Howto GnuTLS

From HacktionLab: A UK-wide network tech-activists providing meet-ups, events, workshops, national skillshare gatherings and hacklabs
Jump to navigation Jump to search

I've recently installed GnuTLS on a server.

Why?

GnuTLS is a free way of serving up secure sites (https). One very specific advantage is that it can host more than one certificate on one IP address. Many pages on the internet will tell you that this is not possible. That's total BS.

How?

It's easy. The example here is for Debian Squeeze, assume you are using Apache2 as http server and already have it installed. You will need to have the mod-gnutls package libapache2-mod-gnutls installed. 

apt-get install libapache2-mod-gnutls

You may also get it installed by another method. Now you can run Debian's special commands to enable/disable the correct modules in Apache2: 

a2dismod ssl
a2enmod gnutls

I'm assuming you don't want to keep the old mod_ssl mod, it might well get in the way. So now you need to configure the https bit for your sites virtual host. Here's an example config. Put it in /etc/apache2/sites-available/mysitename and then, well, you should know the rest if you are using Apache2 already really. 

<IfModule mod_gnutls.c>
 <VirtualHost server.example.net:443>
    ServerName server.example.net:443
    ServerAlias server.example.net
    DocumentRoot /var/www/mywebsite/
 
 #    SSLEngine on
 #    SSLCertificateFile /etc/apache2/ssl/server.example.net.pem 
 
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/ssl/certs/server.example.net.crt
    GnuTLSKeyFile /etc/ssl/private/server.example.net.key
    GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
    
    # the next bit is optional for if you use a signing authority, such as Gandi.net whose
    # authority is not recognised by some web browser (Firefox 4 for example!)
    # this is an example only, check your system and certificate authority for the correct entry
    GnuTLSClientCAFile /etc/ssl/certs/GandiProSSLCA.pem

 </VirtualHost>
</IfModule>

Note here that the old equivalent mod_ssl declarations have been commented out, also that the certificate is handed to mod_gnutls as two seperate files, the .crt (certificate) and .key (key) files. mod_ssl was able to us the combined .pem format which was literally a concatenation of the the certificate and key files. Anyhow, mod_gnutls can't do that, so we have to have them separate.

Now restart Apache2.

What now?

Keep adding virtual hosts with different certificates, they will all work.

Retrieved from ‘https://hacktionlab.org/index.php?title=Howto_GnuTLS&oldid=3530