Diffstat (limited to 'README')
-rw-r--r-- | README | 67 |
1 files changed, 59 insertions, 8 deletions
@@ -11,7 +11,7 @@ to debug. I wanted to understand how it worked, and I had recently heard about | |||
11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. | 11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. |
12 | 12 | ||
13 | Lines of Code in mod_ssl: 15,324 | 13 | Lines of Code in mod_ssl: 15,324 |
14 | Lines of Code in mod_gnutls: 1,886 | 14 | Lines of Code in mod_gnutls: 3,594 |
15 | 15 | ||
16 | Because of writing mod_gnutls, I now understand how input and output filters work, | 16 | Because of writing mod_gnutls, I now understand how input and output filters work, |
17 | better than I ever thought possible. It was a little painful at times, and some parts | 17 | better than I ever thought possible. It was a little painful at times, and some parts |
@@ -19,19 +19,20 @@ lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ | |||
19 | 19 | ||
20 | ---------------------------- | 20 | ---------------------------- |
21 | 21 | ||
22 | Author: Paul Querna <chip force-elite.com | 22 | Author: Paul Querna <chip force-elite.com> |
23 | |||
24 | Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org> | ||
23 | 25 | ||
24 | License: Apache Software License v2.0. (see the LICENSE file for details) | 26 | License: Apache Software License v2.0. (see the LICENSE file for details) |
25 | 27 | ||
26 | Current Status: | 28 | Current Status: |
27 | - SSL and TLS connections with all popular browsers work! | 29 | - SSL and TLS connections with all popular browsers work! |
28 | - Sets some enviromental vars for scripts | 30 | - Sets enviromental vars for scripts (compatible with mod_ssl vars) |
29 | - Supports Memcached as a distributed SSL Session Cache | 31 | - Supports Memcached as a distributed SSL Session Cache |
30 | - Supports DBM as a local SSL Session Cache | 32 | - Supports DBM as a local SSL Session Cache |
31 | 33 | - Support for Server Name Indication | |
32 | Future Development: | ||
33 | - Support for Server Name Indication (partial support is in, but disabled) | ||
34 | - Support for Client Certificates | 34 | - Support for Client Certificates |
35 | - Support for TLS-SRP | ||
35 | 36 | ||
36 | Basic Configuration: | 37 | Basic Configuration: |
37 | 38 | ||
@@ -53,8 +54,58 @@ GnuTLSCache dbm conf/gnutls_cache | |||
53 | GnuTLSEnable On | 54 | GnuTLSEnable On |
54 | 55 | ||
55 | # This is the Private key for your server. | 56 | # This is the Private key for your server. |
56 | GnuTLSKeyFile conf/server.key | 57 | GnuTLSX509KeyFile conf/server.key |
57 | 58 | ||
58 | # This is the Server Certificate. | 59 | # This is the Server Certificate. |
59 | GnuTLSCertificateFile conf/server.cert | 60 | GnuTLSX509CertificateFile conf/server.cert |
61 | </VirtualHost> | ||
62 | |||
63 | # a more advanced configuration | ||
64 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" | ||
65 | GnuTLSCacheTimeout 600 | ||
66 | NameVirtualHost 1.2.3.4:443 | ||
67 | |||
68 | <VirtualHost 1.2.3.4:443> | ||
69 | Servername server.com:443 | ||
70 | GnuTLSEnable on | ||
71 | GnuTLSPriority NORMAL | ||
72 | # To export exactly the same environment variables as mod_ssl to CGI scripts. | ||
73 | GNUTLSExportCertificates on | ||
74 | |||
75 | GnuTLSX509CertificateFile /etc/apache2/server-cert.pem | ||
76 | GnuTLSX509KeyFile /etc/apache2/server-key.pem | ||
77 | |||
78 | # To enable SRP you must have these files installed. Check the gnutls srptool. | ||
79 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd | ||
80 | GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf | ||
81 | |||
82 | # In order to verify client certificates. Other options to | ||
83 | # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile | ||
84 | # contains the CAs to verify client certificates. | ||
85 | GnuTLSClientVerify request | ||
86 | GnuTLSX509CAFile ca.pem | ||
87 | ... | ||
88 | </VirtualHost> | ||
89 | |||
90 | # A setup for OpenPGP and X.509 authentication | ||
91 | <VirtualHost 1.2.3.4:443> | ||
92 | Servername crystal.lan:443 | ||
93 | GnuTLSEnable on | ||
94 | GnuTLSPriorities NORMAL:+COMP-NULL | ||
95 | |||
96 | # setup the openpgp keys | ||
97 | GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc | ||
98 | GnuTLSPGPKeyFile /etc/apache2/test.sec.asc | ||
99 | |||
100 | # and the X.509 keys | ||
101 | GnuTLSCertificateFile /etc/apache2/server-cert.pem | ||
102 | GnuTLSKeyFile /etc/apache2/server-key.pem | ||
103 | GnuTLSClientVerify ignore | ||
104 | |||
105 | # To avoid using the default DH params | ||
106 | GnuTLSDHFile /etc/apache2/dh.pem | ||
107 | |||
108 | # these are only needed if GnuTLSClientVerify != ignore | ||
109 | GnuTLSClientCAFile ca.pem | ||
110 | GnuTLSPGPKeyringFile /etc/apache2/ring.asc | ||
60 | </VirtualHost> | 111 | </VirtualHost> |