Using OpenSSL for Encrypted Connections

By default, the Apache web server sends all its traffic unencrypted. Therefore, if someone is listening with a sniffer and you send sensitive information, they could capture and read that information. To protect against this, you can use SSL encryption. In Chapter 21 you can read all about this encryption technique; therefore, in this chapter I won't go through the entire process of creating certificates and signing them. I'll just discuss how to create a test certificate and use that with the Apache web server. The resulting communication is as follows:

1. The user connects to a web address where the URL starts with https:// and connects to the default SSL port of the web server, which is port 443.

2. The web browser requests the server for its public key, and the web server sends it.

3. The browser verifies the public key certificate with the public key of the certificate authority that has signed the certificate.

4. If the key is valid, the browser and server will exchange a session key for symmetric encryption that they will use for secure communications.

To create a self-signed key, read Chapter 21 for the detailed procedure, or follow these steps:

1. Use the command cat /dev/random > /tmp/random to create a file containing random numbers. Interrupt the creation of this file after a few seconds by using the Ctrl+C key sequence.

2. Next, enter the command openssl genrsa -des3 -out webserver.key -rand /tmp/ random 1024.

3. Now make a self-signed certificate out of it by using the command openssl req -new -x509 -key webserver.key -out webserver.cert. Nowyou are prompted for a passphrase and all the locality information for your key. If you don't want to enter a passphrase when the private key is used (such as when starting the web server), consider creating the public/private key pair without a passphrase.

4. Now copy the two keys to their right location; both have to go to the directory /etc/apache2, where the other configuration files are. The private key must be copied to the subdirectory /etc/apache2/ssl.key, and the public key needs to be in /etc/apache2/ssl.crt.

Now that the key pair is in place (or if you already have a key pair), you need to tell Apache how to use it. First, you need to open /etc/sysconfig/apache2, which contains generic start-up options for Apache. If the private key you have created is passphrase protected, locate the variable APACHE_START_TIMEOUT and give it a value such as 5. This extends the start-up time for Apache and gives you some time to enter the passphrase. Next make the following setting in the same configuration file: APACHE_SERVER_FLAGS="SSL". This tells Apache to listen on port 443 as well as 80, and it creates some extra directives that are needed for complete SSL support.

Now that everything is in place, you need to tell Apache to use both keys. Do this by adding the code in Listing 22-9 to the /etc/apache2/default-server.conf file.

Listing 22-9. Make Sure Apache Listens for SSL Connections

SSLEngine on SSLCipherSuite

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl.crt/webserver.crt SSLCertificateFile /etc/apache2/ssl.key/webserver.key

Of these lines, the line SSLEngine on makes sure Apache is using SSL. Next, the two lines SSLCipherSuite and ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLmake sure the proper encryption method is used. The lines in the example are the default setting for the Apache web server; don't change them unless you know exactly what you are doing. The final two lines of the example tell Apache where it can find its key files. Make sure the locations mentioned match the directories to where you have copied the files.

Everything is now in place to use SSL encryption when communicating with the Apache web server. Restart the web server using rcapache2 restart; from now on, it will listen on port 443 as well.

Though the previous example will work, it is not the best solution for making your web server secure because, in this example, users can choose for themselves how they want to connect. The server is reachable over port 80 and port 443. Ordinarily, on a web server, only some content needs to be offered encrypted, whereas other content doesn't need encryption. You can do this by adding the option SSLRequireSSL in the directive for the directory you want to protect.

As an alternative, you can also tell the entire web server that it should listen to a secure port only. To do this, edit /etc/apache2/listen.conf. By default, this file looks like the example in Listing 22-10.

Listing 22-10. Setting of the Default Port Configuration in listen.conf Listen 80

<IfDefine SSL>

<IfDefine !NoSSL>

<IfModule mod_ssl.c>

Listen 443

</IfModule> </IfDefine> </IfDefine>

This code is not hard to understand. By default, Apache listens on port 80. If the SSL settings are in default-server.conf or in the configuration of a virtual host, it will listen to connections coming in on port 443 as well. Disabling port 80 is not hard to do; just put a comment sign in front of it, and it won't be offered any longer.

An alternative to offering SSL on a complete server is to offer it for one or more virtual hosts only. If you want to do that, make sure the SSL port is specified as an argument in the definition of the virtual host. The line to do this would look like this: <VirtualHost myvirtualhost:443>.

Was this article helpful?

0 0

Post a comment