mod_gnutls 

This module started back in September of 2004 because I was tired of trying to
fix bugs in mod_ssl.  mod_ssl is a giant beast of a module -- no offense to its
authors is intended -- but I believe it has fallen prey to massive feature bloat.

When I started hacking on httpd, mod_ssl remained a great mystery to me, and
when I actually looked at it, I ran away.  The sheer amount of code is huge, and it
does not conform to the style guidelines.  It was painful to read, and even harder
to debug.  I wanted to understand how it worked, and I had recently heard about
GnuTLS, so long story short, I decided to implement a mod_gnutls.

Lines of Code in mod_ssl: 15,324
Lines of Code in mod_gnutls: 1,886

Because of writing mod_gnutls, I now understand how input and output filters work
better than I ever thought possible.  It was a little painful at times, and some parts
lift code and ideas directly from mod_ssl.  Kudos to the original authors of mod_ssl.

----------------------------

Author: Paul Querna <chip force-elite.com>

Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>

License: Apache Software License v2.0. (see the LICENSE file for details)

Current Status:
- SSL and TLS connections with all popular browsers work!
- Sets environment variables for scripts (compatible with mod_ssl vars)
- Supports Memcached as a distributed SSL Session Cache
- Supports DBM as a local SSL Session Cache
- Support for Server Name Indication
- Support for Client Certificates
- Support for TLS-SRP

Basic Configuration:

LoadModule gnutls_module  modules/mod_gnutls.so

# mod_gnutls can optionally use a memcached server to store its SSL Sessions.
# This is useful in a cluster environment, where you want all of your servers
# to share a single SSL Session Cache.
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"

# The Default method is to use a DBM backed Cache.  It isn't super fast, but 
# it is portable and does not require another server to be running like memcached.
GnuTLSCache dbm conf/gnutls_cache

<VirtualHost 1.2.3.4:443>
    # insert other directives ... here ...

    # This enables the mod_gnutls Handlers for this Virtual Host
    GnuTLSEnable On

    # This is the Private key for your server.
    GnuTLSKeyFile conf/server.key

    # This is the Server Certificate.  
    GnuTLSCertificateFile conf/server.cert
</VirtualHost>


# a more advanced configuration
GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
GnuTLSCacheTimeout 500
GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:443>
    ServerName server.com:443
    GnuTLSEnable on
    GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128
    GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS
    GnuTLSMACAlgorithms SHA1 MD5
    GnuTLSCompressionMethods NULL

    # To export exactly the same environment variables as mod_ssl to CGI scripts.
    GnuTLSExportCertificates on

    GnuTLSCertificateFile /etc/apache2/server-cert.pem
    GnuTLSKeyFile /etc/apache2/server-key.pem

    # To enable SRP you must have these files installed. Check the gnutls srptool.
    GnuTLSSRPPasswdFile /etc/apache2/tpasswd
    GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf

    # In order to verify client certificates. Other options to
    # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
    # contains the CAs to verify client certificates.
    GnuTLSClientVerify request
    GnuTLSClientCAFile ca.pem
    ...
</VirtualHost>
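The advanced configuration above dates from when SSL3.0, RC4 (ARCFOUR), 3DES and MD5 were still acceptable. As an added example (not part of mod_gnutls or this README), the Python below parses httpd-style configuration like the two snippets above and reports, per GnuTLSEnable'd virtual host, which GnuTLSProtocols, GnuTLSCiphers and GnuTLSMACAlgorithms values are deprecated or weak by today's standards. It assumes a directive inside <VirtualHost> overrides the server-wide one (httpd's usual merge rule), the weak-value list is the example's own judgement, and the sample configuration is constructed.

```python
import re
import shlex
# Directive names are mod_gnutls's; the weak-value lists are this example's judgement.
WEAK_VALUES = {"gnutlsprotocols": {"SSL3.0", "TLS1.0"},
               "gnutlsciphers": {"ARCFOUR-128", "3DES-CBC"},
               "gnutlsmacalgorithms": {"MD5"}}
_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
_CLOSE = re.compile(r"^</VirtualHost>$", re.I)

def parse_httpd(text):
    """Return (server-wide directives, {vhost label: directives}); names lower-cased."""
    global_conf, vhosts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":  # README placeholder
            continue
        if m := _OPEN.match(line):
            current = vhosts.setdefault(m.group(1), {})
        elif _CLOSE.match(line):
            current = None
        else:  # 'Name value ...'; values may be quoted, as GnuTLSCache's are
            name, *rest = line.split(None, 1)
            scope = global_conf if current is None else current
            scope[name.lower()] = shlex.split(rest[0]) if rest else []
    return global_conf, vhosts

def audit(text):
    """One finding per weak value, for each GnuTLSEnable'd host. Assumes a directive
    inside <VirtualHost> overrides the server-wide one, as for ordinary httpd directives."""
    global_conf, vhosts = parse_httpd(text)
    findings = []
    for label, conf in vhosts.items():
        if (conf.get("gnutlsenable") or ["off"])[0].lower() != "on":
            continue
        effective = {**global_conf, **conf}
        for directive, weak in WEAK_VALUES.items():
            if hit := sorted(weak & set(effective.get(directive, []))):
                findings.append(f"{label}: {directive} allows {' '.join(hit)}")
    return findings

# Constructed sample: the README's advanced settings, then a host overriding them.
SAMPLE = """GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0
<VirtualHost 1.2.3.4:443>
    GnuTLSEnable on
    GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128
    GnuTLSMACAlgorithms SHA1 MD5
</VirtualHost>
<VirtualHost 1.2.3.4:8443>
    GnuTLSEnable on
    GnuTLSProtocols TLS1.1
</VirtualHost>"""
```

Running `audit(SAMPLE)` flags only the first host; the second inherits nothing weak because its own GnuTLSProtocols line overrides the server-wide one.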