2008-10-04
Allow openpgp-only sites

... I had recently heard about GnuTLS, so long story short, I decided to
implement a mod_gnutls.

Lines of Code in mod_ssl:    15,324
Lines of Code in mod_gnutls:  3,594

Because of writing mod_gnutls, I now understand how input and output
filters work, better than I ever thought possible. It was a little painful
at times, and some parts lift code and ideas directly from mod_ssl. Kudos
to the original authors of mod_ssl.

II. AUTHORS

Paul Querna <chip force-elite.com>
Nikos Mavrogiannopoulos <nmav gnutls.org>

III. LICENSE

Apache License, Version 2.0 (see the LICENSE file for details)

IV. STATUS

* SSL and TLS connections with all popular browsers work!
* Sets environment variables for scripts (compatible with mod_ssl vars)
* Supports memcached as a distributed SSL session cache
* Supports DBM as a local SSL session cache
* Support for server name indication (SNI), RFC 3546
* Support for client certificates
* Support for secure remote password (SRP), RFC 5054

V. BASIC CONFIGURATION

LoadModule gnutls_module modules/mod_gnutls.so

# mod_gnutls can optionally use a memcached server to store its SSL
# sessions. This is useful in a cluster environment, where you want all
# of your servers to share a single SSL session cache. memcached has no
# authentication or transport encryption of its own and cached sessions
# contain key material, so keep the cache servers on a network that only
# your web servers can reach.
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"

# The default method is to use a DBM backed cache. It isn't super fast,
# but it is portable and does not require another server to be running
# like memcached. The cache file also holds session key material: keep it
# outside the DocumentRoot and readable only by the server's user.
GnuTLSCache dbm conf/gnutls_cache

<VirtualHost 1.2.3.4:443>
    # Enable mod_gnutls handlers for this virtual host
    GnuTLSEnable On

    # This is the private key for your server
    GnuTLSX509KeyFile conf/server.key

    # This is the server certificate
    GnuTLSX509CertificateFile conf/server.cert
</VirtualHost>

# A more advanced configuration

GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
GnuTLSCacheTimeout 600

NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:443>
    ServerName server.com:443
    GnuTLSEnable on
    GnuTLSPriorities NORMAL

    # Export exactly the same environment variables as mod_ssl to CGI
    # scripts.
    GnuTLSExportCertificates on

    GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
    GnuTLSX509KeyFile /etc/apache2/server-key.pem

    # To enable SRP you must have these files installed. Check the gnutls
    # srptool.
    GnuTLSSRPPasswdFile /etc/apache2/tpasswd
    GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf

    # In order to verify client certificates. Other options to
    # GnuTLSClientVerify could be ignore or require. With "request" the
    # client is asked for a certificate but may still connect without one,
    # so scripts must check the exported client certificate variables
    # before trusting the client; "require" rejects the handshake instead.
    # The GnuTLSX509CAFile contains the CAs used to verify client
    # certificates.
    GnuTLSClientVerify request
    GnuTLSX509CAFile ca.pem
</VirtualHost>

# A setup for OpenPGP and X.509 authentication

<VirtualHost 1.2.3.4:443>
    ServerName crystal.lan:443
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:+COMP-NULL

    # Setup the OpenPGP keys
    GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
    GnuTLSPGPKeyFile /etc/apache2/test.sec.asc

    # - and the X.509 keys
    GnuTLSCertificateFile /etc/apache2/server-cert.pem
    GnuTLSKeyFile /etc/apache2/server-key.pem

    GnuTLSClientVerify ignore

    # To avoid using the default DH params
    GnuTLSDHFile /etc/apache2/dh.pem

    # These are only needed if GnuTLSClientVerify != ignore
    GnuTLSClientCAFile ca.pem
    GnuTLSPGPKeyringFile /etc/apache2/ring.asc
</VirtualHost>

Mailing list archive: http://news.gmane.org/gmane.comp.apache.outoforder.modules

VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER

mod_gnutls currently cannot read encrypted OpenPGP credentials. That is,
when you generate a key with gpg and gpg prompts you for a passphrase,
just press enter. Then press enter again, to confirm an empty passphrase.
Because the exported secret key is unprotected, file permissions are the
only thing guarding it: store it outside the DocumentRoot, readable only
by the user Apache starts as, and generate a dedicated key for the server
rather than exporting a personal one.

These instructions are from the GnuTLS manual:
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv

$ gpg --gen-key
...enter whatever details you want, use 'test.gnutls.org' as name...

Make a note of the OpenPGP key identifier of the newly generated key, here
it was 5D1D14D8. You will need to export the key for GnuTLS to be able to
use it.

$ gpg -a --export 5D1D14D8 > openpgp-server.txt
$ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
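The "empty passphrase" requirement above has a precise meaning in the file
format: in every secret key and secret subkey packet of the export (RFC
4880 tags 5 and 7), the string-to-key usage octet that follows the public
fields must be 0, meaning the secret MPIs are stored in the clear. The
checker below is an added example, not code from mod_gnutls or GnuTLS: it
dearmors the file gpg -a wrote, verifies the CRC24 trailer, walks the
packets (old- and new-format length headers) and reports which secret
(sub)keys are still passphrase-protected, which is exactly the state that
makes mod_gnutls fail to load the file. It assumes v4 keys with RSA, DSA or
ElGamal public fields and no partial body lengths; the two sample exports
at the bottom are constructed from toy MPIs for the demonstration and are
not real keys.

```python
import base64

# Public-key MPIs before the secret fields of a v4 key packet, by algorithm
# id (RFC 4880 5.5.2): RSA(1,2,3), ElGamal(16,20), DSA(17).
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 20: 3, 17: 4}
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}     # RFC 4880 packet tags

def crc24(data):
    crc = 0xB704CE                                      # RFC 4880 6.1 radix-64 checksum
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data, block="PGP PRIVATE KEY BLOCK"):       # the armor gpg -a writes; builds samples
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {block}-----", "", *lines, "=" + crc,
                      f"-----END {block}-----", ""])

def dearmor(text):
    """Strip armor and its headers, verify the CRC24 trailer, return raw packets."""
    lines = [line.strip() for line in text.splitlines()]
    begin = next((i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")), None)
    end = next((i for i, ln in enumerate(lines) if ln.startswith("-----END ")), None)
    if begin is None or end is None:
        raise ValueError("no armored block found")
    blank = lines.index("", begin)                      # headers end at the first blank line
    payload = [line for line in lines[blank + 1:end] if line]
    crc_line = payload.pop() if payload and payload[-1].startswith("=") else None
    data = base64.b64decode("".join(payload))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data

def packets(data):
    """Yield (tag, body) per packet; handles old- and new-format length headers."""
    i, n = 0, len(data)
    while i < n:
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i - 1}")
        if ctb & 0x40:                                  # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                length = n - i                          # indeterminate length
            else:
                width = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + length]
        i += length

def secret_key_is_protected(body):
    """Skip the v4 public fields, read the s2k usage octet: 0 = stored in the clear."""
    if body[0] != 4 or body[5] not in PUBLIC_MPI_COUNT:
        raise ValueError(f"unsupported key version {body[0]} or algorithm {body[5]}")
    pos = 6                                             # after version, timestamp, algorithm
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8                      # MPI: 2-byte bit count + octets
    return body[pos] != 0

def check_secret_key_file(text):
    """Return [(packet name, protected?)] for every secret key and subkey packet."""
    found = [(SECRET_TAGS[tag], secret_key_is_protected(body))
             for tag, body in packets(dearmor(text)) if tag in SECRET_TAGS]
    if not found:
        raise ValueError("no secret key packets in file")
    return found

def usable_by_mod_gnutls(text):
    return not any(protected for _, protected in check_secret_key_file(text))

# Constructed sample exports: fake v4 RSA packets with toy MPIs, not real keys.
def _fake_secret_key_packet(protected, tag=5):
    public = (b"\x04" + (1223078400).to_bytes(4, "big") + b"\x01"
              + b"\x00\x08" + b"\xab"                   # n: 8-bit toy modulus
              + b"\x00\x11" + b"\x01\x00\x01")          # e = 65537 (17 bits)
    if protected:  # usage 254: AES-256, iterated+salted s2k, SHA-256, salt, count, IV, ciphertext
        secret = b"\xfe\x09\x03\x08" + b"\x00" * 8 + b"\x60" + b"\x00" * 16 + b"\x00" * 20
    else:          # usage 0: d in the clear, then the 2-byte checksum
        secret = b"\x00" + b"\x00\x08" + b"\x42" + b"\x00\x00"
    body = public + secret
    return bytes([0xC0 | tag, len(body)]) + body        # new-format header, 1-octet length

_UID = bytes([0xC0 | 13, 15]) + b"test.gnutls.org"      # user id packet, skipped by the check
SAMPLE_UNPROTECTED = armor(_fake_secret_key_packet(False) + _UID + _fake_secret_key_packet(False, 7))
SAMPLE_PROTECTED = armor(_fake_secret_key_packet(False) + _UID + _fake_secret_key_packet(True, 7))
```

To check a real export, call check_secret_key_file(open("openpgp-server-key.txt").read())
before pointing GnuTLSPGPKeyFile at it; a subkey that still reports
protected is the usual cause when the primary key was created with an
empty passphrase but a subkey was added later with one. gpg --list-packets
on the same file shows the same s2k fields if you prefer to cross-check
with GnuPG itself.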
