source: mod_gnutls/README @ a208cd3

Last change on this file since a208cd3 was 26b08fd, checked in by Nikos Mavrogiannopoulos <nmav@…>, 11 years ago

updated README file to account for openpgp keys --patch by Jack Bates

mod_gnutls

This module started back in September of 2004 because I was tired of trying to
fix bugs in mod_ssl.  mod_ssl is a giant beast of a module -- no offense to its
authors is intended -- but I believe it has fallen prey to massive feature bloat.

When I started hacking on httpd, mod_ssl remained a great mystery to me, and
when I actually looked at it, I ran away.  The sheer amount of code is huge, and it
does not conform to the style guidelines.  It was painful to read, and even harder
to debug.  I wanted to understand how it worked, and I had recently heard about
GnuTLS, so long story short, I decided to implement a mod_gnutls.

Lines of Code in mod_ssl: 15,324
Lines of Code in mod_gnutls: 3,594

Because of writing mod_gnutls, I now understand how input and output filters work,
better than I ever thought possible.  It was a little painful at times, and some parts
lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.

----------------------------

Author: Paul Querna <chip force-elite.com>

Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>

License: Apache Software License v2.0. (see the LICENSE file for details)

Current Status:
- SSL and TLS connections with all popular browsers work!
- Sets environment variables for scripts (compatible with mod_ssl vars)
- Supports Memcached as a distributed SSL Session Cache
- Supports DBM as a local SSL Session Cache
- Support for Server Name Indication
- Support for Client Certificates
- Support for TLS-SRP

Basic Configuration:

LoadModule gnutls_module  modules/mod_gnutls.so

# mod_gnutls can optionally use a memcached server to store its SSL Sessions.
# This is useful in a cluster environment, where you want all of your servers
# to share a single SSL Session Cache.
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"

# The default method is to use a DBM backed cache.  It isn't super fast, but
# it is portable and does not require another server to be running like memcached.
GnuTLSCache dbm conf/gnutls_cache

<VirtualHost 1.2.3.4:443>
    # insert other directives ... here ...

    # This enables the mod_gnutls Handlers for this Virtual Host
    GnuTLSEnable On

    # This is the Private key for your server.
    GnuTLSX509KeyFile conf/server.key

    # This is the Server Certificate.
    GnuTLSX509CertificateFile conf/server.cert
</VirtualHost>

# a more advanced configuration
GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
GnuTLSCacheTimeout 600
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:443>
        ServerName server.com:443
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
# To export exactly the same environment variables as mod_ssl to CGI scripts.
        GnuTLSExportCertificates on

        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
        GnuTLSX509KeyFile /etc/apache2/server-key.pem

# To enable SRP you must have these files installed. Check the gnutls srptool.
        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf

# In order to verify client certificates. Other options to
# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
# contains the CAs to verify client certificates.
        GnuTLSClientVerify request
        GnuTLSX509CAFile ca.pem
        ...
</VirtualHost>

# A setup for OpenPGP and X.509 authentication
<VirtualHost 1.2.3.4:443>
        ServerName crystal.lan:443
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+COMP-NULL

# setup the openpgp keys
        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc

# and the X.509 keys
        GnuTLSCertificateFile /etc/apache2/server-cert.pem
        GnuTLSKeyFile /etc/apache2/server-key.pem
        GnuTLSClientVerify ignore

# To avoid using the default DH params
        GnuTLSDHFile /etc/apache2/dh.pem

# these are only needed if GnuTLSClientVerify != ignore
        GnuTLSClientCAFile ca.pem
        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
</VirtualHost>

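The configurations above rely on a few directive pairings that httpd will not check for you: an enabled host needs a complete certificate and key pair, a GnuTLSClientVerify other than ignore needs GnuTLSClientCAFile or GnuTLSPGPKeyringFile, and the two SRP files go together. The following is an added example, not part of the mod_gnutls README or code: a small Python lint that parses a constructed config snippet (made-up ServerNames and paths) and reports violations of those pairings.

```python
import re
# Constructed sample config (not from the README); the second VirtualHost is deliberately broken.
SAMPLE_CONF = """\
<VirtualHost 1.2.3.4:443>
    ServerName server.com:443
    GnuTLSEnable on
    GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
    GnuTLSX509KeyFile /etc/apache2/server-key.pem
    GnuTLSClientVerify request
    GnuTLSClientCAFile ca.pem
</VirtualHost>
<VirtualHost 1.2.3.4:443>
    ServerName other.lan:443
    GnuTLSEnable On
    GnuTLSX509CertificateFile /etc/apache2/other-cert.pem
    GnuTLSClientVerify require
</VirtualHost>
"""
def parse_vhosts(text):
    """Return [(ServerName, {lower-cased directive: value})], one per <VirtualHost>."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, directives are case-insensitive
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {}
        elif re.match(r"</VirtualHost>", line, re.I) and current is not None:
            vhosts.append((current.get("servername", "?"), current))
            current = None
        elif line and current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return vhosts

def check_vhost(name, d):
    """Apply the directive pairings the README describes to one VirtualHost."""
    problems = []
    if d.get("gnutlsenable", "off").lower() != "on":
        return problems  # mod_gnutls is not active here, nothing to check
    if not (("gnutlsx509certificatefile" in d and "gnutlsx509keyfile" in d)
            or ("gnutlspgpcertificatefile" in d and "gnutlspgpkeyfile" in d)):
        problems.append(f"{name}: GnuTLSEnable on without a complete certificate+key pair")
    verify = d.get("gnutlsclientverify", "ignore").lower()
    if verify != "ignore" and not any(k in d for k in ("gnutlsclientcafile", "gnutlspgpkeyringfile")):
        problems.append(f"{name}: GnuTLSClientVerify {verify} needs GnuTLSClientCAFile or GnuTLSPGPKeyringFile")
    if ("gnutlssrppasswdfile" in d) != ("gnutlssrppasswdconffile" in d):
        problems.append(f"{name}: GnuTLSSRPPasswdFile and GnuTLSSRPPasswdConfFile must be set together")
    return problems

def lint(text):
    return [p for name, d in parse_vhosts(text) for p in check_vhost(name, d)]
```

Running lint over the real httpd config (read the file into a string) reports the second host twice here: once for the missing key file and once for requiring client certificates without a CA list.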
Create OpenPGP credentials for the server:

IMPORTANT: mod_gnutls currently cannot read encrypted OpenPGP credentials. That
is, when you generate a key with gpg and gpg prompts you for a passphrase, just
press enter. Then press enter again, to confirm an empty passphrase.
http://news.gmane.org/gmane.comp.apache.outoforder.modules

These instructions are from the GnuTLS manual:
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv

     $ gpg --gen-key
     ...enter whatever details you want, use 'test.gnutls.org' as name...

Make a note of the OpenPGP key identifier of the newly generated key, here it
was 5D1D14D8. You will need to export the key for GnuTLS to be able to use it.

     $ gpg -a --export 5D1D14D8 > openpgp-server.txt
     $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt