SSL Part 1: mod ssl Install

Revision as of 17:37, 9 June 2008 by Ric

Introduction

This page details how to set up mod_ssl and OpenSSL on Uniform Server 3.5-Apollo. It assumes you are using a fresh install of Uniform Server.

What is mod_ssl?

The Apache module mod_ssl provides an interface to OpenSSL. Uniform Server uses the standard Apache binaries for Windows, which do not have mod_ssl enabled by default.

In the past the Apache project considered Windows an insecure platform and actively discouraged the use of mod_ssl on it. If you wanted a secure server using mod_ssl you had to recompile the binaries yourself with OpenSSL support enabled.

Alternatively you could find someone who supplied a set of pre-compiled binaries, such as Hunter, and overlay them on Uniform Server. Those dark days have gone. The binary version I am using is apache_2.0.59-win32-x86-openssl-0.9.7j.msi

The content installed from the above package is relatively large, so to retain Uniform Server's small footprint I have included only the files that are relevant. A number of other files are also required to produce a complete working secure server; I have included these too.

OpenSSL provides tools for generating a server key and certificate. You can use these tools directly; however, I have provided batch files that drive them, so there is no need to work through the command-line options yourself.

Where to get it

I have created a complete working demo and packaged all the files into a self-extracting archive.

  • Download file: uc_mod_ssl_1.exe
  • Save to folder: Uniform Server.
  • Check the MD5: 74231027954fe2d2b9b03cd0fef064d0

Note: the MD5 only tells you the download was not corrupted or truncated in transit. MD5 is no longer collision resistant, and the checksum is published on the same page as the file, so it is not proof that the archive is authentic.

Extract the files

To extract double click on uc_mod_ssl_1.exe

This runs the 7-Zip self-extracting archive. There is no need to change the path; allow it to overwrite existing files.

On completion it creates new folders and updates files. For reference I have listed these:

New folder and files

*\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen

File Comment
howto generate.txt Instructions on how to create the server key and certificate
mpg1.bat Create a private key and a CSR (Certificate Signing Request)
mpg2.bat Remove the passphrase from the key file
mpg3.bat Create a self-signed certificate (personal server use only)
libeay32.dll OpenSSL library
ssleay32.dll OpenSSL library
openssl.cnf OpenSSL configuration file
openssl.exe OpenSSL executable used by mpg1.bat, mpg2.bat and mpg3.bat
clean.bat Deletes the next five files before a new key and certificate are created
.rnd Intermediate file
server.pem Intermediate file
server.csr Intermediate file
server.crt New certificate; copy to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt
server.key New key; copy to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key
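The batch file below is an added example, not the page's own mpg1.bat, mpg2.bat or mpg3.bat (their exact contents are not reproduced here). It shows the three OpenSSL steps those files perform, key plus CSR, passphrase removal and self-signing, run in sequence with the openssl.exe and openssl.cnf from the key_cert_gen folder, then checks that the key and certificate match before copying them into the Apache tree. The hostname, the -subj fields, the key size, the validity period and the temporary passphrase are assumed values to be changed for your site.

```batch
@echo off
rem Added example: the key/CSR, passphrase-removal and self-signing steps that
rem mpg1.bat, mpg2.bat and mpg3.bat perform, collected in one script.
rem Run from the key_cert_gen folder so openssl.exe and openssl.cnf are found.
rem HOSTNAME, the -subj fields, KEYBITS, DAYS and the temporary passphrase are
rem assumed values; change them to suit your site.
setlocal
cd /d "%~dp0"
set OPENSSL_CONF=%~dp0openssl.cnf
set HOSTNAME=localhost
set KEYBITS=2048
set DAYS=365
set TMPPASS=pass:temporary

rem Start clean, as clean.bat does, so stale files cannot be picked up.
del /q .rnd server.pem server.csr server.crt server.key 2>nul

rem Step 1 (mpg1.bat): passphrase-protected RSA private key and a CSR.
rem The CN must be the name browsers will use; any other name produces the
rem "Domain Name Mismatch" warning. 2048 bits is the minimum worth using now.
openssl genrsa -des3 -passout %TMPPASS% -out server.pem %KEYBITS%
if errorlevel 1 goto fail
openssl req -new -config openssl.cnf -key server.pem -passin %TMPPASS% -out server.csr -subj "/C=GB/O=Uniform Server test/CN=%HOSTNAME%"
if errorlevel 1 goto fail

rem Step 2 (mpg2.bat): strip the passphrase so Apache can start unattended.
rem server.key is now plaintext: keep it out of any web root and restrict its
rem file permissions to the account Apache runs as.
openssl rsa -in server.pem -passin %TMPPASS% -out server.key
if errorlevel 1 goto fail

rem Step 3 (mpg3.bat): self-sign the CSR. Adequate for a private test server
rem only; for a public site send server.csr to a CA and install its certificate.
openssl x509 -req -days %DAYS% -in server.csr -signkey server.key -out server.crt
if errorlevel 1 goto fail

rem Check: key and certificate must share a modulus, otherwise mod_ssl will
rem refuse to start with the pair.
openssl rsa -noout -modulus -in server.key > key.mod
openssl x509 -noout -modulus -in server.crt > crt.mod
fc key.mod crt.mod > nul
if errorlevel 1 (
  echo server.key and server.crt do not match
  goto fail
)
del /q key.mod crt.mod

rem Show what the browser will see, for comparison during the quick test.
openssl x509 -noout -subject -dates -fingerprint -sha1 -in server.crt

rem Install into the Apache tree. The path is relative to key_cert_gen
rem (six levels up to udrive). Restart Apache afterwards.
set CONF=..\..\..\..\..\..\usr\local\apache2\conf
copy /y server.crt "%CONF%\ssl.crt\server.crt"
copy /y server.key "%CONF%\ssl.key\server.key"
echo Done.
goto :eof

:fail
echo Key/certificate generation failed; nothing was installed.
exit /b 1
```

The passphrase is only ever on the intermediate server.pem; removing it is what lets Apache start without a prompt, and the price is that server.key is readable by anyone who can read the file, which is why the copy goes to conf\ssl.key and never under www.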

New folder and files

File Folder
.htpasswd *\Uniform Server\udrive\htpasswd\modsslpass
server.crt *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt
server.key *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key
ssl.conf *\Uniform Server\udrive\usr\local\apache2\conf

Test sites

File Folder
default_secure_index.html installed in *\Uniform Server\udrive\www\default_secure as index.html
default_unsecure_index.html installed in *\Uniform Server\udrive\www\default_unsecure as index.html
favicon.ico Copy to all site root folders in test sites
index.html *\Uniform Server\udrive\www\site1
index.html *\Uniform Server\udrive\www\site2
index.html *\Uniform Server\udrive\www\site3

Content of folder *\Uniform Server\udrive\usr\local\apache2\bin replaced with:

Apache.exe htdigest.exe htpasswd.exe
libapr.dll libapriconv.dll libaprutil.dll
libeay32.dll libhttpd.dll logresolve.exe
rotatelogs.exe ssleay32.dll wintty.exe

Note: To save space you can now delete the file uc_mod_ssl_1.exe; it is no longer required.


Installation

Once the files have been extracted, installation is complete; there is nothing special to do other than perform a quick test.

Quick Test

A test server key and certificate have been installed; these allow the server to be tested immediately. Follow these four steps:

  1. Start the servers using Server_Start.bat and, if prompted, allow them through your security software
  2. Type http://localhost into your browser. Result: a page is displayed with the message: This is the unsecured default page
  3. Type https://localhost into your browser.
    When challenged "Accept this certificate temporarily for this session" click OK
    You will receive another challenge "Domain Name Mismatch" click OK
    Result: Authentication challenge
  4. Authentication Required: type the test credentials shown in bold. User name: name Password: password
    Result: Padlock closed and site 3 displayed.


Note: If it fails, make sure your firewall and/or router is not blocking port 443. The two browser challenges are expected with the test certificate: it is self-signed and its name does not match localhost.
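As an added check (not part of the original quick test), the same verification from the command line, using the openssl.exe in key_cert_gen. It first confirms that something is actually listening on port 443, so a bind failure in Apache is not mistaken for a firewall problem, then performs a full TLS handshake and prints the certificate the server presented. HOST and PORT are assumed values.

```batch
@echo off
rem Added example: command-line version of the quick test. Run from the
rem key_cert_gen folder so openssl.exe is found. HOST and PORT are assumed.
setlocal
cd /d "%~dp0"
set HOST=localhost
set PORT=443

rem Is anything listening on the port at all? If not, the firewall is not the
rem problem: Apache did not bind it (check ssl.conf and the Apache error log).
netstat -an | findstr /c:":%PORT% " | findstr LISTENING > nul
if errorlevel 1 (
  echo Nothing is listening on port %PORT%
  exit /b 1
)

rem Full TLS handshake. "< nul" sends EOF so s_client exits after connecting.
rem With the shipped test certificate expect "Verify return code: 18
rem (self signed certificate)"; that is the certificate the browser warns about.
openssl s_client -connect %HOST%:%PORT% -showcerts < nul > handshake.txt 2>&1
findstr /c:"Verify return code" handshake.txt

rem x509 reads the first PEM block in the file, i.e. the server certificate.
rem Its subject CN is what must match the name in the browser's address bar,
rem and its fingerprint should equal that of the server.crt you installed
rem (compare with: openssl x509 -noout -fingerprint -in server.crt).
openssl x509 -noout -subject -issuer -dates -fingerprint -in handshake.txt
del /q handshake.txt
```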


Summary

At this stage you have a working server template with test sites. This template requires modification, not only to meet your site requirements but also to secure it with a new server key and certificate: the test key ships inside the archive, so anyone who downloads it holds that private key, and it must not be used for anything beyond this test.

The remainder of this write-up deals with the various areas you may wish to change. It is difficult to be specific, which is the reason for including the test web sites.

The next page looks at the Apache configuration file httpd.conf.



  Ric