Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Apache Web Server Quick and Dirty Steve Gibbard for SANOG 16 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
APACHE SERVER By Innovationframes.com »
Secure Sockets Layer (SSL) Fred Schank Kevin Wetter.
SSL Technology Overview and Troubleshooting Tips.
JSSE API University of Palestine Eng. Wisam Zaqoot April 2010.
CSCI 6962: Server-side Design and Programming
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.
Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Masud Hasan Secue VS Hushmail Project 2.
1 Apache and Virtual Sites and SSL Dorcas Muthoni.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Web Security : Secure Socket Layer Secure Electronic Transaction.
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Apache Web Server Quick and Dirty for AfNOG 2015 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Apache Web Server Quick and Dirty Evelyn NAMARA for AfNOG 2014 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Apache Web Server Quick and Dirty Ayitey Bulley for AfNOG 2011 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Apache Web Server Quick and Dirty Kevin G. Chege for AfNOG 2013 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Advanced Sendmail Part 1
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Cryptography CSS 329 Lecture 13:SSL.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
TOPIC: HTTPS (Security protocol)
Apache with SSL building from source
Apache Security with SSL Using FreeBSD
Secure Sockets Layer (SSL)
(Originally by Joel Jaeggli for AfNOG 2007)‏
The Secure Sockets Layer (SSL) Protocol
Presentation transcript:

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center

Some SSL background ● Invented by Netscape for secure commerce. ● Only available using Netscape and Netscape Commerce Server. ● Originally only one signing authority, RSA Data Security. ● Eric A. Young created SSLeay, an Open Source SSL implementation. ● OpenSSL project extends SSLeay for public use. ● RSA spun certificate services division to Verisign in ● Netscape and Microsoft decided to support multiple CA's. ● 1996 the IETF Transport Layer Security (TLS) task force was created. They published RFCs to support an open stream encryption standard. ● TLS is based on SSL version 3.0 with additions. TLS and SSL are just semantics. ● You might consider TSL to be SSL version 3.1.

What SSL Provides ● Secure communcation between client and server. ● SSL protocol works on top of the tcp/ip layer and below the application layer. ● Provides for authentication using certificates, multiple encryption cipher choices, methods to exchange session keys, and integrity checking. ● Server authentication almost always takes place. Client authentication is optional. ● Once authetication and handshaking are done then data is transmitted using the strongest mutually available cipher over tcp/ip. ● Weaker ciphers have resulted in some potential SSL security holes.

Apache+mod_ssl – What is it? Together Apache and mod_ssl create a system of security with digital certificates that allows you to offer secure, encrypted connections to your web server. mod_ssl is an Apache module that adds “secure sockets layer” (ssl) and “transport layer security” (tls) between a web server and it's clients (web browsers).

Apache-ssl – What is it? The original Apache with SSL software. mod_ssl is a “split” from the apache-ssl project. Aimed at stability and security with less features. You can install both Apache-ssl and Apache+mod_ssl via FreeBSD ports, packages, or from source.

What are we going to use? We'll use Apache Web server version with mod_ssl version Apache currently runs about 70% of all web sites on the Internet: mod_ssl is the most popular method for using SSL with apache at this time.

And, the name? What does “apache+mod_ssl” mean? Any guesses?... Apache = A Patchwork of programs mod = Module (an Apache program) SSL = Secure Socket Layer

Digital certificates and signatures If you generate a local digital certificate you can pay a signing authority to verify your certificate and they'll send it back to you with their “signature”. With the signing authority's signature your certificate will be accepted by clients (web browsers) without additional prompts. A digitally signed certificate implies trust that you are who you say you are between your server and the clients who connect to it.

How a certificate request is done To generate a signed digital certificate from a commercial CA for your site (using FreeBSD and openssl) you do the following: – Generate your own public and private keys using openssl. – Answer requested information for the CA you choose to use. – Send your public key and information to the CA. – The CA will verify you are who you say you are. – The CA creates a signed, digital certificate with their private key, using your public key and additional information. – The signed certificate is made available to you. – You place the certificate file in the appropriate location. – Apache will now use this for all https requests. If client browsers have the CA's public key, then a secure connection is made without additional prompting.

Issues with certificate requests ● Can you trust the Certificate Authority? ● Maybe you should sign your public key... ● Verisign bought Thawte. Verisign signs the majority of digital certificates. They are US- based. ● How does the CA know who you are? All these are good reasons to insist on expiration dates in certificates.

Creating a signed certificate locally ● Today we will sign our own certificate using our own private key. ● This can still be useful: – Encrypts data. – Deals with man-in-the middle attacks after the initial connection and certificate acceptance. – It doesn't cost anything!

Installing support for SSL with Apache As of FreeBSD 5.4 you can choose from the following three packages or ports: – apache13-modssl – apache13-modssl+ipv6 – apache13-ssl Some of the items installed include: – Local digital certificates in /usr/local/etc/apache/ – The configuration file /usr/local/etc/apache/httpd.conf – Docs in /usr/local/share/doc/apache/mod/mod_ssl/index.html

Installing SSL support cont. Another form to install mod_ssl is to compile Apache with mod_ssl together from source. You can download the code from: – – And, you can specify many options that you cannot do, or that are more difficult to do, using the package install or build from port methods.

Configure a digital certificate Do the following steps: – mkdir /usr/local/etc/apache/mycert – cd /usr/local/etc/apache/mycert – openssl genrsa -des3 -out server.key 2048 – openssl rsa -in server.key -out server.pem – openssl req -new -key server.key -out \ server.csr (answer the series of questions) – openssl x509 -req -days 60 -in server.csr \ - signkey server.key -out server.crt OpenSSL is installed with mod_ssl if it's not already on your system.

Configure a certificate cont. Explanation openssl genrsa -des3 -out server.key 2048 generates a 2048 bit RSA key using the OpenSSL libraries. The key is encoded with the des3 (triple des) algorithm. This key is private.

Configure a certificate cont. Explanation openssl rsa -in server.key -out server.pem This removes the passphrase from the private key and places the private key in server.pem for future use. We'll show why this is useful a bit later.

Configure a certificate cont. Explanation openssl req -new -key server.key -out server.csr This generates a “csr” (Certificate Signing Request) so that you can have the key signed, or to generate a self-signed certificate. openssl x509 -req -days 365 -in server.csr -signkey \ server.key -out server.crt This generates a certificate that's good for 365 days. You can make this shorter or longer if you wish.

Remove the password If we use the server.key default file then each time Apache starts you'll be prompted for the passphrase of your private key. To remove the passphase we'll use the file server.pem in place of the current server.key file. This is the same as server.key, but it's not encoded with a passphrase.

Making the connection OK, so you have a server.crt (server certificate) file and a server.key file (with our without a passphrase). Now what happens when someone actually connects to your ssl-enabled server? From winter/presentation/ssloverv.ppt ● 10 Steps to an SSL session – Client wants document from secure server: – Server sends its certificate to the client. – Checks if certificate was issued by trusted CA.

Making the connection cont. ● 10 Steps to an SSL session continued... – Client compares information in the the certificate with site’s public key and domain name. – Client tells the server what Cipher suites it has available. – The server picks the strongest mutually available cipher suite and notifies the client. – The client then generates a session key, encrypts it using the server’s public key and sends it to the server

Making the connection cont. ● 10 Steps to an SSL session continued... – The server receives the encrypted session key and decrypts it using its private key. – The client and the server use the session key to encrypt and decrypt the data they send to each other.

Solving problems If you cannot connect to the server check the following: ● Check if firewalling software is running and blocking access to port 443. ● Verify that Apache is listening for connections on port 443 using netstat -an | grep LISTEN ● To see certificate and/or configuration file errors look in: ==>

Solving problems cont. See errors in: – /var/log/messages (tail -f /var/log/messages) – /var/log/httpd-error.log – /var/log/ssl_engine_log And, as always, you can use: to look for other people having the same problem.

Understanding SSL: Some resources ● Original Open Source version by Eric Young: ● Nice published resource: Web Security, Privacy & Commerce, 2nd. Ed. O'Reilly Press: ● Apache+mod_ssl: ● Apache-ssl: ● The OpenSSL Project:

Conclusion The installation of Apache with mod_ssl permits you to run a “secure” web server. If you run webmail a secure server is essential for your security and your client's security. Apache with mod_ssl=https. This is an extra load on your server. If you have many webmail clients you may need to plan accordingly. We'll take a look at some of the signing authorities in your web browser now. Without a signed certificate there is a fundamental problem of trust when connecting to a server.

Exercises And, now let's install Apache with mod_ssl and generate our own local certificate that we'll sign using our own private key...

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.