Diffstat (limited to 'README')
| -rw-r--r-- | README | 67 | 
1 files changed, 59 insertions, 8 deletions
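--- a/README
+++ b/README
@@ -11,7 +11,7 @@ to debug. I wanted to understand how it worked, and I had recently heard about
 GnuTLS, so long story short, I decided to implement a mod_gnutls.
 
 Lines of Code in mod_ssl: 15,324
-Lines of Code in mod_gnutls: 1,886
+Lines of Code in mod_gnutls: 3,594
 
 Because of writing mod_gnutls, I now understand how input and output filters work,
 better than I ever thought possible. It was a little painful at times, and some parts
@@ -19,19 +19,20 @@ lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_
 
 ----------------------------
 
-Author: Paul Querna <chip force-elite.com
+Author: Paul Querna <chip force-elite.com>
+
+Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>
 
 License: Apache Software License v2.0. (see the LICENSE file for details)
 
 Current Status:
 - SSL and TLS connections with all popular browsers work!
-- Sets some enviromental vars for scripts
+- Sets enviromental vars for scripts (compatible with mod_ssl vars)
 - Supports Memcached as a distributed SSL Session Cache
 - Supports DBM as a local SSL Session Cache
-
-Future Development:
-- Support for Server Name Indication (partial support is in, but disabled)
+- Support for Server Name Indication
 - Support for Client Certificates
+- Support for TLS-SRP
 
 Basic Configuration:
 
@@ -53,8 +54,58 @@ GnuTLSCache dbm conf/gnutls_cache
 GnuTLSEnable On
 
 # This is the Private key for your server.
-GnuTLSKeyFile conf/server.key
+GnuTLSX509KeyFile conf/server.key
 
 # This is the Server Certificate.
-GnuTLSCertificateFile conf/server.cert
+GnuTLSX509CertificateFile conf/server.cert
+</VirtualHost>
+
+# a more advanced configuration
+GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
+GnuTLSCacheTimeout 600
+NameVirtualHost 1.2.3.4:443
+
+<VirtualHost 1.2.3.4:443>
+Servername server.com:443
+GnuTLSEnable on
+GnuTLSPriority NORMAL
+# To export exactly the same environment variables as mod_ssl to CGI scripts.
+GNUTLSExportCertificates on
+
+GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
+GnuTLSX509KeyFile /etc/apache2/server-key.pem
+
+# To enable SRP you must have these files installed. Check the gnutls srptool.
+GnuTLSSRPPasswdFile /etc/apache2/tpasswd
+GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
+
+# In order to verify client certificates. Other options to
+# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
+# contains the CAs to verify client certificates.
+GnuTLSClientVerify request
+GnuTLSX509CAFile ca.pem
+...
+</VirtualHost>
+
+# A setup for OpenPGP and X.509 authentication
+<VirtualHost 1.2.3.4:443>
+Servername crystal.lan:443
+GnuTLSEnable on
+GnuTLSPriorities NORMAL:+COMP-NULL
+
+# setup the openpgp keys
+GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
+GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
+
+# and the X.509 keys
+GnuTLSCertificateFile /etc/apache2/server-cert.pem
+GnuTLSKeyFile /etc/apache2/server-key.pem
+GnuTLSClientVerify ignore
+
+# To avoid using the default DH params
+GnuTLSDHFile /etc/apache2/dh.pem
+
+# these are only needed if GnuTLSClientVerify != ignore
+GnuTLSClientCAFile ca.pem
+GnuTLSPGPKeyringFile /etc/apache2/ring.asc
 </VirtualHost>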
