1 files changed, 146 insertions, 86 deletions
diff --git a/README b/README
index 5198ed7..ad7f9c6 100644
--- a/README
+++ b/README
@@ -1,111 +1,171 @@
-mod_gnutls 
-This module started back in September of 2004 because I was tired of trying to
+                mod_gnutls, Apache GnuTLS module.
-fix bugs in mod_ssl.  mod_ssl is a giant beast of a module -- no offense to it's 
+                =================================
-authors is intended -- but I believe it has fallen prey to massive feature bloat.
-When I started hacking on httpd, mod_ssl remained a great mystery to me, and 
+$LastChangedDate: $
-when I actually looked at it, I ran away.  The shear ammount code is huge, and it 
-does not conform to the style guidelines.  It was painful to read, and even harder
-to debug.  I wanted to understand how it worked, and I had recently heard about 
-GnuTLS, so long story short, I decided to implement a mod_gnutls.
-Lines of Code in mod_ssl: 15,324
+Contents:
-Lines of Code in mod_gnutls: 3,594
-Because of writing mod_gnutls, I now understand how input and output filters work, 
+     I. ABOUT
-better than I ever thought possible.  It was a little painful at times, and some parts
+    II. AUTHORS
-lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.
+   III. LICENSE
+    IV. STATUS
+     V. BASIC CONFIGURATION
+    VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
----------------------------
-Author: Paul Querna <chip force-elite.com>
-Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>
+I.    ABOUT
-License: Apache Software License v2.0. (see the LICENSE file for details)
+      This module started back in September of 2004 because I was tired of
+      trying to fix bugs in mod_ssl.  mod_ssl is a giant beast of a module --
+      no offense to it's authors is intended -- but I believe it has fallen
+      prey to massive feature bloat.
-Current Status:
+      When I started hacking on httpd, mod_ssl remained a great mystery to me,
- SSL and TLS connections with all popular browsers work!
+      and when I actually looked at it, I ran away.  The shear amount code is
- Sets enviromental vars for scripts (compatible with mod_ssl vars)
+      huge, and it does not conform to the style guidelines.  It was painful to
- Supports Memcached as a distributed SSL Session Cache
+      read, and even harder to debug.  I wanted to understand how it worked,
- Supports DBM as a local SSL Session Cache
+      and I had recently heard about GnuTLS, so long story short, I decided to
- Support for Server Name Indication
+      implement a mod_gnutls.
- Support for Client Certificates
- Support for TLS-SRP
-Basic Configuration:
+         Lines of Code in mod_ssl: 15,324
+         Lines of Code in mod_gnutls: 3,594
-LoadModule gnutls_module  modules/mod_gnutls.so
+      Because of writing mod_gnutls, I now understand how input and output
+      filters work, better than I ever thought possible.  It was a little
+      painful at times, and some parts lift code and ideas directly from
+      mod_ssl.  Kudos to the original authors of mod_ssl.
-# mod_gnutls can optionaly use a memcached server to store it's SSL Sessions.
-# This is useful in a cluster enviroment, where you want all of your servers 
-# to share a single SSL Session Cache.
-#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
-# The Default method is to use a DBM backed Cache.  It isn't super fast, but 
-# it is portable and does not require another server to be running like memcached.
-GnuTLSCache dbm conf/gnutls_cache
-<VirtualHost 1.2.3.4:443>
+II.   AUTHORS
-    # insert other directives ... here ...
-    # This enables the mod_gnutls Handlers for this Virtual Host
+      Paul Querna <chip force-elite.com>
-    GnuTLSEnable On
+      Nikos Mavrogiannopoulos <nmav gnutls.org>
-    # This is the Private key for your server.
-    GnuTLSX509KeyFile conf/server.key
-    # This is the Server Certificate.  
-    GnuTLSX509CertificateFile conf/server.cert
-</VirtualHost>
-# a more advanced configuration
+III.  LICENSE
-GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
-GnuTLSCacheTimeout 600
-NameVirtualHost 1.2.3.4:443
-<VirtualHost 1.2.3.4:443>
+      Apache License, Version 2.0 (see the LICENSE file for details)
-        Servername server.com:443
+IV.   STATUS
+      * SSL and TLS connections with all popular browsers work!
+      * Sets environmental vars for scripts (compatible with mod_ssl vars)
+      * Supports memcached as a distributed SSL session cache
+      * Supports DBM as a local SSL session cache
+      * Support for server name indication (SNI), RFC3546
+      * Support for client certificates
+      * Support for secure remote password (SRP), RFC5054
+V.    BASIC CONFIGURATION
+      LoadModule gnutls_module modules/mod_gnutls.so
+      
+      # mod_gnutls can optionally use a memcached server to store it's SSL
+      # Sessions.  This is useful in a cluster environment, where you want all
+      # of your servers to share a single SSL session cache.
+      #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
+      
+      # The Default method is to use a DBM backed Cache.  It isn't super fast,
+      # but it is portable and does not require another server to be running
+      # like memcached.
+      GnuTLSCache dbm conf/gnutls_cache
+      
+      <VirtualHost 1.2.3.4:443>
+        # Enable mod_gnutls handlers for this virtual host
+        GnuTLSEnable On
+      
+        # This is the private key for your server
+        GnuTLSX509KeyFile conf/server.key
+      
+        # This is the server certificate
+        GnuTLSX509CertificateFile conf/server.cert
+      </VirtualHost>
+      
+      # A more advanced configuration
+      GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
+      GnuTLSCacheTimeout 600
+      NameVirtualHost 1.2.3.4:443
+      
+      <VirtualHost 1.2.3.4:443>
+        Servername server.com:443
        GnuTLSEnable on
-        GnuTLSPriority NORMAL
+        GnuTLSPriority NORMAL
-# To export exactly the same environment variables as mod_ssl to CGI scripts.
-        GNUTLSExportCertificates on
+        # Export exactly the same environment variables as mod_ssl to CGI
+        # scripts.
-        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
+        GNUTLSExportCertificates on
-        GnuTLSX509KeyFile /etc/apache2/server-key.pem
+      
+        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
-# To enable SRP you must have these files installed. Check the gnutls srptool.
+        GnuTLSX509KeyFile /etc/apache2/server-key.pem
-        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
+      
-        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
+        # To enable SRP you must have these files installed.  Check the gnutls
+        # srptool.
-# In order to verify client certificates. Other options to
+        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
-# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
+        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
-# contains the CAs to verify client certificates.
+      
-        GnuTLSClientVerify request
+        # In order to verify client certificates.  Other options to
-        GnuTLSX509CAFile ca.pem
+        # GnuTLSClientVerify could be ignore or require.  The
-        ...
+        # GnuTLSClientCAFile contains the CAs to verify client certificates.
-</VirtualHost>
+        GnuTLSClientVerify request
+        GnuTLSX509CAFile ca.pem
-# A setup for OpenPGP and X.509 authentication
-<VirtualHost 1.2.3.4:443>
+      </VirtualHost>
-        Servername crystal.lan:443
+      
+      # A setup for OpenPGP and X.509 authentication
+      <VirtualHost 1.2.3.4:443>
+        Servername crystal.lan:443
        GnuTLSEnable on
-        GnuTLSPriorities NORMAL:+COMP-NULL
+        GnuTLSPriorities NORMAL:+COMP-NULL
+      
+        # Setup the openpgp keys
+        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
+        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
+      
+        # - and the X.509 keys
+        GnuTLSCertificateFile /etc/apache2/server-cert.pem
+        GnuTLSKeyFile /etc/apache2/server-key.pem
+        GnuTLSClientVerify ignore
+      
+        # To avoid using the default DH params
+        GnuTLSDHFile /etc/apache2/dh.pem
+      
+        # These are only needed if GnuTLSClientVerify != ignore
+        GnuTLSClientCAFile ca.pem
+        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
+      </VirtualHost>
+VI.   CREATE OPENPGP CREDENTIALS FOR THE SERVER
+      mod_gnutls currently cannot read encrypted OpenPGP credentials.  That is,
+      when you generate a key with gpg and gpg prompts you for a passphrase,
+      just press enter.  Then press enter again, to confirm an empty
+      passphrase.  http://news.gmane.org/gmane.comp.apache.outoforder.modules
-# setup the openpgp keys
+      These instructions are from the GnuTLS manual:
-        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
+      http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
-        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
-# and the X.509 keys
+        $ gpg --gen-key
-        GnuTLSCertificateFile /etc/apache2/server-cert.pem
+        ...enter whatever details you want, use 'test.gnutls.org' as name...
-        GnuTLSKeyFile /etc/apache2/server-key.pem
-        GnuTLSClientVerify ignore
-# To avoid using the default DH params
+      Make a note of the OpenPGP key identifier of the newly generated key,
-        GnuTLSDHFile /etc/apache2/dh.pem
+      here it was 5D1D14D8.  You will need to export the key for GnuTLS to be
+      able to use it.
-# these are only needed if GnuTLSClientVerify != ignore
+         $ gpg -a --export 5D1D14D8 > openpgp-server.txt
-        GnuTLSClientCAFile ca.pem
+         $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
-        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
-</VirtualHost>

diff --git a/README b/README index 5198ed7..ad7f9c6 100644 --- a/README +++ b/README
@@ -1,111 +1,171 @@
1	mod_gnutls
2		1
3	This module started back in September of 2004 because I was tired of trying to	2	mod_gnutls, Apache GnuTLS module.
4	fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to it's	3	=================================
5	authors is intended -- but I believe it has fallen prey to massive feature bloat.
6		4
7	When I started hacking on httpd, mod_ssl remained a great mystery to me, and	5	$LastChangedDate: $
8	when I actually looked at it, I ran away. The shear ammount code is huge, and it
9	does not conform to the style guidelines. It was painful to read, and even harder
10	to debug. I wanted to understand how it worked, and I had recently heard about
11	GnuTLS, so long story short, I decided to implement a mod_gnutls.
12		6
13	Lines of Code in mod_ssl: 15,324	7	Contents:
14	Lines of Code in mod_gnutls: 3,594
15		8
16	Because of writing mod_gnutls, I now understand how input and output filters work,	9	I. ABOUT
17	better than I ever thought possible. It was a little painful at times, and some parts	10	II. AUTHORS
18	lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.	11	III. LICENSE
		12	IV. STATUS
		13	V. BASIC CONFIGURATION
		14	VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
19		15
20	----------------------------
21		16
22	Author: Paul Querna <chip force-elite.com>
23		17
24	Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>	18	I. ABOUT
25		19
26	License: Apache Software License v2.0. (see the LICENSE file for details)	20	This module started back in September of 2004 because I was tired of
		21	trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module --
		22	no offense to it's authors is intended -- but I believe it has fallen
		23	prey to massive feature bloat.
27		24
28	Current Status:	25	When I started hacking on httpd, mod_ssl remained a great mystery to me,
29	- SSL and TLS connections with all popular browsers work!	26	and when I actually looked at it, I ran away. The shear amount code is
30	- Sets enviromental vars for scripts (compatible with mod_ssl vars)	27	huge, and it does not conform to the style guidelines. It was painful to
31	- Supports Memcached as a distributed SSL Session Cache	28	read, and even harder to debug. I wanted to understand how it worked,
32	- Supports DBM as a local SSL Session Cache	29	and I had recently heard about GnuTLS, so long story short, I decided to
33	- Support for Server Name Indication	30	implement a mod_gnutls.
34	- Support for Client Certificates
35	- Support for TLS-SRP
36		31
37	Basic Configuration:	32	Lines of Code in mod_ssl: 15,324
		33	Lines of Code in mod_gnutls: 3,594
38		34
39	LoadModule gnutls_module modules/mod_gnutls.so	35	Because of writing mod_gnutls, I now understand how input and output
		36	filters work, better than I ever thought possible. It was a little
		37	painful at times, and some parts lift code and ideas directly from
		38	mod_ssl. Kudos to the original authors of mod_ssl.
40		39
41	# mod_gnutls can optionaly use a memcached server to store it's SSL Sessions.
42	# This is useful in a cluster enviroment, where you want all of your servers
43	# to share a single SSL Session Cache.
44	#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
45		40
46	# The Default method is to use a DBM backed Cache. It isn't super fast, but
47	# it is portable and does not require another server to be running like memcached.
48	GnuTLSCache dbm conf/gnutls_cache
49		41
50	<VirtualHost 1.2.3.4:443>	42	II. AUTHORS
51	# insert other directives ... here ...
52		43
53	# This enables the mod_gnutls Handlers for this Virtual Host	44	Paul Querna <chip force-elite.com>
54	GnuTLSEnable On	45	Nikos Mavrogiannopoulos <nmav gnutls.org>
55		46
56	# This is the Private key for your server.
57	GnuTLSX509KeyFile conf/server.key
58		47
59	# This is the Server Certificate.
60	GnuTLSX509CertificateFile conf/server.cert
61	</VirtualHost>
62		48
63	# a more advanced configuration	49	III. LICENSE
64	GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
65	GnuTLSCacheTimeout 600
66	NameVirtualHost 1.2.3.4:443
67		50
68	<VirtualHost 1.2.3.4:443>	51	Apache License, Version 2.0 (see the LICENSE file for details)
69	Servername server.com:443	52
		53
		54
		55	IV. STATUS
		56
		57	* SSL and TLS connections with all popular browsers work!
		58	* Sets environmental vars for scripts (compatible with mod_ssl vars)
		59	* Supports memcached as a distributed SSL session cache
		60	* Supports DBM as a local SSL session cache
		61	* Support for server name indication (SNI), RFC3546
		62	* Support for client certificates
		63	* Support for secure remote password (SRP), RFC5054
		64
		65
		66
		67	V. BASIC CONFIGURATION
		68
		69	LoadModule gnutls_module modules/mod_gnutls.so
		70
		71	# mod_gnutls can optionally use a memcached server to store it's SSL
		72	# Sessions. This is useful in a cluster environment, where you want all
		73	# of your servers to share a single SSL session cache.
		74	#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
		75
		76	# The Default method is to use a DBM backed Cache. It isn't super fast,
		77	# but it is portable and does not require another server to be running
		78	# like memcached.
		79	GnuTLSCache dbm conf/gnutls_cache
		80
		81	<VirtualHost 1.2.3.4:443>
		82
		83	# Enable mod_gnutls handlers for this virtual host
		84	GnuTLSEnable On
		85
		86	# This is the private key for your server
		87	GnuTLSX509KeyFile conf/server.key
		88
		89	# This is the server certificate
		90	GnuTLSX509CertificateFile conf/server.cert
		91
		92	</VirtualHost>
		93
		94	# A more advanced configuration
		95	GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
		96	GnuTLSCacheTimeout 600
		97	NameVirtualHost 1.2.3.4:443
		98
		99	<VirtualHost 1.2.3.4:443>
		100
		101	Servername server.com:443
70	GnuTLSEnable on	102	GnuTLSEnable on
71	GnuTLSPriority NORMAL	103	GnuTLSPriority NORMAL
72	# To export exactly the same environment variables as mod_ssl to CGI scripts.	104
73	GNUTLSExportCertificates on	105	# Export exactly the same environment variables as mod_ssl to CGI
74		106	# scripts.
75	GnuTLSX509CertificateFile /etc/apache2/server-cert.pem	107	GNUTLSExportCertificates on
76	GnuTLSX509KeyFile /etc/apache2/server-key.pem	108
77		109	GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
78	# To enable SRP you must have these files installed. Check the gnutls srptool.	110	GnuTLSX509KeyFile /etc/apache2/server-key.pem
79	GnuTLSSRPPasswdFile /etc/apache2/tpasswd	111
80	GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf	112	# To enable SRP you must have these files installed. Check the gnutls
81		113	# srptool.
82	# In order to verify client certificates. Other options to	114	GnuTLSSRPPasswdFile /etc/apache2/tpasswd
83	# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile	115	GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
84	# contains the CAs to verify client certificates.	116
85	GnuTLSClientVerify request	117	# In order to verify client certificates. Other options to
86	GnuTLSX509CAFile ca.pem	118	# GnuTLSClientVerify could be ignore or require. The
87	...	119	# GnuTLSClientCAFile contains the CAs to verify client certificates.
88	</VirtualHost>	120	GnuTLSClientVerify request
89		121	GnuTLSX509CAFile ca.pem
90	# A setup for OpenPGP and X.509 authentication	122
91	<VirtualHost 1.2.3.4:443>	123	</VirtualHost>
92	Servername crystal.lan:443	124
		125	# A setup for OpenPGP and X.509 authentication
		126	<VirtualHost 1.2.3.4:443>
		127
		128	Servername crystal.lan:443
93	GnuTLSEnable on	129	GnuTLSEnable on
94	GnuTLSPriorities NORMAL:+COMP-NULL	130	GnuTLSPriorities NORMAL:+COMP-NULL
		131
		132	# Setup the openpgp keys
		133	GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
		134	GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
		135
		136	# - and the X.509 keys
		137	GnuTLSCertificateFile /etc/apache2/server-cert.pem
		138	GnuTLSKeyFile /etc/apache2/server-key.pem
		139
		140	GnuTLSClientVerify ignore
		141
		142	# To avoid using the default DH params
		143	GnuTLSDHFile /etc/apache2/dh.pem
		144
		145	# These are only needed if GnuTLSClientVerify != ignore
		146	GnuTLSClientCAFile ca.pem
		147	GnuTLSPGPKeyringFile /etc/apache2/ring.asc
		148
		149	</VirtualHost>
		150
		151
		152
		153	VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
		154
		155	mod_gnutls currently cannot read encrypted OpenPGP credentials. That is,
		156	when you generate a key with gpg and gpg prompts you for a passphrase,
		157	just press enter. Then press enter again, to confirm an empty
		158	passphrase. http://news.gmane.org/gmane.comp.apache.outoforder.modules
95		159
96	# setup the openpgp keys	160	These instructions are from the GnuTLS manual:
97	GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc	161	http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
98	GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
99		162
100	# and the X.509 keys	163	$ gpg --gen-key
101	GnuTLSCertificateFile /etc/apache2/server-cert.pem	164	...enter whatever details you want, use 'test.gnutls.org' as name...
102	GnuTLSKeyFile /etc/apache2/server-key.pem
103	GnuTLSClientVerify ignore
104		165
105	# To avoid using the default DH params	166	Make a note of the OpenPGP key identifier of the newly generated key,
106	GnuTLSDHFile /etc/apache2/dh.pem	167	here it was 5D1D14D8. You will need to export the key for GnuTLS to be
		168	able to use it.
107		169
108	# these are only needed if GnuTLSClientVerify != ignore	170	$ gpg -a --export 5D1D14D8 > openpgp-server.txt
109	GnuTLSClientCAFile ca.pem	171	$ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
110	GnuTLSPGPKeyringFile /etc/apache2/ring.asc
111	</VirtualHost>