Quick Guide: Configuring Apache-SSL
(original location: http://ist.uwaterloo.ca/security/lib-proxy/howto/ssleay/)
Information Systems and Technology
University of Waterloo

15-Sept-1998

The Unix Apache-SSL server can be configured to use the Secure Sockets Layer (SSL) for secure transmission of sensitive information. This paper documents the steps required to configure Apache-SSL using a private key and certificate signed by the UW/IST Certificate Authority (CA). This is a quick guide and intentionally brief. You'll need root access on your Unix server and will follow this plan: obtain and install a site certificate (and its private key), then configure the Apache web server to use them.

These instructions have been tested on Solaris 2.6 using the Apache v1.2.6 server (which includes SSLeay v0.8) distributed using xhier at the University of Waterloo. They should apply to other systems with similar versions of Apache-SSL (including those outside of xhier). The general approach (install a key and certificate, then enable SSL on port 443) carries over to other web servers such as Microsoft IIS, but the directives shown here are specific to Apache-SSL and we have not tested other servers. A companion document, Apache-SSL: Certificates, Configuration and More, goes into more detail, addresses some potential security issues and notes alternate methods of setting up Apache as a secure web server.


Obtaining and Installing a Site Certificate

The SSL protocol uses public key technology and X.509 certificates to verify the identity of one or both participants in a secure communication. The secure web server requires a site certificate and a corresponding private key:
  1. Send mail to ist-ca@ist.uwaterloo.ca and ask for a host certificate. Specify clearly the name of the host you want the certificate for; it must be the exact hostname clients will use in https:// URLs, since browsers compare that name with the one in the certificate. Within a few business days, after it has been verified that you have authority for the host involved, you will receive electronic mail containing the private key and certificate. Because the private key travels by electronic mail, it is only as secret as the mail systems it passes through; if your site can generate its own key pair, generating the key locally and sending the CA only a certificate signing request (CSR) avoids that exposure.

  2. Store the private key in the file httpsd.pem in the Apache-SSL private area. The private area and the private key file should be owned by root and readable only by root (the text after "#" is commentary, not part of the commands):
       cd /software/sslCerts-1/config/certs/private
       chown root httpsd.pem      # you saved the private key here
       chmod 400 httpsd.pem       # readable only by root, writable by no one
       chown root .               # protect the directory
       chmod go-rw .              # group/other can neither list nor write it (chmod 700 . is stricter and also fine)
    

    The private key is a secret, so we can't show you the key used by a production server. If you could see it, it would look something like the sample key: a PEM-encoded private key, that is, base64 text between a BEGIN PRIVATE KEY header line and the matching END line.

  3. Store the certificate in the file httpsd.pem in the SSLeay certificate area. This file should be owned by root but anyone can read it (certificates are public documents):
       cd /software/sslCerts-1/config/certs
       chown root httpsd.pem      # you saved the certificate here
       chmod 444 httpsd.pem       # world-readable, writable by no one
       chown root .               # protect the directory
       chmod 755 .                # anyone may list it, only root may write to it
    

    The certificate is a public document. You can see the certificate for this web server.

Beware: the private key (and any copy of it) is your responsibility: make sure that no one ever sees its contents. After installation, delete the mail message containing the private key (including any copy left in a mail folder or trash). There should be only one copy on your system: the copy filed and protected in the private area. The UW/IST CA will not keep a copy of your private key. If you lose your key and cannot recover it from backup media, a new key and certificate must be created. The same applies if you have reason to believe the key has been disclosed: a certificate is only as trustworthy as the secrecy of its key, so ask the CA for a new pair.
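As an added example (not part of the IST guide), the following Python script checks an installed key and certificate against the rules in steps 2 and 3: ownership, file and directory modes, and that each file holds the kind of PEM block its name promises. The paths follow the guide's xhier layout; the PEM contents it creates for its own demonstration are constructed placeholders, not a real key or certificate, and the expected owner is a parameter so the checks can be exercised as an unprivileged user against a scratch directory.

```python
"""Check an Apache-SSL key/certificate install against the guide's rules.

Added example, not from the IST guide.  Assumes the guide's layout: the
private key and the certificate are both named httpsd.pem, the key in a
root-only "private" subdirectory, the certificate world-readable.
"""
import os
import stat
import tempfile

# Layout from the guide (xhier package sslCerts-1).
CERT_DIR = "/software/sslCerts-1/config/certs"
KEY_DIR = CERT_DIR + "/private"

# Constructed placeholders standing in for the real PEM files.  They are
# not a usable key or certificate, only what the checks below look at.
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"placeholder-body-not-a-real-key\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               b"placeholder-body-not-a-real-certificate\n"
               b"-----END CERTIFICATE-----\n")


def pem_label(path):
    """Label of the first PEM block in the file ('CERTIFICATE',
    'RSA PRIVATE KEY', ...), or None if the file has no PEM header."""
    with open(path, "rb") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
                return line[len(b"-----BEGIN "):-5].decode("ascii", "replace")
    return None


def check_install(cert_dir=CERT_DIR, key_dir=KEY_DIR, owner_uid=0):
    """Compare an installed key/certificate pair with the guide's rules.
    Returns a list of findings; an empty list means everything matches."""
    key_path = os.path.join(key_dir, "httpsd.pem")
    cert_path = os.path.join(cert_dir, "httpsd.pem")
    findings = []
    for what, path in (("private key", key_path), ("certificate", cert_path)):
        if not os.path.isfile(path):
            findings.append("%s: %s is missing" % (what, path))
    if findings:
        return findings

    def mode(path):
        return stat.S_IMODE(os.stat(path).st_mode)

    def owned_by(path, what):
        uid = os.stat(path).st_uid
        if uid != owner_uid:
            findings.append("%s: owned by uid %d, expected %d" % (what, uid, owner_uid))

    # Private key: chown root, chmod 400 -- nothing for group/other, and
    # the file really is a private key rather than, say, the certificate.
    owned_by(key_path, "private key")
    if mode(key_path) & 0o077:
        findings.append("private key: mode %o grants group/other access" % mode(key_path))
    label = pem_label(key_path)
    if label is None or "PRIVATE KEY" not in label:
        findings.append("private key: not a PEM private key (%r)" % label)

    # Private directory: chown root, chmod go-rw -- group/other may
    # neither list nor write it (a traverse-only bit is tolerated).
    owned_by(key_dir, "private directory")
    if mode(key_dir) & 0o066:
        findings.append("private directory: mode %o lets group/other list or write" % mode(key_dir))

    # Certificate: chown root, chmod 444 -- public, but writable by no one.
    owned_by(cert_path, "certificate")
    if mode(cert_path) & 0o022:
        findings.append("certificate: mode %o is writable by group/other" % mode(cert_path))
    if pem_label(cert_path) != "CERTIFICATE":
        findings.append("certificate: not a PEM certificate (%r)" % pem_label(cert_path))
    return findings


def build_sample_tree(base):
    """Create the guide's layout under base with the placeholder files and
    the permissions the guide prescribes; returns (cert_dir, key_dir)."""
    cert_dir = os.path.join(base, "certs")
    key_dir = os.path.join(cert_dir, "private")
    os.makedirs(key_dir)
    with open(os.path.join(cert_dir, "httpsd.pem"), "wb") as fh:
        fh.write(SAMPLE_CERT)
    with open(os.path.join(key_dir, "httpsd.pem"), "wb") as fh:
        fh.write(SAMPLE_KEY)
    os.chmod(os.path.join(cert_dir, "httpsd.pem"), 0o444)
    os.chmod(os.path.join(key_dir, "httpsd.pem"), 0o400)
    os.chmod(cert_dir, 0o755)
    os.chmod(key_dir, 0o700)   # stricter than "chmod go-rw ."; passes the same check
    return cert_dir, key_dir


if __name__ == "__main__":
    # Demonstration against a scratch tree owned by the current user.
    with tempfile.TemporaryDirectory() as tmp:
        cert_dir, key_dir = build_sample_tree(tmp)
        print(check_install(cert_dir, key_dir, owner_uid=os.getuid()) or "install matches the guide")
        os.chmod(os.path.join(key_dir, "httpsd.pem"), 0o644)   # simulate a mistake
        for finding in check_install(cert_dir, key_dir, owner_uid=os.getuid()):
            print("finding:", finding)
```

On the production server run it with the defaults (owner_uid=0) as root; any finding means one of the chown/chmod steps above was skipped or the two files were saved the wrong way round.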


Configuring the Apache Web Server

To enable SSL, after installing your key and certificate, the following changes must be made to Apache's httpd.conf configuration file (in the config directory of the wwwapache_server package). These instructions define a virtual host with SSL enabled that uses the same document root as the main web server.
  1. Add Listen directives so the web server will listen for normal HTTP requests on port 80 and HTTPS secure requests on port 443:
       Listen 80
       Listen 443
    
  2. Ensure SSL is turned off in the main server; the HTTP service on port 80 should not use SSL. The directive
       SSLDisable
    
    should already be present outside of any VirtualHost stanzas.

  3. Use a VirtualHost directive to add a secure web space to the server. The secure document space should use directives similar to these, most of which should be present but commented out in either your httpd.conf or the sample configuration file (data/httpd.conf.default) in the wwwapache_server package:
    <VirtualHost your-site.uwaterloo.ca:443>
    # use SSL with default configuration
    SSLEnable
    SSLCertificateFile /software/sslCerts-1/config/certs/httpsd.pem
    SSLCertificateKeyFile /software/sslCerts-1/config/certs/private/httpsd.pem
    SSLVerifyClient 0
    SSLVerifyDepth 10
    SSLLogFile /software/wwwapache_server/logs/SSL_log
    SSLRequiredCiphers NULL-MD5:RC4-MD5:EXP-RC4-MD5:RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:DES-CBC3-MD5:DES-CBC3-SHA:DES-CFB-M1
    SSLRequireCipher   NULL-MD5 RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 IDEA-CBC-MD5 DES-CBC-MD5 DES-CBC-SHA DES-CBC3-MD5 DES-CBC3-SHA DES-CFB-M1
    SSLBanCipher NULL
    </VirtualHost>
    

    The virtual host your-site.uwaterloo.ca must be the same name as given in your certificate. Browsers may not trust systems which present certificates that don't belong to them, even if the name is a hostname alias. Note also that the cipher lists above are copied from a 1998 production configuration: NULL-MD5 performs no encryption at all and EXP-RC4-MD5 is a 40-bit export suite, so neither protects sensitive information. Remove them from SSLRequiredCiphers and SSLRequireCipher rather than relying on SSLBanCipher, whose argument NULL is not one of the cipher names in those lists (the null-encryption suite is named NULL-MD5).

    This server implements SSL: you may see the httpd.conf file we use. Feel free to cut and paste the sections you need to configure your server.

  4. Start or restart the web server (the maintenance command httpd.reload will perform this function). Use a web browser to verify that normal documents may be read using a URL of the form http://your-site/* and secure documents may be accessed using a URL of the form https://your-site/*.

Note: If you have not configured your web browser to accept certificates signed by the UW/IST Certificate Authority, your browser will display information about the server certificate and prompt you to accept it (and use the secure web space) when you connect to your web server using https://your-site. Before accepting, compare the host name and issuer shown with the certificate you installed in step 3, so that you are not accepting a certificate presented by some other system.
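The following script is an added example (not from the IST guide or from Apache-SSL) that parses a VirtualHost stanza in the syntax shown in step 3 and reports the points a reviewer would raise: suites that encrypt with nothing or with 40-bit export keys, a virtual host not on port 443, a missing SSLEnable, and SSLBanCipher or SSLRequireCipher entries that name no cipher in SSLRequiredCiphers. The sample stanza inside it is constructed from the one in step 3. That Apache-SSL compares the negotiated cipher's name against these lists, so that an entry matching no name is inert, is an assumption about the directives as documented, not something the guide states.

```python
"""Audit the SSL directives of an Apache-SSL <VirtualHost> stanza.

Added example, not part of the IST guide or of Apache-SSL.  Assumes the
directive syntax shown in the guide and that SSLRequireCipher /
SSLBanCipher match the negotiated cipher by its SSLeay name.
"""
import re

# Constructed sample: the guide's stanza with its line breaks repaired.
SAMPLE_STANZA = """\
<VirtualHost your-site.uwaterloo.ca:443>
# use SSL with default configuration
SSLEnable
SSLCertificateFile /software/sslCerts-1/config/certs/httpsd.pem
SSLCertificateKeyFile /software/sslCerts-1/config/certs/private/httpsd.pem
SSLVerifyClient 0
SSLVerifyDepth 10
SSLLogFile /software/wwwapache_server/logs/SSL_log
SSLRequiredCiphers NULL-MD5:RC4-MD5:EXP-RC4-MD5:RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:DES-CBC3-MD5:DES-CBC3-SHA:DES-CFB-M1
SSLRequireCipher   NULL-MD5 RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 IDEA-CBC-MD5 DES-CBC-MD5 DES-CBC-SHA DES-CBC3-MD5 DES-CBC3-SHA DES-CFB-M1
SSLBanCipher NULL
</VirtualHost>
"""


def parse_directives(stanza):
    """Map directive name -> list of argument strings, skipping comments,
    blank lines and the <VirtualHost> open/close tags."""
    directives = {}
    for line in stanza.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].split() if len(parts) > 1 else []
    return directives


def weak_ciphers(names):
    """Suites that give no confidentiality even by 1998 standards: null
    encryption (NULL-*) and the 40-bit export suites (EXP-* in SSLeay
    naming).  The remaining 1998 suites are obsolete today as well, but
    they are not what this guide-era check is about."""
    return [n for n in names if n.startswith("NULL-") or n.startswith("EXP-")]


def hardened_cipher_list(offered):
    """The same SSLRequiredCiphers list with the weak suites stripped."""
    weak = set(weak_ciphers(offered))
    return ":".join(c for c in offered if c not in weak)


def audit(stanza):
    """Findings for one <VirtualHost> stanza; empty list when nothing is wrong."""
    d = parse_directives(stanza)
    findings = []
    m = re.search(r"<VirtualHost\s+([^\s>]+)", stanza)
    port = m.group(1).rpartition(":")[2] if m else ""
    if port != "443":
        findings.append("VirtualHost is on port %r, not 443, where browsers expect https" % port)
    if "SSLEnable" not in d:
        findings.append("SSLEnable is missing: the main server's SSLDisable still applies")
    offered = [c for c in (d.get("SSLRequiredCiphers") or [""])[0].split(":") if c]
    for c in weak_ciphers(offered):
        findings.append("SSLRequiredCiphers offers %s, which provides no or export-grade encryption; remove it" % c)
    # A ban or require entry that is not a name in the offered list can
    # never match the negotiated cipher, so it is a no-op (assumption: the
    # directives match by exact cipher name, as documented).
    for directive in ("SSLRequireCipher", "SSLBanCipher"):
        for name in d.get(directive, []):
            if name not in offered:
                findings.append("%s %s matches no cipher name in SSLRequiredCiphers, so it has no effect" % (directive, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STANZA):
        print("finding:", finding)
    offered = parse_directives(SAMPLE_STANZA)["SSLRequiredCiphers"][0].split(":")
    print("SSLRequiredCiphers", hardened_cipher_list(offered))
```

Run against the guide's stanza it reports NULL-MD5, EXP-RC4-MD5 and the inert SSLBanCipher NULL, and prints the trimmed SSLRequiredCiphers line to paste back; SSLRequireCipher should then be edited to list the same names, space-separated.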


See Also

For more information about SSLeay and Apache:


15-Sep-1998; by Dawn Whiteside