Installing a secure web server
(Dec 11th, 14:58:11)

With "e-commerce" becoming an important part of many businesses, it's useful to know how to set up your server to run SSL for secure transfer of sensitive information.

What's SSL?

SSL, which stands for Secure Sockets Layer, is a protocol by which a client (a web browser) and a server (Apache, for example) can communicate with one another securely, using encrypted messages. Anyone intercepting the traffic receives only garbage: the messages are encrypted with the conversants' public keys and can only be decrypted with the corresponding private keys, which are never distributed.

Getting SSL

There are a variety of SSL solutions available, and you should probably check out all the options before making the decision that is right for your business, or that of your clients.

Being an Open Source advocate, I am partial to OpenSSL. You can get OpenSSL from http://www.openssl.org/ in source code form. It is free software, and you can build it to run on whatever platform you are using.

As of this writing, the latest version of OpenSSL is 0.9.6. The file is approximately 2 MB, so be prepared to wait a while.

You need to click on the "Source" link, and get the file that is labelled as "LATEST".

Installing SSL

Please note that SSL is the engine, and you'll still need mod_ssl for the interaction between SSL and Apache.

Once you've downloaded OpenSSL, you will need to unpack it. Do this in the same location where you have Apache source code unpacked. I'll assume for this article that you're working in /usr/src.

     gunzip openssl-0.9.6.tar.gz
     tar -vxf openssl-0.9.6.tar

Then change into the openssl-0.9.6 directory, and type the following:

     ./config
     make
     make test
     make install

That's it. You're ready to move on to the next stage. For detailed instructions and advanced options, read the INSTALL file.

Installing mod_ssl

Here's where things get interesting. mod_ssl has a reputation of being somewhat difficult to install, but it does not need to be.

Warning: Make an effort to understand what you are doing before you do it. I gave a very skimpy definition of SSL above. You really should read the referenced article. Security that you don't understand is much more likely to be compromised than security whose workings you know.

Note also that you're going to need to rebuild Apache, so you should have the Apache source code handy also. Take this opportunity to upgrade to the latest version of Apache. 1.3.15 should be out real soon.

Get mod_ssl from http://www.modssl.org/. You should notice a resemblance between this site and the OpenSSL web site. It's not a coincidence.

Download the latest source code file, and unpack it somewhere you can get to it. It is useful to unpack it in the same place where you have your Apache source code unpacked, such as in /usr/src, for example.

Now, follow these steps carefully. This assumes that you have unpacked all of these packages in /usr/src, and that you have the Apache source code, the OpenSSL source code, and the mod_ssl source code all there.

     cd mod_ssl-2.7.xxxx
     ./configure --with-apache=../apache_1.3.14 \
          --with-ssl=../openssl-0.9.6 \
          --with-crt=/path/to/your/server/certificate \
          --with-key=/path/to/your/server/key
     cd ../apache_1.3.14
     make
     make install
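Before running the configure line above it is worth checking that the paths it names are real and that the server key is not readable by anyone but its owner, since --with-key hands mod_ssl a file that must stay secret. The following Python script is an added example, not part of the article, of mod_ssl or of OpenSSL: it verifies the source trees exist, that the certificate and key files carry PEM headers, that the key's group and other permission bits are clear, and then assembles the argument list the shell would pass to ./configure. The directory names, the helper names (preflight, configure_args, make_demo_tree) and the PEM stubs it writes are all assumptions made for the demonstration; the stubs are constructed placeholders, not usable keys.

```python
"""Pre-flight check for the mod_ssl configure step.

Added example, not from the article, mod_ssl or OpenSSL. Function names and
the demo tree it builds are assumptions made for this illustration.
"""
import os
import stat
import tempfile


def pem_has_header(path, *markers):
    """True if the file's first non-empty line is one of the given PEM BEGIN markers."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line:
                    return line in markers
    except OSError:
        return False
    return False


def key_is_private(path):
    """True if no permission bit for group or others is set on the key file."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def preflight(apache_src, openssl_src, crt, key):
    """Return a list of problems; an empty list means ./configure can be run."""
    problems = []
    for label, d in (("Apache source", apache_src), ("OpenSSL source", openssl_src)):
        if not os.path.isdir(d):
            problems.append(f"{label} directory not found: {d}")
    if not pem_has_header(crt, "-----BEGIN CERTIFICATE-----"):
        problems.append(f"certificate is missing or not a PEM certificate: {crt}")
    if not pem_has_header(key, "-----BEGIN RSA PRIVATE KEY-----",
                          "-----BEGIN PRIVATE KEY-----"):
        problems.append(f"key is missing or not a PEM private key: {key}")
    elif not key_is_private(key):
        problems.append(f"private key is readable by group or others; chmod 600 it: {key}")
    return problems


def configure_args(apache_src, openssl_src, crt=None, key=None):
    """Build the argument list; omit crt/key when you will use 'make certificate' instead."""
    args = ["./configure", f"--with-apache={apache_src}", f"--with-ssl={openssl_src}"]
    if crt and key:
        args += [f"--with-crt={crt}", f"--with-key={key}"]
    return args


def make_demo_tree():
    """Create a throw-away tree with constructed PEM stubs (not real keys) for a demo run."""
    base = tempfile.mkdtemp(prefix="modssl-preflight-")
    apache = os.path.join(base, "apache_1.3.14")
    openssl_dir = os.path.join(base, "openssl-0.9.6")
    os.mkdir(apache)
    os.mkdir(openssl_dir)
    crt = os.path.join(base, "server.crt")
    key = os.path.join(base, "server.key")
    with open(crt, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed-placeholder\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # deliberately too open so the demo reports it
    return apache, openssl_dir, crt, key


if __name__ == "__main__":
    apache, openssl_dir, crt, key = make_demo_tree()
    for p in preflight(apache, openssl_dir, crt, key):
        print("PROBLEM:", p)
    os.chmod(key, 0o600)
    print("after chmod 600:", preflight(apache, openssl_dir, crt, key) or "ok")
    print(" ".join(configure_args("../apache_1.3.14", "../openssl-0.9.6", crt, key)))
```

Run it from /usr/src/mod_ssl-2.7.xxxx with your real paths substituted in preflight(); only when it returns an empty list should you start the configure/make sequence.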

And then you're done.

Yes, perhaps there's a little more to it than that.

Certificate

You need a certificate. It's going to cost you a little money. There are a few companies (VeriSign, for example) that sell secure server certificates that are automatically accepted by the major browsers.

You can generate one of your own, but it will show up in the client's browser window as possibly insecure, and they will have to verify that they are willing to accept it.

Once you have gone through the painful process of purchasing a secure certificate, you'll be able to use the --with-crt and --with-key lines above to tell mod_ssl to use that certificate and key.

If you don't have a certificate, skip those two lines, and add a "make certificate" step between the make and the make install at the end of the process. This will generate a test certificate for you to use while you're waiting for the real one to arrive.

Configuration

The above process added a large number of directives to your configuration file. You should look through httpd.conf and see what sorts of new things are in there. As you learn more about SSL, the things in there will begin to make more sense. The purpose of this article is to get you running with SSL as quickly as possible, and so I'm not going to spend a lot of time on configuration, except to make the following important point.

SSL and name-based virtual hosts

Because of the way SSL works, you can't use SSL on name-based virtual hosts. There are no configuration tricks that you can do to make this work. SSL must run on the primary name on the IP address to which it answers. This has to do with the order in which things are said in the SSL negotiation conversation: the secure connection is made before the client ever tells the server what document it is looking for, so the virtual host negotiation is too late.

So, in order to run SSL on multiple virtual hosts, you'll need to use IP-based virtual hosts. This is being addressed in upcoming revisions to the SSL protocol, but that could be a while away.
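To turn the point above into a check you can run against your own configuration, the following Python script is an added example, not from the article or from mod_ssl: it scans httpd.conf-style text for <VirtualHost> blocks that turn SSLEngine on and reports any address:port shared by more than one of them, which is exactly the name-based layout that cannot work. The sample configuration, its addresses and host names are constructed for the demonstration, and the function names are chosen for this example.

```python
"""Flag SSL virtual hosts that would have to be selected by name on a shared address.

Added example, not from the article or from mod_ssl. The handshake completes
before the client names the host it wants, so two SSL vhosts on the same
address:port can never be told apart; this reports such pairs.
"""
import re

# Matches one <VirtualHost ...> ... </VirtualHost> block (they do not nest).
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
SSL_ON_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.IGNORECASE | re.MULTILINE)
SERVER_NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample configuration for the demonstration (not a real server).
SAMPLE_CONF = """\
Listen 443
NameVirtualHost 10.0.0.1:443

<VirtualHost 10.0.0.1:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.crt
</VirtualHost>

<VirtualHost 10.0.0.1:443>
    ServerName support.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/support.crt
</VirtualHost>

<VirtualHost 10.0.0.2:443>
    ServerName intranet.example.com
    SSLEngine on
</VirtualHost>

<VirtualHost 10.0.0.1:80>
    ServerName shop.example.com
</VirtualHost>
"""


def parse_vhosts(conf_text):
    """Return a list of (address_list, server_name, ssl_on) for each VirtualHost block."""
    vhosts = []
    for m in VHOST_RE.finditer(conf_text):
        addrs = m.group(1).split()          # a block may list several addr:port pairs
        body = m.group(2)
        ssl_on = SSL_ON_RE.search(body) is not None
        name_m = SERVER_NAME_RE.search(body)
        server_name = name_m.group(1) if name_m else None
        vhosts.append((addrs, server_name, ssl_on))
    return vhosts


def find_ssl_name_conflicts(conf_text):
    """Return {addr: [server names]} for every address:port carrying more than one SSL vhost."""
    by_addr = {}
    for addrs, server_name, ssl_on in parse_vhosts(conf_text):
        if not ssl_on:
            continue
        for addr in addrs:
            by_addr.setdefault(addr, []).append(server_name or "(no ServerName)")
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    conflicts = find_ssl_name_conflicts(SAMPLE_CONF)
    if not conflicts:
        print("no SSL vhosts share an address:port")
    for addr, names in conflicts.items():
        print(f"{addr}: {len(names)} SSL vhosts share this address, only the first can be served:")
        for name in names:
            print("   ", name)
```

Every address the script lists needs its own IP (an IP-based virtual host) for the extra names, or the extra names must be served from the primary host. Replace SAMPLE_CONF with the contents of your httpd.conf to check a real server.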

More information

One of the clearest explanations of how mod_ssl works is Ralf Engelschall's talk from ApacheCon in London. You can see this talk at http://www.modssl.org/docs/apachecon2000/. I was able to attend that talk, and learned a lot of interesting things.

The talk also has a step-by-step guide for installing mod_ssl. It does things a little differently than I do above, and it might give you some additional insight into what's going on.

Conclusion

The documentation that comes with OpenSSL and mod_ssl is pretty complete. The trick is in knowing that you have to install both in order to make things work. Reading the docs for both will teach you a lot about how the technologies work, as well as how to get them working.

Please drop me a note if you have something that you'd like for me to discuss in a future article.

Printed from Apache Today (https://apachetoday.com).
https://apachetoday.com/news_story.php3?ltsn=2000-12-11-001-06-OS-LF-AD