1 | mod_gnutls |
---|
2 | |
---|
3 | This module started back in September of 2004 because I was tired of trying to |
---|
4 | fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to it's |
---|
5 | authors is intended -- but I believe it has fallen prey to massive feature bloat. |
---|
6 | |
---|
7 | When I started hacking on httpd, mod_ssl remained a great mystery to me, and |
---|
8 | when I actually looked at it, I ran away. The shear ammount code is huge, and it |
---|
9 | does not conform to the style guidelines. It was painful to read, and even harder |
---|
10 | to debug. I wanted to understand how it worked, and I had recently heard about |
---|
11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. |
---|
12 | |
---|
13 | Lines of Code in mod_ssl: 15,324 |
---|
14 | Lines of Code in mod_gnutls: 1,886 |
---|
15 | |
---|
16 | Because of writing mod_gnutls, I now understand how input and output filters work, |
---|
17 | better than I ever thought possible. It was a little painful at times, and some parts |
---|
18 | lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl. |
---|
19 | |
---|
20 | ---------------------------- |
---|
21 | |
---|
22 | Author: Paul Querna <chip force-elite.com> |
---|
23 | |
---|
24 | Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org> |
---|
25 | |
---|
26 | License: Apache Software License v2.0. (see the LICENSE file for details) |
---|
27 | |
---|
28 | Current Status: |
---|
29 | - SSL and TLS connections with all popular browsers work! |
---|
30 | - Sets enviromental vars for scripts (compatible with mod_ssl vars) |
---|
31 | - Supports Memcached as a distributed SSL Session Cache |
---|
32 | - Supports DBM as a local SSL Session Cache |
---|
33 | - Support for Server Name Indication |
---|
34 | - Support for Client Certificates |
---|
35 | - Support for TLS-SRP |
---|
36 | |
---|
37 | Basic Configuration: |
---|
38 | |
---|
39 | LoadModule gnutls_module modules/mod_gnutls.so |
---|
40 | |
---|
41 | # mod_gnutls can optionaly use a memcached server to store it's SSL Sessions. |
---|
42 | # This is useful in a cluster enviroment, where you want all of your servers |
---|
43 | # to share a single SSL Session Cache. |
---|
44 | #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" |
---|
45 | |
---|
46 | # The Default method is to use a DBM backed Cache. It isn't super fast, but |
---|
47 | # it is portable and does not require another server to be running like memcached. |
---|
48 | GnuTLSCache dbm conf/gnutls_cache |
---|
49 | |
---|
50 | <VirtualHost 1.2.3.4:443> |
---|
51 | # insert other directives ... here ... |
---|
52 | |
---|
53 | # This enables the mod_gnutls Handlers for this Virtual Host |
---|
54 | GnuTLSEnable On |
---|
55 | |
---|
56 | # This is the Private key for your server. |
---|
57 | GnuTLSKeyFile conf/server.key |
---|
58 | |
---|
59 | # This is the Server Certificate. |
---|
60 | GnuTLSCertificateFile conf/server.cert |
---|
61 | </VirtualHost> |
---|
62 | |
---|
63 | |
---|
64 | # a more advanced configuration |
---|
65 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" |
---|
66 | GnuTLSCacheTimeout 500 |
---|
67 | GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0 |
---|
68 | NameVirtualHost 1.2.3.4:443 |
---|
69 | |
---|
70 | <VirtualHost 1.2.3.4:443> |
---|
71 | Servername server.com:443 |
---|
72 | GnuTLSEnable on |
---|
73 | GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128 |
---|
74 | GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS |
---|
75 | GnuTLSMACAlgorithms SHA1 MD5 |
---|
76 | GnuTLSCompressionMethods NULL |
---|
77 | # To export exactly the same environment variables as mod_ssl to CGI scripts. |
---|
78 | GNUTLSExportCertificates on |
---|
79 | |
---|
80 | GnuTLSCertificateFile /etc/apache2/server-cert.pem |
---|
81 | GnuTLSKeyFile /etc/apache2/server-key.pem |
---|
82 | |
---|
83 | # To enable SRP you must have these files installed. Check the gnutls srptool. |
---|
84 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd |
---|
85 | GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf |
---|
86 | |
---|
87 | # In order to verify client certificates. Other options to |
---|
88 | # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile |
---|
89 | # contains the CAs to verify client certificates. |
---|
90 | GnuTLSClientVerify request |
---|
91 | GnuTLSClientCAFile ca.pem |
---|
92 | ... |
---|
93 | </VirtualHost> |
---|