June 2001
As we covered in our last article, SSL/TLS (Secure Sockets Layer/Transport Layer Security) are the protocols used to add encryption and authentication on top of TCP/IP for HTTP. The next step is adding SSL/TLS support to an installed web server so that it can take advantage of those protocols. In this article we'll cover the most popular open source method: adding mod_ssl to Apache.
The mod_ssl module takes advantage of Apache's modular design to interface Apache with the open source public-key infrastructure toolkit OpenSSL. This is currently the most popular method for adding SSL/TLS support to Apache, with roughly 12% of all Apache installations running mod_ssl. The module integrates fully into Apache 1.3.x using the Extended API (EAPI) and can be loaded as a Dynamic Shared Object (DSO) to conserve memory while inactive. Commercial implementations of secured Apache, such as Covalent's Raven solution or Red Hat's Secure Web Server and Stronghold, also rely on mod_ssl and OpenSSL.
Some of the features that mod_ssl brings to Apache via OpenSSL include, but are not limited to:
Support for SSL v2 and v3
Support for TLS v1
Advanced pass-phrase handling for private keys
X.509 based client & server authentication
X.509 Certificate Revocation List (CRL) support
Support for Hardware Crypto Devices
Support for RSA and DSA/DH ciphers
Boolean-expression based access control
Backward compatibility to other SSL Solutions (Apache-SSL, Stronghold, etc.)
Inter-process SSL Session Cache
Powerful dedicated SSL engine logging facility
Assistance in X.509 certificate generation
The following general method will build and add mod_ssl to Apache. These steps, shown on a FreeBSD 4.2-STABLE machine, will, of course, vary depending on what OS you are using and how it is configured.
First, grab the latest source trees via your favorite method. As of this writing the current versions are:
Apache v1.3.19
mod_ssl v2.8.2
OpenSSL v0.9.6a
Next, you can proceed to:
gunzip openssl-0.9.6a.tar.gz
tar xf openssl-0.9.6a.tar
cd openssl-0.9.6a
su
./config --prefix=/usr/local/openssl-0.9.6a
make
make test
make install
cd ..
gunzip apache_1.3.19.tar.gz
tar xf apache_1.3.19.tar
gunzip mod_ssl-2.8.2-1.3.19.tar.gz
tar xf mod_ssl-2.8.2-1.3.19.tar
cd mod_ssl-2.8.2-1.3.19
# Apply the EAPI patches and drop the mod_ssl sources into the Apache tree
./configure --with-apache=../apache_1.3.19 \
--with-ssl=/usr/local/openssl-0.9.6a \
--prefix=/usr/local/apache-1.3.19-ssl
cd ../apache_1.3.19
# SSL_BASE tells APACI where the OpenSSL headers and libraries live
SSL_BASE=/usr/local/openssl-0.9.6a ./configure --prefix=/usr/local/apache-1.3.19-ssl \
--enable-module=ssl
make
# Generate a Snake Oil test certificate and key under conf/ssl.crt and conf/ssl.key
make certificate
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________
STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:
______________________________________________________________________
STEP 1: Generating RSA private key (1024 bit) [server.key]
2273813 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................++++++
...........++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 2: Generating X.509 certificate signing request [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:US
2. State or Province Name (full name) [Snake Desert]:California
3. Locality Name (eg, city) [Snake Town]:Oakland
4. Organization Name (eg, company) [Snake Oil, Ltd]:Weinstein.org
5. Organizational Unit Name (eg, section) [Webserver Team]:
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.weinstein.org
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:pdw@weinstein.org
8. Certificate Validity (days) [365]:
______________________________________________________________________
STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=US/ST=California/L=Oakland/O=Weinstein.org/OU=Webserver Team/CN=www.weinstein.org/Email=pdw@weinstein.org
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________
STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our demonstration-only Snake Oil CA) which later can replace
the conf/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
After make install, test your setup by starting the server with SSL enabled:
/usr/local/apache-1.3.19-ssl/bin/httpd -DSSL
then load your favorite SSL-enabled web browser and point it at https://localhost.
If we take a look at the Apache configuration file at /usr/local/apache-1.3.19-ssl/conf/httpd.conf, we can see the basic SSL setup:
Port 80
Listen 80
Listen 443
Note that https transactions by default take place on port 443, while non-SSL http transactions take place on port 80.
SSLSessionCache dbm:/usr/local/apache-1.3.19-ssl/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache-1.3.19-ssl/logs/ssl_mutex
Our session cache and semaphore have also been configured.
SSLLog /usr/local/apache-1.3.19-ssl/logs/ssl_engine_log
SSLLogLevel info
Our log of SSL transactions has also been configured. Note that SSLLogLevel takes the same arguments as LogLevel: debug, info, notice, warn, error, crit, alert, emerg.
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache-1.3.19-ssl/htdocs"
ServerName baldur.build.oakland.redhat.com
ServerAdmin root@baldur.build.oakland.redhat.com
ErrorLog /usr/local/apache-1.3.19-ssl/logs/error_log
TransferLog /usr/local/apache-1.3.19-ssl/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache-1.3.19-ssl/conf/ssl.key/server.key
</VirtualHost>
Finally, our VirtualHost, where we define the document root, the ciphers the server should accept, the server certificate and its corresponding private key. We can also place access control on pages under this document root that authenticates the user via a client certificate and restricts which Certificate Authorities that client certificate may have been issued by.
Of course, if we were to put this server into production we'd first need to generate a Certificate Signing Request (CSR), submit it to a public Certificate Authority and then install the signed certificate it returns in place of the Snake Oil test certificate generated before make install.
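The stock cipher string in the VirtualHost above still admits eNULL, export and LOW-grade ciphers as well as SSLv2. The following is an added example, not from the article or the mod_ssl distribution, of a tightened VirtualHost that also wires up the client-certificate access control just mentioned; the CA bundle and CRL file names, the /private location and the issuer organisation are assumptions.

```apache
# Added example (not the article's or mod_ssl's own config). Paths follow the
# install prefix used above; ca-bundle.crt, ca-bundle.crl and /private are assumed.
<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache-1.3.19-ssl/htdocs"
    ServerName www.weinstein.org
    ErrorLog /usr/local/apache-1.3.19-ssl/logs/error_log
    TransferLog /usr/local/apache-1.3.19-ssl/logs/access_log

    SSLEngine on
    # Refuse SSLv2 outright instead of merely deprioritising it (+SSLv2).
    SSLProtocol all -SSLv2
    # Keep only strong, authenticated suites; the stock string still allowed
    # eNULL (no encryption), EXP (export-grade) and LOW ciphers.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
    SSLCertificateFile    /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache-1.3.19-ssl/conf/ssl.key/server.key

    # CA(s) permitted to issue client certificates (assumed bundle name).
    SSLCACertificateFile /usr/local/apache-1.3.19-ssl/conf/ssl.crt/ca-bundle.crt
    # X.509 CRL so that revoked client certificates are rejected (assumed name).
    SSLCARevocationFile  /usr/local/apache-1.3.19-ssl/conf/ssl.crl/ca-bundle.crl

    # Client-certificate authentication for one part of the document root.
    <Location /private>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Boolean-expression access control: the client certificate must have
        # been issued by the named organisation's CA (assumed issuer) and the
        # session must use a 128-bit or stronger cipher.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Weinstein.org" \
                   and %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>
</VirtualHost>
```

Verify the key and certificate still match after any swap by comparing the modulus of each with the openssl x509 and openssl rsa commands before restarting httpd.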
Now we have a version of Apache installed that can encrypt and authenticate HTTP transactions via SSL/TLS. For more information about Apache and SSL/TLS, take a look at the references below.
References:
Engelschall, Ralf. "Security Solutions with SSL." ApacheCon, Santa Clara, 4 Apr. 2001.
Engelschall, Ralf. User Manual, mod_ssl Version 2.8. 30 Jan. 2001. www.modssl.org/docs/2.8