Diffstat (limited to 'README')
-rw-r--r-- | README | 44 |
1 files changed, 31 insertions, 13 deletions
@@ -11,7 +11,7 @@ to debug. I wanted to understand how it worked, and I had recently heard about | |||
11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. | 11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. |
12 | 12 | ||
13 | Lines of Code in mod_ssl: 15,324 | 13 | Lines of Code in mod_ssl: 15,324 |
14 | Lines of Code in mod_gnutls: 1,886 | 14 | Lines of Code in mod_gnutls: 3,594 |
15 | 15 | ||
16 | Because of writing mod_gnutls, I now understand how input and output filters work, | 16 | Because of writing mod_gnutls, I now understand how input and output filters work, |
17 | better than I ever thought possible. It was a little painful at times, and some parts | 17 | better than I ever thought possible. It was a little painful at times, and some parts |
@@ -54,31 +54,26 @@ GnuTLSCache dbm conf/gnutls_cache | |||
54 | GnuTLSEnable On | 54 | GnuTLSEnable On |
55 | 55 | ||
56 | # This is the Private key for your server. | 56 | # This is the Private key for your server. |
57 | GnuTLSKeyFile conf/server.key | 57 | GnuTLSX509KeyFile conf/server.key |
58 | 58 | ||
59 | # This is the Server Certificate. | 59 | # This is the Server Certificate. |
60 | GnuTLSCertificateFile conf/server.cert | 60 | GnuTLSX509CertificateFile conf/server.cert |
61 | </VirtualHost> | 61 | </VirtualHost> |
62 | 62 | ||
63 | |||
64 | # a more advanced configuration | 63 | # a more advanced configuration |
65 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" | 64 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" |
66 | GnuTLSCacheTimeout 500 | 65 | GnuTLSCacheTimeout 600 |
67 | GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0 | ||
68 | NameVirtualHost 1.2.3.4:443 | 66 | NameVirtualHost 1.2.3.4:443 |
69 | 67 | ||
70 | <VirtualHost 1.2.3.4:443> | 68 | <VirtualHost 1.2.3.4:443> |
71 | Servername server.com:443 | 69 | Servername server.com:443 |
72 | GnuTLSEnable on | 70 | GnuTLSEnable on |
73 | GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128 | 71 | GnuTLSPriority NORMAL |
74 | GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS | ||
75 | GnuTLSMACAlgorithms SHA1 MD5 | ||
76 | GnuTLSCompressionMethods NULL | ||
77 | # To export exactly the same environment variables as mod_ssl to CGI scripts. | 72 | # To export exactly the same environment variables as mod_ssl to CGI scripts. |
78 | GNUTLSExportCertificates on | 73 | GNUTLSExportCertificates on |
79 | 74 | ||
80 | GnuTLSCertificateFile /etc/apache2/server-cert.pem | 75 | GnuTLSX509CertificateFile /etc/apache2/server-cert.pem |
81 | GnuTLSKeyFile /etc/apache2/server-key.pem | 76 | GnuTLSX509KeyFile /etc/apache2/server-key.pem |
82 | 77 | ||
83 | # To enable SRP you must have these files installed. Check the gnutls srptool. | 78 | # To enable SRP you must have these files installed. Check the gnutls srptool. |
84 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd | 79 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd |
@@ -88,6 +83,29 @@ NameVirtualHost 1.2.3.4:443 | |||
88 | # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile | 83 | # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile |
89 | # contains the CAs to verify client certificates. | 84 | # contains the CAs to verify client certificates. |
90 | GnuTLSClientVerify request | 85 | GnuTLSClientVerify request |
91 | GnuTLSClientCAFile ca.pem | 86 | GnuTLSX509CAFile ca.pem |
92 | ... | 87 | ... |
93 | </VirtualHost> | 88 | </VirtualHost> |
89 | |||
90 | # A setup for OpenPGP and X.509 authentication | ||
91 | <VirtualHost 1.2.3.4:443> | ||
92 | Servername crystal.lan:443 | ||
93 | GnuTLSEnable on | ||
94 | GnuTLSPriorities NORMAL:+COMP-NULL | ||
95 | |||
96 | # setup the openpgp keys | ||
97 | GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc | ||
98 | GnuTLSPGPKeyFile /etc/apache2/test.sec.asc | ||
99 | |||
100 | # and the X.509 keys | ||
101 | GnuTLSCertificateFile /etc/apache2/server-cert.pem | ||
102 | GnuTLSKeyFile /etc/apache2/server-key.pem | ||
103 | GnuTLSClientVerify ignore | ||
104 | |||
105 | # To avoid using the default DH params | ||
106 | GnuTLSDHFile /etc/apache2/dh.pem | ||
107 | |||
108 | # these are only needed if GnuTLSClientVerify != ignore | ||
109 | GnuTLSClientCAFile ca.pem | ||
110 | GnuTLSPGPKeyringFile /etc/apache2/ring.asc | ||
111 | </VirtualHost> | ||