TLS support
===========

Protect forwarded PCAP packets against eavesdropping by using TLS between client and server.

Anonymous TLS
^^^^^^^^^^^^^

The minimal configuration will use TLS with perfect forward secrecy but not use X.509 certificates. This means a client will not know whether it connects to the intended server, but an attacker listening on the wire will not be able to determine the content of the messages.

Client::

    enable tls
    tls dh generate
    tls priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:+ANON-ECDH:+ANON-DH

Server::

    enable tls
    tls dh generate
    tls allow-auth anonymous

Authenticate Server
^^^^^^^^^^^^^^^^^^^

This will use X.509 certificates and allows a client to verify that it connects to a server with the right credentials. This protects messages against eavesdropping and against sending data to the wrong system.

Client::

    enable tls
    tls verify-cert
    tls capath /etc/osmocom/ca.pem

Server::

    enable tls
    tls allow-auth x509
    tls capath /etc/osmocom/ca.pem
    tls crlfile /etc/osmocom/server.crl
    tls server-cert /etc/osmocom/server.crt
    tls server-key /etc/osmocom/server.key
    client NAME IP store tls

Client certificate
^^^^^^^^^^^^^^^^^^

Currently this is not implemented. In the future a client can be authenticated based on the SN/CN of a certificate.

Debugging
=========

GnuTLS debugging can be enabled by setting the TLS debug region to debug and then setting the *tls loglevel N*. The setting will be applied on the next connection using TLS.

::

    logging level tls debug
    tls loglevel 9
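The client ``tls priority`` string in the Anonymous TLS section decides both which protocol versions are offered and whether the handshake authenticates the server at all. The following added example (not part of osmo-pcap; ``parse_priority`` and ``lint_priority`` are hypothetical helper names) parses a GnuTLS priority string and reports when legacy versions are left to the keyword default or when ``+ANON-*`` is present in a deployment that is meant to verify the server.

```python
import re

# Protocol versions the documented client string removes explicitly.
LEGACY_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1")
# Anonymous key exchanges enabled by the documented client string.
ANON_KX = ("ANON-DH", "ANON-ECDH")


def parse_priority(prio):
    """Split a GnuTLS priority string into its base keyword (e.g. NORMAL)
    and a list of (prefix, token) modifiers, prefix being +, -, ! or %."""
    parts = prio.split(":")
    keyword, mods = parts[0], []
    for tok in parts[1:]:
        if not tok:
            continue
        m = re.fullmatch(r"([+\-!%])([A-Z0-9.\-]+)", tok)
        if not m:
            raise ValueError(f"unsupported priority token: {tok!r}")
        mods.append((m.group(1), m.group(2)))
    return keyword, mods


def lint_priority(prio, expect_auth):
    """Return a list of findings for a client priority string.

    expect_auth=True means the deployment authenticates the server with
    X.509 (the 'Authenticate Server' setup), so anonymous key exchange is
    a finding; expect_auth=False is the deliberately anonymous setup."""
    _keyword, mods = parse_priority(prio)
    removed = {tok for prefix, tok in mods if prefix in "-!"}
    added = [tok for prefix, tok in mods if prefix == "+"]
    findings = []

    # +ANON-* disables the only thing tying the session to a known server,
    # so it must be a conscious choice, never a leftover in an X.509 setup.
    anon = sorted(tok for tok in added if tok in ANON_KX)
    if anon and expect_auth:
        findings.append("anonymous key exchange enabled (%s); server identity "
                        "is not verified" % ", ".join(anon))

    # The documented string drops SSL 3.0, TLS 1.0 and TLS 1.1 by hand;
    # flag a string that leaves them to whatever the keyword defaults to.
    for version in LEGACY_VERSIONS:
        if version not in removed:
            findings.append(f"legacy protocol {version} not explicitly disabled")
    return findings
```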