mod_gnutls, Apache GnuTLS module. ================================= $LastChangedDate: $ Contents: I. ABOUT II. AUTHORS III. LICENSE IV. STATUS V. BASIC CONFIGURATION VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER I. ABOUT This module started back in September of 2004 because I was tired of trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to it's authors is intended -- but I believe it has fallen prey to massive feature bloat. When I started hacking on httpd, mod_ssl remained a great mystery to me, and when I actually looked at it, I ran away. The shear amount code is huge, and it does not conform to the style guidelines. It was painful to read, and even harder to debug. I wanted to understand how it worked, and I had recently heard about GnuTLS, so long story short, I decided to implement a mod_gnutls. Lines of Code in mod_ssl: 15,324 Lines of Code in mod_gnutls: 3,594 Because of writing mod_gnutls, I now understand how input and output filters work, better than I ever thought possible. It was a little painful at times, and some parts lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl. II. AUTHORS Paul Querna Nikos Mavrogiannopoulos III. LICENSE Apache License, Version 2.0 (see the LICENSE file for details) IV. STATUS * SSL and TLS connections with all popular browsers work! * Sets environmental vars for scripts (compatible with mod_ssl vars) * Supports memcached as a distributed SSL session cache * Supports DBM as a local SSL session cache * Support for server name indication (SNI), RFC3546 * Support for client certificates * Support for secure remote password (SRP), RFC5054 V. BASIC CONFIGURATION LoadModule gnutls_module modules/mod_gnutls.so # mod_gnutls can optionally use a memcached server to store it's SSL # Sessions. This is useful in a cluster environment, where you want all # of your servers to share a single SSL session cache. #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" # The Default method is to use a DBM backed Cache. It isn't super fast, # but it is portable and does not require another server to be running # like memcached. GnuTLSCache dbm conf/gnutls_cache # Enable mod_gnutls handlers for this virtual host GnuTLSEnable On # This is the private key for your server GnuTLSX509KeyFile conf/server.key # This is the server certificate GnuTLSX509CertificateFile conf/server.cert # A more advanced configuration GnuTLSCache dbm "/var/cache/www-tls-cache/cache" GnuTLSCacheTimeout 600 NameVirtualHost 1.2.3.4:443 Servername server.com:443 GnuTLSEnable on GnuTLSPriority NORMAL # Export exactly the same environment variables as mod_ssl to CGI # scripts. GNUTLSExportCertificates on GnuTLSX509CertificateFile /etc/apache2/server-cert.pem GnuTLSX509KeyFile /etc/apache2/server-key.pem # To enable SRP you must have these files installed. Check the gnutls # srptool. GnuTLSSRPPasswdFile /etc/apache2/tpasswd GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf # In order to verify client certificates. Other options to # GnuTLSClientVerify could be ignore or require. The # GnuTLSClientCAFile contains the CAs to verify client certificates. GnuTLSClientVerify request GnuTLSX509CAFile ca.pem # A setup for OpenPGP and X.509 authentication Servername crystal.lan:443 GnuTLSEnable on GnuTLSPriorities NORMAL:+COMP-NULL # Setup the openpgp keys GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc GnuTLSPGPKeyFile /etc/apache2/test.sec.asc # - and the X.509 keys GnuTLSCertificateFile /etc/apache2/server-cert.pem GnuTLSKeyFile /etc/apache2/server-key.pem GnuTLSClientVerify ignore # To avoid using the default DH params GnuTLSDHFile /etc/apache2/dh.pem # These are only needed if GnuTLSClientVerify != ignore GnuTLSClientCAFile ca.pem GnuTLSPGPKeyringFile /etc/apache2/ring.asc VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER mod_gnutls currently cannot read encrypted OpenPGP credentials. That is, when you generate a key with gpg and gpg prompts you for a passphrase, just press enter. Then press enter again, to confirm an empty passphrase. http://news.gmane.org/gmane.comp.apache.outoforder.modules These instructions are from the GnuTLS manual: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv $ gpg --gen-key ...enter whatever details you want, use 'test.gnutls.org' as name... Make a note of the OpenPGP key identifier of the newly generated key, here it was 5D1D14D8. You will need to export the key for GnuTLS to be able to use it. $ gpg -a --export 5D1D14D8 > openpgp-server.txt $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt