
commit df63758ebbca4b89cc35dfdc80f6ae77e76c5f6e Author: David Fifield <david@bamsoftware.com> Date: Thu Dec 19 00:12:30 2019 -0700 Regen man pages. --- doc/meek-client.1 | 28 +++++++++++++++++++++++-- doc/meek-server.1 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 82 insertions(+), 7 deletions(-) diff --git a/doc/meek-client.1 b/doc/meek-client.1 index 58fd755..96b202e 100644 --- a/doc/meek-client.1 +++ b/doc/meek-client.1 @@ -2,12 +2,12 @@ .\" Title: meek-client .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 02/06/2019 +.\" Date: 12/19/2019 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "MEEK\-CLIENT" "1" "02/06/2019" "\ \&" "\ \&" +.TH "MEEK\-CLIENT" "1" "12/19/2019" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -55,6 +55,23 @@ Front domain name\&. If provided, this domain name will replace the domain name in the DNS request and TLS SNI field\&. The URL\(cqs true domain name will still appear in the Host header of HTTP requests\&. .RE .PP +\fBquic\-tls\-pubkey\fR=\fIPUBKEYHASH\fR +.RS 4 +Server public key hashes to accept for the inner QUIC TLS layer\&. These have nothing to do with the outer HTTPS layer, which verifies certificates in the usual PKI way\&. The format of +\fIPUBKEYHASH\fR +is a base64\-encoded SHA\-256 hash of the Subject Public Key Info, as in HPKP\&. This argument may be used more than once; all public key hashes provided are considered good to verify server certificates\&. To generate a public key hash from a certificate file, +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ openssl x509 \-in quic\&.pem \-pubkey \-noout | openssl pkey \-pubin \-outform der | openssl dgst \-sha256 \-binary | openssl enc \-base64 +.fi +.if n \{\ +.RE +.\} +.RE +.PP \fButls\fR=\fICLIENTHELLOID\fR .RS 4 Use the @@ -284,6 +301,13 @@ options in a torrc file\&. Name of a file to write log messages to (default stderr)\&. .RE .PP +\fB\-\-quic\-tls\-pubkey\fR=\fIPUBKEYHASH\fR[,\fIPUBKEYHASH\fR]\&... +.RS 4 +Comma\-separated list of server public key hashes to accept for the inner QUIC TLS layer\&. The option may be given only once, but you can separate multiple hashes using commas\&. Prefer using the +\fBquic\-tls\-pubkey\fR +SOCKS arg over using this command line option\&. +.RE +.PP \fB\-\-url\fR=\fIURL\fR .RS 4 URL to correspond with\&. Prefer using the diff --git a/doc/meek-server.1 b/doc/meek-server.1 index 3b7a07e..3b1c233 100644 --- a/doc/meek-server.1 +++ b/doc/meek-server.1 
@@ -2,12 +2,12 @@ .\" Title: meek-server .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 01/17/2019 +.\" Date: 12/19/2019 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "MEEK\-SERVER" "1" "01/17/2019" "\ \&" "\ \&" +.TH "MEEK\-SERVER" "1" "12/19/2019" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -67,6 +67,40 @@ and allow use to use your own externally acquired certificate\&. .RE .sp +Besides the external HTTPS\-layer TLS, you will need to configure certificates for the internal QUIC TLS layer using the \fB\-\-quic\-tls\-cert\fR and \fB\-\-quic\-tls\-key\fR options\&. You cannot use an automatic Let\(cqs Encrypt certificate for this layer, but you also do not have to get it signed by a CA (you can use a self\-signed certificate), because the client will authenticate it by its public key\&. To generate a certificate and private key for the QUIC layer: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ openssl genpkey \-algorithm ED25519 > quic\&.key +$ openssl req \-new \-key quic\&.key \-x509 \-days 1000 \-nodes \-out quic\&.crt +Country Name (2 letter code) [AU]:\&. +State or Province Name (full name) [Some\-State]:\&. +Locality Name (eg, city) []:\&. +Organization Name (eg, company) [Internet Widgits Pty Ltd]:\&. +Organizational Unit Name (eg, section) []:\&. +Common Name (e\&.g\&. server FQDN or YOUR name) []:meek\-quic +Email Address []:\&. +$ cat quic\&.key quic\&.crt > quic\&.pem +.fi +.if n \{\ +.RE +.\} +.sp +You can pass quic\&.pem to both the \fB\-\-quic\-tls\-cert\fR and \fB\-\-quic\-tls\-key\fR options\&. To renew the certificate using the same key: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ openssl req \-new \-key quic\&.pem \-x509 \-days 1000 \-nodes \-out quic\&.pem\&.new +$ mv quic\&.pem\&.new quic\&.pem +.fi +.if n \{\ +.RE +.\} +.sp Configuration for meek\-server usually appears in a torrc file\&. Here is a sample configuration using automatic Let\(cqs Encrypt certificates: .sp .if n \{\ 
@@ -75,7 +109,7 @@ Configuration for meek\-server usually appears in a torrc file\&. Here is a samp .nf ExtORPort auto ServerTransportListenAddr 0\&.0\&.0\&.0:443 -ServerTransportPlugin meek exec \&./meek\-server \-\-acme\-hostnames meek\-server\&.example \-\-log meek\-server\&.log +ServerTransportPlugin meek exec \&./meek\-server \-\-acme\-hostnames meek\-server\&.example \-\-quic\-tls\-cert=quic\&.pem \-\-quic\-tls\-key=quic\&.pem \-\-log meek\-server\&.log .fi .if n \{\ .RE @@ -89,7 +123,7 @@ Here is a sample configuration using externally acquired certificates: .nf ExtORPort auto ServerTransportListenAddr meek 0\&.0\&.0\&.0:8443 -ServerTransportPlugin meek exec \&./meek\-server 8443 \-\-cert cert\&.pem \-\-key key\&.pem \-\-log meek\-server\&.log +ServerTransportPlugin meek exec \&./meek\-server 8443 \-\-cert cert\&.pem \-\-key key\&.pem \-\-quic\-tls\-cert=quic\&.pem \-\-quic\-tls\-key=quic\&.pem \-\-log meek\-server\&.log .fi .if n \{\ .RE @@ -101,7 +135,7 @@ To listen on ports 80 and 443 without needed to run as root, on Linux, you can u .RS 4 .\} .nf -setcap \*(Aqcap_net_bind_service=+ep\*(Aq /usr/local/bin/meek\-server +$ setcap \*(Aqcap_net_bind_service=+ep\*(Aq /usr/local/bin/meek\-server .fi .if n \{\ .RE 
@@ -149,6 +183,23 @@ option in torrc, rather than use the option\&. .RE .PP +\fB\-\-quic\-tls\-cert\fR=\fIFILENAME\fR +.RS 4 +Name of a PEM\-encoded TLS certificate for the inner QUIC TLS layer\&. The certificate will be reloaded at runtime if the file changes\&. The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using +\fB\-\-cert\fR +and +\fB\-\-key\fR\&. +.RE +.PP +\fB\-\-quic\-tls\-key\fR=\fIFILENAME\fR +.RS 4 +Name of a PEM\-encoded TLS private key file for the inner QUIC TLS layer\&. It may be the same file as +\fB\-\-quic\-tls\-cert\fR\&. The private key will be reloaded at runtime if the file changes\&. The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using +\fB\-\-cert\fR +and +\fB\-\-key\fR\&. +.RE +.PP \fB\-h\fR, \fB\-\-help\fR .RS 4 Display a help message and exit\&.
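Review bot: The regenerated headers in the first hunk of meek-client.1 (and the identical one in meek-server.1) still ship the DocBook placeholder `.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]`; setting the author in the source the man pages are generated from would let a regen fill it in rather than carrying the placeholder forward each time only the date changes.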
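Review bot: The quic-tls-pubkey text in the `@@ -55,6 +55,23 @@` hunk of meek-client.1 should state that the pin covers only the Subject Public Key Info, so a certificate renewed with the same key (which is exactly what the meek-server.1 renewal steps do) keeps verifying and the hash has to be regenerated only when the key itself is replaced; readers otherwise tend to assume the hash must follow every certificate change. The pipeline `openssl x509 -in quic.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` reads the first CERTIFICATE block, so it works on the combined quic.pem as well as on quic.crt, and saying so would spare a question.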
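Review bot: The renewal recipe in the `@@ -67,6 +67,40 @@` hunk of meek-server.1 drops the private key: `openssl req -new -key quic.pem -x509 -days 1000 -nodes -out quic.pem.new` writes only the new certificate to quic.pem.new (the key given with -key is never written to -out), so after `mv quic.pem.new quic.pem` the file passed as --quic-tls-key no longer contains a key, and because the server reloads changed files at runtime the breakage is immediate. Suggest writing the certificate to its own file and rebuilding the bundle before the rename, e.g. `openssl req -new -key quic.pem -x509 -days 1000 -nodes -out quic.crt.new` followed by `cat quic.key quic.crt.new > quic.pem.new` (or recover the key from the bundle with `openssl pkey -in quic.pem`), and mention that quic.key from the first step should be kept for that purpose.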
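Review bot: The --quic-tls-cert and --quic-tls-key entries in the `@@ -149,6 +183,23 @@` hunk of meek-server.1 say the files are reloaded at runtime if they change but not what a safe replacement looks like; suggest adding that the file should be swapped in with a rename (as `mv quic.pem.new quic.pem` in the earlier example does) so a half-written file is never loaded, and that keeping certificate and key in one file means a single rename updates both consistently instead of the reloader seeing a new key with the old certificate. The two entries also repeat the sentence "The inner QUIC TLS layer is entirely independent of the outer HTTPS layer that is configured using --cert and --key" verbatim; stating it once and cross-referencing from the other option would read more cleanly.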