I'm trying out mod_gnutls and I really like what I see. I installed it on a debian lenny machine without any problems - I'm even using my own self-signed certificate. :-)
What I'm really excited about is its support for SNI:
http://www.outoforder.cc/projects/apache/mod_gnutls/sni/
Yay! I just tried it out and it works! At least with Firefox 3, haven't tried anything else out yet....
So mod_gnutls is in testing, but it's an older version. There is another much newer version in sid, but I'm not going there yet. It looks like it's actively maintained so I won't stress about it.
I'm probably not expressing the significance of this tool - it's huge! The ability to serve SSL virtual hosts on a single IP address is phenomenal.
Problems:
[Fri Mar 28 20:28:05 2008] [error] GnuTLS: Hanshake Alert (20) 'Bad record MAC'.
[Fri Mar 28 20:28:05 2008] [error] [client 192.168.1.174] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'
[Fri Mar 28 19:40:32 2008] [error] GnuTLS: Hanshake Alert (10) 'Unexpected message'.
[Fri Mar 28 19:40:32 2008] [error] [client 192.168.1.174] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'
[Fri Mar 28 19:49:09 2008] [notice] child pid 1711 exit signal Segmentation fault (11)
I finagled 0.5.1 onto my server from sid and it's working great! It's set up with some lighter-weight encryption and is working really well now. No errors so far... well, I am getting these errors in the logs:
[Sun Mar 30 00:40:17 2008] [error] [client 192.168.8.1] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Sun Mar 30 00:40:22 2008] [error] [client 192.168.8.1] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Sun Mar 30 00:40:27 2008] [error] [client 192.168.8.1] GnuTLS: Handshake Failed. Hit Maximum Attempts
but they don't seem to affect the browser.
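What makes name-based SSL virtual hosting on one IP possible is that the client sends the hostname it wants, in the clear, inside the very first TLS message (the ClientHello's server_name extension, RFC 6066), so the server can pick the right certificate before it has to send one. The following is an added example, not code from this post or from mod_gnutls: it builds a minimal TLS 1.0 ClientHello with and without an SNI extension and parses the hostname back out, using only the Python standard library. The hostname, cipher suites and random bytes are made up for the demonstration.

```python
import os
import struct

SNI_EXT_TYPE = 0x0000    # extension_type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00    # NameType host_name


class MalformedHello(ValueError):
    """Raised when the bytes do not frame as a complete ClientHello."""


def build_client_hello(hostname=None, cipher_suites=(0x002F, 0x0035), random_bytes=None):
    """Return a TLS record (type 22, version 3.1) carrying a ClientHello.

    If hostname is given, a server_name extension is appended; otherwise the
    extensions block is omitted entirely, as older (pre-RFC 3546) clients do.
    Cipher suite values are example choices, not a recommendation.
    """
    if random_bytes is None:
        random_bytes = os.urandom(32)
    body = b"\x03\x01" + random_bytes          # client_version + random
    body += b"\x00"                             # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if hostname is not None:
        name = hostname.encode("idna")          # SNI carries the ASCII (A-label) form
        server_name = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        name_list = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor over a byte string; every over-read is a parse error."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise MalformedHello("truncated at offset %d" % self.off)
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return struct.unpack("!I", b"\x00" + self.take(3))[0]

    def done(self):
        return self.off >= len(self.buf)


def parse_sni(record):
    """Return the host_name from a ClientHello record, or None if no SNI was sent."""
    r = _Reader(record)
    if r.u8() != 0x16:
        raise MalformedHello("not a handshake record")
    r.take(2)                                   # record-layer version, not needed here
    hs = _Reader(r.take(r.u16()))
    if hs.u8() != 0x01:
        raise MalformedHello("not a ClientHello")
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                           # client_version + random
    body.take(body.u8())                        # session_id
    body.take(body.u16())                       # cipher_suites
    body.take(body.u8())                        # compression_methods
    if body.done():
        return None                             # no extensions block at all
    exts = _Reader(body.take(body.u16()))
    while not exts.done():
        ext_type = exts.u16()
        ext_data = _Reader(exts.take(exts.u16()))
        if ext_type != SNI_EXT_TYPE:
            continue
        names = _Reader(ext_data.take(ext_data.u16()))
        while not names.done():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == HOST_NAME_TYPE:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    raise MalformedHello("non-ASCII server_name")
    return None


def describe(record):
    """One-line triage string, the kind of thing you would want next to a failed-handshake log entry."""
    try:
        name = parse_sni(record)
    except MalformedHello as exc:
        return "malformed: %s" % exc
    return "no-sni" if name is None else "sni=%s" % name


if __name__ == "__main__":
    print(describe(build_client_hello("www.example.com")))   # sni=www.example.com
    print(describe(build_client_hello()))                    # no-sni
    print(describe(build_client_hello("www.example.com")[:20]))
```

Two things worth keeping in mind when relying on this: the hostname travels unencrypted, so anyone on the path sees which virtual host a client is asking for, and a client that sends no extension (or the wrong one) gets whatever the server's default vhost is, so the certificate presented must still be verified by the client rather than trusted because the name matched.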
Hi Albert,
Thanks for sharing the info. I'm curious to know how mod_gnutls is doing in a production environment. Have your users reported any untoward behaviour? And have you had any downtime?
Would really appreciate your experiences.
Thanks again.
Hi Remy, I'm only using it in a staging environment at the moment, but the version I'm using (.5 I think) is going great. There are still lots of warnings in the Apache logs, but I don't notice any performance or stability issues.
Now that I think about it, the log errors could be due to Nagios checking it but not fully completing the handshake... something similar happens with postfix tls.
I probably won't use it in production until lenny is released.
Take care, the following outstanding issue is a big headache for me: http://issues.outoforder.cc/view.php?id=95
The new Firefoxes based on xulrunner 1.9 cannot send more than 3 kB of POST data while using mod_gnutls :(.