| 1 | mod_gnutls |
|---|
| 2 | |
|---|
| 3 | This module started back in September of 2004 because I was tired of trying to |
|---|
| 4 | fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to it's |
|---|
| 5 | authors is intended -- but I believe it has fallen prey to massive feature bloat. |
|---|
| 6 | |
|---|
| 7 | When I started hacking on httpd, mod_ssl remained a great mystery to me, and |
|---|
| 8 | when I actually looked at it, I ran away. The shear ammount code is huge, and it |
|---|
| 9 | does not conform to the style guidelines. It was painful to read, and even harder |
|---|
| 10 | to debug. I wanted to understand how it worked, and I had recently heard about |
|---|
| 11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. |
|---|
| 12 | |
|---|
| 13 | Lines of Code in mod_ssl: 15,324 |
|---|
| 14 | Lines of Code in mod_gnutls: 3,594 |
|---|
| 15 | |
|---|
| 16 | Because of writing mod_gnutls, I now understand how input and output filters work, |
|---|
| 17 | better than I ever thought possible. It was a little painful at times, and some parts |
|---|
| 18 | lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl. |
|---|
| 19 | |
|---|
| 20 | ---------------------------- |
|---|
| 21 | |
|---|
| 22 | Author: Paul Querna <chip force-elite.com> |
|---|
| 23 | |
|---|
| 24 | Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org> |
|---|
| 25 | |
|---|
| 26 | License: Apache Software License v2.0. (see the LICENSE file for details) |
|---|
| 27 | |
|---|
| 28 | Current Status: |
|---|
| 29 | - SSL and TLS connections with all popular browsers work! |
|---|
| 30 | - Sets enviromental vars for scripts (compatible with mod_ssl vars) |
|---|
| 31 | - Supports Memcached as a distributed SSL Session Cache |
|---|
| 32 | - Supports DBM as a local SSL Session Cache |
|---|
| 33 | - Support for Server Name Indication |
|---|
| 34 | - Support for Client Certificates |
|---|
| 35 | - Support for TLS-SRP |
|---|
| 36 | |
|---|
| 37 | Basic Configuration: |
|---|
| 38 | |
|---|
| 39 | LoadModule gnutls_module modules/mod_gnutls.so |
|---|
| 40 | |
|---|
| 41 | # mod_gnutls can optionaly use a memcached server to store it's SSL Sessions. |
|---|
| 42 | # This is useful in a cluster enviroment, where you want all of your servers |
|---|
| 43 | # to share a single SSL Session Cache. |
|---|
| 44 | #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" |
|---|
| 45 | |
|---|
| 46 | # The Default method is to use a DBM backed Cache. It isn't super fast, but |
|---|
| 47 | # it is portable and does not require another server to be running like memcached. |
|---|
| 48 | GnuTLSCache dbm conf/gnutls_cache |
|---|
| 49 | |
|---|
| 50 | <VirtualHost 1.2.3.4:443> |
|---|
| 51 | # insert other directives ... here ... |
|---|
| 52 | |
|---|
| 53 | # This enables the mod_gnutls Handlers for this Virtual Host |
|---|
| 54 | GnuTLSEnable On |
|---|
| 55 | |
|---|
| 56 | # This is the Private key for your server. |
|---|
| 57 | GnuTLSX509KeyFile conf/server.key |
|---|
| 58 | |
|---|
| 59 | # This is the Server Certificate. |
|---|
| 60 | GnuTLSX509CertificateFile conf/server.cert |
|---|
| 61 | </VirtualHost> |
|---|
| 62 | |
|---|
| 63 | # a more advanced configuration |
|---|
| 64 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" |
|---|
| 65 | GnuTLSCacheTimeout 600 |
|---|
| 66 | NameVirtualHost 1.2.3.4:443 |
|---|
| 67 | |
|---|
| 68 | <VirtualHost 1.2.3.4:443> |
|---|
| 69 | Servername server.com:443 |
|---|
| 70 | GnuTLSEnable on |
|---|
| 71 | GnuTLSPriority NORMAL |
|---|
| 72 | # To export exactly the same environment variables as mod_ssl to CGI scripts. |
|---|
| 73 | GNUTLSExportCertificates on |
|---|
| 74 | |
|---|
| 75 | GnuTLSX509CertificateFile /etc/apache2/server-cert.pem |
|---|
| 76 | GnuTLSX509KeyFile /etc/apache2/server-key.pem |
|---|
| 77 | |
|---|
| 78 | # To enable SRP you must have these files installed. Check the gnutls srptool. |
|---|
| 79 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd |
|---|
| 80 | GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf |
|---|
| 81 | |
|---|
| 82 | # In order to verify client certificates. Other options to |
|---|
| 83 | # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile |
|---|
| 84 | # contains the CAs to verify client certificates. |
|---|
| 85 | GnuTLSClientVerify request |
|---|
| 86 | GnuTLSX509CAFile ca.pem |
|---|
| 87 | ... |
|---|
| 88 | </VirtualHost> |
|---|
| 89 | |
|---|
| 90 | # A setup for OpenPGP and X.509 authentication |
|---|
| 91 | <VirtualHost 1.2.3.4:443> |
|---|
| 92 | Servername crystal.lan:443 |
|---|
| 93 | GnuTLSEnable on |
|---|
| 94 | GnuTLSPriorities NORMAL:+COMP-NULL |
|---|
| 95 | |
|---|
| 96 | # setup the openpgp keys |
|---|
| 97 | GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc |
|---|
| 98 | GnuTLSPGPKeyFile /etc/apache2/test.sec.asc |
|---|
| 99 | |
|---|
| 100 | # and the X.509 keys |
|---|
| 101 | GnuTLSCertificateFile /etc/apache2/server-cert.pem |
|---|
| 102 | GnuTLSKeyFile /etc/apache2/server-key.pem |
|---|
| 103 | GnuTLSClientVerify ignore |
|---|
| 104 | |
|---|
| 105 | # To avoid using the default DH params |
|---|
| 106 | GnuTLSDHFile /etc/apache2/dh.pem |
|---|
| 107 | |
|---|
| 108 | # these are only needed if GnuTLSClientVerify != ignore |
|---|
| 109 | GnuTLSClientCAFile ca.pem |
|---|
| 110 | GnuTLSPGPKeyringFile /etc/apache2/ring.asc |
|---|
| 111 | </VirtualHost> |
|---|
