path: root/doc/tls.txt
TLS support
===========

Protect forwarded PCAP packets against eavesdropping by using
TLS between client and server.

Anonymous TLS
^^^^^^^^^^^^^

The minimal configuration uses TLS with perfect forward
secrecy but no X509 certificates. This means a client cannot
verify that it is connected to the intended server, but an
attacker passively listening on the wire cannot read the
content of the messages.

Client::

----
  enable tls
  tls dh generate
  tls priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:+ANON-ECDH:+ANON-DH
----

Server::

----
  enable tls
  tls dh generate
  tls allow-auth anonymous
----

Authenticate Server
^^^^^^^^^^^^^^^^^^^

This uses X509 certificates and allows a client to verify that
it connects to a server holding the right credentials. This
protects messages against eavesdropping and against sending
data to the wrong system.

Client::

----
  enable tls
  tls verify-cert
  tls capath /etc/osmocom/ca.pem
----

Server::

----
  enable tls
  tls allow-auth x509
  tls capath /etc/osmocom/ca.pem
  tls crlfile /etc/osmocom/server.crl
  tls server-cert /etc/osmocom/server.crt
  tls server-key /etc/osmocom/server.key
  client NAME IP store tls
----
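The files the server block above refers to (CA certificate, server certificate and key, CRL) can be produced with GnuTLS certtool. The script below is an added example, not from the project's own tree; the output directory, the hostname pcap.example.org and the 3072-bit RSA key size are assumptions, and the client's capath must point at the resulting ca.pem.

```shell
#!/bin/sh
# Added example (not project code): build the CA cert, server cert/key and
# CRL referenced by the "Authenticate Server" config using GnuTLS certtool.
# Hostname pcap.example.org, output directory and key size are assumptions.
set -eu
# CA template: may sign certificates and CRLs.
write_ca_template() {
    cat > "$1" <<EOF
cn = "Example PCAP CA"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
}
# Server template: TLS server certificate bound to one hostname ($2).
write_server_template() {
    cat > "$1" <<EOF
cn = "$2"
dns_name = "$2"
expiration_days = 730
tls_www_server
signing_key
encryption_key
EOF
}
# Generate everything into $1 for host $2, then verify the server cert.
generate_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    write_ca_template "$dir/ca.tmpl"
    write_server_template "$dir/server.tmpl" "$host"
    # Initially empty CRL; bump crl_number each time it is reissued.
    printf 'crl_next_update = 365\ncrl_number = 1\n' > "$dir/crl.tmpl"
    certtool --generate-privkey --bits 3072 --outfile "$dir/ca.key"
    certtool --generate-self-signed --load-privkey "$dir/ca.key" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca.pem"
    certtool --generate-privkey --bits 3072 --outfile "$dir/server.key"
    chmod 600 "$dir/ca.key" "$dir/server.key"
    certtool --generate-certificate --load-privkey "$dir/server.key" \
        --load-ca-certificate "$dir/ca.pem" --load-ca-privkey "$dir/ca.key" \
        --template "$dir/server.tmpl" --outfile "$dir/server.crt"
    certtool --generate-crl --load-ca-privkey "$dir/ca.key" \
        --load-ca-certificate "$dir/ca.pem" --template "$dir/crl.tmpl" \
        --outfile "$dir/server.crl"
    certtool --verify --load-ca-certificate "$dir/ca.pem" --infile "$dir/server.crt"
}
# Usage: sh gen-pcap-pki.sh /etc/osmocom pcap.example.org
if [ $# -eq 2 ]; then generate_pki "$1" "$2"; fi
```

The CA private key should be kept off the server; only ca.pem, server.crt, server.key and server.crl are needed there.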

Client certificate
^^^^^^^^^^^^^^^^^^

Currently this is not implemented. In the future a client
can be authenticated based on the SN/CN of a certificate.

Debugging
=========

GnuTLS debugging can be enabled by setting the log level of the
tls logging region to debug and then setting _tls loglevel N_. The
setting is applied on the next connection using TLS.

----
  logging level tls debug
  tls loglevel 9
----