From 586e3bef5d34d090d9480e146783c33313f9dc34 Mon Sep 17 00:00:00 2001
From: Nokis Mavrogiannopoulos
Date: Wed, 20 Feb 2008 18:50:41 +0000
Subject: added tags
---
 README | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 59 insertions(+), 8 deletions(-)
(limited to 'README')
diff --git a/README b/README
index 557ba77..5198ed7 100644
--- a/README
+++ b/README
@@ -11,7 +11,7 @@ to debug. I wanted to understand how it worked, and I had recently heard about
 GnuTLS, so long story short, I decided to implement a mod_gnutls.
 Lines of Code in mod_ssl: 15,324
-Lines of Code in mod_gnutls: 1,886
+Lines of Code in mod_gnutls: 3,594
 Because of writing mod_gnutls, I now understand how input and output filters work,
 better than I ever thought possible. It was a little painful at times, and some parts
@@ -19,19 +19,20 @@ lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_
 ----------------------------
-Author: Paul Querna
+
+Heavily modified by Nikos Mavrogiannopoulos
 License: Apache Software License v2.0. (see the LICENSE file for details)
 Current Status:
 - SSL and TLS connections with all popular browsers work!
-- Sets some enviromental vars for scripts
+- Sets enviromental vars for scripts (compatible with mod_ssl vars)
 - Supports Memcached as a distributed SSL Session Cache
 - Supports DBM as a local SSL Session Cache
-
-Future Development:
-- Support for Server Name Indication (partial support is in, but disabled)
+- Support for Server Name Indication
+- Support for Client Certificates
+- Support for TLS-SRP
 Basic Configuration:
@@ -53,8 +54,58 @@ GnuTLSCache dbm conf/gnutls_cache
 GnuTLSEnable On
 # This is the Private key for your server.
- GnuTLSKeyFile conf/server.key
+ GnuTLSX509KeyFile conf/server.key
 # This is the Server Certificate.
- GnuTLSCertificateFile conf/server.cert
+ GnuTLSX509CertificateFile conf/server.cert
+
+
+# a more advanced configuration
+GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
+GnuTLSCacheTimeout 600
+NameVirtualHost 1.2.3.4:443
+
+ Servername server.com:443
+ GnuTLSEnable on
+ GnuTLSPriority NORMAL
+# To export exactly the same environment variables as mod_ssl to CGI scripts.
+ GNUTLSExportCertificates on
+
+ GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
+ GnuTLSX509KeyFile /etc/apache2/server-key.pem
+
+# To enable SRP you must have these files installed. Check the gnutls srptool.
+ GnuTLSSRPPasswdFile /etc/apache2/tpasswd
+ GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
+
+# In order to verify client certificates. Other options to
+# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
+# contains the CAs to verify client certificates.
+ GnuTLSClientVerify request
+ GnuTLSX509CAFile ca.pem
+ ...
+
+
+# A setup for OpenPGP and X.509 authentication
+
+ Servername crystal.lan:443
+ GnuTLSEnable on
+ GnuTLSPriorities NORMAL:+COMP-NULL
+
+# setup the openpgp keys
+ GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
+ GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
+
+# and the X.509 keys
+ GnuTLSCertificateFile /etc/apache2/server-cert.pem
+ GnuTLSKeyFile /etc/apache2/server-key.pem
+ GnuTLSClientVerify ignore
+
+# To avoid using the default DH params
+ GnuTLSDHFile /etc/apache2/dh.pem
+
+# these are only needed if GnuTLSClientVerify != ignore
+ GnuTLSClientCAFile ca.pem
+ GnuTLSPGPKeyringFile /etc/apache2/ring.asc
-- cgit