Use mod_gnutls to replace mod_ssl in an Apache VirtualHost

Author: 2hei, posted on 11 March 2009 at 00:09
Copyright notice: reposting is permitted; when reposting, you must credit the original source, the author information and this copyright notice in hyperlink form
http://www.2hei.net/mt/2009/03/use-mod-gnutls-replace-mod-ssl.html
Use mod_gnutls to replace mod_ssl in Apache
mod_gnutls is a module that replaces Apache's mod_ssl.

mod_gnutls uses the GnuTLS library to provide SSL 3.0, TLS 1.0 and TLS 1.1 encryption for Apache HTTPD.
It is similar to mod_ssl in purpose, but does not use OpenSSL.
The author is rather amusing: he wrote up why he wrote the mod_gnutls module himself, reportedly because he was fed up with mod_ssl's bugs. Wow!
----------------------------------------
This module started back in September of 2004 because I was tired of trying to
fix bugs in mod_ssl.  mod_ssl is a giant beast of a module -- no offense to its
authors is intended -- but I believe it has fallen prey to massive feature bloat.

When I started hacking on httpd, mod_ssl remained a great mystery to me, and
when I actually looked at it, I ran away.  The sheer amount of code is huge, and it
does not conform to the style guidelines.  It was painful to read, and even harder
to debug.  I wanted to understand how it worked, and I had recently heard about
GnuTLS, so long story short, I decided to implement a mod_gnutls.
----------------------------------------

The mod_gnutls code is very compact; its line count compared with mod_ssl is as follows:
Lines of code in mod_gnutls: 3,593
Lines of code in mod_ssl: 15,324
System installation requirements
GnuTLS              >= 2.4.0
Apache HTTPd        >= 2.0.42
APR Memcache Client >= 0.7.0 (optional)

The installation procedure is as follows. Because libgcrypt, gnutls and so on are required, the related dependencies must be installed first:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/
wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.4.tar.gz
tar xzf libgcrypt-1.4.4.tar.gz && cd libgcrypt-1.4.4
./configure && make && make install
cd ..

http://www.gnu.org/software/gnutls/download.html
wget http://ftp.gnu.org/pub/gnu/gnutls/gnutls-2.2.4.tar.bz2
tar xjf gnutls-2.2.4.tar.bz2 && cd gnutls-2.2.4
./configure && make && make install
cd ..

# run inside the unpacked mod_gnutls source directory
./configure --with-apxs=/home/webadm/bin/apxs --with-libgnutls=/usr/local/gnutils LDFLAGS='-L/usr/lib64'
make && make install

On 64-bit systems, configure needs LDFLAGS='-L/usr/lib64' added.
Documentation:
http://www.outoforder.cc/projects/apache/mod_gnutls/docs/

Basic configuration: several virtual hosts on the same IP and the same port:
# Load the module into Apache.
LoadModule gnutls_module modules/mod_gnutls.so

Listen 10.10.10.10:443
NameVirtualHost 10.10.10.10:443

<VirtualHost 10.10.10.10:443>
    GnuTLSEnable on
    GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
    DocumentRoot /home/apache2/htdocs/myhost
    ServerName myhost.com:443
    GnuTLSCertificateFile /home/apache2/conf/ssl/myhost.com.cer
    GnuTLSKeyFile /home/apache2/conf/ssl/myhost.com.key
</VirtualHost>

<VirtualHost 10.10.10.10:443>
    GnuTLSEnable on
    GnuTLSDHFile /etc/apache2/dh.params
    GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
    DocumentRoot /home/apache2/htdocs/2hei
    ServerName 2hei.net:443
    GnuTLSCertificateFile /home/apache2/conf/ssl/2hei.net.cer
    GnuTLSKeyFile /home/apache2/conf/ssl/2hei.net.key
</VirtualHost>
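Two TLS virtual hosts on one IP:port can only be told apart by the Server Name Indication the client sends, so the check worth running after this configuration is whether each ServerName really gets its own certificate back. The script below is an added example (not from the original post or the mod_gnutls project): it connects once per host with that name as SNI and reports whether the presented certificate matches it. The host names, IP and port are taken from the VirtualHost blocks above and are assumptions; the matching helpers are mine.

```python
"""Check which certificate an SNI-dispatched Apache/mod_gnutls vhost hands out.

Added example, not part of the original post. Standard library only.
"""
import socket
import ssl
import sys

# Constructed from the post's VirtualHost blocks (assumed values).
VHOSTS = [("myhost.com", "10.10.10.10", 443), ("2hei.net", "10.10.10.10", 443)]


def cert_dns_names(cert: dict) -> list:
    """DNS names a certificate claims: SAN DNS entries, else the subject CN.

    `cert` is the dict shape returned by ssl.SSLSocket.getpeercert().
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_matches_name(cert: dict, hostname: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position only."""
    host = hostname.lower().rstrip(".")
    for name in cert_dns_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            # "*.2hei.net" matches "www.2hei.net" but not "2hei.net" or "a.b.2hei.net"
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def probe(ip: str, port: int, server_name: str, cafile=None, timeout=5.0) -> dict:
    """Connect with SNI=server_name and return the decoded peer certificate.

    Hostname checking is turned off so that a mismatched certificate is returned
    for inspection instead of aborting the handshake; chain verification stays on
    (pass cafile for a self-signed or private-CA certificate).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # usage: python sni_check.py [cafile]
    cafile = sys.argv[1] if len(sys.argv) > 1 else None
    for name, ip, port in VHOSTS:
        try:
            cert = probe(ip, port, name, cafile)
        except (OSError, ssl.SSLError) as exc:
            print(f"{name}: handshake failed: {exc}")
            continue
        status = "OK" if cert_matches_name(cert, name) else "MISMATCH"
        print(f"{name}: {status}, server presented {cert_dns_names(cert)}")
```

A MISMATCH for the second name usually means the server ignored SNI and served the first vhost's certificate (or that the client never sent SNI). Note that a current Python default context may refuse to negotiate the old protocol versions listed at the top of the post, in which case the handshake error, not a certificate mismatch, is what you will see.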

In practice, after I replaced mod_ssl with mod_gnutls and started Apache, I hit this problem:
GnuTLS: Failed to Import Certificate (-34) Base64 decoding error.
It says my certificate's encoding is wrong. There seems to be very little about this online and nobody has given a clear answer yet; I have emailed the author and hope he will reply, heh.
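The message names a Base64 decoding failure, so the first thing to establish is what is actually in the .cer file: PEM armour with valid Base64, PEM whose body is damaged, or a raw DER blob (a .cer extension is often used for DER-encoded exports, and mod_gnutls reads PEM). That DER is the cause here is an assumption, not something the post confirms. The script below is an added example, not from the original post or the mod_gnutls project; it classifies a certificate file with the standard library only and writes a PEM copy if the file turns out to be DER.

```python
"""Diagnose the encoding of a certificate file before handing it to mod_gnutls.

Added example, not part of the original post. Standard library only.
"""
import base64
import binascii
import re
import sys

# PEM armour: BEGIN/END lines with the same label, Base64 body in between (LF or CRLF).
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def _der_header(data: bytes):
    """Return (header_len, content_len) of a DER TLV, or None if the length is malformed."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Classify certificate bytes.

    pem-certificate  PEM armour labelled CERTIFICATE with valid Base64
    pem-other-label  PEM armour with another label (e.g. PKCS7), not a bare certificate
    pem-bad-base64   PEM armour whose body is not valid Base64 (what GnuTLS -34 complains about)
    der-certificate  raw DER X.509: outer SEQUENCE whose first element is the tbsCertificate SEQUENCE
    der-other        raw DER but not X.509 (a PKCS#7 ContentInfo starts with an OID instead)
    unknown          none of the above
    """
    m = PEM_RE.search(data)
    if m:
        body = b"".join(m.group(2).split())    # drop line wrapping and CR/LF
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return "pem-bad-base64"
        return "pem-certificate" if m.group(1) == b"CERTIFICATE" else "pem-other-label"
    if data[:1] == b"\x30":                    # DER SEQUENCE tag
        hdr = _der_header(data)
        if hdr and hdr[0] + hdr[1] == len(data):
            inner = data[hdr[0]:hdr[0] + 1]
            return "der-certificate" if inner == b"\x30" else "der-other"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armour with 64-column Base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (tag, b"\n".join(lines), tag)


if __name__ == "__main__":
    # usage: python certkind.py /home/apache2/conf/ssl/myhost.com.cer ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            raw = f.read()
        kind = classify(raw)
        print(f"{path}: {kind}")
        if kind == "der-certificate":
            out = path + ".pem"
            with open(out, "wb") as f:
                f.write(der_to_pem(raw))
            print(f"  wrote PEM copy to {out}; point GnuTLSCertificateFile at it")
```

Run it against both the GnuTLSCertificateFile and the GnuTLSKeyFile paths from the configuration; a key file in PEM should classify as pem-other-label (its label is not CERTIFICATE), and anything reported as pem-bad-base64 has usually been mangled by a copy-and-paste or a text editor rather than exported wrongly.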
