HughesJR.com
Using mod_gnutls on CentOS-5
Written by Johnny Hughes   
Saturday, 11 August 2007

The Apache web server has name-based virtual host capability, whereby you may host many websites with different names on the same web server using the same IP address.  This works well for plain HTTP websites, but using mod_ssl to do the same for SSL-based (HTTPS) sites runs into a problem: the TLS handshake, in which the server must present its certificate, completes before the client sends the HTTP Host header, so the server cannot tell which site's certificate to present.  That is why mod_ssl traditionally needs a separate IP address (or port) for every HTTPS site.

Server Name Indication (SNI) is a TLS extension (defined in RFC 3546 and later RFC 4366) in which the client includes the hostname it wants in its ClientHello, so the server can select the matching certificate before the handshake finishes.  This is what makes HTTPS name-based virtual hosts on Apache possible.  mod_gnutls is an Apache Dynamic Shared Object (DSO) that implements SNI using the GnuTLS library and can be used in place of mod_ssl on servers where this capability is required.  Note that the SNI hostname is sent in the clear, before any encryption is negotiated, so anyone watching the connection can see which of the co-hosted sites a client is connecting to.

Note: The mod_gnutls website says this about its current state.

mod_gnutls is a very new module.  If you truly care about making your server secure, do not use this module yet.  With time and love, this module can be a viable alternative to mod_ssl, but it is not ready.
     

So mod_gnutls should currently be regarded as experimental and is not recommended for use on critical live sites.

 


mod_gnutls can only be used with gnutls versions newer than 1.2.0.  For CentOS that means CentOS-5.0 or later: CentOS-2 and CentOS-3 have no gnutls package, CentOS-4 ships gnutls-1.0.x, and CentOS-5 ships gnutls-1.4.x.

Installing mod_gnutls

At the time of writing, mod_gnutls is in the CentOS Testing Repository; it will probably move from there to the CentOS Extras Repository in the future.

First, here is how to install mod_gnutls from the Extras repository, which is where stable CentOS RPMs reside.  This does not work yet, but it will be the normal install method once the package moves there:

yum install mod_gnutls

While mod_gnutls is still in the CentOS Testing Repository, you must first download the CentOS-Testing.repo file and place it in the /etc/yum.repos.d/ directory on your server.  Once the repo file is in place, install mod_gnutls from the testing repository with:

yum --enablerepo=c5-testing install mod_gnutls

Obtaining Web Server Certificates for HTTPS

This guide assumes that you already have your web server's SSL certificate(s) for creating SSL-enabled HTTPS website(s).  Each VirtualHost presents its own certificate, so you need one whose name matches each ServerName.  If you do not have such certificates, there are two ways to get them:

1.  Generate your own self-signed server certificates.  There are many articles on how to do this on the internet; here are a couple: Be your own CA, Create and use my own CA.  Browsers cannot validate a self-signed certificate and will warn on every visit, so this is suitable for testing or internal use only.

2.  Generate a Certificate Signing Request (CSR) and send it to an official Certificate Authority (CA) to be signed: Obtaining a real server certificate

CentOS-5 uses openssl-0.9.8x, so once obtained, your public .crt (certificate) file goes in /etc/pki/tls/certs/ and the private server key you used to generate the certificate goes in /etc/pki/tls/private/.  Keep the key readable by root only (mode 0600): httpd reads it at startup before dropping privileges, and nothing else on the server needs it.

Configuring mod_gnutls

After you have your certificates in place, it is time to configure mod_gnutls.  The configuration file that comes with the package is located at /etc/httpd/conf.d/mod_gnutls.conf.

Here is an example file from my test setup:

##
## mod_gnutls uses the GnuTLS library to provide SSL v3, TLS 1.0 and TLS 1.1
## encryption for Apache HTTPD.  It is similar to mod_ssl in purpose, but does
## not use OpenSSL.
##

## Remarks have 2 (##) pound signs, options that you might enable have only 1 (#)

## Documentation Link:
## http://www.outoforder.cc/projects/apache/mod_gnutls/docs/

## Load the module into Apache.
LoadModule gnutls_module modules/mod_gnutls.so
##

## Set Certificate MIME-types, may instead be in ssl.conf
AddType application/x-x509-ca-cert .crt
#AddType application/x-pkcs7-crl    .crl
##

## Set TLS Cache info
GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
GnuTLSCacheTimeout 300
##

## With normal SSL Websites, you need one IP Address per-site.
## This could also be 'Listen *:443', just like '*:80' is common for non-https
## This may instead be in your ssl.conf file
Listen 10.1.1.4:443
##

## This may be enabled instead in your ssl.conf file
NameVirtualHost 10.1.1.4:443
##

<VirtualHost 10.1.1.4:443>
    GnuTLSEnable on
    DocumentRoot /www/site1.example.com/html
    ServerName site1.example.com
    GnuTLSCertificateFile /etc/pki/tls/certs/site1.crt
    GnuTLSKeyFile /etc/pki/tls/private/site1.key
</VirtualHost>

<VirtualHost 10.1.1.4:443>
    GnuTLSEnable on
    DocumentRoot /www/site2.example.com/html
    ServerName site2.example.com
    GnuTLSCertificateFile /etc/pki/tls/certs/site2.crt
    GnuTLSKeyFile /etc/pki/tls/private/site2.key
</VirtualHost>

If you also have mod_ssl installed, several Apache directives (Listen, NameVirtualHost, AddType, etc.) may also appear in ssl.conf in /etc/httpd/conf.d/.  You will need to edit both configuration files so they co-exist if you plan to use both mod_ssl and mod_gnutls on the same server; a duplicate Listen for the same address and port, for example, stops httpd from starting, and only one of the two modules can own a given address:port.
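To make concrete what the configuration above relies on (the client naming the site inside the TLS ClientHello, and the server using that name to choose between site1.crt and site2.crt before the handshake finishes), here is an added Python example.  It is not code from the original guide or from mod_gnutls: it builds a minimal ClientHello with and without a server_name extension, parses the extension back out, and maps the name to the certificate paths from the example mod_gnutls.conf.  The ClientHello bytes are constructed here, not captured traffic, and the fallback to the first VirtualHost for clients that send no SNI mirrors Apache's default-vhost rule; that mod_gnutls applies it unchanged is an assumption.

```python
import struct

SERVER_NAME_EXT = 0x0000   # extension type "server_name" (RFC 3546 / RFC 4366)
HOST_NAME = 0              # the only NameType defined for server_name

# Certificates the two VirtualHosts in the example mod_gnutls.conf present.
# Order matters: the first entry is the default vhost for 10.1.1.4:443
# (assumed to hold for mod_gnutls as it does for Apache name-based vhosts).
VHOSTS = [
    ("site1.example.com", "/etc/pki/tls/certs/site1.crt"),
    ("site2.example.com", "/etc/pki/tls/certs/site2.crt"),
]


def build_client_hello(hostname=None, version=b"\x03\x01"):
    """Constructed sample input: a minimal TLS 1.0 ClientHello record.
    With a hostname, a server_name extension is appended; without one the
    hello has no extensions block, which is what a pre-SNI browser sends."""
    body = version + b"\x00" * 32            # client_version, random (fixed here)
    body += b"\x00"                          # session_id: empty
    suites = b"\x00\x2f\x00\x35"             # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # compression_methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type: ClientHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def _parse_hello_body(body):
    pos = 2 + 32                                               # client_version, random
    pos += 1 + body[pos]                                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    if pos == len(body):
        return None                       # no extensions at all: client has no SNI
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SERVER_NAME_EXT:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        lpos = 2
        while lpos + 3 <= list_end:       # walk the ServerNameList entries
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            lpos += 3
            name = data[lpos:lpos + name_len]
            lpos += name_len
            if name_type == HOST_NAME and len(name) == name_len:
                return name.decode("ascii")
    return None


def extract_sni(record):
    """Return the host_name a ClientHello asks for, or None if it sent no SNI.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length does not match record")
    try:
        return _parse_hello_body(body)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def select_certificate(record, vhosts=VHOSTS):
    """Choose the certificate to present the way a name-based HTTPS vhost must:
    by SNI host_name, or the default (first) vhost when the client sent none
    or an unknown name.  Assumed to match Apache's default-vhost rule."""
    name = extract_sni(record)
    for server_name, cert in vhosts:
        if name == server_name:
            return cert
    return vhosts[0][1]


if __name__ == "__main__":
    for host in ("site1.example.com", "site2.example.com", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), select_certificate(hello))
```

Two things the parser makes visible: the hostname arrives in plain text in the very first message, before any key exchange, so a passive observer on the network sees it; and a client that sends no extension is indistinguishable from one asking for the default site, which is why non-SNI browsers land on the first VirtualHost and get a certificate-name warning on every other site.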

Notes

The mod_gnutls rpm from CentOS supports only the dbm session cache type; it does not support the memcache type.  The directory /var/cache/mod_gnutls_cache is created and set up for use with dbm caching.

Most current web browsers (Firefox 2.0 and later, SeaMonkey, Konqueror, Opera, IE7 on Windows Vista, etc.) support SNI, but IE6 and IE7 on Windows XP do not, there may be issues with Safari, and older browsers generally lack it.  A client that does not send SNI is served the certificate of the default virtual host for that address (the first one listed), so it will see a certificate name mismatch warning on every other site.

Links

CentOS: Website | Documentation | CentOS-5 Downloads

mod_gnutls: Website | Documentation

Other mod_gnutls Guides: Fedora7 

Last Updated ( Saturday, 11 August 2007 )
© 2008 HughesJR.com