Presentation is loading. Please wait.

Presentation is loading. Please wait.

Apache ssl Objectives Contents Practical Summary Setup Apache + ssl

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Apache ssl Objectives Contents Practical Summary Setup Apache + ssl"— Presentation transcript:

1 Apache ssl Objectives Contents Practical Summary Setup Apache + ssl
Recompile Apache for mod_ssl Generating Certifikates Self signed certificate SSL Virtualhos Practical Setup Apache with SSL Summary This section will serve as a very brief introduction to SSL, the Secure Socket Layer. Cryptography is a very extensive topic which literally fills volumes of texts. The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process. There may be some small inaccuracies in an effort to present the information in the easiest possible format. Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser). SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server. If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary--the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

2 Apache need module ssl Goto Apache 2 sourcetree
Configure Apache2 for SSL support Make Apache2 Install Apache2 binaries and modules plus configuration Add ssl_module to /etc/httpd/httpd.conf After last LoadModule add: Include /etc/httpd/extras/httpd-ssl.conf in httpd.conf # cd /usr/local/src/apache-2.2.0 # ./configure --enable-layout=SuSE --libexecdir=/usr/lib/httpd/modules --enable-mods-shared=all --enable-ssl # make # make install You will need to go back and rebuild apache with loadable module mod_ssl. LoadModule ssl_module lib/httpd/modules/mod_ssl.so Include /etc/httpd/extra/httpd-ssl.conf

3 Generating a Private Key and CSR
Create a storage for certificates and keys Create your RSA Private Key 1024 bit RSA Triple-DES Remove the pass-phrase Unless you want to enter it everytime Apache2 is started/rebooted # cd /etc/httpd ; mkdir certs # openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024 The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage. The utility used to do all of these tasks is known simply as openssl. It should be installed in the /usr/local/ssl/bin directory. You may want to add this directory to your PATH, or copy or link the openssl utility to a directory that is already in your PATH so that you do not have to type the full path to the executable. The examples below will assume that openssl is in a location that is accessible to you without using the full path to the command. The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text. We will use several files as random seed enhancers which will help to make the key more secure. Text files that have been compressed with a utility such as gzip are good choices. The key is generated using the following command, where file1:file2:etc represents the random compressed files. The command will prompt you for a pass-phrase and then store the key in the file server.key. It is critical that the pass-phrase be secure and not forgotten. If either the key is lost, or the pass-phrase is forgotten, the certificate will be useless! It cannot be stressed enough how important the private key is to the certificate. If the private key and pass-phrase are compromised, the certificate will have to be revoked, costing you the price of the certificate all over again if you have paid an authority for the certificate. It may be a wise idea to back this file up to secure media, such as tape or diskette. Remove passphrase: One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. # openssl rsa -in server.key -out server.pem

4 Make Certificate Signing Request (CSR)
CSR generation session You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. openssl req -new -key server.pem -out server.csr Country Name (2 letter code) [AU]:SE State or Province Name (full name) [Some-State]:Stockholm Locality Name (eg, city) []:Stockholm Organization Name (eg, company) [Internet Widgits Pty Ltd]:My-Site, AB. Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []: Address Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section. During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be then enter at this prompt. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

5 Generating a Self-Signed Certificate
To generate a temporary certificate which is good for 60 days, issue the following command Here you self-sign your server.csr to prove that you are you, it is nothing wrong with that and security is as high as any signing your certificates. Only difference is that some appz (browsers) will complain that it page / server is not signed by a trusted party. # openssl x509 -req -days 60 -in server.csr -signkey server.pem -out server.crt At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. In my experience dealing with Thawte, it can take up to a week or more before receiving your signed certificate. The time it takes to receive the certificate will vary based on how quickly they receive your required documentation. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted

6 Installing the Private Key and Certificate
Configuring SSL Enabled Virtual Hosts <IfDefine SSL> <VirtualHost _default_:443> ServerAdmin DocumentRoot /usr/local/httpd/securedocs ServerName #ScriptAlias /cgi-bin/ /usr/local/httpd/cgi-bin/ SSLEngine on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.pem #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown CustomLog /var/log/httpd/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" <Directory /> AllowOverride FileInfo AuthConfig Limit Options Indexes MultiViews Includes ExecCGI FollowSymLinks <Limit GET POST OPTIONS PROPFIND> Order allow,deny Allow from all </Limit> <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> Order deny,allow Deny from all </Directory> </VirtualHost> </IfDefine> When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled. If using my instructions on compiling Apache, the config directory is /etc/httpd. The directories mod_ssl creates include ssl.crt, ssl.csr, and ssl.key. These are good locations to store server certificates, CSRs, and private keys, respectively. If there will be multiple SSL enabled hosts on one server, it may be good practice to name the files with the fully qualified domain name of the SSL enabled host. When adding SSL enabled virtualhosts to the web server, I prefer to keep all of the SSL virtualhosts in a separate file. This insures that all SSL hosts can be easily found in one location and helps to keep the httpd.conf file from growing too large. The SSL virtualhosts will be kept in a file called httpd-ssl.conf. Extensive examples of SSL configurations for a virtualhost are included as part of the /etc/httpd/extra/httpd-ssl.conf file installed with mod_ssl. Please refer to this file and to the mod_ssl documentation for more detailed information on configuration options. This will create an SSL virtualhost named which is accessed via port 443 (the standard port for https) on the default IP address of the web server. It is possible to add as many additional virtualhosts as there are IP addresses that the web server listens to. Simply add additional virtualhost blocks inside of the <IfDefine SSL> and </IfDefine> tags. Due to the nature of the SSL encryption of the HTTP traffic, it is NOT possible to have name-based (HTTP1.1) SSL virtual hosts. To create a new SSL virtualhost on a different IP address, simply replace _default_ with the IP address of the virtualhost.

7 Restarting Apache2 and test ssl
Make the virtualhost DocumentRoot Add a ”testpage” to your secure DocumentRoot Stop and start Apache2 Check Apache2 logbook You should be able to see that mod_ssl is loaded and configured Open your secure page in a web-browser # mkdir /usr/local/httpd/securedocs # echo ”Not yet, soon now!” > /usr/local/httpd/securedocs/index.html # apachectl stop ; apachectl start # tail /var/log/httpd/error_log [Tue Feb 21 20:29: ] [notice] caught SIGTERM, shutting down [Tue Feb 21 20:29: ] [notice] Digest: generating secret for digest authentication ... [Tue Feb 21 20:29: ] [notice] Digest: done [Tue Feb 21 20:29: ] [notice] Apache/2.2.0 (Unix) DAV/2 PHP/5.1.2 mod_ssl/2.2.0 OpenSSL/0.9.7e configured -- resuming normal operations After adding the virtualhost to the httpd-ssl.conf file, Apache must be killed and restarted in order for it to recognize the new virtualhost. Unfortunately, this is one of the rare instances where a simple HUP signal will not work. After restarting the server, depending on whether the encrypted or unencrypted key was used, Apache will prompt you for the pass-phrase(s) of the SSL virtualhost(s). Enter the pass-phrase(s) and the web server will start. Now, point your favorite browser to the new virtualhost you just created, remembering to use instead of and you should be greeted with a warning dialog if you are using the self-signed certificate. Acknowledge the dialog and the page will continue to load, protected by SSL. The status bar of your browser should be graced by the 'lock' icon, which signifies the page is protected via SSL. This is all there is to it!

Download ppt "Apache ssl Objectives Contents Practical Summary Setup Apache + ssl"

Similar presentations

Pakiti.

Pakiti.
HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.

HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.
Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.

Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.
Introduction to OpenSSL Jing Dalhousie University.

Introduction to OpenSSL Jing Dalhousie University.
Dan Fleck.  WAMP – Windows Apache MySQL PHP -  LAMP – Linux Apache MySQL PHP ◦ There are.

Dan Fleck.  WAMP – Windows Apache MySQL PHP -  LAMP – Linux Apache MySQL PHP ◦ There are.
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
Configuring a Web Server. Overview  Understand how a Web server works  Install IIS (Internet Information Services) and Apache Web servers  Examine.

Configuring a Web Server. Overview  Understand how a Web server works  Install IIS (Internet Information Services) and Apache Web servers  Examine.
Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526.

Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.
SquirrelMail for Webmail AfNOG 2012 Scalable Internet Services (SS-E) Presented by Michuki Mwangi Serrekunda, Gambia (Original Materials by Joelja)

SquirrelMail for Webmail AfNOG 2012 Scalable Internet Services (SS-E) Presented by Michuki Mwangi Serrekunda, Gambia (Original Materials by Joelja)
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
SquirrelMail for Webmail AfNOG 2013 Scalable Internet Services (SS-E) Presented by Michuki Mwangi Lusaka, Zambia (Original Materials by Joelja)

SquirrelMail for Webmail AfNOG 2013 Scalable Internet Services (SS-E) Presented by Michuki Mwangi Lusaka, Zambia (Original Materials by Joelja)
Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.
Virtual Hosts The apache server can handle multiple “web sites” at a time – a web service provider company may have multiple different sites to offer (see.

Virtual Hosts The apache server can handle multiple “web sites” at a time – a web service provider company may have multiple different sites to offer (see.
Secure Sockets Layer (SSL) Fred Schank Kevin Wetter.

Secure Sockets Layer (SSL) Fred Schank Kevin Wetter.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
SSL Technology Overview and Troubleshooting Tips.

SSL Technology Overview and Troubleshooting Tips.
Linux Operations and Administration

Linux Operations and Administration
Setting up Greenstone for your organization Course material prepared by Greenstone Digital Library Project University of Waikato, New Zealand andNational.

Setting up Greenstone for your organization Course material prepared by Greenstone Digital Library Project University of Waikato, New Zealand andNational.

Similar presentations

Ads by Google