doc: Add initial documentation for the tls support

Change-Id: Ifc042e6755c223339fafbc3af9106073341f9b45
Holger Hans Peter Freyther 2016-09-07 15:17:30 +02:00
parent cf29fd7069
commit 07b94157ec
1 changed files with 76 additions and 0 deletions

doc/tls.txt Normal file

@ -0,0 +1,76 @@
TLS support
Protect forwarded PCAP packet against eave-dropping by using
TLS between client and server.
Anonymous TLS
The minimal configuration will use TLS with perfect forward
secrecy but not use X509 certificates. This means a client
will not know if it connects to the intended server but an
attacker listening will not be able to determine the content
of the messages.
enable tls
tls dh generate
enable tls
tls dh generate
tls allow-auth anonymous
Authenticate Server
This will use x509 certificates and allows a client to verify
it connects to a server with the right credentials. This will
protect messages against eaves-dropping and sending data to the
wrong system.
enable tls
tls verify-cert
tls capath /etc/osmocom/ca.pem
enable tls
tls allow-auth x509
tls capath /etc/osmocom/ca.pem
tls crlfile /etc/osmocom/server.crl
tls server-cert /etc/osmocom/server.crt
tls server-key /etc/osmosomc/server.key
client NAME IP store tls
Client certificate
Currently this is not implemented. In the future a client
can be authenticated based on the SN/CN of a certificate.
GNUtls debugging can be enabled by setting the TLS debug
region to debug and then setting the _tls loglevel N_. The
setting will be applied on the next connection using TLS.
logging level tls debug
tls loglevel 9
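Review bot: the path in `tls server-key /etc/osmosomc/server.key` looks like a typo for `/etc/osmocom/server.key`, matching the other paths in the same block. The two repeated `enable tls` / `tls dh generate` groups under "Anonymous TLS" and the two `enable tls` groups under "Authenticate Server" are not labelled, so a reader cannot tell which lines belong to the osmo-pcap client configuration and which to the server (the `client NAME IP store tls` line suggests the second group is the server side); a short label before each group would make that clear. In the "Anonymous TLS" paragraph, it is worth stating explicitly that the anonymous mode protects only against a passive listener and that an active attacker can still impersonate the server, since the text only says the client "will not know if it connects to the intended server". Minor: "eave-dropping" and "eaves-dropping" should both read "eavesdropping".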