source: mod_gnutls/README @ abce298

debian/masterdebian/stretch-backportsjessie-backportsmsvaupstream
Last change on this file since abce298 was f548f15, checked in by Nokis Mavrogiannopoulos <nmav@…>, 12 years ago

prepare for an alpha release

  • Property mode set to 100644
File size: 3.8 KB
Line 
1mod_gnutls
2
3This module started back in September of 2004 because I was tired of trying to
4fix bugs in mod_ssl.  mod_ssl is a giant beast of a module -- no offense to it's
5authors is intended -- but I believe it has fallen prey to massive feature bloat.
6
7When I started hacking on httpd, mod_ssl remained a great mystery to me, and
8when I actually looked at it, I ran away.  The shear ammount code is huge, and it
9does not conform to the style guidelines.  It was painful to read, and even harder
10to debug.  I wanted to understand how it worked, and I had recently heard about
11GnuTLS, so long story short, I decided to implement a mod_gnutls.
12
13Lines of Code in mod_ssl: 15,324
14Lines of Code in mod_gnutls: 3,594
15
16Because of writing mod_gnutls, I now understand how input and output filters work,
17better than I ever thought possible.  It was a little painful at times, and some parts
18lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.
19
20----------------------------
21
22Author: Paul Querna <chip force-elite.com>
23
24Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>
25
26License: Apache Software License v2.0. (see the LICENSE file for details)
27
28Current Status:
29- SSL and TLS connections with all popular browsers work!
30- Sets enviromental vars for scripts (compatible with mod_ssl vars)
31- Supports Memcached as a distributed SSL Session Cache
32- Supports DBM as a local SSL Session Cache
33- Support for Server Name Indication
34- Support for Client Certificates
35- Support for TLS-SRP
36
37Basic Configuration:
38
39LoadModule gnutls_module  modules/mod_gnutls.so
40
41# mod_gnutls can optionaly use a memcached server to store it's SSL Sessions.
42# This is useful in a cluster enviroment, where you want all of your servers
43# to share a single SSL Session Cache.
44#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
45
46# The Default method is to use a DBM backed Cache.  It isn't super fast, but
47# it is portable and does not require another server to be running like memcached.
48GnuTLSCache dbm conf/gnutls_cache
49
50<VirtualHost 1.2.3.4:443>
51    # insert other directives ... here ...
52
53    # This enables the mod_gnutls Handlers for this Virtual Host
54    GnuTLSEnable On
55
56    # This is the Private key for your server.
57    GnuTLSX509KeyFile conf/server.key
58
59    # This is the Server Certificate. 
60    GnuTLSX509CertificateFile conf/server.cert
61</VirtualHost>
62
63# a more advanced configuration
64GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
65GnuTLSCacheTimeout 600
66NameVirtualHost 1.2.3.4:443
67
68<VirtualHost 1.2.3.4:443>
69        Servername server.com:443
70        GnuTLSEnable on
71        GnuTLSPriority NORMAL
72# To export exactly the same environment variables as mod_ssl to CGI scripts.
73        GNUTLSExportCertificates on
74
75        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
76        GnuTLSX509KeyFile /etc/apache2/server-key.pem
77
78# To enable SRP you must have these files installed. Check the gnutls srptool.
79        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
80        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
81
82# In order to verify client certificates. Other options to
83# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
84# contains the CAs to verify client certificates.
85        GnuTLSClientVerify request
86        GnuTLSX509CAFile ca.pem
87        ...
88</VirtualHost>
89
90# A setup for OpenPGP and X.509 authentication
91<VirtualHost 1.2.3.4:443>
92        Servername crystal.lan:443
93        GnuTLSEnable on
94        GnuTLSPriorities NORMAL:+COMP-NULL
95
96# setup the openpgp keys
97        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
98        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
99
100# and the X.509 keys
101        GnuTLSCertificateFile /etc/apache2/server-cert.pem
102        GnuTLSKeyFile /etc/apache2/server-key.pem
103        GnuTLSClientVerify ignore
104
105# To avoid using the default DH params
106        GnuTLSDHFile /etc/apache2/dh.pem
107
108# these are only needed if GnuTLSClientVerify != ignore
109        GnuTLSClientCAFile ca.pem
110        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
111</VirtualHost>
Note: See TracBrowser for help on using the repository browser.