Apache and OpenSSL

Adding to the previous post titled “An Apache Implementation”, today we will discuss implementing OpenSSL under Apache. To quote from the OpenSSL site, OpenSSL is “a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.” Most operating systems ship with OpenSSL installed, so do not download and install it yourself. Doing so could break applications that rely on the pre-installed version of OpenSSL. Work with what you have. After all, there is more to life than just installation. There is configuration and certification.

If you are using Apache 2.x, which is what we installed in the previous post, Apache already supports SSL through the mod_ssl module. To check whether mod_ssl is compiled into your Apache build, run the command:

/usr/local/apache/bin/httpd -l

Having established that the mod_ssl module is installed, we will now go through the steps of generating a certificate request, signing the certificate, and adding the lines required for an SSL-enabled server to the Apache configuration file.

Key Generation

We start off by generating an unencrypted (not password-protected) 1024-bit server private key using the RSA algorithm. We will have the key stored in the file server.key.

root# cd /usr/local/apache/conf
/usr/local/apache/conf root# mkdir ssl
/usr/local/apache/conf root# cd ssl
/usr/local/apache/conf/ssl root# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................................................................++++++
....++++++
e is 65537 (0x10001)

/usr/local/apache/conf/ssl root# cat server.key
/usr/local/apache/conf/ssl root# chmod 400 server.key

Certificate Signing Request (CSR)

The next step is to create a certificate signing request (CSR), the message sent to a certificate authority (CA) asking it to sign your certificate. If you want a field to be empty, do not just hit return; that selects the default value shown in brackets. Instead, enter “.”. Below, I have left my responses off. Enter your own appropriate values. The generated CSR will be written to the file server.csr.

/usr/local/apache/conf/ssl root# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
/usr/local/apache/conf/ssl root# cat server.csr

You can now send the CSR server.csr to your public CA, which will generate and sign the certificate. To make things more interesting, we are instead going to sign our own CSR and generate a self-signed certificate, server.crt. You can use the command “openssl x509” to examine the certificate.

/usr/local/apache/conf/ssl root# openssl x509 -req -days 365 -in server.csr \
-signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=New Jersey/L=Princetown/O=PU/OU=RS/CN=podus.pu.edu/emailAddress=jbond@pu.edu
Getting Private key
/usr/local/apache/conf/ssl root# openssl x509 -text -in server.crt
/usr/local/apache/conf/ssl root# chmod 400 server.crt
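
The key, CSR and self-signing steps above, gathered into one non-interactive script together with the checks a deployer should run before pointing Apache at the files. This is an added example, not the post's own commands; it assumes only the openssl command-line tool, uses a 2048-bit key instead of the post's 1024, and writes to a directory you pass in rather than /usr/local/apache/conf/ssl.

```shell
#!/bin/sh
# Added example (not from the original post): the key / CSR / self-signed
# certificate steps as one non-interactive script, plus the checks a
# deployer should run before pointing Apache at the files.
# Assumes only the openssl CLI and a writable directory given as $1.
set -eu

# make_selfsigned DIR CN DAYS: writes server.key, server.csr, server.crt into DIR.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # 2048 bits: the post used 1024, which is no longer an acceptable RSA size.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 400 "$dir/server.key"
    # -subj supplies the Distinguished Name instead of the interactive prompts;
    # CN must be the hostname clients will type, or browsers report a mismatch.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=New Jersey/O=PU/CN=$cn"
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir/server.crt"
}

# key_matches_cert DIR: true if server.crt was issued for the key in server.key.
# Comparing the RSA modulus catches the classic "wrong key file" mistake that
# makes httpd refuse to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key")
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    [ "$k" = "$c" ]
}

# cert_cn DIR: prints the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/server.crt" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# selfsigned_verifies DIR: a self-signed cert validates only against itself;
# this is what a client that trusts server.crt explicitly would do.
selfsigned_verifies() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}
```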

Configuration

Now we are going to enable SSL on our Apache server, listening on port 443 and using the certificate generated above. We are also going to disable SSLv2, since it has known weaknesses and is disabled by default in Internet Explorer 7, Firefox 2, Opera 9, and Safari.

Modify the apache configuration file:

/usr/local/apache/conf/httpd.conf

adding the lines:

Listen 443
<VirtualHost _default_:443>
#   SSL Engine Switch:
SSLEngine on
#   Path to the server certificate
SSLCertificateFile "/usr/local/apache/conf/ssl/server.crt"
#   Path to the server private key
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/server.key"
#   Disable SSLv2 (SSLv3 and TLSv1 remain enabled)
SSLProtocol All -SSLv2
#   SSL Cipher Suite:
#   Disallow ciphers that are weak (export, NULL, anonymous DH, low grade)
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
#   Make SSL work with Internet Explorer
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

Depending on your requirements, you might want to run the server only over SSL. You can do this by stopping the server from listening on port 80, but then users who type a plain http URL get an “unable to connect” message. It is usually better to redirect traffic arriving over http to https. A great source of recipes for rewrite rules is the mod_rewrite Cookbook site.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

We will also limit who can access the site by restricting access to the “/” directory. In the example below, we limit it to 127.0.0.1. In the httpd.conf file, after the line “<Directory />”, add the line:

SSLRequire %{REMOTE_ADDR} =~ m/^127\.0\.0\.1$/
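
A small audit of the mod_ssl directives from this section, added here as an example and not part of the original post: it reads an httpd.conf, checks the SSLEngine, SSLProtocol, SSLCipherSuite and SSLRequire settings against what is configured above, and returns the number of findings. It assumes one directive per line and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the original post): a small audit of the mod_ssl
# directives shown above. Reads the httpd.conf given as $1, prints one
# finding per line and returns the number of findings (0 means clean).
# Assumes one directive per line and does not follow Include lines.

# last_directive FILE NAME: prints the last occurrence of directive NAME.
last_directive() {
    grep -Ei "^[[:space:]]*$2([[:space:]]|$)" "$1" | tail -n 1
}

audit_ssl_conf() {
    conf=$1
    findings=0
    # The engine switch: without it the 443 vhost serves plaintext HTTP.
    case "$(last_directive "$conf" SSLEngine)" in
        *[Oo][Nn]) ;;
        *) echo "SSLEngine is not switched on"; findings=$((findings + 1)) ;;
    esac
    # SSLv2 must be excluded explicitly, as in the post's "All -SSLv2".
    # (SSLv3 was broken later as well, by POODLE in 2014; a current
    # configuration excludes it the same way.)
    proto=$(last_directive "$conf" SSLProtocol)
    case "$proto" in
        *-SSLv2*) ;;
        *) echo "SSLProtocol does not disable SSLv2: '${proto:-missing}'"
           findings=$((findings + 1)) ;;
    esac
    # The cipher list must exclude export, NULL, anonymous-DH and LOW grades.
    ciphers=$(last_directive "$conf" SSLCipherSuite)
    for weak in EXP NULL ADH LOW; do
        case "$ciphers" in
            *"!$weak"*) ;;
            *) echo "SSLCipherSuite does not exclude $weak"
               findings=$((findings + 1)) ;;
        esac
    done
    # In SSLRequire's regex an unescaped '.' matches any character; a
    # digit-dot-digit sequence means the address was not written literally.
    if last_directive "$conf" SSLRequire | grep -Eq '[0-9]\.[0-9]'; then
        echo "SSLRequire address regex has unescaped dots (use \\. for a literal match)"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```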

Start Apache with the command:

/usr/local/apache/bin/apachectl start

You can try to access the web server with the URL:

http://yourhostname/

You will get the message:

Forbidden
You don't have permission to access / on this server.

Notice that the URL has changed from “http://yourhostname” to “https://yourhostname”. Now try to access the site using:

http://127.0.0.1/

You will be prompted whether to accept the certificate. Since you are accessing 127.0.0.1, the browser will complain about a domain name mismatch: the host you are accessing needs to match the “Common Name” you provided in the CSR. If you accept the certificate, you can access the site.

Final Thoughts

At this point, we have secured communication between the client and the Apache web server. In my next post, we will discuss installing one more module, mod_security. Mod_security is a web application firewall and serves as another layer in our web defenses. It is not meant as a replacement for implementing good security in databases, web servers, or applications; that is why we have gone through all these additional steps first. Remember, SSLv2 was once thought to be secure. Now we know otherwise. Vulnerabilities are continuously being discovered. Good security is about building up one’s defenses. It is a process, not a destination. Maybe one day some company will have a security solution that will defend systems against all threats. I know that is not today, no matter what sales folks might say. And when that day comes, you can bet that before the solution makes it to market, hackers will have found a way around it. So while we wait for the security rapture to take us to the secure promised land, implement security in layers. It is your best defense.
