Apache Today

Installing a secure web server
Dec 11, 2000, 14:58 UTC, by Rich Bowen (10 talkbacks, 16948 reads)

With "e-commerce" becoming an important part of many businesses, it's useful to know how to set up your server to run SSL for the secure transfer of sensitive information.

What's SSL?

SSL, which stands for Secure Sockets Layer, is a protocol by which a client (a web browser) and a server (Apache, for example) can communicate with one another securely, using encrypted messages. Anyone intercepting a message receives only garbage: the messages are encrypted with the public keys of the conversants and can only be decrypted with their private keys, which are never distributed.

Getting SSL

There are a variety of SSL solutions available, and you should probably check out all the options before making the decision that is right for your business, or that of your clients.

Being an Open Source advocate, I am partial to OpenSSL. You can get OpenSSL from http://www.openssl.org/ in source code form. It is free software, and you can build it to run on whatever platform you are using.

As of this writing, the latest version of OpenSSL is 0.9.6. The file is approximately 2 MB, so be prepared to wait a while.

You need to click on the "Source" link, and get the file that is labelled "LATEST".

Installing SSL

Please note that OpenSSL is only the engine; you'll still need mod_ssl to provide the interaction between SSL and Apache.

Once you've downloaded OpenSSL, you will need to unpack it. Do this in the same location where you have Apache source code unpacked. I'll assume for this article that you're working in /usr/src.

     gunzip openssl-0.9.6.tar.gz
     tar -vxf openssl-0.9.6.tar

Then change into the openssl-0.9.6 directory, and type the following:

     ./config
     make
     make test
     make install

That's it. You're ready to move on to the next stage. For detailed instructions and advanced options, read the INSTALL file.

Installing mod_ssl

Here's where things get interesting. mod_ssl has a reputation of being somewhat difficult to install, but it does not need to be.

Warning: Make an effort to understand what you are doing before you do it. I gave a very skimpy definition of SSL above. You really should read the referenced article. Security that you don't understand is much more likely to be compromised than security whose workings you know.

Note also that you're going to need to rebuild Apache, so you should have the Apache source code handy also. Take this opportunity to upgrade to the latest version of Apache. 1.3.15 should be out real soon.

Get mod_ssl from http://www.modssl.org/. You should notice a resemblance between this site and the OpenSSL web site. It's not a coincidence.

Download the latest source code file, and unpack it somewhere you can get to it. It is useful to unpack it in the same place where you have your Apache source code unpacked, such as in /usr/src, for example.

Now, follow these steps carefully. This assumes that you have unpacked all of these packages in /usr/src, and that the Apache source code, the OpenSSL source code, and the mod_ssl source code are all there.

     cd mod_ssl-2.7.xxxx
     ./configure --with-apache=../apache_1.3.14 \
          --with-ssl=../openssl-0.9.6 \
          --with-crt=/path/to/your/server/certificate \
          --with-key=/path/to/your/server/key
     cd ../apache_1.3.14
     make
     make install

And then you're done.

Yes, perhaps there's a little more to it than that.

Certificate

You need a certificate. It's going to cost you a little money. There are a few companies (VeriSign, for example) that sell secure server certificates that are automatically accepted by the major browsers.

You can generate one of your own, but it will show up in the client's browser window as possibly insecure, and they will have to confirm that they are willing to accept it.

Once you have gone through the painful process of purchasing a certificate, you'll be able to use the --with-crt and --with-key lines above to tell mod_ssl which certificate and key to use.

If you don't have a certificate yet, skip those two lines, and add the command make certificate between make and make install at the end of the process. This generates a test certificate for you to use while you're waiting for the real one to arrive.
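As an added example (not code from the article or the mod_ssl project), here is a small POSIX shell wrapper for the build sequence above. It checks that the three source trees are where the article assumes them to be, passes --with-crt and --with-key only when a certificate and key are both supplied, and otherwise inserts make certificate between make and make install. The directory names and versions are the article's; mod_ssl-2.7.xxxx remains a placeholder for the real version, the function names are this example's own, and the check that the private key is readable by its owner alone is an addition the article does not mention.

```shell
#!/bin/sh
# Added example, not code from the article or the mod_ssl project: a wrapper
# for the build sequence described above. It checks that the three source
# trees are where the article assumes (under /usr/src), passes --with-crt and
# --with-key only when a certificate and key are both supplied, and otherwise
# inserts "make certificate" between make and make install. Directory names
# and versions are the article's; mod_ssl-2.7.xxxx is a placeholder for the
# real mod_ssl version. Function names here are this example's own.
#
# Usage:  ./build-modssl.sh build [server.crt server.key]
#         DRY_RUN=1 ./build-modssl.sh build     # print the commands only

SRC="${SRC:-/usr/src}"
APACHE_DIR="${APACHE_DIR:-apache_1.3.14}"
OPENSSL_DIR="${OPENSSL_DIR:-openssl-0.9.6}"
MODSSL_DIR="${MODSSL_DIR:-mod_ssl-2.7.xxxx}"

# modssl_configure_args CRT KEY: print the configure options from the article;
# the certificate pair is added only when both paths are given.
modssl_configure_args() {
    args="--with-apache=../$APACHE_DIR --with-ssl=../$OPENSSL_DIR"
    if [ -n "$1" ] && [ -n "$2" ]; then
        args="$args --with-crt=$1 --with-key=$2"
    fi
    printf '%s\n' "$args"
}

# build_steps CRT KEY: print the make targets to run in the Apache tree, one
# per line; "make certificate" appears only when no real certificate is given.
build_steps() {
    if [ -n "$1" ] && [ -n "$2" ]; then
        printf '%s\n' "make" "make install"
    else
        printf '%s\n' "make" "make certificate" "make install"
    fi
}

# key_is_private FILE: succeed only if the key exists and neither the group
# nor others can read it; a world-readable server key defeats the purpose.
key_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# run CMD...: execute, or only echo the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build CRT KEY: the article's sequence with the precondition checks above
build() {
    crt="$1"; key="$2"
    for d in "$APACHE_DIR" "$OPENSSL_DIR" "$MODSSL_DIR"; do
        [ -d "$SRC/$d" ] || { echo "missing source tree: $SRC/$d" >&2; return 1; }
    done
    if [ -n "$crt" ] && [ ! -f "$crt" ]; then
        echo "certificate not found: $crt" >&2; return 1
    fi
    if [ -n "$key" ] && ! key_is_private "$key"; then
        echo "refusing to use $key: it must be readable by its owner only" >&2; return 1
    fi
    cd "$SRC/$MODSSL_DIR" || return 1
    # word-splitting of the option list is intended here
    run ./configure $(modssl_configure_args "$crt" "$key") || return 1
    cd "$SRC/$APACHE_DIR" || return 1
    build_steps "$crt" "$key" | while read -r step; do
        run $step || exit 1
    done
}

# Build only when asked, so the file can be sourced without side effects.
if [ "${1:-}" = "build" ]; then
    build "${2:-}" "${3:-}"
fi
```

Run it once with DRY_RUN=1 to see the exact configure line and make targets it will use before letting it touch the source trees.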

Configuration

The above process added a large number of directives to your configuration file. You should look through httpd.conf and see what sorts of new things are in there. As you learn more about SSL, the things in there will begin to make more sense. The purpose of this article is to get you running with SSL as quickly as possible, and so I'm not going to spend a lot of time on configuration, except to make the following important point.

SSL and name-based virtual hosts

Because of the way SSL works, you can't use SSL on name-based virtual hosts. There are no configuration tricks that you can do to make this work. SSL must run on the primary name of the IP address to which it answers. This has to do with the order in which things are said in the SSL negotiation conversation -- the secure connection is made before the client ever tells the server what document it is looking for, so the virtual host negotiation comes too late.

So, in order to run SSL on multiple virtual hosts, you'll need to use IP-based virtual hosts, with a separate IP address for each secure host. This is being addressed in upcoming revisions to the SSL protocol, but that could be a while away.
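Since no configuration trick makes SSL work on a name-based host, the practical thing is to catch the mistake before the server is restarted. The following shell/awk audit is an added example, not code from the article: it reads an httpd.conf, treats every VirtualHost whose address also appears in a NameVirtualHost directive as name-based, and reports any such host that has SSLEngine on. The httpd.conf it runs against is constructed sample input, the function names are this example's own, and matching on the address alone (ignoring the port) is a deliberate conservative choice.

```shell
#!/bin/sh
# Added example, not from the article: audit an httpd.conf for the mistake
# the article warns about, SSLEngine on inside a name-based virtual host.
# Any <VirtualHost> whose address also appears in a NameVirtualHost directive
# is name-based; SSL cannot work there because the handshake finishes before
# the client names the host it wants. The config below is constructed sample
# input, not a real server's configuration.

# ssl_on_name_vhosts FILE: print "address ServerName" for each name-based
# virtual host that turns SSL on. The port is ignored when matching, which
# errs on the side of flagging (NameVirtualHost without a port covers all ports).
ssl_on_name_vhosts() {
    awk '
        $1 ~ /^#/ { next }                       # skip comment lines
        tolower($1) == "namevirtualhost" {       # remember name-based addresses
            a = $2; sub(/:.*/, "", a); named[a] = 1; next
        }
        tolower($1) ~ /^<virtualhost/ {          # start of a vhost block
            addr = $2; sub(/>.*/, "", addr); sub(/:.*/, "", addr)
            sn = "(no ServerName)"; ssl = 0; in_vh = 1; next
        }
        in_vh && tolower($1) == "servername" { sn = $2 }
        in_vh && tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
        in_vh && tolower($1) == "</virtualhost>" {
            if (ssl && (addr in named)) print addr, sn
            in_vh = 0
        }
    ' "$1"
}

# Constructed sample httpd.conf: one name-based address carrying two hosts,
# one of which wrongly enables SSL, and a separate IP-based SSL host done right.
sample_conf() {
    cat <<'EOF'
NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName www.example.com
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName secure.example.com
    SSLEngine on
</VirtualHost>

# The correct layout for SSL: its own IP address, with no NameVirtualHost for it
<VirtualHost 192.0.2.11:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
</VirtualHost>
EOF
}

# audit_sample: run the check against the constructed config; returns 1 when
# an offending host is found, so it can gate a restart in a deployment script.
audit_sample() {
    tmp=$(mktemp)
    sample_conf > "$tmp"
    found=$(ssl_on_name_vhosts "$tmp")
    rm -f "$tmp"
    if [ -n "$found" ]; then
        printf 'SSL enabled on name-based virtual host(s):\n%s\n' "$found"
        return 1
    fi
    echo "no SSL on name-based virtual hosts"
}
```

On the sample above the audit reports 192.0.2.10 secure.example.com and nothing for shop.example.com, which sits alone on its own address; point ssl_on_name_vhosts at a real httpd.conf to use it on a server.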

More information

One of the clearest explanations of how mod_ssl works is Ralf Engelschall's talk from ApacheCon in London. You can see this talk at http://www.modssl.org/docs/apachecon2000/. I was able to attend that talk, and learned a lot of interesting things.

The talk also has a step-by-step guide for installing mod_ssl. It does things a little differently than I do above, and it might give you some additional insight into what's going on.

Conclusion

The documentation that comes with OpenSSL and mod_ssl is pretty complete. The trick is in knowing that you have to install both in order to make things work. Reading the docs for both will teach you a lot about how the technologies work, as well as how to get them working.

Please drop me a note if you have something that you'd like for me to discuss in a future article.

Related Stories:
DevShed: The Soothingly Seamless Setup of Apache, SSL, MySQL, and PHP (Jun 09, 2000)
RootPrompt.org: Can IPv6 replace SSL? (May 30, 2000)

Talkback(s)
  Apache as a DSO
When installing ssl & mod_ssl to Apache that has been configured with DSO, I assume that I do not need to recompile Apache? What do I need to add to the httpd.conf file?

Thanks
  
  Dec 13, 2000, 04:53:25
   Re: Apache as a DSO
> When installing ssl & mod_ssl to Apache that has been configured with DSO, I assume that I do not need to recompile Apache? What do I need to add to the httpd.conf file?
Thanks


I'm hardly an expert on this, but your assumption is not entirely correct. mod_ssl patches the vanilla Apache source to support EAPI (extended API). If your current Apache is not similarly patched, it won't work if you plug in mod_ssl after the fact. Any other modules you currently use would also need to be recompiled under EAPI as well.

As for httpd.conf, you'll at least need to add the following directives:

LoadModule ssl_module libexec/libssl.so
AddModule mod_ssl.c

in the applicable locations.

I was hoping this article would be more meaty because I've been struggling to deploy Apache/mod_ssl on Solaris7. mod_ssl is included in-the-box in Red Hat 7.0 and works great. However, Solaris doesn't have a /dev/random and using mod_ssl's builtin random has provided mixed results (it generates copious errors in the logs & sometimes blocks for minutes for an inapparent reason). I'm still looking for a good mod_ssl/Apache-SSL resource for deployment on Solaris7.

One last thing worth mentioning is that users have reported mixed compatibility between mod_ssl and Internet Explorer, even with the hacks given in the mod_ssl FAQ. If you're absolutely concerned with MSIE compatibility, you should also look at Apache-SSL (www.apache-ssl.org) because it doesn't seem to share this issue.   
  Dec 14, 2000, 01:15:39
   Re: Apache as a DSO
> When installing ssl & mod_ssl to Apache that has been configured with DSO, I assume that I do not need to recompile Apache? What do I need to add to the httpd.conf file?
Thanks


Yes, you will need to recompile. It's not recommended that you run SSL as a DSO, although it can be done.   
  Dec 17, 2000, 22:54:32
   Re: Re: Apache as a DSO
>Yes, you will need to recompile. It's not recommended that you run SSL as a DSO, although it can be done.

Why is it not recommended to use the ssl lib as a dso?

narbey   
  Dec 19, 2000, 20:31:42
   Re: Re: Apache as a DSO
AND you can use virtual hosts with apache-ssl!

I think apache-ssl is much better..... :)   
  Dec 24, 2000, 13:12:52
   Re: Re: Re: Apache as a DSO
> >Yes, you will need to recompile. It's not recommended that you run SSL as a DSO, although it can be done.
Why is it not recommended to use the ssl lib as a dso?
narbey

There are two parts to the SSL module. There is something called the EAPI (that's Extended API). This part has to be compiled into Apache. There's no other way to do it. mod_ssl can be loaded as a DSO, but only if the EAPI is already in place. SSL and the EAPI are larger than Apache itself. There's an actual size comparison in the ApacheCon presentation that I linked to from the article. All this to say, with SSL being larger than Apache, it makes little sense to load it as a DSO.

Added to this size consideration, there's the sort of places where you'll be running SSL. Secure servers. Stable servers. Not the sort of place where you will want to reconfigure your server every week, which is the strength of DSOs - flexibility.

So, apparently, I don't have a strong technical reason for saying that it is not recommended, just gut-feeling sorts of reasons.

However, I've noticed (and I don't have any hard evidence of this, either) that mod_ssl and mod_perl definitely don't seem to play nice together when they are DSOs, but seem to do just fine when they are built into the server. I have no particular notion of why this is, and I don't have any particularly reproducible scenario in which I can demonstrate this. Yet more gut feelings.

Sorry I don't have anything more concrete than that.   
  Dec 21, 2000, 02:18:13
  Real Certificate for $79 from Equifax...
Forget Verisign and all the other price gougers - check out Equifax
certs for $79 - they work perfectly with Apache.
  Dec 15, 2000, 05:17:40
  Re: Real Certificate for $79 from Equifax...
Thanks for the tip. I might do it now. I found the URL:
https://www.equifaxsecure.com/ebusinessid/ssl_demo.html
  
  Dec 21, 2000, 16:42:56
  Re: Real Certificate for $79 from Equifax...
Do you get the warnings in any browsers?   
  Dec 22, 2000, 02:40:39
  linux clustering
Dear Sir/Madam,

I would like to own a copy about linux clustering, I need it very badly.


Sincerely Yours,
john michael   
  Dec 10, 2001, 02:00:48
Copyright 2002 INT Media Group, Incorporated All Rights Reserved.