Difference between revisions of "Apache HTTP Server/mod gnutls"

From ArchWiki
Edit summary: (Updates to reflect AUR upgrade to v0.6, e.g. replace 404 web links with current...)
Revision as of 07:13, 29 November 2014

From the mod_gnutls wiki (https://mod.gnutls.org/wiki): mod_gnutls is an extension for Apache's httpd that uses the GnuTLS library to provide HTTPS.

It is similar to mod_ssl in purpose, but it supports some features and protocols that mod_ssl does not, and it does not use OpenSSL.

Installation

Install package

Install the mod_gnutls package from the Arch User Repository (AUR).

Configure Apache

  • Add these lines to /etc/httpd/conf/httpd.conf:
LoadModule gnutls_module modules/mod_gnutls.so
Include conf/extra/httpd-gnutls.conf
  • Make sure that the following line is commented out in /etc/httpd/conf/httpd.conf, so that mod_ssl is not configured for port 443:
Include conf/extra/httpd-ssl.conf
  • Make sure no vhost definition uses mod_ssl directives (such as SSLEngine on); mod_ssl and mod_gnutls must not both be set up to serve HTTPS.
  • Create the file /etc/httpd/conf/extra/httpd-gnutls.conf with the following content:
/etc/httpd/conf/extra/httpd-gnutls.conf
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

GnuTLSCache dbm "/var/run/httpd/gnutls_scache"
GnuTLSCacheTimeout 600

<VirtualHost _default_:443>

DocumentRoot "/srv/http"
ServerName www.example.org
ServerAdmin youremail@example.org
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"

GnuTLSEnable on
GnuTLSPriorities NORMAL

GnuTLSExportCertificates on

GnuTLSCertificateFile /path/to/certificate/domain.tld.crt
GnuTLSKeyFile /path/to/certificate/domain.tld.key

</VirtualHost>
  • Check that the configuration parses (apachectl configtest), restart httpd, and verify that it answers on port 443, for example with gnutls-cli -p 443 www.example.org or curl -I https://www.example.org/.

The GnuTLSPriorities string selects the protocol versions and cipher suites that are offered; NORMAL is GnuTLS's default set. On GnuTLS releases whose NORMAL set still contains SSL 3.0, it can be excluded with GnuTLSPriorities NORMAL:-VERS-SSL3.0 (standard GnuTLS priority-string syntax, which removes other versions or ciphers the same way). GnuTLSExportCertificates on copies the PEM certificates into the request environment for CGI scripts and can stay off when nothing consumes them. The key file is read by httpd at startup, before it drops privileges, so it should be readable by root only.
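A pre-flight lint for the procedure above, added here as an example; it is not code from the ArchWiki page or from the mod_gnutls project. Given httpd.conf and the files it includes (it does not resolve Include itself, so pass every file), it checks the points the list makes: gnutls_module loaded, httpd-ssl.conf commented out, no mod_ssl in any vhost. It also enforces two local policy choices that are assumptions rather than mod_gnutls rules: every GnuTLSPriorities string must carry -VERS-SSL3.0 (standard GnuTLS priority syntax), and any GnuTLSKeyFile that exists must not be readable by others. The sample configuration and key files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page or the mod_gnutls project.
# lint_httpd_conf FILE...  checks the given httpd configuration files (httpd.conf plus
# everything it Includes; includes are not followed) for the mistakes the procedure
# above warns about. Prints one ERROR line per finding and returns 0 only when clean.
lint_httpd_conf() {
    # Concatenate the files and strip comments, so commented-out lines do not count.
    active=$(cat "$@" | sed 's/#.*//')
    rc=0

    if ! printf '%s\n' "$active" | grep -q 'LoadModule[[:space:]][[:space:]]*gnutls_module'; then
        echo "ERROR: gnutls_module is not loaded"; rc=1
    fi
    if printf '%s\n' "$active" | grep -q 'LoadModule[[:space:]][[:space:]]*ssl_module'; then
        echo "ERROR: ssl_module is loaded alongside mod_gnutls"; rc=1
    fi
    if printf '%s\n' "$active" | grep -q 'Include[[:space:]].*httpd-ssl\.conf'; then
        echo "ERROR: httpd-ssl.conf is still included"; rc=1
    fi
    if printf '%s\n' "$active" | grep -qi 'SSLEngine[[:space:]][[:space:]]*on'; then
        echo "ERROR: a vhost still enables mod_ssl (SSLEngine on)"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -qi 'GnuTLSEnable[[:space:]][[:space:]]*on'; then
        echo "ERROR: no vhost has GnuTLSEnable on"; rc=1
    fi

    # Local policy (assumption, not a mod_gnutls rule): every priority string must
    # drop SSL 3.0 explicitly, using GnuTLS priority syntax such as NORMAL:-VERS-SSL3.0.
    weak=$(printf '%s\n' "$active" | grep -i 'GnuTLSPriorities' | grep -v -- '-VERS-SSL3\.0' || true)
    if [ -n "$weak" ]; then
        echo "ERROR: priority string does not disable SSL 3.0:$weak"; rc=1
    fi

    # Private keys that exist must not be readable by others: columns 8-10 of
    # 'ls -l' are the 'other' permission bits and must read '---'.
    for key in $(printf '%s\n' "$active" | grep -i 'GnuTLSKeyFile' | awk '{print $2}'); do
        [ -f "$key" ] || continue
        others=$(ls -l "$key" | cut -c8-10)
        if [ "$others" != "---" ]; then
            echo "ERROR: private key $key is accessible to others (other bits: $others)"; rc=1
        fi
    done
    return $rc
}

# write_sample_configs DIR: constructed sample inputs for the demonstration. good.conf
# and gnutls.conf follow the procedure; bad.conf keeps mod_ssl and httpd-ssl.conf.
write_sample_configs() {
    dir="$1"
    (umask 077; touch "$dir/good.key")    # owner-only, as a key file should be
    (umask 022; touch "$dir/world.key")   # world-readable, should be flagged
    cat > "$dir/good.conf" <<EOF
LoadModule gnutls_module modules/mod_gnutls.so
Include $dir/gnutls.conf
#Include conf/extra/httpd-ssl.conf
EOF
    cat > "$dir/gnutls.conf" <<EOF
Listen 443
<VirtualHost _default_:443>
    ServerName www.example.org
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:-VERS-SSL3.0
    GnuTLSCertificateFile $dir/example.crt
    GnuTLSKeyFile $dir/good.key
</VirtualHost>
EOF
    cat > "$dir/bad.conf" <<EOF
LoadModule gnutls_module modules/mod_gnutls.so
LoadModule ssl_module modules/mod_ssl.so
Include $dir/gnutls.conf
Include conf/extra/httpd-ssl.conf
<VirtualHost _default_:443>
    SSLEngine on
    GnuTLSPriorities NORMAL
    GnuTLSKeyFile $dir/world.key
</VirtualHost>
EOF
}

# Stand-alone demo on the constructed samples; on a real host run
# lint_httpd_conf /etc/httpd/conf/httpd.conf /etc/httpd/conf/extra/httpd-gnutls.conf
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "== good.conf"; lint_httpd_conf "$demo_dir/good.conf" "$demo_dir/gnutls.conf" && echo "clean"
echo "== bad.conf";  lint_httpd_conf "$demo_dir/bad.conf" "$demo_dir/gnutls.conf" || echo "fix these before restarting httpd"
rm -rf "$demo_dir"
```

Run it against the real files before apachectl configtest and the restart; it only reads configuration, so the live check that port 443 actually answers is still gnutls-cli or curl against the listening host. The SSL 3.0 and key-permission checks are the script's own policy and can be relaxed where a deployment needs to.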

Additional documentation of configuration directives is on the outoforder.cc mod_gnutls documentation page (http://www.outoforder.cc/projects/apache/mod_gnutls/docs/).

Additional Resources

You can test or verify your HTTPS configuration via the SSL Labs analyze tool (https://www.ssllabs.com/ssltest/analyze.html). It only reaches hosts that are exposed to the internet; for an internal server, inspect the negotiated protocol and cipher suite locally with gnutls-cli -p 443 hostname instead.

Known issues

None known as of November 2014