[mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support
Thomas Klute
thomas2.klute at uni-dortmund.de
Tue Apr 21 23:34:55 CEST 2015
Hi everyone!

I finally got around to merging Nikos Mavrogiannopoulos' patch [1] to
use the newer GnuTLS key handling API with my TLS proxy support. You can
find the result in the master branch of my GitHub repository:
https://github.com/airtower-luna/mod_gnutls

I had merged Nikos' patch with my bugfixes and test suite improvements a
while ago (see [2]), but then didn't have time to merge with the TLS
proxy support as well. Some notes on the current status (at commit
4133f2dd7749879a231db4aa1fcea63d3a8dc3c1 [3]):

a) There were a few problems with OpenPGP key handling in GnuTLS, which
required workarounds. Kudos to Nikos for very fast help with debugging
(you can see our conversation in the comments to [1])! The bugs should
be fixed in GnuTLS 3.3.12 and newer, so the workarounds use version
guards. However, I haven't actually tested with a version newer than
3.3.8 yet, so it would be great if someone could do that.

b) Using the new key handling API should make it possible to use PKCS
#11 URLs for X.509 keys and certificates, but I haven't tested that. I'd
welcome reports, and it would be even better if anyone could write PKCS
#11 test cases using a simulated HSM (maybe SoftHSM would work?).

c) At the moment, proxy TLS connections support only file-based X.509
authentication.

Sadly, I can't make an upstream release, but I'd like to hear how this
works for you.

Regards,
Thomas
[1] https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a
[2] https://github.com/airtower-luna/mod_gnutls/tree/new-gnutls-api
[3] https://github.com/airtower-luna/mod_gnutls/commit/4133f2dd7749879a231db4aa1fcea63d3a8dc3c1
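Point b) above concerns PKCS #11 URLs (RFC 7512) for X.509 keys and certificates. The following is an added example, not part of Thomas' message and not mod_gnutls or GnuTLS code: a small parser for `pkcs11:` URIs plus a sanity check of the kind a test case against a simulated HSM such as SoftHSM might run over an Apache configuration before handing the URI to GnuTLS. The token label, object names and PIN file path in the sample URIs are constructed placeholders, not values from any real deployment.

```python
"""Parse and sanity-check RFC 7512 "pkcs11:" URIs (added example, not mod_gnutls code)."""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512. Path attributes identify the object,
# query attributes tell the application how to reach the module and the PIN.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _split_attrs(part, separator, allowed):
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values."""
    attrs = {}
    if not part:
        return attrs
    for item in part.split(separator):
        name, eq, value = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"malformed or unknown attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"attribute given twice: {name!r}")
        # "id" is a binary CKA_ID, percent-encoded byte by byte; everything
        # else is UTF-8 text. Strict decoding rejects invalid escapes instead
        # of silently substituting U+FFFD.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value, errors="strict")
    return attrs


def parse_pkcs11_uri(uri):
    """Return {"path": {...}, "query": {...}} for a pkcs11: URI, or raise ValueError."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    parsed = {
        "path": _split_attrs(path, ";", PATH_ATTRS),
        "query": _split_attrs(query, "&", QUERY_ATTRS),
    }
    obj_type = parsed["path"].get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {obj_type!r}")
    return parsed


def audit_uri(uri, expected_type):
    """Check a URI meant for a key ("private") or certificate ("cert").

    Returns a list of findings; an empty list means the URI looks usable.
    """
    parsed = parse_pkcs11_uri(uri)
    path, query = parsed["path"], parsed["query"]
    findings = []
    if path.get("type") != expected_type:
        findings.append(f"type is {path.get('type')!r}, expected {expected_type!r}")
    if "object" not in path and "id" not in path:
        findings.append("no object label or id: URI may match several objects")
    if "pin-value" in query:
        # The PIN would then sit in the Apache config in clear text.
        findings.append("pin-value embeds the PIN in the URI; prefer pin-source")
    return findings


if __name__ == "__main__":
    # Constructed sample URIs; "softhsm-test" and the pin file path are placeholders.
    key_uri = ("pkcs11:token=softhsm-test;object=server-key;type=private"
               "?pin-source=file:/etc/apache2/pkcs11.pin")
    cert_uri = "pkcs11:token=softhsm-test;object=server-cert;type=cert"
    print(parse_pkcs11_uri(key_uri))
    print("key findings:", audit_uri(key_uri, "private"))
    print("cert findings:", audit_uri(cert_uri, "cert"))
```

Only the attribute names RFC 7512 defines are accepted; vendor-specific attributes would need to be added to the sets explicitly. The `pin-value` finding is the one to watch in a test suite: a URI that carries the PIN inline works, but it turns the web server configuration into a credential store.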