Context Navigation

source: mod_gnutls/README @ f8ffc43

Visit:

debian/masterdebian/stretch-backportsjessie-backportsupstream upstream/0.5.3

Last change on this file since f8ffc43 was f8ffc43, checked in by Daniel Kahn Gillmor <dkg@…>, 10 years ago
Imported Upstream version 0.5.3
Property mode set to `100644`
File size: 5.5 KB

Line
1
2	mod_gnutls, Apache GnuTLS module.
3	=================================
4
5	$LastChangedDate: $
6
7	Contents:
8
9	I. ABOUT
10	II. AUTHORS
11	III. LICENSE
12	IV. STATUS
13	V. BASIC CONFIGURATION
14	VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
15
16
17
18	I. ABOUT
19
20	This module started back in September of 2004 because I was tired of
21	trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module --
22	no offense to it's authors is intended -- but I believe it has fallen
23	prey to massive feature bloat.
24
25	When I started hacking on httpd, mod_ssl remained a great mystery to me,
26	and when I actually looked at it, I ran away. The shear amount code is
27	huge, and it does not conform to the style guidelines. It was painful to
28	read, and even harder to debug. I wanted to understand how it worked,
29	and I had recently heard about GnuTLS, so long story short, I decided to
30	implement a mod_gnutls.
31
32	Lines of Code in mod_ssl: 15,324
33	Lines of Code in mod_gnutls: 3,594
34
35	Because of writing mod_gnutls, I now understand how input and output
36	filters work, better than I ever thought possible. It was a little
37	painful at times, and some parts lift code and ideas directly from
38	mod_ssl. Kudos to the original authors of mod_ssl.
39
40
41
42	II. AUTHORS
43
44	Paul Querna <chip force-elite.com>
45	Nikos Mavrogiannopoulos <nmav gnutls.org>
46
47
48
49	III. LICENSE
50
51	Apache License, Version 2.0 (see the LICENSE file for details)
52
53
54
55	IV. STATUS
56
57	* SSL and TLS connections with all popular browsers work!
58	* Sets environmental vars for scripts (compatible with mod_ssl vars)
59	* Supports memcached as a distributed SSL session cache
60	* Supports DBM as a local SSL session cache
61	* Support for server name indication (SNI), RFC3546
62	* Support for client certificates
63	* Support for secure remote password (SRP), RFC5054
64
65
66
67	V. BASIC CONFIGURATION
68
69	LoadModule gnutls_module modules/mod_gnutls.so
70
71	# mod_gnutls can optionally use a memcached server to store it's SSL
72	# Sessions. This is useful in a cluster environment, where you want all
73	# of your servers to share a single SSL session cache.
74	#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
75
76	# The Default method is to use a DBM backed Cache. It isn't super fast,
77	# but it is portable and does not require another server to be running
78	# like memcached.
79	GnuTLSCache dbm conf/gnutls_cache
80
81	<VirtualHost 1.2.3.4:443>
82
83	# Enable mod_gnutls handlers for this virtual host
84	GnuTLSEnable On
85
86	# This is the private key for your server
87	GnuTLSX509KeyFile conf/server.key
88
89	# This is the server certificate
90	GnuTLSX509CertificateFile conf/server.cert
91
92	</VirtualHost>
93
94	# A more advanced configuration
95	GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
96	GnuTLSCacheTimeout 600
97	NameVirtualHost 1.2.3.4:443
98
99	<VirtualHost 1.2.3.4:443>
100
101	Servername server.com:443
102	GnuTLSEnable on
103	GnuTLSPriority NORMAL
104
105	# Export exactly the same environment variables as mod_ssl to CGI
106	# scripts.
107	GNUTLSExportCertificates on
108
109	GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
110	GnuTLSX509KeyFile /etc/apache2/server-key.pem
111
112	# To enable SRP you must have these files installed. Check the gnutls
113	# srptool.
114	GnuTLSSRPPasswdFile /etc/apache2/tpasswd
115	GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
116
117	# In order to verify client certificates. Other options to
118	# GnuTLSClientVerify could be ignore or require. The
119	# GnuTLSClientCAFile contains the CAs to verify client certificates.
120	GnuTLSClientVerify request
121	GnuTLSX509CAFile ca.pem
122
123	</VirtualHost>
124
125	# A setup for OpenPGP and X.509 authentication
126	<VirtualHost 1.2.3.4:443>
127
128	Servername crystal.lan:443
129	GnuTLSEnable on
130	GnuTLSPriorities NORMAL:+COMP-NULL
131
132	# Setup the openpgp keys
133	GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
134	GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
135
136	# - and the X.509 keys
137	GnuTLSCertificateFile /etc/apache2/server-cert.pem
138	GnuTLSKeyFile /etc/apache2/server-key.pem
139
140	GnuTLSClientVerify ignore
141
142	# To avoid using the default DH params
143	GnuTLSDHFile /etc/apache2/dh.pem
144
145	# These are only needed if GnuTLSClientVerify != ignore
146	GnuTLSClientCAFile ca.pem
147	GnuTLSPGPKeyringFile /etc/apache2/ring.asc
148
149	</VirtualHost>
150
151
152
153	VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
154
155	mod_gnutls currently cannot read encrypted OpenPGP credentials. That is,
156	when you generate a key with gpg and gpg prompts you for a passphrase,
157	just press enter. Then press enter again, to confirm an empty
158	passphrase. http://news.gmane.org/gmane.comp.apache.outoforder.modules
159
160	These instructions are from the GnuTLS manual:
161	http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
162
163	$ gpg --gen-key
164	...enter whatever details you want, use 'test.gnutls.org' as name...
165
166	Make a note of the OpenPGP key identifier of the newly generated key,
167	here it was 5D1D14D8. You will need to export the key for GnuTLS to be
168	able to use it.
169
170	$ gpg -a --export 5D1D14D8 > openpgp-server.txt
171	$ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt

Note: See TracBrowser for help on using the repository browser.

Download in other formats: