Installing Apache with SSL (version 2.2.xx)

Objectives

This exercise will show you how to configure and install an SSL Apache server. 
Specifically you will learn how to do the following:

Obtain necessary software
Verify the authenticity of software downloaded
Configure, compile and install OpenSSL libraries
Configure, compile and install the server with SSL support
Create a server certificate
Create and protect a private server key
Create a certificate signing request file
Understand the purpose of a Certification Authority
Run the Apache server on different ports, offering both non-secure and secure connections
Create a self-signed server certificate
Recognize the main elements and settings of a secure server

Installation and configuration instructions

Complete all steps outlined below. Remember to use the /tmp directory for untarring, configuring and compiling the source code of all software involved. Make sure that you have enough room in your account before you begin - the logs of your existing server may have become very large by now. Purge them as needed. The key to successful completion of this exercise is to follow the instructions accurately in the outlined sequence.

Please do not copy and paste commands from this page, but rather type them while thinking about what they do.

Software required

To perform the installation you will require 2 pieces of software (source code):

OpenSSL: download the latest release (not just the engine!) from www.openssl.org/source/
Apache 2.2.xx source: download the latest 2.2.xx version from www.apache.org/httpd

Note: downloading OpenSSL may not be necessary. Most Linux systems already have OpenSSL installed. However, you may still need to build your own OpenSSL libraries if the system libraries are out of date. Outdated versions have well-known security holes that can be used to compromise a seemingly secure server.

Check the version of the system's OpenSSL and determine if the latest version is present.

Command line: openssl version

If the version shown matches the current release listed on www.openssl.org/source/ you can proceed directly to the Apache server installation.

To check that the downloaded source code is intact, compare its digest with the one published on the download page (the md5sum or sha256sum utility). Be aware of what that check proves: a digest fetched from the same site as the tarball only detects a corrupted or truncated download, because whoever can replace the tarball can replace the digest next to it. Authenticity comes from verifying the detached PGP signature (the .asc file) that both OpenSSL and Apache publish for every release, with gpg and the project's published signing key, whose fingerprint you should confirm from a source other than the download site. Perform both checks for the OpenSSL and the Apache source code.
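As an added example, not part of the original exercise, the shell script below does the integrity check with either digest and the authenticity check with gpg. It assumes the tarball, its published digest file (FILE.sha256 or FILE.md5) and its detached signature (FILE.asc) are in the current directory, and that the project's release-signing key is already in your gpg keyring; the file names in the comments are placeholders.

```sh
#!/bin/sh
# verify_download.sh - integrity and authenticity checks for a source tarball.
# Added example for this exercise; not code from the original page, OpenSSL
# or Apache. Assumed layout: FILE, FILE.sha256 (or FILE.md5) and FILE.asc in
# the current directory.

# digest_of FILE ALGO -> lower-case hex digest; ALGO is md5 or sha256.
digest_of() {
    file=$1; algo=$2
    case "$algo" in
        md5|sha256) ;;
        *) echo "digest_of: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | cut -d' ' -f1
    else
        # Fallback when coreutils is absent: openssl dgst -r prints "HEX *FILE".
        openssl dgst -r "-$algo" "$file" | cut -d' ' -f1
    fi
}

# read_digest_file DIGESTFILE -> the hex digest it contains, whatever the
# layout ("HEX", "HEX  FILE", "HEX *FILE" or "MD5(FILE)= HEX").
read_digest_file() {
    tr 'A-Z' 'a-z' < "$1" | grep -oE '[0-9a-f]{32,}' | head -n1
}

# verify_digest FILE EXPECTED [ALGO] -> 0 if FILE's digest equals EXPECTED.
# A mismatch means the download is corrupt, truncated or replaced.
verify_digest() {
    file=$1; expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); algo=${3:-sha256}
    actual=$(digest_of "$file" "$algo") || return 2
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_signature FILE -> 0 if FILE.asc is a good signature over FILE by a
# key in your keyring. gpg exits non-zero for a bad signature or unknown key.
verify_signature() {
    file=$1
    if ! command -v gpg >/dev/null 2>&1; then
        echo "verify_signature: gpg is not installed" >&2
        return 2
    fi
    gpg --verify "$file.asc" "$file"
}

# verify_download FILE -> run both checks. The digest alone is not enough:
# whoever can replace the tarball can replace the digest file as well.
verify_download() {
    file=$1
    if [ -r "$file.sha256" ]; then
        verify_digest "$file" "$(read_digest_file "$file.sha256")" sha256
    elif [ -r "$file.md5" ]; then
        verify_digest "$file" "$(read_digest_file "$file.md5")" md5
    else
        echo "verify_download: no digest file for $file" >&2
        return 2
    fi || { echo "verify_download: digest mismatch for $file" >&2; return 1; }
    verify_signature "$file" ||
        { echo "verify_download: signature check failed for $file" >&2; return 1; }
    echo "$file: digest and signature OK"
}

# Usage: sh verify_download.sh httpd-2.2.xx.tar.gz (placeholder file name)
[ $# -gt 0 ] && verify_download "$1"
```

An MD5 digest is still fine for spotting a damaged download, which is all a digest from the same server can do; the signature check is the one that tells you the code came from the project.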

OpenSSL configuration and installation

  1. Un-tar the downloaded OpenSSL source. Remember to do your work in a private directory in /tmp.

        Command line: tar xvzf open*gz

  2. Configure OpenSSL:

        Command line: cd  openssl*
        Command line: ./config  --prefix=$HOME/openssl --openssldir=$HOME/openssl

    Notes: the system OpenSSL lives under /usr (the openssl command in /usr/bin, the libraries under /usr/lib). We install into a separate prefix so that our build cannot overwrite the system copy that other software depends on, and so that Apache can be pointed at it explicitly.
  3. Compile and install the OpenSSL libraries:

        Command line: make
        Command line: make  install

    Notes: running make test between the two commands is worth the time; it exercises the freshly built library before anything links against it.
  4. Remove the OpenSSL tar file and source directory, as they are no longer needed.


SSL Apache 2.2.xx configuration and installation

  1. Un-tar the Apache source code. Don't forget to use a private directory in /tmp.

        Command line: tar  xvzf  httpd-*gz

  2. Configure Apache.

        Command line: cd httpd-*
        Command line: ./configure  --prefix=$HOME/shttpd --enable-ssl --with-ssl=PATH

    Notes: PATH in --with-ssl=PATH is the absolute path of your OpenSSL installation, i.e. the prefix you used in the previous part ($HOME/openssl). The option can be omitted if you are using the system OpenSSL libraries; configure then finds them on its own.

Once you have completed the above steps without errors, compile and install the server as usual (make, then make install).

If there were no installation errors you should be able to start your server as usual after setting the Listen directive in httpd.conf. Test this now to verify that the installation was successful. Also confirm that mod_ssl actually went into the build: mod_ssl.c should appear in the list of compiled-in modules printed by httpd -l (if you built it as a shared module instead, look for ssl_module in the output of httpd -M once the server is configured).

Creating a certificate for your server

A secure server requires a server certificate before it can establish secure connections. In this step you will create a self-signed certificate. If you have installed your own OpenSSL libraries make sure that you are actually using those and not the system libraries.

  1. Change your present working directory to the directory where you installed OpenSSL, so that the ./openssl below is your own build and not the system one.

    Command line: cd  ~/openssl/bin

  2. Create your private server key.

    Command line: ./openssl  genrsa  -rand  somefile  -out  server.key  2048

    Notes:
    • The key size: earlier versions of this exercise used 1024 bits. 1024-bit RSA has been disallowed by NIST since 2013 and is no longer accepted by public CAs; use 2048 bits or more.
    • The -rand option mixes the contents of somefile into OpenSSL's random number generator as additional seed material. It does not by itself make the key unique or secret: that rests on the operating system's random source (/dev/urandom), which current OpenSSL releases seed from automatically, so -rand can simply be left out. If you do use it, do not point it at files other users can read, such as httpd.conf or your Apache logs; seed material an attacker can obtain too adds nothing.
    • Normally the private key file should be encrypted. Add the -des3 option to the command line above to do so. On a production server this is worth having, because a copy of the file (from a backup, a stolen disk or a careless permission) is then useless without the passphrase; it complements file permissions rather than replacing them. The cost is that you will be prompted for the passphrase every time the server is started (mod_ssl's SSLPassPhraseDialog directive controls how).

  3. Have a look at the contents of your generated key. Notice the different output depending on how you look at it: cat shows the Base64 (PEM) encoding, the second command decodes it and prints the components of the key.

    Command line: cat  server.key
    Command line: ./openssl  rsa  -noout  -text  -in  server.key

  4. Protect your private key from outside access.

    Command line: chmod  400  server.key

  5. Create a certificate signing request. You will be prompted for several pieces of information. Enter them to the best of your knowledge; the Common Name must be the host name users will type into the browser (for this exercise, your server's host name). Leave the challenge password and optional company name empty.

    Command line: ./openssl  req  -new  -key  server.key  -out   server.csr

  6. Look at the contents of your Certificate Request. As before, each of the command lines below produces different output. Take note of that.

    Command line: cat  server.csr
    Command line: ./openssl  req  -noout  -text  -in  server.csr

Signing the Certificate

Under normal circumstances the certificate signing request would be submitted to a Certification Authority for processing. Since this is associated with a fee and is not necessary for your server to operate, you will become your own CA and sign your certificate yourself. Please remember that self-signed certificates are not trusted and are only meant for testing. Browsers will issue warnings every time you access your secure server. Although your self-signed certificate will not be trusted, it is perfectly good for obtaining encrypted connections. Be clear about what that does and does not buy you: the connection is encrypted, but nothing proves to the browser that the certificate it received is yours rather than one generated, with the same name in it, by an attacker on the network path. The browser warning is the only thing standing between the user and such an attacker, so a user who clicks through it should first compare the certificate's fingerprint with one you gave them by some other channel.


  1. Create a self-signed x509 certificate.

    Command line: ./openssl  x509  -req  -days  365  -in  server.csr  -signkey  server.key  -out  server.crt

    Notes: -req tells x509 to read a certificate request rather than a certificate; -signkey signs it with the very key that made it, which is what makes the result self-signed. Two things this command does not do that current browsers require: it copies no extensions from the request, so the host name ends up only in the Common Name and not in a subjectAltName extension (browsers have matched host names against subjectAltName only, for years now), and older OpenSSL releases sign with SHA-1 by default. Add -sha256, and supply the extensions through -extfile, to get a certificate that a current browser accepts once the user has trusted it.

  2. Have a look at the certificate details:

    Command line: ./openssl x509 -text -noout -in server.crt
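The whole procedure of the last two sections (key, permissions, request, self-signed certificate) as one script, added here as an example and not code from the original page or from OpenSSL. It goes a little beyond the steps above: it uses 2048 bits, signs with SHA-256, puts the host name into subjectAltName, writes its own minimal openssl.cnf so it does not depend on the system one, and adds the checks a practitioner wants afterwards (that the certificate really belongs to the key, that the certificate validates against itself as a user who pins it would see it, and the SHA-256 fingerprint to hand to users). The subject fields C=XX and O=Example Lab are placeholders; it assumes the openssl on PATH is the build you intend to use.

```sh
#!/bin/sh
# make_server_cert.sh - private key, CSR and self-signed certificate in one go.
# Added example for this exercise; not code from the original page or from
# OpenSSL. Assumes the openssl command on PATH is the build you want, e.g.
#   PATH=$HOME/openssl/bin:$PATH sh make_server_cert.sh OUTDIR HOSTNAME

# make_server_cert OUTDIR HOSTNAME [DAYS]
# Writes server.key, server.csr and server.crt into OUTDIR.
make_server_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # Owner-only permissions for everything created from here on: the key
    # must never sit on disk with a wider mode, not even for a moment.
    umask 077
    # Minimal configuration so the script does not depend on the system's
    # openssl.cnf; -subj supplies the subject, so the section can stay empty.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
EOF
    OPENSSL_CONF="$dir/openssl.cnf"; export OPENSSL_CONF
    # 2048-bit RSA: the exercise's original 1024 bits is no longer acceptable.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 400 "$dir/server.key"
    # The request, without interactive prompts (C and O are placeholders).
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/server.key" \
        -out "$dir/server.csr" -subj "/C=XX/O=Example Lab/CN=$host" || return 1
    # Extensions for the certificate: x509 -req copies none from the CSR.
    # keyUsage is deliberately left out: if it is present without keyCertSign,
    # OpenSSL's verifier will not accept the certificate as its own issuer.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    rm -f "$dir/server.ext"
}

# cert_matches_key DIR -> 0 when server.crt carries the public half of
# server.key. Compares the public keys instead of trusting file names.
cert_matches_key() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san DIR HOST -> 0 when HOST is listed in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# self_signed_verifies DIR -> 0 when the certificate validates with itself as
# the only trust anchor, which is what a user who pins it is relying on.
self_signed_verifies() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_fingerprint DIR -> SHA-256 fingerprint, the value to give users so they
# can compare it with what the browser shows before accepting the warning.
cert_fingerprint() {
    openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

[ $# -ge 2 ] && {
    make_server_cert "$1" "$2" "$3" || exit 1
    cert_matches_key "$1" || { echo "certificate/key mismatch" >&2; exit 1; }
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
}
```

Copy server.key and server.crt from OUTDIR into your server's conf directory as in the next section; server.csr is only needed if you later decide to have a real CA sign it.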

Installing the certificate

The stock conf/extra/httpd-ssl.conf points SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key in the server's conf directory (the paths are absolute and include your install prefix; check them). Place the appropriate files in your server's conf directory, where SERVER_ROOT is your install prefix, $HOME/shttpd in this exercise.

        Command line: cp  server.key  SERVER_ROOT/conf/server.key
        Command line: cp  server.crt  SERVER_ROOT/conf/server.crt

After copying, check with ls -l that conf/server.key is still mode 400 (cp applies your umask to the copy) and is owned by the account the server is started under; the certificate is public and may stay world-readable.
 

Configuring Apache for SSL

  1. If you have not done it already configure your server to listen to one of your ports (in httpd.conf ).
  2. Configure your secure server.

    The secure configuration is stored in the conf/extra/httpd-ssl.conf file. At least the following must be set:

  • Listen: set it to one of your ports, different from the one you used for the non-encrypted Listen in httpd.conf. Two Listen lines for the same port make the server refuse to start.
  • VirtualHost: set it to reside at the secure port (<VirtualHost _default_:port>).
  • ServerName: within the virtual host, set it to your server name including the port.
  • SSLCertificateFile and SSLCertificateKeyFile: make sure they point at the server.crt and server.key you installed in the previous step (the stock file already has SSLEngine on inside the virtual host).

Don't forget to uncomment the appropriate Include line in your httpd.conf, so your server is aware of httpd-ssl.conf. Run apachectl configtest (or httpd -t) before starting; it catches a wrong path or a duplicated Listen before the server is left half-started.
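An added example, not part of the original page or of the Apache distribution: a small shell check that reads the two configuration files and flags the mistakes this step most often produces (both Listen lines on one port, a VirtualHost on the wrong port, a ServerName without the port, a still-commented Include, a missing certificate or key file, a key other users can read). It assumes the layout used in this exercise, SERVER_ROOT/conf/httpd.conf and SERVER_ROOT/conf/extra/httpd-ssl.conf, and resolves relative certificate paths against SERVER_ROOT, as Apache does for ServerRoot-relative paths.

```sh
#!/bin/sh
# check_ssl_conf.sh - sanity checks for the secure-server configuration.
# Added example for this exercise; not code from the original page or from
# Apache. Assumed layout: SERVER_ROOT/conf/httpd.conf and
# SERVER_ROOT/conf/extra/httpd-ssl.conf, certificate and key referenced from
# the latter by absolute path or by a path relative to SERVER_ROOT.

# directive FILE NAME -> value of the first uncommented NAME line, unquoted.
directive() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n1 |
        awk '{print $2}' | tr -d '"'
}

# port_of VALUE -> the port in "8443", "192.0.2.1:8443" or "[::1]:8443".
port_of() {
    printf '%s\n' "$1" | sed 's/.*://'
}

# vhost_port SSL_CONF -> the port in the first "<VirtualHost ...:PORT>" line.
vhost_port() {
    grep -i '^[[:space:]]*<VirtualHost' "$1" | head -n1 |
        sed 's/.*:\([0-9][0-9]*\)>.*/\1/'
}

# resolve ROOT PATH -> PATH if absolute, else ROOT/PATH.
resolve() {
    case "$2" in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$1" "$2" ;; esac
}

# check_ssl_conf SERVER_ROOT -> 0 if every check passes, 1 otherwise;
# each failed check is reported on stderr.
check_ssl_conf() {
    root=$1
    main="$root/conf/httpd.conf"
    ssl="$root/conf/extra/httpd-ssl.conf"
    fail=0
    complain() { echo "check_ssl_conf: $*" >&2; fail=1; }

    [ -r "$main" ] || { complain "missing $main"; return 1; }
    [ -r "$ssl" ]  || { complain "missing $ssl"; return 1; }

    plain_port=$(port_of "$(directive "$main" Listen)")
    ssl_port=$(port_of "$(directive "$ssl" Listen)")
    [ -n "$plain_port" ] || complain "no Listen in httpd.conf"
    [ -n "$ssl_port" ]   || complain "no Listen in httpd-ssl.conf"
    [ "$plain_port" != "$ssl_port" ] ||
        complain "plain and SSL Listen both use port $ssl_port"

    [ "$(vhost_port "$ssl")" = "$ssl_port" ] ||
        complain "VirtualHost is not on the SSL Listen port $ssl_port"

    case "$(directive "$ssl" ServerName)" in
        *:"$ssl_port") ;;
        *) complain "ServerName should carry the port (host:$ssl_port)" ;;
    esac

    grep -Eiq '^[[:space:]]*Include[[:space:]]+.*httpd-ssl\.conf' "$main" ||
        complain "httpd.conf does not Include httpd-ssl.conf (still commented out?)"

    [ "$(directive "$ssl" SSLEngine | tr 'A-Z' 'a-z')" = "on" ] ||
        complain "SSLEngine is not 'on' in the secure VirtualHost"

    crt=$(resolve "$root" "$(directive "$ssl" SSLCertificateFile)")
    key=$(resolve "$root" "$(directive "$ssl" SSLCertificateKeyFile)")
    [ -r "$crt" ] || complain "certificate not found: $crt"
    [ -r "$key" ] || complain "private key not found: $key"
    # Group and other permission bits of the key must all be off (chmod 400).
    if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        complain "private key $key is readable by others; chmod 400 it"
    fi
    return $fail
}

# Usage: sh check_ssl_conf.sh $HOME/shttpd
[ $# -gt 0 ] && check_ssl_conf "$1"
```

The check complements apachectl configtest rather than replacing it: configtest knows the syntax, but not that you intended two different ports or that the key should be private.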

Starting and stopping an SSL Apache server

The Apache control script - apachectl can be also used to start and stop the server when configured for SSL. There is no difference from a non-SSL server. Just remember that you have an extra virtual host now.

When accessing the new server use the http:// prefix when connecting to the un-secure port and the https:// prefix when connecting to the secure port. The https:// prefix directs the browser to negotiate SSL (today its successor, TLS) before it sends the request. The appropriate port number must be specified after the colon in both cases. Try to access the secure port using just the http:// prefix. Notice the message in the browser: mod_ssl answers a plain-text request on the SSL port with an error page telling you that you are speaking plain HTTP to an SSL-enabled port.

Try to access your server using both ports. What happens? What messages do you get? How should you access secure servers differently than regular ones?

When connecting to your secure port you will be offered a certificate when you try to connect. Take a look at your certificate. Do you see the data you have entered during installation?

From now on you are able to offer secure, encrypted transactions using your secure server. Whenever your site handles personal information (some people believe that all information is personal) you should handle it over a secure connection so it cannot be seen or tampered with in transit. Secure communication over the Internet is a fascinating topic with a very big future. We hope that you take what you have started to learn here and build on it. There is much to learn, but it is very worthwhile. This is possibly the simplest of installations for SSL. If you want an inkling of the choices you can make when installing these packages, read the INSTALL files in the source directories after you unpack the tarballs. They are quite informative. Perhaps you want to create a more specific certificate. Every time you attempt a new setup it is recommended that you start with fresh source directories and a new destination directory.

Additional information

To experience connecting to a web server at the HTTP protocol level you have used telnet in the past (the request line is followed by an empty line, which ends the request).

telnet  localhost  port
GET  /  HTTP/1.0


Unfortunately this approach will not work with SSL due to the nature of the connection: the server expects a TLS handshake before any HTTP, and telnet sends your keystrokes in the clear. If you wish to see the response headers from a secure server you can use the client built into the openssl command, which performs the handshake and then passes whatever you type through the encrypted connection.

openssl  s_client  -connect  localhost:port  -state  -debug
GET  /  HTTP/1.0


By using this method you will be able to see the response header lines as well as the details of the SSL handshake (-state prints each handshake state, -debug dumps the raw bytes; drop -debug when you only want the headers). s_client also prints the certificate the server sent and the verification result, which for your self-signed certificate will be a "self signed certificate" error - the same condition that makes the browser warn.