From 07b94157ec329140f8b9549beac8c4de2aba4224 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Wed, 7 Sep 2016 15:17:30 +0200 Subject: doc: Add initial documentation for the tls support Change-Id: Ifc042e6755c223339fafbc3af9106073341f9b45 --- doc/tls.txt | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 doc/tls.txt (limited to 'doc/tls.txt') diff --git a/doc/tls.txt b/doc/tls.txt new file mode 100644 index 0000000..d2015f0 --- /dev/null +++ b/doc/tls.txt @@ -0,0 +1,76 @@ +TLS support +=========== + +Protect forwarded PCAP packet against eave-dropping by using +TLS between client and server. + +Anonymous TLS +^^^^^^^^^^^^^ + +The minimal configuration will use TLS with perfect forward +secrecy but not use X509 certificates. This means a client +will not know if it connects to the intended server but an +attacker listening will not be able to determine the content +of the messages. + +Client:: +--- + enable tls + tls dh generate + tls priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:+ANON-ECDH:+ANON-DH +---- + +Server:: +---- + enable tls + tls dh generate + tls allow-auth anonymous +---- + + +Authenticate Server +^^^^^^^^^^^^^^^^^^^ + +This will use x509 certificates and allows a client to verify +it connects to a server with the right credentials. This will +protect messages against eaves-dropping and sending data to the +wrong system. + + + +Client:: + +---- + enable tls + tls verify-cert + tls capath /etc/osmocom/ca.pem +---- + +Server:: + +---- + enable tls + tls allow-auth x509 + tls capath /etc/osmocom/ca.pem + tls crlfile /etc/osmocom/server.crl + tls server-cert /etc/osmocom/server.crt + tls server-key /etc/osmosomc/server.key + client NAME IP store tls +---- + +Client certificate +^^^^^^^^^^^^^^^^^^ + +Currently this is not implemented. In the future a client +can be authenticated based on the SN/CN of a certificate. + +Debugging +========= + +GNUtls debugging can be enabled by setting the TLS debug +region to debug and then setting the _tls loglevel N_. The +setting will be applied on the next connection using TLS. + +---- + logging level tls debug + tls loglevel 9 -- cgit v1.2.3