mod_gnutls
This module started back in September of 2004 because I was tired of trying to
fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to its
authors is intended -- but I believe it has fallen prey to massive feature bloat.
When I started hacking on httpd, mod_ssl remained a great mystery to me, and
when I actually looked at it, I ran away. The sheer amount of code is huge, and it
does not conform to the style guidelines. It was painful to read, and even harder
to debug. I wanted to understand how it worked, and I had recently heard about
GnuTLS, so long story short, I decided to implement a mod_gnutls.
Lines of Code in mod_ssl: 15,324
Lines of Code in mod_gnutls: 1,886
Because of writing mod_gnutls, I now understand how input and output filters work,
better than I ever thought possible. It was a little painful at times, and some parts
lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.
----------------------------
Author: Paul Querna <chip force-elite.com>
Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>
License: Apache Software License v2.0. (see the LICENSE file for details)
Current Status:
- SSL and TLS connections with all popular browsers work!
- Sets environment variables for scripts (compatible with mod_ssl vars)
- Supports Memcached as a distributed SSL Session Cache
- Supports DBM as a local SSL Session Cache
- Support for Server Name Indication
- Support for Client Certificates
- Support for TLS-SRP
Basic Configuration:
LoadModule gnutls_module modules/mod_gnutls.so
# mod_gnutls can optionally use a memcached server to store its SSL sessions.
# This is useful in a cluster environment, where you want all of your servers
# to share a single SSL Session Cache.
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
# The default method is to use a DBM-backed cache. It isn't super fast, but
# it is portable and does not require another server to be running like memcached.
GnuTLSCache dbm conf/gnutls_cache
<VirtualHost 1.2.3.4:443>
# insert other directives ... here ...
# This enables the mod_gnutls Handlers for this Virtual Host
GnuTLSEnable On
# This is the Private key for your server.
GnuTLSKeyFile conf/server.key
# This is the Server Certificate.
GnuTLSCertificateFile conf/server.cert
</VirtualHost>
# a more advanced configuration
GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
GnuTLSCacheTimeout 500
GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
Servername server.com:443
GnuTLSEnable on
GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128
GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS
GnuTLSMACAlgorithms SHA1 MD5
GnuTLSCompressionMethods NULL
# To export exactly the same environment variables as mod_ssl to CGI scripts.
GNUTLSExportCertificates on
GnuTLSCertificateFile /etc/apache2/server-cert.pem
GnuTLSKeyFile /etc/apache2/server-key.pem
# To enable SRP you must have these files installed. Check the gnutls srptool.
GnuTLSSRPPasswdFile /etc/apache2/tpasswd
GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
# To verify client certificates. The other values for GnuTLSClientVerify
# are ignore and require. GnuTLSClientCAFile contains the CAs used to
# verify client certificates.
GnuTLSClientVerify request
GnuTLSClientCAFile ca.pem
...
</VirtualHost>
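The advanced configuration above sets GnuTLSProtocols globally and the cipher and MAC lists per VirtualHost, so the setting a vhost actually runs with is the merge of both. The following added example (not part of mod_gnutls or this README) parses a config in that shape and reports, per vhost, the values it treats as weak (SSL 3.0, RC4, MD5); it assumes that a directive set inside a VirtualHost overrides the global one and that the global value is inherited otherwise, and the sample config and the list of what counts as weak are constructed for this script.

```python
import shlex

# Constructed sample after the README's advanced configuration (elided lines omitted).
SAMPLE_CONF = """\
GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0
<VirtualHost 1.2.3.4:443>
    GnuTLSEnable on
    GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128
    GnuTLSMACAlgorithms SHA1 MD5
</VirtualHost>
"""

# Values this script flags (keys lower-cased: httpd directive names are case-insensitive).
# SSL 3.0 is deprecated (RFC 7568), RC4 is prohibited in TLS (RFC 7465), MD5 is an
# obsolete TLS MAC. What counts as weak is this script's choice, not mod_gnutls policy.
WEAK = {
    "gnutlsprotocols": {"SSL3.0"},
    "gnutlsciphers": {"ARCFOUR-128", "ARCFOUR-40"},
    "gnutlsmacalgorithms": {"MD5"},
}

def parse_directives(conf_text):
    """Map scope ("global" or the <VirtualHost> argument) -> {directive: values}."""
    scopes, current = {"global": {}}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or comment line
        if line.lower().startswith("<virtualhost"):
            current = line[1:-1].split(None, 1)[1]     # e.g. "1.2.3.4:443"
            scopes[current] = {}
        elif line.lower().startswith("</virtualhost"):
            current = "global"
        else:
            name, *values = shlex.split(line)          # handles quoted cache paths
            scopes[current][name.lower()] = values
    return scopes

def weak_settings(conf_text):
    """Per VirtualHost, weak values in the effective (vhost overrides global) setting."""
    scopes = parse_directives(conf_text)
    findings = {}
    for vhost in (v for v in scopes if v != "global"):
        effective = {**scopes["global"], **scopes[vhost]}   # assumed inheritance rule
        for directive, bad in WEAK.items():
            hits = sorted(bad & set(effective.get(directive, [])))
            if hits:
                findings.setdefault(vhost, {})[directive] = hits
    return findings
```

Running weak_settings(SAMPLE_CONF) reports SSL3.0 for the vhost even though GnuTLSProtocols is only set globally, which is the inheritance case a per-vhost grep would miss.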