commit df63758ebbca4b89cc35dfdc80f6ae77e76c5f6e Author: David Fifield david@bamsoftware.com Date: Thu Dec 19 00:12:30 2019 -0700

Regen man pages. --- doc/meek-client.1 | 28 +++++++++++++++++++++++-- doc/meek-server.1 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 82 insertions(+), 7 deletions(-)

diff --git a/doc/meek-client.1 b/doc/meek-client.1 index 58fd755..96b202e 100644 --- a/doc/meek-client.1 +++ b/doc/meek-client.1 @@ -2,12 +2,12 @@ ." Title: meek-client ." Author: [FIXME: author] [see http://docbook.sf.net/el/author] ." Generator: DocBook XSL Stylesheets v1.79.1 http://docbook.sf.net/ -." Date: 02/06/2019 +." Date: 12/19/2019 ." Manual: \ & ." Source: \ & ." Language: English ." -.TH "MEEK-CLIENT" "1" "02/06/2019" "\ &" "\ &" +.TH "MEEK-CLIENT" "1" "12/19/2019" "\ &" "\ &" ." ----------------------------------------------------------------- ." * Define some portability stuff ." ----------------------------------------------------------------- @@ -55,6 +55,23 @@ Front domain name&. If provided, this domain name will replace the domain name in the DNS request and TLS SNI field&. The URL(cqs true domain name will still appear in the Host header of HTTP requests&. .RE .PP +\fBquic-tls-pubkey\fR=\fIPUBKEYHASH\fR +.RS 4 +Server public key hashes to accept for the inner QUIC TLS layer&. These have nothing to do with the outer HTTPS layer, which verifies certificates in the usual PKI way&. The format of +\fIPUBKEYHASH\fR +is a base64-encoded SHA-256 hash of the Subject Public Key Info, as in HPKP&. This argument may be used more than once; all public key hashes provided are considered good to verify server certificates&. To generate a public key hash from a certificate file, +.sp +.if n {\ +.RS 4 +.} +.nf +$ openssl x509 -in quic&.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 +.fi +.if n {\ +.RE +.} +.RE +.PP \fButls\fR=\fICLIENTHELLOID\fR .RS 4 Use the @@ -284,6 +301,13 @@ options in a torrc file&. Name of a file to write log messages to (default stderr)&. .RE .PP +\fB--quic-tls-pubkey\fR=\fIPUBKEYHASH\fR[,\fIPUBKEYHASH\fR]&... +.RS 4 +Comma-separated list of server public key hashes to accept for the inner QUIC TLS layer&. The option may be given only once, but you can separate multiple hashes using commas&. Prefer using the +\fBquic-tls-pubkey\fR +SOCKS arg over using this command line option&. +.RE +.PP \fB--url\fR=\fIURL\fR .RS 4 URL to correspond with&. Prefer using the diff --git a/doc/meek-server.1 b/doc/meek-server.1 index 3b7a07e..3b1c233 100644 --- a/doc/meek-server.1 +++ b/doc/meek-server.1 @@ -2,12 +2,12 @@ ." Title: meek-server ." Author: [FIXME: author] [see http://docbook.sf.net/el/author] ." Generator: DocBook XSL Stylesheets v1.79.1 http://docbook.sf.net/ -." Date: 01/17/2019 +." Date: 12/19/2019 ." Manual: \ & ." Source: \ & ." Language: English ." -.TH "MEEK-SERVER" "1" "01/17/2019" "\ &" "\ &" +.TH "MEEK-SERVER" "1" "12/19/2019" "\ &" "\ &" ." ----------------------------------------------------------------- ." * Define some portability stuff ." ----------------------------------------------------------------- @@ -67,6 +67,40 @@ and allow use to use your own externally acquired certificate&. .RE .sp +Besides the external HTTPS-layer TLS, you will need to configure certificates for the internal QUIC TLS layer using the \fB--quic-tls-cert\fR and \fB--quic-tls-key\fR options&. You cannot use an automatic Let(cqs Encrypt certificate for this layer, but you also do not have to get it signed by a CA (you can use a self-signed certificate), because the client will authenticate it by its public key&. To generate a certificate and private key for the QUIC layer: +.sp +.if n {\ +.RS 4 +.} +.nf +$ openssl genpkey -algorithm ED25519 > quic&.key +$ openssl req -new -key quic&.key -x509 -days 1000 -nodes -out quic&.crt +Country Name (2 letter code) [AU]:&. +State or Province Name (full name) [Some-State]:&. +Locality Name (eg, city) []:&. +Organization Name (eg, company) [Internet Widgits Pty Ltd]:&. +Organizational Unit Name (eg, section) []:&. +Common Name (e&.g&. server FQDN or YOUR name) []:meek-quic +Email Address []:&. +$ cat quic&.key quic&.crt > quic&.pem +.fi +.if n {\ +.RE +.} +.sp +You can pass quic&.pem to both the \fB--quic-tls-cert\fR and \fB--quic-tls-key\fR options&. To renew the certificate using the same key: +.sp +.if n {\ +.RS 4 +.} +.nf +$ openssl req -new -key quic&.pem -x509 -days 1000 -nodes -out quic&.pem&.new +$ mv quic&.pem&.new quic&.pem +.fi +.if n {\ +.RE +.} +.sp Configuration for meek-server usually appears in a torrc file&. Here is a sample configuration using automatic Let(cqs Encrypt certificates: .sp .if n {\ @@ -75,7 +109,7 @@ Configuration for meek-server usually appears in a torrc file&. Here is a samp .nf ExtORPort auto ServerTransportListenAddr 0&.0&.0&.0:443 -ServerTransportPlugin meek exec &./meek-server --acme-hostnames meek-server&.example --log meek-server&.log +ServerTransportPlugin meek exec &./meek-server --acme-hostnames meek-server&.example --quic-tls-cert=quic&.pem --quic-tls-key=quic&.pem --log meek-server&.log .fi .if n {\ .RE @@ -89,7 +123,7 @@ Here is a sample configuration using externally acquired certificates: .nf ExtORPort auto ServerTransportListenAddr meek 0&.0&.0&.0:8443 -ServerTransportPlugin meek exec &./meek-server 8443 --cert cert&.pem --key key&.pem --log meek-server&.log +ServerTransportPlugin meek exec &./meek-server 8443 --cert cert&.pem --key key&.pem --quic-tls-cert=quic&.pem --quic-tls-key=quic&.pem --log meek-server&.log .fi .if n {\ .RE @@ -101,7 +135,7 @@ To listen on ports 80 and 443 without needed to run as root, on Linux, you can u .RS 4 .} .nf -setcap *(Aqcap_net_bind_service=+ep*(Aq /usr/local/bin/meek-server +$ setcap *(Aqcap_net_bind_service=+ep*(Aq /usr/local/bin/meek-server .fi .if n {\ .RE @@ -149,6 +183,23 @@ option in torrc, rather than use the option&. .RE .PP +\fB--quic-tls-cert\fR=\fIFILENAME\fR +.RS 4 +Name of a PEM-encoded TLS certificate for the inner QUIC TLS layer&. The certificate will be reloaded at runtime if the file changes&. The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using +\fB--cert\fR +and +\fB--key\fR&. +.RE +.PP +\fB--quic-tls-key\fR=\fIFILENAME\fR +.RS 4 +Name of a PEM-encoded TLS private key file for the inner QUIC TLS layer&. It may be the same file as +\fB--quic-tls-cert\fR&. The private key will be reloaded at runtime if the file changes&. The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using +\fB--cert\fR +and +\fB--key\fR&. +.RE +.PP \fB-h\fR, \fB--help\fR .RS 4 Display a help message and exit&.