Coral: apache ssl (The Uniform Server wiki, MediaWiki). Revision history feed: https://wiki.uniformserver.com/index.php?title=Coral:_apache_ssl&feed=atom&action=history (retrieved 2024-03-29). Page created by Ric on 2011-11-12: https://wiki.uniformserver.com/index.php?title=Coral:_apache_ssl&diff=6176&oldid=prev
<div>

<span style="margin-bottom:5px;font-size:25px;color: #31799F;">Apache - SSL</span>

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), provide confidentiality and integrity for client-server communication. SSL establishes an encrypted tunnel, negotiated with public-key cryptography and protected with symmetric session keys, through which other protocols such as HTTP are carried; HTTP over this tunnel is https.

By default, The Uniform Server installation has SSL disabled. This is a security measure: a certificate/key pair is required and must be unique to the particular server, so no pre-generated key is shipped. After you create a new server certificate/key pair, SSL is enabled automatically in Apache's configuration file.

__TOC__


==How to Enable SSL==
After generating a self-signed certificate, SSL is enabled automatically. The "Server Certificate and Key generator" form is pre-configured for a self-signed certificate and there is no need to change its values: just click "Run Generate".

Please note, however, that a self-signed certificate is not trusted by browsers, because its signature does not chain to a known Certificate Authority, so your browser will warn about it. It is fine for local testing, and you can add an exception in most browsers.
For a production server, '''DO NOT USE''' a self-signed certificate: your users' browsers will reject it, and teaching users to click through certificate warnings defeats the protection SSL is meant to give.

<span style="padding:6px;background-color:#99FFFF"> '''UniController:''' Server Configuration > Apache > Generate Certificate</span>
* This opens the '''Server Certificate and Key generator''' menu shown below (the letters refer to the image).
* D) Click Run Generate. After a short time a confirmation pop-up is displayed.
* For the new configuration to take effect, '''restart the Apache server'''.

Note 1: A) If you have changed the server name using the Apache configuration menu, that name is displayed instead of localhost.

Note 2: B) and C) are dropdown menus.

Note 3: C) 2048 bits gives a strong RSA key; there is no need to change this.

[[Image:Coral_apache_cert_gen_1.gif]]
After generating a self-signed certificate the following configuration changes are made:

===Apache configuration file changes===

PHP's OpenSSL extension (php_openssl.dll) is enabled, and so is Apache's mod_ssl, which in turn includes ssl.conf. The Apache side of the change is:

* Apache configuration file: UniServer\usr\local\apache2\conf\httpd.conf
* Existing line: #LoadModule ssl_module modules/mod_ssl.so
* Changed to: LoadModule ssl_module modules/mod_ssl.so

Loading mod_ssl in turn enables ssl.conf via this block in httpd.conf (the Include is skipped while the module is commented out):

<pre>
<IfModule mod_ssl.c>
Include conf/extra/ssl.conf
</IfModule>
</pre>

==Background==
The following provides an overview of SSL and background information on how SSL is implemented on The Uniform Server. This section can be skipped.

===SSL Overview===
The following outlines the SSL process with respect to a client. A client is generally a user's browser. Let's assume your web-site server has the registered domain fred.com

* A client makes a connection to fred.com on the SSL port (standard port 443) by typing <nowiki>https://fred.com</nowiki> into their browser. Note the use of https instead of http. In its first message (the ClientHello) the client lists the protocol versions and cipher suites it supports and, in modern browsers, the host name it wants to reach (SNI).
* The server picks a cipher suite that both sides support (by its own preference order if it is configured to enforce one) and sends back its certificate, which contains its name and public key and is signed by a Certificate Authority (CA).
* The client validates the certificate: the name must match the host it asked for, the certificate must be within its validity period, and the signature chain must lead to a CA root the client trusts. Browsers ship with a collection of trusted CA roots stored locally, so the CA is not contacted for this step; contacting the CA is only needed for revocation checks (CRL or OCSP).
* If the certificate is accepted, the two sides establish a shared secret. In the RSA key exchange described here, the client sends a random value encrypted with the server's public key; only the server can decrypt it, using its private key. Current TLS versions instead use an ephemeral Diffie-Hellman exchange authenticated by the server's key, so that a later compromise of the private key cannot decrypt recorded sessions.
* From that shared secret both sides derive the symmetric keys that encrypt and authenticate all further packets. Browser and server now communicate using encryption and all transactions are protected. The browser displays the secure (padlock) icon.

===IP addresses and SSL===
An SSL certificate is bound to your fully qualified domain name, which is embedded (not encrypted) in the certificate, in the Common Name and/or subjectAltName fields. Modern browsers send the requested host name along with the connection in the Server Name Indication (SNI) extension of the ClientHello, and Apache can use this in name-based Vhosts to select the matching certificate before the handshake completes.

Older clients do not send SNI; at the time this page was written the notable one was Internet Explorer on Windows XP, which expects each SSL site to be reachable on its own IP address. If you have more than one SSL certificate associated with the same IP address, such a client is handed the default virtual host's certificate and gets a name-mismatch warning. The bottom line: to support such clients you are restricted to a single Apache SSL Vhost per IP address.

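The two points above, the cipher list the client offers in its first message and the SNI host name that name-based SSL Vhosts depend on, can be seen directly in the bytes of a ClientHello. The following Python script is an added example for this page, not code from the Uniform Server project: it has the local OpenSSL (via Python's ssl module and memory BIOs, so no network connection is made) produce a genuine ClientHello for the page's example domain fred.com, parses the record to list the offered cipher suites and the SNI extension, and then parses a hand-built, constructed ClientHello with no extensions at all, which is what a legacy non-SNI client such as Internet Explorer on Windows XP sends. The cipher suite codes 0x002F and 0x0005 in the constructed hello are sample values chosen for this example.

```python
"""Decode a TLS ClientHello: client version, offered cipher suites and SNI.

Added example, not Uniform Server code. The "modern" hello is produced offline
by Python's ssl module through memory BIOs; the "legacy" hello is constructed
by hand to stand in for a client that sends no SNI extension.
"""
import ssl
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Return the bytes a real TLS client writes first when connecting to hostname."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, the client now waits for a ServerHello
    return outgoing.read()


def make_legacy_client_hello(suites, hostname=None) -> bytes:
    """Hand-build a minimal TLS 1.0 ClientHello (constructed sample input)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"           # version, client random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    if hostname is not None:                            # optional SNI extension
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 0x16 = handshake


def _handshake_payload(data: bytes) -> bytes:
    """Concatenate the payloads of all handshake records in data."""
    out, pos = b"", 0
    while pos + 5 <= len(data):
        rtype, _ver, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        if rtype != 0x16:
            raise ValueError("not a TLS handshake record")
        out += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    return out


def parse_client_hello(data: bytes) -> dict:
    """Return the client version, offered suite codes and SNI host (None if absent)."""
    hs = _handshake_payload(data)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                        # skip version and client random
    pos += 1 + hello[pos]                               # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                               # skip compression methods
    sni = None
    if pos + 2 <= len(hello):                           # extensions block is optional (legacy clients omit it)
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SNI_EXT:
                list_len = struct.unpack("!H", ext[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype, nlen = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                    if ntype == 0:
                        sni = ext[p + 3:p + 3 + nlen].decode("ascii")
                        break
                    p += 3 + nlen
    return {"version": version, "suites": suites, "sni": sni}


def suite_names(suites) -> list:
    """Map suite codes to OpenSSL names where the local default context knows them."""
    known = {c["id"] & 0xFFFF: c["name"] for c in ssl.create_default_context().get_ciphers()}
    return [known.get(s, "0x%04x" % s) for s in suites]


if __name__ == "__main__":
    for label, hello in (("modern client", build_client_hello("fred.com")),
                         ("legacy client, no SNI", make_legacy_client_hello([0x002F, 0x0005]))):
        info = parse_client_hello(hello)
        print("%s: version=0x%04x sni=%r" % (label, info["version"], info["sni"]))
        print("  offers %d suites: %s ..." % (len(info["suites"]), ", ".join(suite_names(info["suites"])[:5])))
```

Run it as a script to print both decodes. A server with several SSL Vhosts on one IP address can only pick the right certificate when the parsed `sni` is not None; for the legacy hello it has to fall back to the `_default_:443` host, which is exactly the limitation the section above describes.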
==SSL Virtual Host==

Generating a self-signed certificate enables the SSL Virtual Host configuration file. You can now access your server using either http or https; when using https all traffic is encrypted.

Using https costs a little CPU time, so at the time this page was written a web-site was generally served over http, with only the parts that needed it on https: a user who comes in on http to a resource that requires https is switched (redirected) to https, and you can define a folder (the ssl root folder) that is served only over https. Today the usual practice is to serve the whole site over https.

The Uniform Server is pre-configured to run both a secure server (on port 443) and a regular server (on port 80). These are separated using VirtualHosts, which keeps the two configurations easy to maintain.

To highlight this separation, a default server installation has a user configuration button, View ssl, pre-assigned. By default this button is greyed out; it is enabled only after a server certificate has been generated, and then opens the secure folder's index page in a browser. You can re-assign this user button.

===Default Virtual Host - Configuration===
Configuration file: UniServer\usr\local\apache2\conf\extra\'''ssl.conf'''

<pre>
# File name: ssl.conf
# Created By: The Uniform Server Development Team
# Edited Last By: Mike Gleaves (ric)
# Main Apache HTTP server configuration file.
# V 1.0 27-6-2011
#=========================================================

#################### Global SSL ##########################
Listen 443
#== Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

#== Pass Phrase Dialog:(`builtin' is a internal terminal dialog)
SSLPassPhraseDialog builtin

#== Inter-Process Session Cache:
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#== SSL engine uses internally for inter-process synchronization.
SSLMutex default

#== Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

########### SSL Virtual Host ############################

NameVirtualHost *:443
<VirtualHost _default_:443>

ServerName localhost
DocumentRoot C:/UniServer/ssl
ServerAdmin you@example.com

ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

#== SSL Engine Switch:
SSLEngine on
SSLOptions +StrictRequire

#== SSL Cipher Suite:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

#== Server Certificate:
SSLCertificateFile C:/UniServer/usr/local/apache2/server_certs/server.crt

#== Server Private Key:
SSLCertificateKeyFile C:/UniServer/usr/local/apache2/server_certs/server.key

#== StartSSL certificate chain for class 1 certificates
# Disable when using a self-signed certificate
# Enable remove # disable add #

#SSLCertificateChainFile C:/UniServer/usr/local/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile C:/UniServer/usr/local/apache2/server_certs/ca.pem

SSLVerifyClient none
SSLProxyEngine off

#== Server Root folder:
<Directory "C:/UniServer/ssl">
AllowOverride All
Order allow,deny
Allow from all
SSLRequireSSL
</Directory>


#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>
</pre>

General notes:

* Listen 443 - Tells Apache to listen on port 443 (the standard https port).
* '''SSLEngine''' must be on for this virtual host to use SSL.
* '''DocumentRoot''' sets the root directory for this virtual host, letting you keep secure content separate from regular content.
* '''SSLRequireSSL''' denies any request to this directory that did not arrive over SSL: a plain HTTP request is refused with a 403, it is not redirected.
* '''SSLProtocol''' disables all protocols other than TLS v1.0 and SSL v3.0. That was reasonable in 2011, but SSL v3.0 (POODLE), TLS 1.0 and TLS 1.1 have all since been deprecated; a current configuration should enable only TLS 1.2 and TLS 1.3.
* '''SSLCipherSuite''' is set to use the HIGH and MEDIUM cipher suites. Note that in an OpenSSL cipher string a leading + (as in +SHA1, +MD5, +MEDIUM) only moves matching suites to the end of the preference list; it does not remove them, and MEDIUM in the OpenSSL of that era still included RC4.
* '''SSLCertificateFile''' and '''SSLCertificateKeyFile''' point at your server certificate and private key files.
* '''SSLCertificateChainFile''' names the intermediate certificate chain that is sent to clients (preconfigured for StartSSL).
* '''SSLCACertificateFile''' in mod_ssl names the CA certificates used to verify client certificates (also preconfigured for StartSSL); with SSLVerifyClient none it has no effect.
* '''SSLVerifyClient''' is set to none because client certificate authentication is not used.
* The '''SetEnvIf User-Agent ".*MSIE.*"''' line is a workaround for keep-alive and shutdown bugs in old Internet Explorer versions.

'''Note:''' Depending on where you located your server, the absolute paths shown in the configuration will differ.
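The SSLProtocol and SSLCipherSuite lines above were defensible in 2011 but would fail a review today. The script below is an added example, not part of the Uniform Server distribution: it quotes the page's three SSL directives as WEAK_CONF, places a TLS 1.2/1.3-only replacement beside them as HARDENED_CONF (this example's suggestion for a current Apache 2.4 build, not project code), and audits both the way mod_ssl itself reads the directives: SSLProtocol tokens are applied to the 'all' set with + and - signs, and in an OpenSSL cipher string a leading + only reorders suites while ! removes them.

```python
"""Audit SSLProtocol / SSLCipherSuite / SSLHonorCipherOrder in an Apache ssl.conf.

Added example, not part of the Uniform Server distribution. WEAK_CONF quotes
the SSL directives from the page's ssl.conf; HARDENED_CONF is this example's
suggested replacement for a current Apache 2.4 / OpenSSL build.
"""

PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # what mod_ssl's 'all' expands to
OBSOLETE = {"SSLv3", "TLSv1", "TLSv1.1"}     # SSLv3: POODLE; TLS 1.0/1.1: deprecated by RFC 8996
# OpenSSL cipher-string keywords that admit broken or weak suites
WEAK_KEYWORDS = {"MEDIUM", "LOW", "EXPORT", "MD5", "RC4", "DES", "3DES", "NULL", "aNULL", "eNULL"}

WEAK_CONF = """\
SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
"""

HARDENED_CONF = """\
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
"""


def directives(conf):
    """Yield (name, arguments) for every non-comment line of an Apache config fragment."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def enabled_protocols(args):
    """Resolve an SSLProtocol argument list to the set of enabled versions.

    mod_ssl semantics: 'all' is the full set, '-' removes, '+' or no sign adds.
    """
    canon = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(PROTOCOLS) if name.lower() == "all" else {canon.get(name.lower(), name)}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit(conf):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    has_protocol = honor_order = False
    for name, args in directives(conf):
        if name == "SSLProtocol":
            has_protocol = True
            bad = sorted(enabled_protocols(args) & OBSOLETE, key=PROTOCOLS.index)
            if bad:
                findings.append("SSLProtocol enables obsolete versions: " + ", ".join(bad))
        elif name == "SSLCipherSuite":
            for tok in args.split(":"):
                if tok.startswith("!"):
                    continue                  # '!X' permanently removes X: that is the safe form
                if tok.lstrip("+-") in WEAK_KEYWORDS:
                    how = "only moves them to the end of the list" if tok.startswith("+") else "adds them"
                    findings.append("SSLCipherSuite token %r keeps weak suites enabled (%s)" % (tok, how))
        elif name == "SSLHonorCipherOrder" and args.lower() == "on":
            honor_order = True
    if has_protocol and not honor_order:
        findings.append("SSLHonorCipherOrder is not on: the client, not the server, chooses the suite")
    return findings


if __name__ == "__main__":
    for label, conf in (("page's ssl.conf", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

The audit reports five findings for the page's settings (SSL v3.0 and TLS 1.0 enabled, MEDIUM and MD5 suites left enabled, and no SSLHonorCipherOrder) and none for the hardened fragment. The hardened lines can replace the originals inside the <VirtualHost _default_:443> block; restart Apache afterwards, as for any change to ssl.conf.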

===Certificates and signing request (CSR) location===
The Uniform Server uses OpenSSL to generate either:

* A self-signed certificate and server key, or
* A server key and a certificate signing request (CSR) to send to a CA.

OpenSSL and supporting files are located in folder UniServer\'''openssl'''.
'''Note:''' To view the installed server certificate's details, run UniServer\openssl\'''View_cert_details.bat'''

Server certificates are located in (or copied to) folder UniServer\usr\local\apache2\'''server_certs'''.
A default installation pre-installs the intermediate certificates required for [[Coral: apache free server cert|StartSSL]]: '''ca.pem''' and sub.class1.server.'''ca.pem'''. StartSSL was distrusted by the major browsers in 2017 and has since closed, so these pre-installed files are of historical interest only; a current installation needs a certificate chain from a CA that browsers still trust.

==Where to next==

[[Coral: apache server cert self signed|Self-signed]] Self-signed test certificate details.

[[Coral: apache free server cert|Free server certificate]] How to obtain and install a StartSSL free server certificate.

----

[[Category: Uniform Server 8-Coral]]</div>