mod_gnutls

This module started back in September of 2004 because I was tired of trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to its authors is intended -- but I believe it has fallen prey to massive feature bloat. When I started hacking on httpd, mod_ssl remained a great mystery to me, and when I actually looked at it, I ran away. The sheer amount of code is huge, and it does not conform to the style guidelines. It was painful to read, and even harder to debug. I wanted to understand how it worked, and I had recently heard about GnuTLS, so, long story short, I decided to implement a mod_gnutls.

Lines of Code in mod_ssl:    15,324
Lines of Code in mod_gnutls:  3,594

Because of writing mod_gnutls, I now understand how input and output filters work better than I ever thought possible. It was a little painful at times, and some parts lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.

----------------------------

Author: Paul Querna
Heavily modified by Nikos Mavrogiannopoulos

License: Apache Software License v2.0. (see the LICENSE file for details)

Current Status:
- SSL and TLS connections with all popular browsers work!
- Sets environment vars for scripts (compatible with mod_ssl vars)
- Supports Memcached as a distributed SSL Session Cache
- Supports DBM as a local SSL Session Cache
- Support for Server Name Indication
- Support for Client Certificates
- Support for TLS-SRP

Basic Configuration:

  LoadModule gnutls_module modules/mod_gnutls.so

  # mod_gnutls can optionally use a memcached server to store its SSL sessions.
  # This is useful in a cluster environment, where you want all of your servers
  # to share a single SSL Session Cache.
  #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"

  # The default method is to use a DBM backed cache. It isn't super fast, but
  # it is portable and does not require another server to be running like memcached.
  GnuTLSCache dbm conf/gnutls_cache

  # insert other directives ... here ...

  # This enables the mod_gnutls handlers for this Virtual Host
  GnuTLSEnable On

  # This is the private key for your server.
  GnuTLSX509KeyFile conf/server.key

  # This is the server certificate.
  GnuTLSX509CertificateFile conf/server.cert

  # a more advanced configuration
  GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
  GnuTLSCacheTimeout 600
  NameVirtualHost 1.2.3.4:443

  ServerName server.com:443
  GnuTLSEnable on
  GnuTLSPriorities NORMAL

  # To export exactly the same environment variables as mod_ssl to CGI scripts.
  GnuTLSExportCertificates on

  GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
  GnuTLSX509KeyFile /etc/apache2/server-key.pem

  # To enable SRP you must have these files installed. Check the gnutls srptool.
  GnuTLSSRPPasswdFile /etc/apache2/tpasswd
  GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf

  # In order to verify client certificates. Other options to
  # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
  # contains the CAs to verify client certificates.
  GnuTLSClientVerify request
  GnuTLSX509CAFile ca.pem

  ...

  # A setup for OpenPGP and X.509 authentication
  ServerName crystal.lan:443
  GnuTLSEnable on
  GnuTLSPriorities NORMAL:+COMP-NULL

  # setup the openpgp keys
  GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
  GnuTLSPGPKeyFile /etc/apache2/test.sec.asc

  # and the X.509 keys
  GnuTLSCertificateFile /etc/apache2/server-cert.pem
  GnuTLSKeyFile /etc/apache2/server-key.pem

  GnuTLSClientVerify ignore

  # To avoid using the default DH params
  GnuTLSDHFile /etc/apache2/dh.pem

  # these are only needed if GnuTLSClientVerify != ignore
  GnuTLSClientCAFile ca.pem
  GnuTLSPGPKeyringFile /etc/apache2/ring.asc
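The directive combinations above (a key for every certificate, a CA file whenever GnuTLSClientVerify is not ignore, both SRP files together, the GnuTLSPriorities spelling) are easy to get wrong in a hand-written vhost. The following checker is an added example, not part of mod_gnutls or this README; it parses a host's directives and reports the mismatches, and the sample configuration it runs on is constructed here.

```python
# Added example (not part of mod_gnutls): sanity-check a host's mod_gnutls
# directives for the combinations the README above describes.

# Spellings that satisfy each check (GnuTLSCertificateFile/KeyFile are aliases).
CERT_DIRECTIVES = ("gnutlsx509certificatefile", "gnutlscertificatefile", "gnutlspgpcertificatefile")
KEY_DIRECTIVES = ("gnutlsx509keyfile", "gnutlskeyfile", "gnutlspgpkeyfile")
CA_DIRECTIVES = ("gnutlsclientcafile", "gnutlsx509cafile", "gnutlspgpkeyringfile")

def parse_directives(text):
    """Map lower-cased directive names to their values, skipping comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def lint_gnutls(text):
    """Return findings for one host; an empty list means nothing was flagged."""
    d = parse_directives(text)
    if d.get("gnutlsenable", [""])[0].lower() != "on":
        return []  # TLS not enabled for this host, nothing to check
    findings = []
    if not any(k in d for k in CERT_DIRECTIVES):
        findings.append("GnuTLSEnable on but no certificate file configured")
    if not any(k in d for k in KEY_DIRECTIVES):
        findings.append("GnuTLSEnable on but no private key file configured")
    verify = d.get("gnutlsclientverify", ["ignore"])[0].lower()
    if verify in ("request", "require") and not any(k in d for k in CA_DIRECTIVES):
        findings.append("GnuTLSClientVerify %s but no client CA file to verify against" % verify)
    if "gnutlspriority" in d:
        findings.append("GnuTLSPriority is not a directive; the name is GnuTLSPriorities")
    # SRP needs the password file and its group-parameter file together.
    if ("gnutlssrppasswdfile" in d) != ("gnutlssrppasswdconffile" in d):
        findings.append("SRP needs both GnuTLSSRPPasswdFile and GnuTLSSRPPasswdConfFile")
    return findings

# Constructed sample: the README's client-certificate block with the CA file
# left out, the priority directive misspelled and only half of the SRP pair.
SAMPLE_CONFIG = """
GnuTLSEnable on
GnuTLSPriority NORMAL
GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
GnuTLSX509KeyFile /etc/apache2/server-key.pem
GnuTLSClientVerify request
GnuTLSSRPPasswdFile /etc/apache2/tpasswd
"""
```

Running `lint_gnutls(SAMPLE_CONFIG)` yields three findings (missing client CA file, misspelled priority directive, incomplete SRP pair); a host with GnuTLSEnable off is skipped entirely.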