Coral: apache ssl

Revision as of 13:35, 12 November 2011 by Ric (talk | contribs) (Created page with "<div id="top" style="margin:0;padding: 0px 0px 0px 5px; color: #000; background-color: #FFFFEB; border: 1px solid darkslateblue;"><span id="top" style="margin:0;padding: 0px;font...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Apache - SSL

Secure Sockets Layer (SSL) offers privacy for client-server communication. SSL establishes an encrypted tunnel using cryptography algorithms and keys through which other protocols such as HTTP are transported.


By default, The Uniform Server installation has SSL disabled, for the reason of security. A certificate/key pair are required and must be unique to the particular server. After creating a new server certificate/key pair, SSL will be automatically enabled in Apache's configuration file.

UniServer 8-Coral
  Home
  Quick Start
  General
» Apache
  MySQL
  PHP
  MSMTP
  CRON
  DtDNS
  Db Backup
  Perl
  Main Index

How to Enable SSL

After generating a self-signed certificate, SSL is automatically enabled. The "Server Certificate and Key generator" form has been pre-configured for a self-signed certificate and there is no need to change these values. Just click "Run Generate".

Please note, however, that a self-signed certificate is not considered secure. Your browser will most likely complain about it. Nevertheless, it is fine for local testing, and you can set an override for most browsers. For the case of a production server environment, DO NOT USE a self-signed certificate, since it will not be accepted by your users.

UniController: Server Configuration > Apache > Generate Certificate

  • This opens Server Certificate and Key generator menu shown on right
  • D) Click Run Generate. After a short time a confirmation pop-up is displayed.
  • For the new configuration to become effective, restart Apache server.

Note 1: A) If you have changed the server name using Apache configuration menu, that name will be displayed instead of localhost.


Note 2: B) C) Are dropdown menus.


Note 3: C) 2048 Bits provide high-grade encryption; no need to change this.

 

After generating a self-signed certificate the following configuration changes are made:

Top

Apache configuration file changes

Both php_openssl.dll and ssl.conf are enabled as follows:

  • Apache configuration file: UniServer\usr\local\apache2\conf\httpd.conf
  • Existing line: #LoadModule ssl_module modules/mod_ssl.so
  • Changed to: LoadModule ssl_module modules/mod_ssl.so

The above change in turn enables ssl.conf via this block

<IfModule mod_ssl.c>
  Include conf/extra/ssl.conf
</IfModule>

Top

Background

The following provides an overview of SSL and background information on how SSL is implemented on The Uniform Server. This section can be skipped.

SSL Overview

The following outlines the SSL process with respect to a client. A Client is generally a user's browser. Let's assume your web-site server has the registered domain fred.com

  • A client makes a connection to fred.com on the SSL port (standard port is 443) by typing https://fred.com into their browser. Note the use of https instead of http. On connecting to web server, the client provides a list of available ciphers it can use.
  • The Server picks the strongest cipher that both understand and support. The Server sends back a certificate with its name and public encryption key, signed by a trusted Certificate Authority.
  • The Client checks the certificate with the CA. Browsers have a collection of CAs stored locally. These are checked first, avoiding the need to directely contact the CA, and thus speeding up the process.
  • If the certificate is approved, the Client sends back a random number encrypted with the server's public key. This Number is unique to the client and can only be decrypted by the server using its private key.
  • The Server and the Client use this random number to generate encrypted packets. Both Client browser and Server now communicate using encryption and all transactions are secured. The browser displays the secure icon.

IP addresses and SSL

An SSL certificate is bound to your fully qualified domain name, which is encrypted into the certificate. Modern browsers send the server name identification (SNI) along with a request. Apache can use this in Vhosts to resolve certificates.


Unfortunately IE remains in the dark ages and expects servers to resolve using IP addresses. If you attempt to have more than one SSL certificate associated with the same IP address you will get undesired results. The bottom line: to appease IE, you are restricted to using a single Apache SSL Vhosts name.

Top

SSL Virtual Host

Generating a self-signed certificate enables the SSL Virtual Host configuration file. You can now access your server using either http or htpps; when using https all transactions are encrypted.

Using https incurs a small speed penalty so generally a web-site is accessed using http and not https. If a user comes in on http and that linked resource requires https, it is forced (switched) to https. You can define a folder (ssl root folder) to specifically use only https.

The Uniform Server is pre-configured to run both a secure server (on port 443) and a regular server (on port 80). These are separated using VirtualHosts, which has the advantage of maintainability.

To highlight this separation, a default Server installation has a user configuration button View ssl pre-assigned to it. By default this button is greyed out and enabled only after a server certificate is generated. It then allows the secure folder's index page to be viewed in a browser. Note that you can re-assign this user button.

Default Virtual Host - Configuration

Configuration file: UniServer\usr\local\apache2\conf\extra\ssl.conf

# File name: ssl.conf
# Created By: The Uniform Server Development Team
# Edited Last By: Mike Gleaves (ric) 
# Main Apache HTTP server configuration file.
# V 1.0 27-6-2011
#=========================================================

#################### Global SSL ##########################
Listen 443
#== Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#== Pass Phrase Dialog:(`builtin' is a internal terminal dialog)
SSLPassPhraseDialog  builtin

#== Inter-Process Session Cache:
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#== SSL engine uses internally for inter-process synchronization. 
SSLMutex default

#== Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

########### SSL Virtual Host ############################

NameVirtualHost *:443
<VirtualHost _default_:443>

ServerName localhost
DocumentRoot C:/UniServer/ssl
ServerAdmin you@example.com

ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

#== SSL Engine Switch:
SSLEngine on
SSLOptions +StrictRequire

#== SSL Cipher Suite:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

#== Server Certificate:
SSLCertificateFile C:/UniServer/usr/local/apache2/server_certs/server.crt

#== Server Private Key:
SSLCertificateKeyFile C:/UniServer/usr/local/apache2/server_certs/server.key

#== StartSSL certificate chain for class 1 certificates
# Disable when using a self-signed certificate
# Enable remove # disable add #

#SSLCertificateChainFile C:/UniServer/usr/local/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile    C:/UniServer/usr/local/apache2/server_certs/ca.pem

SSLVerifyClient none
SSLProxyEngine off

#== Server Root folder:
<Directory "C:/UniServer/ssl"> 
  AllowOverride All
  Order allow,deny 
  Allow from all
  SSLRequireSSL
</Directory> 


#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

</VirtualHost> 

General notes:

  • Listen 443 - Informs Apache to listen on port 443 (Standard ssl port)
  • SSLEngine must be enabled for server to use SSL.
  • DocumentRoot sets the root directory for this virtual host. Allows you to separate secure content from regular content.
  • SSLRequireSSL forces SSL to be used (on this virtual host). A user can't connect using a regular HTTP request.
  • SSLProtocol Disable all protocols other than TLS v1.0 and SSL v3.0.
  • SSLCipherSuite is set to use only HIGH and MEDIUM security cipher suites.
  • SSLCertificateFile and SSLCertificateKeyFile set to your server certificate and key files location.
  • SSLCertificateChainFile Certificate chain (preconfigured for StartSSL)
  • SSLCACertificateFile Certificate chain (preconfigured for StartSSL)
  • SSLVerifyClient set to none if not using client authentication.


Note: Depending on where you located your server, absolute paths shown in the configuration will differ.


Certificates and signing request (CSR) location

The Uniform Server uses OpenSSL to generate:

  • A self-signed certificate and server key.
  • Or a server key and certificate signing request.

OpenSSL and supporting files are located in folder UniServer\openssl.
Note: To view installed server certificate details, run UniServer\openssl\View_cert_details.bat


Server certificates are located or copied to folder UniServer\usr\local\apache2\server_certs A default installation pre-installs the required intermediate certificate for StartSSL ca.pem and sub.class1.server.ca.pem

Top

Where to next

Self-signed Self-signed test certificate details.

Free server certificate Howto obtain and install StartSSL free server certificate


Top