146        GnuTLSClientCAFile ca.pem
147        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
148
149      </VirtualHost>
150
151
152
153VI.   CREATE OPENPGP CREDENTIALS FOR THE SERVER
154
155      mod_gnutls currently cannot read encrypted OpenPGP credentials.  That is,
156      when you generate a key with gpg and gpg prompts you for a passphrase,
157      just press enter.  Then press enter again, to confirm an empty
158      passphrase.  http://news.gmane.org/gmane.comp.apache.outoforder.modules
159
160      These instructions are from the GnuTLS manual:
161      http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
162
163        $ gpg --gen-key
164        ...enter whatever details you want, use 'test.gnutls.org' as name...
165
166      Make a note of the OpenPGP key identifier of the newly generated key,
167      here it was 5D1D14D8.  You will need to export the key for GnuTLS to be
168      able to use it.
169
170         $ gpg -a --export 5D1D14D8 > openpgp-server.txt
171         $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
Note: See TracBrowser for help on using the repository browser.