mod_ssl Introduction
Uniform Server 3.5-Apollo

This write-up shows how to get mod_ssl working on Uniform Server 3.5-Apollo it really is a continuation from my Stunnel write-up. I originally thought this one could be bashed out over a weekend until I faced these error messages:

[debug] ssl_engine_init.c(755): Configuring RSA server private key
[error] Unable to import RSA server private key
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

The solution seems so obvious now although I thought it was insurmountable. To get it working there are several things that need to be resolved. One of the main problems do not pick and mix, everything must be compatible for example Server: Apache/2.0.59, Interface: mod_ssl/2.0.59, Library: OpenSSL/0.9.8d they must be compiled together.

Top

Extra Pages

After following the above links you will have a secure server for completeness I thought a few extra pages would be of use.

Top

Compiled

Background:

Hey what is all this compile business! Don’t be alarmed; Hunter has already done the hard work for you http://hunter.campbus.com/ that’s where I found a solution to the above error messages.

It transpires Apache do not distribute a compiled version capable of running mod_ssl on a Windows platform. Along with Hunter's compiled binaries there are a few other things that you need to trawl the Internet for.

Update:

For Apache binaries Hunter was always my first port of call and probably explains why I missed the introduction of compiled SSL binaries with Apache since version 2.0.35. While transferring this write-up to the Wiki I discovered Hunter’s web site has long since gone, in order to maintain reproducibility I needed a set of binaries that you can download these I found in Apache’s archive.

I have converted this project to use these binaries out of respect I have included the above background to acknowledge Hunters time and effort was most appreciated.


I personally hate any type of run around hence to complete this project you will find all required files are down loadable from this site. They match 3.5-Apollo, if you use another version of Uniform Server then you will have to do the legwork.

The remainder of this write-up shows you how to plumb it altogether. Like Stunnel I cover only self-signed certificates. Where possible I keep to standard naming hence if you read books on this subject it should be a little easier to use Uniform Server to run any examples.

Please treat this solution as a reference point from were you can experiment with certificates and all the other cleaver stuff.

Note: Check out my Signed Certificate Project to obtain a free server certificate from CAcert.

Top

Step-by-Step

This step-by-step guide is comprehensive and assumes you are using a clean version of Uniform Server to experiment on.

There is a lot of tedious groundwork to cover; you can implement all the changes manually and it will get you to a working base point. However because most of this is typing error prone I have archived all the files in a 7Z exe double click and you have a working secure server.

I must stress, this is not a working plug-in for production, it is intended only for experimentation. It makes changes to core elements that may prove incompatible with other features of Uniform Server. After installation you need to secure the server by creating a new key and certificate.

Top

Security

Well there are degrees of security, most articles I read are concerned with commercial security, get yourself a proper signed certificated, for personal use, a rip off. If you are selling anything online at least a signed certificate is a first barrier of defence. Yep, even if that was one hundred percent impregnable you are open to human nature. I write this knowing full well that security, offered at best is a deterrent.

If you really need one hundred percent security, publish nothing on the Internet. You may have missed my point, do not connect your PC to the Internet if it contains valuable information.

Think “chip” and “pin” and then have a look at the king’s new clothes! or was that the emperor's new clothes!

Please do not get me wrong, when you implement this encryptions stuff it is fairly secure and will act as a reasonably secure interchange of information, but that is as good as it gets. No way can you take into account “human nature” all I am saying, do not be lulled into a false sense of security.

If I ever hear you utter words like, well I locked the cars doors these can only be opened with a retina scan but they smashed my windows. What was taken! I can only assume not the car that was probably immobilized as well. Well what was taken! It was the security system placed to order for another car.

By the way, they will match the security system colour to match your car, payment two extra beers. I have an interesting philosophy if its locked its worth steeling, if its unlocked its already been stolen.

I trust you will enjoy the rest of this write-up, never be complacent and make sure the perceived security meets your needs.

Where to next

If your are interested in obtaining Apache binaries jump to Apache Upgrade

These binaries are included in the mod_ssl Install download.

Top


  Ric