mirror of https://gerrit.osmocom.org/osmo-pcap
77 lines
1.5 KiB
Plaintext
TLS support
===========

Protect forwarded PCAP packets against eavesdropping by using
TLS between client and server.

Anonymous TLS
^^^^^^^^^^^^^

The minimal configuration will use TLS with perfect forward
secrecy but not use X509 certificates. This means a client
will not know if it connects to the intended server, but an
attacker listening will not be able to determine the content
of the messages.

Client::

----
enable tls
tls dh generate
tls priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:+ANON-ECDH:+ANON-DH
----

Server::

----
enable tls
tls dh generate
tls allow-auth anonymous
----
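The `tls priority` line above is a GnuTLS priority string, and its `+ANON-*` additions are exactly what turns off server authentication in this mode. The following parser is an added example, not osmo-pcap or GnuTLS code: it models only the string syntax (a base keyword such as `NORMAL`, then `:`-separated modifiers where `+` adds, `-` or `!` removes and `%` sets an option flag) and reports which anonymous key exchanges a string enables and which legacy protocol versions it does not explicitly disable. The sets `LEGACY_VERSIONS` and `ANON_KX` are assumptions chosen for this audit; the parser does not know what a base keyword expands to in a given GnuTLS version, so it never claims a version is offered, only that the string does not remove it.

```python
"""Audit a GnuTLS priority string such as the one passed to 'tls priority'.

Added, illustrative parser (not osmo-pcap or GnuTLS code).  It models only the
string syntax and does not know what the base keyword expands to in a given
GnuTLS version, so it reports what the string itself enables or removes.
"""
from dataclasses import dataclass, field

# Assumed sets of interest for this audit: the legacy protocol versions the
# example configuration removes and the anonymous key exchanges it adds.
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}
ANON_KX = {"ANON-DH", "ANON-ECDH"}


@dataclass
class Priority:
    base: str
    enabled: set = field(default_factory=set)   # names added with '+'
    disabled: set = field(default_factory=set)  # names removed with '-' or '!'
    flags: list = field(default_factory=list)   # '%' options, in order


def parse_priority(text: str) -> Priority:
    """Split a priority string into base keyword, additions, removals and flags."""
    parts = [p.strip() for p in text.split(":") if p.strip()]
    if not parts:
        raise ValueError("empty priority string")
    base, modifiers = parts[0], parts[1:]
    if base[0] in "+-!%":
        raise ValueError("priority string must start with a base keyword such as NORMAL")
    prio = Priority(base=base)
    for token in modifiers:
        op, name = token[0], token[1:]
        if not name:
            raise ValueError(f"modifier without a name: {token!r}")
        if op == "+":
            # A later '+' wins over an earlier removal of the same name.
            prio.enabled.add(name)
            prio.disabled.discard(name)
        elif op in "-!":
            prio.disabled.add(name)
            prio.enabled.discard(name)
        elif op == "%":
            prio.flags.append(name)
        else:
            raise ValueError(f"unknown modifier {token!r}")
    return prio


def audit(text: str) -> dict:
    """Summarise the security-relevant parts of a priority string.

    'anonymous_kx' lists anonymous key exchanges the string turns on; with
    these the peer is encrypted to but never authenticated.
    'legacy_not_disabled' lists old protocol versions the string does not
    explicitly remove; whether the base keyword still offers them depends on
    the GnuTLS version, so they deserve a second look.
    """
    prio = parse_priority(text)
    return {
        "base": prio.base,
        "anonymous_kx": sorted(prio.enabled & ANON_KX),
        "legacy_not_disabled": sorted(LEGACY_VERSIONS - prio.disabled),
        "flags": list(prio.flags),
    }


if __name__ == "__main__":
    # The priority string from the anonymous-TLS client configuration above.
    example = "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:+ANON-ECDH:+ANON-DH"
    for key, value in audit(example).items():
        print(f"{key}: {value}")
```

Run against the client string from this section, `audit` reports both anonymous key exchanges as enabled and no legacy version left unremoved, which is the trade-off the text describes: confidentiality with forward secrecy, but no assurance about who the server is.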

Authenticate Server
^^^^^^^^^^^^^^^^^^^

This will use X509 certificates and allows a client to verify
that it connects to a server with the right credentials. This will
protect messages against eavesdropping and against sending data to the
wrong system.

Client::

----
enable tls
tls verify-cert
tls capath /etc/osmocom/ca.pem
----

Server::

----
enable tls
tls allow-auth x509
tls capath /etc/osmocom/ca.pem
tls crlfile /etc/osmocom/server.crl
tls server-cert /etc/osmocom/server.crt
tls server-key /etc/osmocom/server.key
client NAME IP store tls
----

Client certificate
^^^^^^^^^^^^^^^^^^

Currently this is not implemented. In the future a client
can be authenticated based on the SN/CN of a certificate.

Debugging
=========

GnuTLS debugging can be enabled by setting the TLS debug
region to debug and then setting the _tls loglevel N_. The
setting will be applied on the next connection using TLS.

----
logging level tls debug
tls loglevel 9
----