SSL Part 1: mod ssl Install
Revision as of 17:37, 9 June 2008
This page details how to set up mod_ssl and OpenSSL on Uniform Server 3.5-Apollo. It assumes you are using a fresh install of UniServer.
What is mod_ssl?
The Apache module mod_ssl provides an interface to OpenSSL. Uniform Server uses the standard version of Apache for Windows, which does not have mod_ssl enabled by default.
In the past Apache considered Windows to be insecure and hence actively discouraged the use of mod_ssl on this platform. If you wanted a secure system using mod_ssl you had to re-compile the binaries yourself and enable OpenSSL functionality.
Alternatively, you could find someone who supplied a set of pre-compiled binaries, such as Hunter, and overlay them on Uniform Server. Those dark days have gone. The binary version I am using is apache_2.0.59-win32-x86-openssl-0.9.7j.msi
The installed content from the above package is relatively large, so to retain Uniform Server's small footprint I have included only the files that are relevant. A number of other files are also required to produce a complete working secure server; again, I have included these.
OpenSSL provides tools for generating a server key and certificate. You can use these tools directly; however, I have provided some batch files, so there is no need to worry about all the technical stuff.
Where to get it
I have created a complete working demo and packaged all the files into a self-extracting archive.
- Download file: uc_mod_ssl_1.exe
- Save to folder: Uniform Server.
- Check the MD5: 74231027954fe2d2b9b03cd0fef064d0
Extract the files
To extract, double-click on uc_mod_ssl_1.exe
This runs the 7Z self-extracting archive. There is no need to change the path; allow it to overwrite.
On completion it creates new folders and updates files. For reference I have listed these:
New folder and files
*\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen
File | Comment |
---|---|
howto generate.txt | Instructions on how to create a server key and certificate |
mpg1.bat | Create a private key and a CSR (Certificate Signing Request) |
mpg2.bat | Remove passphrase from key file |
mpg3.bat | Create a self-signed certificate (personal server use only) |
libeay32.dll | OpenSSL library |
ssleay32.dll | OpenSSL library |
openssl.cnf | OpenSSL configuration file |
openssl.exe | OpenSSL executable used by mpg1.bat, mpg2.bat and mpg3.bat |
clean.bat | Delete the next five files before creating a new key and certificate |
.rnd | Intermediate file |
server.pem | Intermediate file |
server.csr | Intermediate file |
server.crt | New certificate copy to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt |
server.key | New key copy to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key |
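The three steps the table assigns to mpg1.bat, mpg2.bat and mpg3.bat, written out as an added example; it is not the contents of those batch files, which this page does not show. It assumes a current OpenSSL command line in a POSIX shell, and it also checks that the certificate matches the key before either is copied into ssl.crt and ssl.key. The function names, the localhost common name and the passphrase are constructed, and treating server.pem as the passphrase-protected key is an assumption.

```shell
#!/bin/sh
# Added example, not the contents of mpg1.bat/mpg2.bat/mpg3.bat.
# File names follow the table above; treating server.pem as the
# passphrase-protected key is an assumption.

make_test_cert() {   # usage: make_test_cert DIR COMMON_NAME PASSPHRASE
    dir=$1; cn=$2
    KEY_PASS=$3; export KEY_PASS   # env: keeps the passphrase off the command line

    # Step 1 (mpg1.bat's role): encrypted private key, then a CSR for it.
    openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$dir/server.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.pem" -passin env:KEY_PASS \
        -subj "/CN=$cn" -out "$dir/server.csr" || return 1

    # Step 2 (mpg2.bat's role): write the key without a passphrase so Apache
    # can start unattended. File permissions are now its only protection.
    openssl rsa -in "$dir/server.pem" -passin env:KEY_PASS \
        -out "$dir/server.key" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"

    # Step 3 (mpg3.bat's role): self-sign the CSR with that key.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    unset KEY_PASS
}

# True when the certificate carries the public key of the given private key.
key_matches_cert() {   # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject the certificate was issued to, e.g. CN=localhost.
cert_subject() {   # usage: cert_subject CERT
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

workdir=$(mktemp -d)
if make_test_cert "$workdir" localhost "constructed-passphrase" &&
   key_matches_cert "$workdir/server.key" "$workdir/server.crt"; then
    echo "certificate for $(cert_subject "$workdir/server.crt") matches server.key"
fi
```

A certificate whose subject does not name the host being browsed is what produces a "Domain Name Mismatch" challenge like the one in the quick test.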
New folder and files
File | Folder |
---|---|
.htpasswd | *\Uniform Server\udrive\htpasswd\modsslpass |
server.crt | *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt |
server.key | *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key |
ssl.conf | *\Uniform Server\udrive\usr\local\apache2\conf |
Test sites
File | Folder |
---|---|
default_secure_index.html | *\Uniform Server\udrive\www\default_secure index.html |
default_unsecure_index.html | *\Uniform Server\udrive\www\default_unsecure index.html |
favicon.ico | Copy to all site root folders in test sites |
index.html | *\Uniform Server\udrive\www\site1 |
index.html | *\Uniform Server\udrive\www\site2 |
index.html | *\Uniform Server\udrive\www\site3 |
Content of folder *\Uniform Server\udrive\usr\local\apache2\bin replaced with:
Apache.exe | htdigest.exe | htpasswd.exe |
libapr.dll | libapriconv.dll | libaprutil.dll |
libeay32.dll | libhttpd.dll | logresolve.exe |
rotatelogs.exe | ssleay32.dll | wintty.exe |
Note: To save space you can now delete the file uc_mod_ssl_1.exe; it's no longer required.
Installation
Once the files have been extracted, installation is complete, so there is nothing special to do other than perform a quick test.
Quick Test
A server test key and certificate have been installed; this allows the server to be easily tested. Follow these four steps:
- Start the servers using Server_Start.bat and appease your security system.
- Type http://localhost into your browser. Result: a page is displayed with the following message: This is the unsecured default page
- Type https://localhost into your browser.
  When challenged "Accept this certificate temporarily for this session", click OK.
  You will receive another challenge, "Domain Name Mismatch"; click OK.
  Result: Authentication challenge - Authentication Required. Type what's highlighted in bold. User name: name Password: password
  Result: Padlock closed and site 3 displayed.
Note: If it fails, make sure your firewall and/or router is not blocking port 443.
Summary
At this stage you have a working server template with test sites. This template requires modification, not only to meet your site requirements but also to secure it with a new server key and certificate.
The remainder of this write-up deals with various areas that you may wish to change. It's difficult to be specific, hence the reason for including the test web sites.
The next page looks at the Apache configuration file httpd.conf
Ric