[tor-commits] [meek/turbotunnel] Regen man pages.
commit df63758ebbca4b89cc35dfdc80f6ae77e76c5f6e
Author: David Fifield <david@xxxxxxxxxxxxxxx>
Date: Thu Dec 19 00:12:30 2019 -0700
Regen man pages.
---
doc/meek-client.1 | 28 +++++++++++++++++++++++--
doc/meek-server.1 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
2 files changed, 82 insertions(+), 7 deletions(-)
diff --git a/doc/meek-client.1 b/doc/meek-client.1
index 58fd755..96b202e 100644
--- a/doc/meek-client.1
+++ b/doc/meek-client.1
@@ -2,12 +2,12 @@
.\" Title: meek-client
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 02/06/2019
+.\" Date: 12/19/2019
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
-.TH "MEEK\-CLIENT" "1" "02/06/2019" "\ \&" "\ \&"
+.TH "MEEK\-CLIENT" "1" "12/19/2019" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
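Review bot: the regenerated header still carries the DocBook placeholder in `.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]`, so the only real change in this hunk is the date bump in `.\" Date:` and `.TH`. If the generated man pages are meant to be committed as shipped output, consider filling in the author metadata in the DocBook source so the placeholder stops being regenerated on every run; the same line appears in the meek-server.1 header hunk below.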
@@ -55,6 +55,23 @@ Front domain name\&. If provided, this domain name will replace the domain name
in the DNS request and TLS SNI field\&. The URL\(cqs true domain name will still appear in the Host header of HTTP requests\&.
.RE
.PP
+\fBquic\-tls\-pubkey\fR=\fIPUBKEYHASH\fR
+.RS 4
+Server public key hashes to accept for the inner QUIC TLS layer\&. These have nothing to do with the outer HTTPS layer, which verifies certificates in the usual PKI way\&. The format of
+\fIPUBKEYHASH\fR
+is a base64\-encoded SHA\-256 hash of the Subject Public Key Info, as in HPKP\&. This argument may be used more than once; all public key hashes provided are considered good to verify server certificates\&. To generate a public key hash from a certificate file,
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ openssl x509 \-in quic\&.pem \-pubkey \-noout | openssl pkey \-pubin \-outform der | openssl dgst \-sha256 \-binary | openssl enc \-base64
+.fi
+.if n \{\
+.RE
+.\}
+.RE
+.PP
\fButls\fR=\fICLIENTHELLOID\fR
.RS 4
Use the
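Review bot: the new `quic-tls-pubkey` text does not say what the client does when no hash is configured at all (refuse the inner QUIC TLS handshake, or accept any server key). Since this pin is the only authentication for the inner layer, a sentence stating the no-pin behaviour belongs in this paragraph. The `openssl x509 ... -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` pipeline is the standard HPKP SPKI fingerprint, so a hash computed this way on the server side will match what the client compares. One wording nit: "all public key hashes provided are considered good to verify server certificates" is ambiguous between "any one match suffices" and "all must match"; if the former is meant, "a server is accepted if its key matches any of the listed hashes" is clearer.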
@@ -284,6 +301,13 @@ options in a torrc file\&.
Name of a file to write log messages to (default stderr)\&.
.RE
.PP
+\fB\-\-quic\-tls\-pubkey\fR=\fIPUBKEYHASH\fR[,\fIPUBKEYHASH\fR]\&...
+.RS 4
+Comma\-separated list of server public key hashes to accept for the inner QUIC TLS layer\&. The option may be given only once, but you can separate multiple hashes using commas\&. Prefer using the
+\fBquic\-tls\-pubkey\fR
+SOCKS arg over using this command line option\&.
+.RE
+.PP
\fB\-\-url\fR=\fIURL\fR
.RS 4
URL to correspond with\&. Prefer using the
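Review bot: the syntax of `--quic-tls-pubkey` differs from the SOCKS arg documented in the earlier hunk: the SOCKS arg `quic-tls-pubkey` is described as usable more than once, while the command-line option "may be given only once" with comma-separated values. If both are meant to accept the same input, either document comma separation for the SOCKS arg too or state why the two forms differ. Comma is a safe separator here because standard base64 output contains only `A-Z`, `a-z`, `0-9`, `+`, `/` and `=`.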
diff --git a/doc/meek-server.1 b/doc/meek-server.1
index 3b7a07e..3b1c233 100644
--- a/doc/meek-server.1
+++ b/doc/meek-server.1
@@ -2,12 +2,12 @@
.\" Title: meek-server
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 01/17/2019
+.\" Date: 12/19/2019
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
-.TH "MEEK\-SERVER" "1" "01/17/2019" "\ \&" "\ \&"
+.TH "MEEK\-SERVER" "1" "12/19/2019" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -67,6 +67,40 @@ and
allow use to use your own externally acquired certificate\&.
.RE
.sp
+Besides the external HTTPS\-layer TLS, you will need to configure certificates for the internal QUIC TLS layer using the \fB\-\-quic\-tls\-cert\fR and \fB\-\-quic\-tls\-key\fR options\&. You cannot use an automatic Let\(cqs Encrypt certificate for this layer, but you also do not have to get it signed by a CA (you can use a self\-signed certificate), because the client will authenticate it by its public key\&. To generate a certificate and private key for the QUIC layer:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ openssl genpkey \-algorithm ED25519 > quic\&.key
+$ openssl req \-new \-key quic\&.key \-x509 \-days 1000 \-nodes \-out quic\&.crt
+Country Name (2 letter code) [AU]:\&.
+State or Province Name (full name) [Some\-State]:\&.
+Locality Name (eg, city) []:\&.
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:\&.
+Organizational Unit Name (eg, section) []:\&.
+Common Name (e\&.g\&. server FQDN or YOUR name) []:meek\-quic
+Email Address []:\&.
+$ cat quic\&.key quic\&.crt > quic\&.pem
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+You can pass quic\&.pem to both the \fB\-\-quic\-tls\-cert\fR and \fB\-\-quic\-tls\-key\fR options\&. To renew the certificate using the same key:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ openssl req \-new \-key quic\&.pem \-x509 \-days 1000 \-nodes \-out quic\&.pem\&.new
+$ mv quic\&.pem\&.new quic\&.pem
+.fi
+.if n \{\
+.RE
+.\}
+.sp
Configuration for meek\-server usually appears in a torrc file\&. Here is a sample configuration using automatic Let\(cqs Encrypt certificates:
.sp
.if n \{\
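Review bot: the renewal recipe drops the private key. `openssl req -new -key quic.pem -x509 -days 1000 -nodes -out quic.pem.new` writes only the certificate to `-out` (a key supplied with `-key` is read, not re-emitted), so after `$ mv quic.pem.new quic.pem` the bundle no longer contains the key that `--quic-tls-key=quic.pem` loads. Suggested fix is to keep the key in its own file and rebuild the bundle, e.g. `$ cat quic.key quic.pem.new > quic.pem`; because the key is unchanged, the SPKI hash that clients have pinned stays valid across the renewal. Smaller points on the same hunk: `-nodes` has no effect when an existing key is given with `-key`; `openssl genpkey -algorithm ED25519` requires OpenSSL 1.1.1 or later, which is worth stating; and since `quic.pem` carries the private key, the text should tell the operator to restrict its permissions (readable only by the user running meek-server).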
@@ -75,7 +109,7 @@ Configuration for meek\-server usually appears in a torrc file\&. Here is a samp
.nf
ExtORPort auto
ServerTransportListenAddr 0\&.0\&.0\&.0:443
-ServerTransportPlugin meek exec \&./meek\-server \-\-acme\-hostnames meek\-server\&.example \-\-log meek\-server\&.log
+ServerTransportPlugin meek exec \&./meek\-server \-\-acme\-hostnames meek\-server\&.example \-\-quic\-tls\-cert=quic\&.pem \-\-quic\-tls\-key=quic\&.pem \-\-log meek\-server\&.log
.fi
.if n \{\
.RE
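Review bot: style nit in the sample `ServerTransportPlugin` line: the new options use the `--quic-tls-cert=quic.pem` form while the existing options on the same line are space-separated (`--acme-hostnames meek-server.example`, `--log meek-server.log`). Go's flag package accepts both, but using one form throughout the sample avoids readers wondering whether the `=` is required. Note also that `quic.pem` is resolved relative to tor's working directory, like the existing `./meek-server`; the same applies to the externally acquired certificate sample in the next hunk.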
@@ -89,7 +123,7 @@ Here is a sample configuration using externally acquired certificates:
.nf
ExtORPort auto
ServerTransportListenAddr meek 0\&.0\&.0\&.0:8443
-ServerTransportPlugin meek exec \&./meek\-server 8443 \-\-cert cert\&.pem \-\-key key\&.pem \-\-log meek\-server\&.log
+ServerTransportPlugin meek exec \&./meek\-server 8443 \-\-cert cert\&.pem \-\-key key\&.pem \-\-quic\-tls\-cert=quic\&.pem \-\-quic\-tls\-key=quic\&.pem \-\-log meek\-server\&.log
.fi
.if n \{\
.RE
@@ -101,7 +135,7 @@ To listen on ports 80 and 443 without needed to run as root, on Linux, you can u
.RS 4
.\}
.nf
-setcap \*(Aqcap_net_bind_service=+ep\*(Aq /usr/local/bin/meek\-server
+$ setcap \*(Aqcap_net_bind_service=+ep\*(Aq /usr/local/bin/meek\-server
.fi
.if n \{\
.RE
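Review bot: `setcap` needs root (or CAP_SETFCAP), so the newly added `$` prompt is misleading next to the `$` prompts used for the unprivileged openssl commands earlier in the page; consider `#` or prefixing the command with `sudo`.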
@@ -149,6 +183,23 @@ option in torrc, rather than use the
option\&.
.RE
.PP
+\fB\-\-quic\-tls\-cert\fR=\fIFILENAME\fR
+.RS 4
+Name of a PEM\-encoded TLS certificate for the inner QUIC TLS layer\&. The certificate will be reloaded at runtime if the file changes\&. The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using
+\fB\-\-cert\fR
+and
+\fB\-\-key\fR\&.
+.RE
+.PP
+\fB\-\-quic\-tls\-key\fR=\fIFILENAME\fR
+.RS 4
+Name of a PEM\-encoded TLS private key file for the inner QUIC TLS layer\&. It may be the same file as
+\fB\-\-quic\-tls\-cert\fR\&. The private key will be reloaded at runtime if the file changes\&. The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using
+\fB\-\-cert\fR
+and
+\fB\-\-key\fR\&.
+.RE
+.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Display a help message and exit\&.
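Review bot: both `--quic-tls-cert` and `--quic-tls-key` say the file "will be reloaded at runtime if the file changes" but not what happens when the reload fails to parse (for example a file caught half-written during a renewal). Stating that the previously loaded certificate and key stay in use on a failed reload, if that is the behaviour, would help operators doing in-place renewals. Since `--quic-tls-key` "may be the same file as `--quic-tls-cert`", a reminder that this combined file must then be protected like any private key would round out the description.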
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits