Configuring SSL

The security features described previously are all designed to protect information provided by the server. In addition to protecting the security of server data, you are responsible for protecting the security of your client's data. If you want to run an electronic commerce business, you must use a secure server that protects your customers' personal information, such as credit card numbers. Secure Apache servers use Secure Sockets Layer (SSL) to encrypt protected sessions.

SSL is both more powerful and more complex than the security features discussed so far. It is more powerful because it uses public key cryptography for strong authentication and to negotiate session encryption. When SSL is used, the exchange of data between the client and server is encrypted. Everything sent from the client and the server is protected. SSL is also more complex because external tools must be used to create the keys needed for encryption.

The mod_ssl package adds SSL support to Apache. In turn, mod_ssl depends on OpenSSL for encryption libraries, tools, and the underlying SSL protocols. Many Linux systems include OpenSSL. Before installing mod_ssl, make sure OpenSSL is installed on your system. If your distribution doesn't include OpenSSL, download the source code from http://www.openssl.org/. Run the config utility that comes with the source code and then run make to compile OpenSSL. Run make test and make install to verify and install it.

After OpenSSL is installed, mod_ssl can be installed. Many Linux systems, including our sample Red Hat system, provide mod_ssl as part of the basic Apache system. If your distribution doesn't, download the mod_ssl package from http://www.modssl.org/. Recompile Apache using the --with-ssl option to incorporate the SSL extensions into Apache.

The mod_ssl installation inserts various SSL configuration lines into the sample Apache configuration, usually called httpd.conf.default. These new lines are placed inside IfDefine containers so that SSL support is an option that can be invoked from the httpd command line. Red Hat, which bundles mod_ssl into the basic system, is a good example of how this is done. Here are the IfDefine containers for the mod_ssl LoadModule and AddModule directives from a Red Hat Linux 7.2 system:

<IfDefine HAVE_SSL>
LoadModule ssl_module 		modules/libssl.so
</IfDefine>
<IfDefine HAVE_SSL>
AddModule mod_ssl.c
</IfDefine>

The LoadModule and AddModule directives are only used if HAVE_SSL is defined on the httpd command line. The string HAVE_SSL is arbitrary. On another system, the string might be "SSL". The key is not what the string contains, but that it matches a value defined on the httpd command line. For example:

# httpd -DHAVE_SSL &

This command starts an SSL Apache server on a Red Hat Linux 7.2 system.

In addition to the containers for the LoadModule and AddModule directives, there are IfDefine containers that define the SSL server configuration. The active directives in the containers from the Red Hat httpd.conf file are shown in the listing below. The Red Hat file contains many additional comment lines that are not shown in the listing.

Red Hat's SSL Apache Server Configuration
<IfDefine HAVE_SSL>
Listen 80
Listen 443
</IfDefine>
<IfDefine HAVE_SSL>
AddType application/x-x509-ca-cert 	.crt
AddType application/x-pkcs7-crl 	.crl
</IfDefine>
<IfDefine HAVE_SSL>
<VirtualHost _default_:443>
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
	 nokeepalive ssl-unclean-shutdown \
	 downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
	 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

The first IfDefine container tells the server to listen to port 443, as well as to the standard port 80. Port 443 is the standard port used by SSL.

The second IfDefine container defines two MIME file types. The file extension .crt is mapped to the MIME type application/x-x509-ca-cert, and the filename extension .crl is mapped to application/x-pkcs7-crl. These file types identify certificates and certificate revocation lists. (More about public-key certificates in a minute.)

The bulk of the SSL server configuration is contained in a VirtualHost container enclosed in the third IfDefine container. This virtual host configuration is invoked when a connection comes into the default server on port 443, the SSL port. Three special log files, two near the beginning of the container and one at the end, are created to track SSL errors and requests. (Logging is covered in more detail later.) Although no special document root is defined in the listing above, most administrators insert a DocumentRoot directive into the VirtualHost container to define a directory in which secure documents are stored. Any standard configuration command can be used to configure the SSL virtual host, and there are several more directives that are valid only when SSL is running. The directives in Listing 6.8 that apply specifically to SSL are

SSLEngine Turns on SSL processing for this virtual host.

SSLOptions Sets special SSL protocol options. In the example, StdEnvVars are enabled for all files with the extensions .cgi, .shtml, .phtml, and .php3; and for the /var/www/cgi-bin directory. StdEnvVars are environment variables that are sent over the connection to the client. Retrieving these variables is time-consuming for the server, so they are sent only when it is possible that the client could use them, as is the case when CGI scripts or SSI files are involved.

ssl-unclean-shutdown In this case, the SetEnvIf directive performs essentially the same function as the BrowserMatch directives by checking to see whether the User-Agent (the browser) is Microsoft Internet Explorer. If it is, the ssl-unclean-shutdown option lets Apache know that this browser will not properly shut down the connection, and that keepalives should not be used with Internet Explorer.

SSLCertificateFile Points to the file that contains the server's certificate, which carries the server's public key.

SSLCertificateKeyFile Points to the file that contains the server's private key.

Public key cryptography requires two encryption keys: a public key made available to all clients, and a private key that is kept secret. The public key is in a special format called a certificate. Before starting SSL on your server, create these two keys.

OpenSSL provides the tools to create the public and private keys required for SSL. The simplest of these is the Makefile found in the ssl/certs directory, which allows you to create certificates and keys with a make command. Two different types of arguments can be used with the make command to create an SSL certificate or key. One type of argument uses the file extension to determine the type of certificate or key created:

make name.key Creates a private key and stores it in the file name.key.

make name.crt Creates a certificate containing a public key, and stores it in the file named name.crt.

make name.pem Creates a certificate and a key in the Privacy Enhanced Mail (PEM) format, and stores it in the file named name.pem.

make name.csr Creates a certificate signature request. A certificate can be digitally signed by a trusted agent, called a certificate authority (CA), which vouches for the authenticity of the public key contained in the certificate. (More about this later.)

Keywords are the other type of argument that can be used with this Makefile. The keywords create certificates and keys that are solely intended for use with Apache:

make genkey Creates a private key for the Apache server. The key is stored in the file pointed to by the KEY variable in the Makefile.

make certreq Creates a certificate signature request for the Apache server. The certificate signature request is stored in the file pointed to by the CSR variable in the Makefile.

make testcert Creates a certificate for the Apache server. This certificate can be used to boot and test the SSL server. However, the certificate is not signed by a recognized CA and therefore would not be acceptable for use on the Internet. The certificate is stored in the file pointed to by the CRT Makefile variable.

The /etc/httpd/conf directory on the Red Hat system has a link to the Makefile to make it easy to build the keys in the same place where the httpd.conf file expects to find them. A look at the /etc/httpd/conf directory on a Red Hat Linux 7.2 system shows that the keys pointed to by the SSLCertificateFile directive and the SSLCertificateKeyFile directive already exist, even though you did not create them.

The Makefile uses the openssl command to create the certificates and keys. The openssl command has a large and complex syntax, so the Makefile provides real benefit. However, you can use the openssl command directly to do things that are not available through the Makefile.

There is a lot of information in a certificate, but only a few pieces of it are needed to determine whether this is a valid certificate for our server:

Issuer The Issuer is the distinguished name of the CA that issued and signed this certificate. A distinguished name is a name format designed to uniquely identify an organization. It is clear in the example that the name of the Issuer is just an example, not a real organization.

Subject The Subject is the distinguished name of the organization to which this certificate was issued. In our case, it should be the name of our organization. Clearly, the Subject in this certificate is just a sample.

Validity The Validity is the timeframe in which this certificate is valid. In the example, the certificate is valid for a year. Because the dates are valid, this certificate can be used to test SSL.
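The following script is an added example and is not part of the book or of the Red Hat Makefile. It performs, with the openssl command directly, the same three steps the make genkey, make certreq, and make testcert targets perform (private key, certificate signature request, self-signed test certificate), and then reads back the Issuer, Subject, and Validity fields discussed above so they can be checked without scanning the full certificate dump. It assumes openssl is on the PATH; the working directory, file names, and the distinguished name in SUBJ are constructed for the example and are not the Red Hat paths.

```shell
#!/bin/sh
# Added example: the Red Hat Makefile targets expressed as direct openssl calls,
# followed by the Issuer / Subject / Validity checks described in the text.
# Assumes openssl is installed. File names and the subject are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/server.key"     # what make genkey would write (KEY variable)
CSR="$WORK/server.csr"     # what make certreq would write (CSR variable)
CRT="$WORK/server.crt"     # what make testcert would write (CRT variable)
# Constructed distinguished name; a real server uses its own organization and host name.
SUBJ="/C=US/ST=Example/L=Example/O=Example Org/CN=www.example.com"

# Equivalent of make genkey: a 2048-bit RSA private key. Because this file is
# the secret half of the key pair, restrict it to its owner right away.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Equivalent of make certreq: a certificate signature request that a CA would
# sign and return as a certificate vouching for the public key.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ"
}

# Equivalent of make testcert: sign the request with our own key, valid for a
# year. Good enough to bring up and test the SSL server, but browsers will warn
# about it because no recognized CA signed it.
gen_testcert() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -out "$CRT" -days 365 2>/dev/null
}

# The three fields the text says to examine, each without the field label.
cert_issuer()   { openssl x509 -in "$CRT" -noout -issuer   | sed 's/^issuer=//'; }
cert_subject()  { openssl x509 -in "$CRT" -noout -subject  | sed 's/^subject=//'; }
cert_notbefore() { openssl x509 -in "$CRT" -noout -startdate | sed 's/^notBefore=//'; }
cert_notafter() { openssl x509 -in "$CRT" -noout -enddate  | sed 's/^notAfter=//'; }

# Succeeds only while the current time falls inside the Validity window
# (-checkend 0 asks whether the certificate expires within zero seconds).
cert_is_valid_now() {
    openssl x509 -in "$CRT" -noout -checkend 0 >/dev/null
}

# A self-signed test certificate has Issuer equal to Subject; one issued by a
# CA names the CA as Issuer instead, which is how you tell the two apart.
cert_is_self_signed() {
    [ "$(cert_issuer)" = "$(cert_subject)" ]
}

# Confirms that SSLCertificateFile and SSLCertificateKeyFile would agree: the
# public key inside the certificate must be derived from the private key.
key_matches_cert() {
    [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CRT" -noout -pubkey)" ]
}

# Full dump, the counterpart of reading the whole certificate by hand.
show_cert() {
    openssl x509 -in "$CRT" -noout -text
}

gen_key
gen_csr
gen_testcert
echo "Issuer:     $(cert_issuer)"
echo "Subject:    $(cert_subject)"
echo "Not before: $(cert_notbefore)"
echo "Not after:  $(cert_notafter)"
cert_is_self_signed && echo "Self-signed test certificate (not CA-signed)"
cert_is_valid_now   && echo "Certificate is currently within its validity period"
key_matches_cert    && echo "Private key matches the certificate"
```

Point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key to use the result with the virtual host shown earlier. For a production certificate, send server.csr to a CA and replace the self-signed server.crt with the certificate the CA returns; the key file stays the same, which is why key_matches_cert is worth re-running after the swap. Once the server is up, openssl s_client -connect localhost:443 shows the certificate the server actually presents.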

To test that the SSL server is indeed running, use a browser to connect to the local server. However, instead of starting the URL with http://, start it with https://. https connects to port 443, which is the SSL port. The browser responds by warning you that the server has an invalid certificate.
