Changeset fc124e9 in mod_gnutls


Timestamp:
Jun 20, 2016, 2:51:01 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
c3c96ca
Parents:
743e31f
git-author:
Thomas Klute <thomas2.klute@…> (06/20/16 14:19:22)
git-committer:
Thomas Klute <thomas2.klute@…> (06/20/16 14:51:01)
Message:

Handbook: Update configuration examples

  • Replaced old example suggesting ill-advised security for performance trade-offs with an OCSP stapling example
  • Use only simple priority strings
  • Reformatting for better readability
  • Use RFC 5737 example IP addresses
File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    r743e31f rfc124e9  
    625625---------------------------
    626626
    627 The following is an example of standard TLS Hosting, using one IP
    628 Addresses for each virtual host
     627The following is an example of simple TLS hosting, using one IP
     628Addresses for each virtual host.
    629629
    630630     # Load the module into Apache.
     
    632632     GnuTLSCache gdbm /var/cache/www-tls-cache
    633633     GnuTLSCacheTimeout 500
    634      # With normal TLS Websites, you need one IP Address per-site.
    635      Listen 1.2.3.1:443
    636      Listen 1.2.3.2:443
    637      Listen 1.2.3.3:443
    638      Listen 1.2.3.4:443
    639      <VirtualHost 1.2.3.1:443>
    640      GnuTLSEnable on
    641      GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
    642      DocumentRoot /www/site1.example.com/html
    643      ServerName site1.example.com:443
    644      GnuTLSCertificateFile conf/ssl/site1.crt
    645      GnuTLSKeyFile conf/ss/site1.key
     634
     635     # Without SNI you need one IP Address per-site.
     636     Listen 192.0.2.1:443
     637     Listen 192.0.2.2:443
     638     Listen 192.0.2.3:443
     639     Listen 192.0.2.4:443
     640
     641     <VirtualHost 192.0.2.1:443>
     642         GnuTLSEnable on
     643         GnuTLSPriorities SECURE128
     644         DocumentRoot /www/site1.example.com/html
     645         ServerName site1.example.com:443
     646         GnuTLSCertificateFile conf/tls/site1.crt
     647         GnuTLSKeyFile conf/tls/site1.key
    646648     </VirtualHost>
    647      <VirtualHost 1.2.3.2:443>
    648      # This virtual host enables SRP authentication
    649      GnuTLSEnable on
    650      GnuTLSPriorities NORMAL:+SRP
    651      DocumentRoot /www/site2.example.com/html
    652      ServerName site2.example.com:443
    653      GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
    654      GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
     649
     650     <VirtualHost 192.0.2.2:443>
     651         # This virtual host enables SRP authentication
     652         GnuTLSEnable on
     653         GnuTLSPriorities NORMAL:+SRP
     654         DocumentRoot /www/site2.example.com/html
     655         ServerName site2.example.com:443
     656         GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
     657         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
    655658     </VirtualHost>
    656      <VirtualHost 1.2.3.3:443>
    657      # This server enables SRP, OpenPGP and X.509 authentication.
    658      GnuTLSEnable on
    659      GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
    660      DocumentRoot /www/site3.example.com/html
    661      ServerName site3.example.com:443
    662      GnuTLSCertificateFile conf/ssl/site3.crt
    663      GnuTLSKeyFile conf/ss/site3.key
    664      GnuTLSClientVerify ignore
    665      GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
    666      GnuTLSPGPKeyFile conf/ss/site3.sec.asc
    667      GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
    668      GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
     659
     660     <VirtualHost 192.0.2.3:443>
     661         # This server enables SRP, OpenPGP and X.509 authentication.
     662         GnuTLSEnable on
     663         GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS:+CTYPE-OPENPGP
     664         DocumentRoot /www/site3.example.com/html
     665         ServerName site3.example.com:443
     666         GnuTLSCertificateFile conf/tls/site3.crt
     667         GnuTLSKeyFile conf/tls/site3.key
     668         GnuTLSClientVerify ignore
     669         GnuTLSPGPCertificateFile conf/tls/site3.pub.asc
     670         GnuTLSPGPKeyFile conf/tls/site3.sec.asc
     671         GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
     672         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
    669673     </VirtualHost>
    670      <VirtualHost 1.2.3.4:443>
    671      GnuTLSEnable on
    672      # %COMPAT disables some security features to enable maximum compatibility with clients.
    673      GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
    674      DocumentRoot /www/site4.example.com/html
    675      ServerName site4.example.com:443
    676      GnuTLSCertificateFile conf/ssl/site4.crt
    677      GnuTLSKeyFile conf/ss/site4.key
     674
     675     <VirtualHost 192.0.2.4:443>
     676         GnuTLSEnable on
     677         # %COMPAT disables some security features to enable maximum
     678         # compatibility with clients. Don't use this if you need strong
     679         # security.
     680         GnuTLSPriorities NORMAL:%COMPAT
     681         DocumentRoot /www/site4.example.com/html
     682         ServerName site4.example.com:443
     683         GnuTLSCertificateFile conf/tls/site4.crt
     684         GnuTLSKeyFile conf/tls/site4.key
    678685     </VirtualHost>
    679686
     
    681688------------------------------
    682689
    683 `mod_gnutls` can also use "Server Name Indication", as specified in
    684 RFC 3546.  This allows hosting many TLS Websites, with a Single IP
    685 Address.  Currently all the recent browsers support this
    686 standard. Here is an example, using SNI: ` `
    687 
     690`mod_gnutls` supports "Server Name Indication", as specified in
     691RFC 3546. This allows hosting many TLS websites with a single IP
     692address. All recent browsers support this standard. Here is an
     693example using SNI:
    688694
    689695     # Load the module into Apache.
    690696     LoadModule gnutls_module modules/mod_gnutls.so
    691      # With normal TLS Websites, you need one IP Address per-site.
    692      Listen 1.2.3.1:443
    693      # This could also be 'Listen *:443',
    694      # just like '*:80' is common for non-https
    695      # This tells apache, that for this IP/Port combination, we want to use
    696      # Name Based Virtual Hosting. In the case of Server Name Indication,
    697      # it lets mod_gnutls pick the correct Server Certificate.
    698      NameVirtualHost 1.2.3.1:443
    699      <VirtualHost 1.2.3.1:443>
    700      GnuTLSEnable on
    701      GnuTLSSessionTickets on
    702      GnuTLSPriorities NORMAL
    703      DocumentRoot /www/site1.example.com/html
    704      ServerName site1.example.com:443
    705      GnuTLSCertificateFile conf/ssl/site1.crt
    706      GnuTLSKeyFile conf/ss/site1.key
     697
     698     # SNI allows hosting multiple sites using one IP address. This
     699     # could also be 'Listen *:443', just like '*:80' is common for
     700     # non-HTTPS
     701     Listen 198.51.100.1:443
     702
     703     <VirtualHost _default_:443>
     704         GnuTLSEnable on
     705         GnuTLSSessionTickets on
     706         GnuTLSPriorities NORMAL
     707         DocumentRoot /www/site1.example.com/html
     708         ServerName site1.example.com:443
     709         GnuTLSCertificateFile conf/tls/site1.crt
     710         GnuTLSKeyFile conf/tls/site1.key
    707711     </VirtualHost>
    708      <VirtualHost 1.2.3.1:443>
    709      GnuTLSEnable on
    710      GnuTLSPriorities NORMAL
    711      DocumentRoot /www/site2.example.com/html
    712      ServerName site2.example.com:443
    713      GnuTLSCertificateFile conf/ssl/site2.crt
    714      GnuTLSKeyFile conf/ss/site2.key
     712
     713     <VirtualHost _default_:443>
     714         GnuTLSEnable on
     715         GnuTLSPriorities NORMAL
     716         DocumentRoot /www/site2.example.com/html
     717         ServerName site2.example.com:443
     718         GnuTLSCertificateFile conf/tls/site2.crt
     719         GnuTLSKeyFile conf/tls/site2.key
    715720     </VirtualHost>
    716      <VirtualHost 1.2.3.1:443>
    717      GnuTLSEnable on
    718      GnuTLSPriorities NORMAL
    719      DocumentRoot /www/site3.example.com/html
    720      ServerName site3.example.com:443
    721      GnuTLSCertificateFile conf/ssl/site3.crt
    722      GnuTLSKeyFile conf/ss/site3.key
     721
     722     <VirtualHost _default_:443>
     723         GnuTLSEnable on
     724         GnuTLSPriorities NORMAL
     725         DocumentRoot /www/site3.example.com/html
     726         ServerName site3.example.com:443
     727         GnuTLSCertificateFile conf/tls/site3.crt
     728         GnuTLSKeyFile conf/tls/site3.key
    723729     </VirtualHost>
    724      <VirtualHost 1.2.3.1:443>
    725      GnuTLSEnable on
    726      GnuTLSPriorities NORMAL
    727      DocumentRoot /www/site4.example.com/html
    728      ServerName site4.example.com:443
    729      GnuTLSCertificateFile conf/ssl/site4.crt
    730      GnuTLSKeyFile conf/ss/site4.key
     730
     731     <VirtualHost _default_:443>
     732         GnuTLSEnable on
     733         GnuTLSPriorities NORMAL
     734         DocumentRoot /www/site4.example.com/html
     735         ServerName site4.example.com:443
     736         GnuTLSCertificateFile conf/tls/site4.crt
     737         GnuTLSKeyFile conf/tls/site4.key
    731738     </VirtualHost>
    732739
    733 
    734 * * * * *
    735 
    736 Performance Issues
    737 ==================
    738 
    739 `mod_gnutls` by default uses conservative settings for the server.
    740 You can fine tune the configuration to reduce the load on a busy
    741 server.  The following examples do exactly this:
    742 
     740OCSP Stapling Example
     741---------------------
     742
     743This example uses an X.509 server certificate. The server will fetch
     744OCSP responses from the responder listed in the certificate and store
     745them im a memcached cache shared with another server.
    743746
    744747     # Load the module into Apache.
    745748     LoadModule gnutls_module modules/mod_gnutls.so
    746      # Using 4 memcache servers to distribute the TLS Session Cache.
    747      GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
     749     GnuTLSCache memcache "192.0.2.1:11211 192.0.2.2:11211"
    748750     GnuTLSCacheTimeout 600
    749      Listen 1.2.3.1:443
    750      NameVirtualHost 1.2.3.1:443
    751      <VirtualHost 1.2.3.1:443>
    752      GnuTLSEnable on
    753      # Here we disable the Perfect forward secrecy ciphersuites (DHE)
    754      # and disallow AES-256 since AES-128 is just fine.
    755      GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
    756      DocumentRoot /www/site1.example.com/html
    757      ServerName site1.example.com:443
    758      GnuTLSCertificateFile conf/ssl/site1.crt
    759      GnuTLSKeyFile conf/ss/site1.key
    760      </VirtualHost>
    761      <VirtualHost 1.2.3.1:443>
    762      GnuTLSEnable on
    763      # Here we instead of disabling the DHE ciphersuites we use
    764      # Diffie Hellman parameters of smaller size than the default (2048 bits).
    765      # Using small numbers from 768 to 1024 bits should be ok once they are
    766      # regenerated every few hours.
    767      # Use "certtool --generate-dh-params --bits 1024" to get those
    768      GnuTLSDHFile /etc/apache2/dh.params
    769      GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
    770      DocumentRoot /www/site2.example.com/html
    771      ServerName site2.example.com:443
    772      GnuTLSCertificateFile conf/ssl/site2.crt
    773      GnuTLSKeyFile conf/ss/site2.key
     751
     752     Listen 192.0.2.1:443
     753
     754     <VirtualHost _default_:443>
     755         GnuTLSEnable          On
     756         GnuTLSPriorities      NORMAL
     757         DocumentRoot          /www/site1.example.com/html
     758         ServerName            site1.example.com:443
     759         GnuTLSCertificateFile conf/tls/site1.crt
     760         GnuTLSKeyFile         conf/tls/site1.key
     761         GnuTLSPriorities      NORMAL
     762         GnuTLSOCSPStapling    On
    774763     </VirtualHost>
    775764
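Review bot: In the new OCSP stapling example, `GnuTLSPriorities NORMAL` is given twice inside the same `<VirtualHost _default_:443>` (once after `GnuTLSEnable On` and again immediately before `GnuTLSOCSPStapling On`); the second copy should be dropped so readers don't take the repetition as meaningful. The introductory sentence has a typo (`store them im a memcached cache` should read `in`) and would benefit from a caveat that memcached offers no authentication or transport encryption, so the `192.0.2.1:11211 192.0.2.2:11211` endpoints must only be reachable from trusted hosts; the comment removed by this commit described the same directive as distributing the TLS session cache, so if that still holds the exposure is not limited to stapled OCSP responses. A suggested sentence after the example description: `Note that memcached does not authenticate or encrypt connections; make sure the cache servers are reachable only over a trusted network.`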