% `mod_gnutls` Manual

* * * * *

`mod_gnutls` is a module for the Apache web server that provides HTTPS
(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
Layer (SSL)) using the GnuTLS library. More information about the
module can be found at [the project's website](https://mod.gnutls.org/).

* * * * *

Compilation & Installation
==========================

`mod_gnutls` uses the `./configure && make && make install` mechanism
common to many Open Source programs. Most of the dirty work is
handled by either `./configure` or Apache's `apxs` utility. If you have
built Apache modules before, there shouldn't be any surprises for you.

The interesting options you can pass to configure are:

`--with-apxs=PATH`
:   This option is used to specify the location of the apxs utility that
    was installed as part of Apache. Specify the location of the
    binary, not the directory it is located in.

`--with-libgnutls=PATH`
:   Full path to the libgnutls-config program.

`--with-apr-memcache=PREFIX`
:   Prefix to where apr\_memcache is installed.

`--help`
:   Provides a list of all available configure options.

* * * * *

Integration
===========

To activate `mod_gnutls` just add the following line to your httpd.conf
and restart Apache:

    LoadModule gnutls_module modules/mod_gnutls.so

* * * * *

Configuration Directives
========================

`GnuTLSEnable`
--------------

Enable GnuTLS for this virtual host

    GnuTLSEnable [on|off]

Default: *off*\
Context: virtual host

This directive enables SSL/TLS Encryption for a Virtual Host.

`GnuTLSCache`
-------------

Configure SSL Session Cache

    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]

Default: `GnuTLSCache none`\
Context: server config

This directive configures the SSL Session Cache for `mod_gnutls`.
This could be shared between machines of different architectures.

`dbm` (Requires Berkeley DBM)
:   Uses the default Berkeley DB backend of APR DBM to cache SSL
    Sessions results. The argument is a relative or absolute path to
    be used as the DBM Cache file. This is compatible with most
    operating systems, but needs the Apache Runtime to be compiled
    with Berkeley DBM support.

`gdbm`
:   Uses the GDBM backend of APR DBM to cache SSL Sessions results.

    The argument is a relative or absolute path to be used as the DBM Cache
    file. This is the recommended option.

`memcache`
:   Uses a memcached server to cache the SSL Session.

    The argument is a space separated list of servers. If no port
    number is supplied, the default of 11211 is used. This can be
    used to share a session cache between all servers in a cluster.
    The cache holds the secrets needed to resume sessions, so the
    memcached servers must only be reachable from the web servers,
    never from untrusted networks.

`none`
:   Turns off all caching of SSL Sessions.

    This can significantly reduce the performance of `mod_gnutls` since
    even followup connections by a client must renegotiate parameters
    instead of reusing old ones. This is the default, since it
    requires no configuration.

`GnuTLSCacheTimeout`
--------------------

Timeout for SSL Session Cache expiration

    GnuTLSCacheTimeout SECONDS

Default: `GnuTLSCacheTimeout 300`\
Context: server config

Sets the timeout for SSL Session Cache entries expiration. This
directive is valid even if Session Tickets are used, and indicates the
expiration time of the ticket in seconds.

`GnuTLSSessionTickets`
----------------------

Enable Session Tickets for the server

    GnuTLSSessionTickets [on|off]

Default: `off`\
Context: server config, virtual host

Instead of storing session data on the server for TLS session
resumption, the server can hand the client a ticket which the client
presents when it returns. Use this on servers with limited storage, and
do not combine it with `GnuTLSCache`. For a pool of servers this option
is not recommended, since a ticket is only valid for the server that
issued it.

`GnuTLSCertificateFile`
-----------------------

Set to the PEM Encoded Server Certificate

    GnuTLSCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM-encoded X.509 certificate to
use as this Server's End Entity (EE) certificate. If you need to supply
certificates for intermediate Certificate Authorities (iCAs), they
should be listed in sequence in the file, from EE to the iCA closest to
the root CA. Optionally, you can also include the root CA's certificate
as the last certificate in the list.

`GnuTLSKeyFile`
---------------

Set to the PEM Encoded Server Private Key

    GnuTLSKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This
key cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the nobody or apache user.

`GnuTLSPGPCertificateFile`
--------------------------

Set to a base64 Encoded Server OpenPGP Certificate

    GnuTLSPGPCertificateFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded OpenPGP
Certificate to use as this Server's Certificate.

`GnuTLSPGPKeyFile`
------------------

Set to the Server OpenPGP Secret Key

    GnuTLSPGPKeyFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to the Server Private Key. This key
cannot currently be password protected.

**Security Warning:**\
This private key must be protected. It is read while Apache is still
running as root, so it does not need to be, and should not be, readable
by the nobody or apache user.

`GnuTLSClientVerify`
--------------------

Enable Client Certificate Verification

    GnuTLSClientVerify [ignore|request|require]

Default: `ignore`\
Context: server config, virtual host, directory, .htaccess

This directive controls the use of SSL Client Certificate
Authentication. If used in the .htaccess context, it can force TLS
re-negotiation.

`ignore`
:   `mod_gnutls` will ignore the contents of any SSL Client Certificates
    sent. It will not request that the client sends a certificate.

`request`
:   The client certificate will be requested, but not required.
    The Certificate will be validated if sent. The output of the
    validation status will be stored in the `SSL_CLIENT_VERIFY`
    environment variable and can be `SUCCESS`, `FAILED` or `NONE`.
    Since requests are not denied in this mode, the application must
    check this variable itself before trusting the client identity.

`require`
:   A Client certificate will be required. Any requests without a valid
    client certificate will be denied. The `SSL_CLIENT_VERIFY`
    environment variable will only be set to `SUCCESS`.

`GnuTLSClientCAFile`
--------------------

Set to the PEM Encoded Certificate Authority Certificate

    GnuTLSClientCAFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a PEM Encoded Certificate to use
as a Certificate Authority with Client Certificate Authentication.
This file may contain a list of trusted authorities.

`GnuTLSPGPKeyringFile`
----------------------

Set to a base64 Encoded key ring

    GnuTLSPGPKeyringFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a base64 Encoded Certificate
list (key ring) to use as a means of verification of Client
Certificates. This file should contain a list of trusted signers.

`GnuTLSDHFile`
--------------

Set to the PKCS \#3 encoded Diffie Hellman parameters

    GnuTLSDHFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to a file of PKCS \#3 encoded DH
parameters. Those are used when the DHE key exchange method is enabled.
You can generate this file using `certtool --generate-dh-params --bits
2048`. If not set `mod_gnutls` will use the included parameters.

`GnuTLSSRPPasswdFile`
---------------------

Set to the SRP password file for SRP ciphersuites

    GnuTLSSRPPasswdFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password file. This is
the same format as used in libsrp. You can generate such a file using
the command `srptool --passwd /etc/tpasswd --passwd-conf
/etc/tpasswd.conf -u test` to set a password for user test. This
password file holds the username, a password verifier and a reference
to the SRP parameters the verifier was generated with.

`GnuTLSSRPPasswdConfFile`
-------------------------

Set to the SRP password.conf file for SRP ciphersuites

    GnuTLSSRPPasswdConfFile FILEPATH

Default: *none*\
Context: server config, virtual host

Takes an absolute or relative path to an SRP password.conf file. This
is the same format as used in `libsrp`. You can generate such a file
using the command `srptool --create-conf /etc/tpasswd.conf`. This
file holds the SRP parameters and is associated with the password file
(the verifiers depend on these parameters).

`GnuTLSPriorities`
------------------

Set the allowed ciphers, key exchange algorithms, MACs and compression
methods

    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N

Default: *none*\
Context: server config, virtual host

Takes a colon-separated list of ciphers, key exchange methods,
message authentication codes and compression methods to enable.
The allowed keywords are specified in the `gnutls_priority_init()`
function of GnuTLS.

Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
In brief you can specify a set of ciphersuites from the choices:

`NONE`
:   The empty list.

`EXPORT`
:   A list with all the supported cipher combinations
    including the `EXPORT` strength algorithms.

`PERFORMANCE`
:   A list with all the secure cipher combinations sorted in terms of performance.

`NORMAL`
:   A list with all the secure cipher combinations sorted
    with respect to security margin (subjective term).

`SECURE`
:   A list with all the secure cipher combinations including
    the 256-bit ciphers sorted with respect to security margin.

Additionally you can add or remove algorithms using the `+` and `!`
prefixes respectively.

For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
you can use the string `NORMAL:!ARCFOUR-128`.

Other options such as the protocol version and the compression method
can be specified using the `VERS-` and `COMP-` prefixes.

So in order to remove or add a specific TLS version from the `NORMAL`
set, use `NORMAL:!VERS-SSL3.0`. And to enable zlib compression use
`NORMAL:+COMP-DEFLATE`. However, it is recommended not to add
compression at this level: compressing at the TLS layer lets an attacker
who can inject chosen data into the connection learn about the
plaintext (the CRIME class of attacks).

With the `NONE` set, in order to be usable, you have to specify a
complete set of combinations of protocol versions (`VERS-TLS1.0`),
cipher algorithms (`AES-128-CBC`), key exchange algorithms (`RSA`),
message authentication codes (`SHA1`) and compression methods
(`COMP-NULL`).

You can find a list of all supported Ciphers, Versions, MACs, etc. by
running `gnutls-cli --list`.

The special keyword `%COMPAT` will disable some security features such
as protection against statistical attacks to ciphertext data in order to
achieve maximum compatibility (some broken mobile clients need this).

`GnuTLSExportCertificates`
--------------------------

Export the PEM encoded certificates to CGIs

    GnuTLSExportCertificates [on|off]

Default: `off`\
Context: server config, virtual host

This directive enables exporting the full certificates of the server and
the client to CGI scripts. The exported certificates will be PEM-encoded
(if X.509) or ASCII-armored (if OpenPGP).
With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
environment variables to the CGI process as `mod_ssl`.

* * * * *

Configuration Examples
======================

Simple Standard SSL Example
---------------------------

The following is an example of standard SSL Hosting, using one IP
address for each virtual host:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    GnuTLSCache gdbm /var/cache/www-tls-cache
    GnuTLSCacheTimeout 500
    # With normal SSL Websites, you need one IP Address per-site.
    Listen 1.2.3.1:443
    Listen 1.2.3.2:443
    Listen 1.2.3.3:443
    Listen 1.2.3.4:443
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # NONE disables everything, including protocol versions, so a
        # +VERS- entry is required. ARCFOUR, 3DES and MD5 are legacy
        # algorithms and only belong here if old clients need them.
        GnuTLSPriorities NONE:+VERS-TLS1.0:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.2:443>
        # This virtual host enables SRP authentication
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
        GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
    </VirtualHost>
    <VirtualHost 1.2.3.3:443>
        # This server enables SRP, OpenPGP and X.509 authentication.
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/ssl/site3.crt
        GnuTLSKeyFile conf/ssl/site3.key
        GnuTLSClientVerify ignore
        GnuTLSPGPCertificateFile conf/ssl/site3.pub.asc
        GnuTLSPGPKeyFile conf/ssl/site3.sec.asc
        GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
        GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
    </VirtualHost>
    <VirtualHost 1.2.3.4:443>
        GnuTLSEnable on
        # %COMPAT disables some security features to enable maximum compatibility with clients.
        GnuTLSPriorities NONE:+VERS-TLS1.0:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/ssl/site4.crt
        GnuTLSKeyFile conf/ssl/site4.key
    </VirtualHost>

Server Name Indication Example
------------------------------

`mod_gnutls` can also use "Server Name Indication", as specified in
RFC 3546. This allows hosting many SSL Websites, with a Single IP
Address. Currently all the recent browsers support this
standard. Here is an example, using SNI:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    # With SNI, a single IP address serves all the virtual hosts below.
    Listen 1.2.3.1:443
    # This could also be 'Listen *:443',
    # just like '*:80' is common for non-https
    # No caching. Enable session tickets. Timeout is still used for
    # ticket expiration.
    GnuTLSCacheTimeout 600
    # This tells apache, that for this IP/Port combination, we want to use
    # Name Based Virtual Hosting. In the case of Server Name Indication,
    # it lets mod_gnutls pick the correct Server Certificate.
    NameVirtualHost 1.2.3.1:443
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/ssl/site2.crt
        GnuTLSKeyFile conf/ssl/site2.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site3.example.com/html
        ServerName site3.example.com:443
        GnuTLSCertificateFile conf/ssl/site3.crt
        GnuTLSKeyFile conf/ssl/site3.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        DocumentRoot /www/site4.example.com/html
        ServerName site4.example.com:443
        GnuTLSCertificateFile conf/ssl/site4.crt
        GnuTLSKeyFile conf/ssl/site4.key
    </VirtualHost>

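The script below is an added example, not part of mod_gnutls. It applies the rules from the `GnuTLSPriorities` section to virtual hosts like the ones in the examples above: it parses each `<VirtualHost>` block, splits the `GnuTLSPriorities` value into base set, `+`/`!` items and `%` options, and reports what a reviewer would flag (a `NONE` set with no `+VERS-` entry, legacy keywords such as ARCFOUR and MD5, `%COMPAT`, client verification configured without a CA file or keyring). The set of keywords it treats as weak and the sample configuration are this example's own assumptions.

```python
"""Audit the GnuTLS directives in an httpd.conf fragment.

Added example, not code from mod_gnutls. Priority strings are read the way
the manual describes them: a base keyword (NORMAL, NONE, ...) followed by
colon-separated +/! items and %-options. WEAK_KEYWORDS is this example's
own choice, not a list published by GnuTLS.
"""
from __future__ import annotations

import re

BASE_SETS = {"NONE", "EXPORT", "PERFORMANCE", "NORMAL", "SECURE"}
# Assumption of this example: keywords a reviewer would question.
WEAK_KEYWORDS = {"ARCFOUR-128", "ARCFOUR-40", "3DES-CBC", "MD5", "VERS-SSL3.0", "COMP-DEFLATE"}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_priority(spec: str) -> tuple[str, list[str], list[str], list[str]]:
    """Split a priority string into (base, enabled, disabled, options)."""
    base, *items = spec.split(":")
    if base not in BASE_SETS:
        raise ValueError(f"unknown base keyword: {base!r}")
    enabled, disabled, options = [], [], []
    for item in items:
        if item.startswith("+"):
            enabled.append(item[1:])
        elif item[:1] in ("!", "-"):  # GnuTLS accepts either prefix as "remove"
            disabled.append(item[1:])
        elif item.startswith("%"):
            options.append(item)
        else:
            raise ValueError(f"cannot parse priority item: {item!r}")
    return base, enabled, disabled, options


def lint_priority(spec: str) -> list[str]:
    """Return findings for one GnuTLSPriorities value."""
    base, enabled, disabled, options = parse_priority(spec)
    findings = []
    if base == "EXPORT":
        findings.append("EXPORT base set enables export-strength ciphers")
    if base == "NONE":
        # NONE disables everything, including protocol versions and
        # compression methods, so each must be re-enabled explicitly.
        for prefix, what in (("VERS-", "protocol version"), ("COMP-", "compression method")):
            if not any(key.startswith(prefix) for key in enabled):
                findings.append(f"NONE without a +{prefix} entry: no {what} enabled")
    for key in enabled:
        if key in WEAK_KEYWORDS:
            findings.append(f"weak keyword enabled: {key}")
    if base != "NONE" and "VERS-SSL3.0" not in disabled:
        findings.append("SSL 3.0 not disabled: add !VERS-SSL3.0")
    if "%COMPAT" in options:
        findings.append("%COMPAT disables security features for client compatibility")
    return findings


def parse_vhosts(conf: str) -> list[tuple[str, dict[str, str]]]:
    """Return (address, {directive: value}) for every <VirtualHost> block."""
    hosts = []
    for match in VHOST_RE.finditer(conf):
        directives: dict[str, str] = {}
        for line in match.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        hosts.append((match.group(1).strip(), directives))
    return hosts


def audit(conf: str) -> dict[str, list[str]]:
    """Map each TLS-enabled virtual host (by ServerName) to its findings."""
    report: dict[str, list[str]] = {}
    for address, d in parse_vhosts(conf):
        if d.get("GnuTLSEnable", "off").lower() != "on":
            continue
        findings = []
        present = set(d)
        has_x509 = {"GnuTLSCertificateFile", "GnuTLSKeyFile"} <= present
        has_pgp = {"GnuTLSPGPCertificateFile", "GnuTLSPGPKeyFile"} <= present
        has_srp = {"GnuTLSSRPPasswdFile", "GnuTLSSRPPasswdConfFile"} <= present
        if not (has_x509 or has_pgp or has_srp):
            findings.append("no complete credential pair (X.509, OpenPGP or SRP)")
        if "GnuTLSPriorities" in d:
            findings.extend(lint_priority(d["GnuTLSPriorities"]))
        wants_client_cert = d.get("GnuTLSClientVerify", "ignore") in ("request", "require")
        if wants_client_cert and not ({"GnuTLSClientCAFile", "GnuTLSPGPKeyringFile"} & present):
            findings.append("client certificates requested but no CA file or keyring configured")
        report[d.get("ServerName", address)] = findings
    return report


# Constructed sample modelled on the manual's examples; not a real deployment.
SAMPLE_CONF = """
<VirtualHost 1.2.3.1:443>
    GnuTLSEnable on
    GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
    ServerName site1.example.com:443
    GnuTLSCertificateFile conf/ssl/site1.crt
    GnuTLSKeyFile conf/ssl/site1.key
</VirtualHost>
<VirtualHost 1.2.3.2:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:!VERS-SSL3.0:!ARCFOUR-128
    ServerName site2.example.com:443
    GnuTLSCertificateFile conf/ssl/site2.crt
    GnuTLSKeyFile conf/ssl/site2.key
    GnuTLSClientVerify require
</VirtualHost>
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(name, "->", findings or "ok")
```

Run it against a real httpd.conf by passing the file's contents to `audit()`; the parser only understands the simple one-directive-per-line layout used in this manual, so `Include`d files have to be concatenated first.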
* * * * *

Performance Issues
==================

`mod_gnutls` by default uses conservative settings for the server.
You can fine tune the configuration to reduce the load on a busy
server. The following examples do exactly this:

    # Load the module into Apache.
    LoadModule gnutls_module modules/mod_gnutls.so
    # Using 4 memcache servers to distribute the SSL Session Cache.
    GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
    GnuTLSCacheTimeout 600
    Listen 1.2.3.1:443
    NameVirtualHost 1.2.3.1:443
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # Here we disable the Perfect forward secrecy ciphersuites (DHE),
        # trading forward secrecy for cheaper handshakes, and disallow
        # AES-256 since AES-128 is just fine.
        GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
        DocumentRoot /www/site1.example.com/html
        ServerName site1.example.com:443
        GnuTLSCertificateFile conf/ssl/site1.crt
        GnuTLSKeyFile conf/ssl/site1.key
    </VirtualHost>
    <VirtualHost 1.2.3.1:443>
        GnuTLSEnable on
        # Here, instead of disabling the DHE ciphersuites, we use
        # Diffie Hellman parameters of smaller size than the default (2048 bits).
        # Using small numbers from 768 to 1024 bits should be ok once they are
        # regenerated every few hours. Note that groups below 2048 bits are
        # under the current minimum recommendation: regenerating them limits
        # how long a precomputation attack on one group pays off, it does not
        # make the group strong.
        # Use "certtool --generate-dh-params --bits 1024" to get those
        GnuTLSDHFile /etc/apache2/dh.params
        GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
        DocumentRoot /www/site2.example.com/html
        ServerName site2.example.com:443
        GnuTLSCertificateFile conf/ssl/site2.crt
        GnuTLSKeyFile conf/ssl/site2.key
    </VirtualHost>

* * * * *

Environment Variables
=====================

`mod_gnutls` exports the following environment variables to scripts.
These are compatible with `mod_ssl`.

`HTTPS`
-------

Can be `on` or `off`

`SSL_VERSION_LIBRARY`
---------------------

The version of the GnuTLS library

`SSL_VERSION_INTERFACE`
-----------------------

The version of this module

`SSL_PROTOCOL`
--------------

The SSL or TLS protocol name (such as `TLS 1.0` etc.)

`SSL_CIPHER`
------------

The SSL or TLS cipher suite name

`SSL_COMPRESS_METHOD`
---------------------

The negotiated compression method (`NULL` or `DEFLATE`)

`SSL_SRP_USER`
--------------

The SRP username used for authentication (only set when
`GnuTLSSRPPasswdFile` and `GnuTLSSRPPasswdConfFile` are configured).

`SSL_CIPHER_USEKEYSIZE` & `SSL_CIPHER_ALGKEYSIZE`
-------------------------------------------------

The number of bits used in the negotiated cipher algorithm.

This does not fully reflect the security level since the size of
RSA or DHE key exchange parameters affects the security level too.

`SSL_DH_PRIME_BITS`
-------------------

The number of bits in the modulus for the DH group, if DHE or static
DH is used.

This will not be set if DH is not used.

`SSL_CIPHER_EXPORT`
-------------------

`True` or `False`. Whether the cipher suite negotiated is an export one.

`SSL_SESSION_ID`
----------------

The session ID negotiated in this session. Can be the same during client
reloads.

`SSL_CLIENT_V_REMAIN`
---------------------

The number of days until the client's certificate expires.

`SSL_CLIENT_V_START`
--------------------

The activation time of the client's certificate.

`SSL_CLIENT_V_END`
------------------

The expiration time of the client's certificate.

`SSL_CLIENT_S_DN`
-----------------

The distinguished name of the client's certificate in RFC2253 format.

`SSL_CLIENT_I_DN`
-----------------

The distinguished name of the issuer of the client's certificate in
RFC2253 format.

`SSL_CLIENT_S_AN%`
------------------

These will contain the alternative names of the client certificate (`%` is
a number starting from zero).

The values will be prepended by `DNSNAME:`, `RFC822NAME:` or `URI:`
depending on the type.

If the name type is not supported, the value will be `UNSUPPORTED`.

`SSL_SERVER_M_SERIAL`
---------------------

The serial number of the server's certificate.

`SSL_SERVER_M_VERSION`
----------------------

The version of the server's certificate.

`SSL_SERVER_A_SIG`
------------------

The algorithm used for the signature in the server's certificate.

`SSL_SERVER_A_KEY`
------------------

The public key algorithm in the server's certificate.

`SSL_SERVER1_CERT`
------------------

The PEM-encoded server certificate (only exported when
`GnuTLSExportCertificates` is on).

`SSL_SERVER_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.

`SSL_CLIENT_CERT_TYPE`
----------------------

The certificate type can be `X.509` or `OPENPGP`.
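The script below is an added example, not part of mod_gnutls, showing how a CGI script would consume these variables together with the `GnuTLSClientVerify` result described earlier: it refuses requests that did not arrive over TLS, export suites, TLS compression and small DH groups; accepts an SRP user from `SSL_SRP_USER`; and otherwise requires `SSL_CLIENT_VERIFY` to be `SUCCESS` with the expected issuer before deriving an identity from the `SSL_CLIENT_S_AN%` entries or the subject DN. The expected issuer DN, the 2048-bit DH minimum and the sample environment are assumptions made for the example.

```python
"""Consume the mod_ssl-compatible variables mod_gnutls exports to CGI scripts.

Added example, not code from mod_gnutls: decides, from the TLS environment
alone, whether a request came over an acceptable connection and which
identity (client certificate or SRP user) it carries. The expected issuer
DN and the minimum DH group size are assumptions of this example.
"""
from __future__ import annotations

import os
import sys
from typing import Mapping

EXPECTED_CLIENT_ISSUER = "CN=Example Client CA,O=Example"  # assumption
MIN_DH_PRIME_BITS = 2048                                   # assumption


def client_alt_names(env: Mapping[str, str]) -> list[tuple[str, str]]:
    """Collect SSL_CLIENT_S_AN0, SSL_CLIENT_S_AN1, ... as (type, value) pairs,
    skipping entries the module reports as UNSUPPORTED."""
    names = []
    index = 0
    while f"SSL_CLIENT_S_AN{index}" in env:
        raw = env[f"SSL_CLIENT_S_AN{index}"]
        index += 1
        if raw == "UNSUPPORTED":
            continue
        kind, _, value = raw.partition(":")
        names.append((kind, value))
    return names


def connection_problems(env: Mapping[str, str]) -> list[str]:
    """Checks on the negotiated connection, independent of who the client is."""
    if env.get("HTTPS") != "on":
        return ["request did not arrive over TLS"]
    problems = []
    if env.get("SSL_CIPHER_EXPORT") == "True":
        problems.append("export-strength cipher suite negotiated")
    if env.get("SSL_COMPRESS_METHOD", "NULL") != "NULL":
        problems.append("TLS compression negotiated")
    bits = env.get("SSL_DH_PRIME_BITS")  # only set when DH or DHE was used
    if bits is not None and int(bits) < MIN_DH_PRIME_BITS:
        problems.append(f"DH group too small: {bits} bits")
    return problems


def authorize(env: Mapping[str, str]) -> tuple[bool, str]:
    """Return (allowed, identity) on success or (False, reason) on failure."""
    problems = connection_problems(env)
    if problems:
        return False, "; ".join(problems)
    # An SRP ciphersuite authenticated the client by password; the module
    # exports the username only when SRP is configured and was used.
    srp_user = env.get("SSL_SRP_USER")
    if srp_user:
        return True, f"srp:{srp_user}"
    # With GnuTLSClientVerify request the request is not denied on failure,
    # so SSL_CLIENT_VERIFY has to be checked here.
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, f"client certificate verification result: {verify}"
    if env.get("SSL_CLIENT_I_DN") != EXPECTED_CLIENT_ISSUER:
        return False, "client certificate not issued by the expected CA"
    for kind, value in client_alt_names(env):
        if kind == "RFC822NAME":
            return True, f"cert:{value}"
    return True, f"cert:{env.get('SSL_CLIENT_S_DN', '')}"


# Constructed sample environment shaped like the variables listed above;
# not captured from a real server.
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLS 1.0",
    "SSL_CIPHER": "DHE-RSA-AES-128-CBC-SHA1",
    "SSL_CIPHER_EXPORT": "False",
    "SSL_COMPRESS_METHOD": "NULL",
    "SSL_DH_PRIME_BITS": "2048",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example",
    "SSL_CLIENT_I_DN": "CN=Example Client CA,O=Example",
    "SSL_CLIENT_S_AN0": "RFC822NAME:alice@example.com",
    "SSL_CLIENT_S_AN1": "UNSUPPORTED",
}

if __name__ == "__main__":
    # As a CGI script: answer from the real environment Apache hands us.
    allowed, detail = authorize(os.environ)
    sys.stdout.write("Content-Type: text/plain\r\n")
    sys.stdout.write("Status: 200 OK\r\n\r\n" if allowed else "Status: 403 Forbidden\r\n\r\n")
    sys.stdout.write(f"{'allowed' if allowed else 'denied'}: {detail}\n")
```

For the certificate path to work, the virtual host needs `GnuTLSClientVerify request` or `require` plus a `GnuTLSClientCAFile`; with `require` the module already rejects clients without a valid certificate, and the script's own `SSL_CLIENT_VERIFY` check then only matters under `request`.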