Published at 2.9.2001
Author: Thomas Kroll
Translator: Unknown

Installation of SSL encryption for Apache

Introduction

Why SSL? I had a lot to do with data security and safety and found out that it is easy to read sensitive data off the network (e.g. passwords of mail providers like GMX, Web.de etc.). So I got in touch with the topic of SSL (with SSL encryption it is not possible to read data easily) and I created this small HowTo, which should help you install an SSL web server.

1. What is needed for the installation?

  • apache 1.3.19 (apache_1.3.19.tar.gz)
  • apache 1.3.19 SSL-encryption (apache_1.3.19+ssl_1.44.tar.gz)
  • patch 2.5.4
  • openssl
All packages can be found at www.apache.org, www.openssl.org or at www.tuxfinder.com.

2. Preparation to patch the sources

First you have to extract the sources of apache.

tar zxvf apache_1.3.19.tar.gz

Then you copy the package apache_1.3.19+ssl_1.44.tar.gz into the created apache directory (apache_1.3.19/).

This is unpacked with the command

tar zxvf apache_1.3.19+ssl_1.44.tar.gz

If patch 2.5.4 or higher and openssl have not been installed, this should be done now, because both packages are required to build apache with SSL support.

3. Patching the sources

To patch the sources you change into the apache directory and execute

./FixPatch

Now everything should be patched. FixPatch may stop because it cannot find openssl. In that case you have to pass the path to openssl as an argument to FixPatch:

./FixPatch /opt/openssl

Of course the path /opt/openssl depends on the local openssl installation.

4. Installation of the web server

To install the web server, execute the following commands. The value of --prefix is the installation directory, e.g. /opt/apache-ssl:

  	 ./configure --prefix=/opt/apache-ssl 
  
  	 make 
  
  	 make install 
  
The web server is installed now.

Then you create a folder which will be needed later

	
  	 mkdir /opt/apache-ssl/htdocs-ssl 
  	 chmod a+rx /opt/apache-ssl/htdocs-ssl 
  	 cd /opt/apache-ssl/ 
  
The structure of the directory should be

   
   /opt/
        apache-ssl/
                   htdocs/
                   htdocs-ssl/
                   conf/
  		 ...
                   etc.
    
  
If your local setup looks identical, you can go on.

5. The security certificate

It is necessary to discuss the settings for the security certificate now to make sure that you can follow this HowTo to its end.

Instead of "server" you can use any name in the following example.

Here is a short instruction for creating a certificate:

  	1.  openssl req -new > server.cert.csr
  
Next you need to set a password (remember it!). The other settings are relevant for the certificate!

  	2.  openssl rsa -in privkey.pem -out server.cert.key
  
To write the RSA key you have to enter the password.

  	3.  openssl x509 -in server.cert.csr -out server.cert.cert \
                                  -req -signkey server.cert.key -days 365 
  
This certificate is valid for only 365 days!

Then you copy both files, server.cert.key and server.cert.cert, to /opt/apache-ssl/conf.

The reason why you had to create the key will become clear in the next point.
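
The three commands above prompt for input. The following added example (not part of the original HowTo) runs them non-interactively in a scratch directory and then checks what matters before the files are copied to /opt/apache-ssl/conf: that key and certificate belong together, that the passphrase-free key is readable by its owner only, and how long the certificate remains valid. The passphrase, the subject name server.example, the 2048-bit key size and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: steps 1-3 run non-interactively, followed by checks.
# Passphrase, subject name and key size are constructed sample values.

make_cert() {            # $1 = output directory
    # Step 1: passphrase-protected key (privkey.pem) and signing request
    openssl req -new -newkey rsa:2048 -keyout "$1/privkey.pem" \
        -passout pass:sample-passphrase -subj "/CN=server.example" \
        -out "$1/server.cert.csr" 2>/dev/null || return 1
    # Step 2: copy of the key WITHOUT passphrase (what the server reads)
    openssl rsa -in "$1/privkey.pem" -passin pass:sample-passphrase \
        -out "$1/server.cert.key" 2>/dev/null || return 1
    # Step 3: self-signed certificate, valid for 365 days
    openssl x509 -req -in "$1/server.cert.csr" -days 365 \
        -signkey "$1/server.cert.key" -out "$1/server.cert.cert" \
        2>/dev/null || return 1
    # The unprotected key must be readable by its owner only
    chmod 600 "$1/privkey.pem" "$1/server.cert.key"
}

key_matches_cert() {     # $1 = key file, $2 = certificate file
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

key_is_private() {       # true if group and others have no access at all
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

cert_valid_for() {       # $1 = certificate file, $2 = seconds from now
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Demonstration in a scratch directory; nothing is written to /opt.
demo=$(mktemp -d)
if make_cert "$demo"; then
    key_matches_cert "$demo/server.cert.key" "$demo/server.cert.cert" \
        && echo "key and certificate belong together"
    key_is_private "$demo/server.cert.key" \
        && echo "key file is not readable by group or others"
    cert_valid_for "$demo/server.cert.cert" 2592000 \
        && echo "certificate is valid for at least 30 more days"
fi
rm -rf "$demo"
```

The same three check functions can be pointed at the files in /opt/apache-ssl/conf after copying them there.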

6. The configuration

The configuration takes most of the time because it is quite complicated. To make it simpler, the configuration is explained using an example.

The configuration files are in /opt/apache-ssl/conf.

First you edit the file httpsd.conf.
Here you have to adjust the lines to your requirements.
If you want to offer unencrypted pages as well, you have to comment out the line

  #Listen 3000
  
with a # in front of it.

If your (insecure) web server runs on port 8080, you should replace 3000 by 8080.

The main change appears at the end of the file. Before the last line you add two include commands.

/opt/apache-ssl/conf/httpsd.conf
  Include "conf/ssl.conf"
  Include "conf/port-443.conf"
  


The meaning of them will be explained in the next section.

After finishing the configuration of httpsd.conf you create a link. It will be needed later when starting the server.

  	 ln -s httpsd.conf httpd.conf 
  
That's it.

6.1 ssl.conf

In ssl.conf you find, for example, the location of the program gcache and which port it uses. Without gcache apache cannot work.

Next you create the file ssl.conf; its contents should look like this:

/opt/apache-ssl/conf/ssl.conf
  SSLDisable
  SSLNoCAList
  
  SSLRandomFile file /var/tmp 1024
  
  SSLCacheServerPath /opt/apache-ssl/bin/gcache
  SSLCacheServerPort logs/gcache_port
  
  SSLCacheServerRunDir /tmp
  SSLSessionCacheTimeout 15
  

6.2 port-443.conf

Do not be scared by the name. The reason for me to name this file in such a way is simple: by default the port for SSL is 443. In this file you specify on which port the server has to wait for commands (listen) and where it finds the security certificates.

/opt/apache-ssl/conf/port-443.conf
  Listen 192.168.11.45:8887
  
  <VirtualHost 192.168.11.45:8887>
  DocumentRoot /opt/apache-ssl/htdocs-ssl
  SSLCertificateFile /opt/apache-ssl/conf/server.cert.cert
  SSLCertificateKeyFile /opt/apache-ssl/conf/server.cert.key
  
  SSLVerifyClient 0
  SSLVerifyDepth 10
  
  SSLBanCipher NULL-MD5:NULL-SHA
  CustomLog    logs/ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
  
  SSLEnable
  </VirtualHost>
  


7. Start and test of the web server

You start the web server with

  	 /opt/apache-ssl/bin/httpsdctl start 
  
Now apache runs with SSL.

You can test apache by creating an index.html file and copying it into both directories, /opt/apache-ssl/htdocs and /opt/apache-ssl/htdocs-ssl.

If you browse to the URLs

  
  http://192.168.11.45:8080
  https://192.168.11.45:8887
  
you should get the same result in both cases.

