Mar 07 2013

Article Apache

A web site for e-commerce, or any other kind of service that receives confidential information from users, must protect the transmission of that information. But the HTTP protocol is not secure for this type of use.

The most common way to improve the security of a site is to configure the web server to establish SSL connections with the browsers. HTTP data interchanged between clients and server through this kind of connection is sent encrypted. The combination HTTP+SSL is known as HTTPS (Secure HTTP).

This post details the steps to follow to configure the https protocol on an apache web server on a Linux system.

Pre-requisites

It is assumed that the system where this procedure is going to be applied already has a working apache installation, with the mod_ssl module enabled. The openssl package must also be installed in the system.

If these pre-requisites are not met, information about the required elements can be found at:

 

Introduction to SSL

SSL uses an asymmetric cryptography technique, commonly known as PKI (Public Key Cryptography).

In SSL, two keys are generated, one public and one private. Any information encrypted with one of those keys can only be decrypted using the other key. The server uses the private key to encrypt the data to be sent, and makes the public key available to the browser, which uses it to decrypt the data received.

But a certificate signed by a CA (Certificate Authority) is also required to avoid impersonation attacks by hackers.

In summary, the HTTPS implementation process involves:

  • Generating the public and private keys.
  • Generating a CSR (Certificate Signing Request) and sending it to a Certificate Authority.
  • Installing in the web server the keys, and the signed certificate received from the CA.

Generating the private key

The “openssl” command is used to generate the keys and the CSR.

First, we create an RSA private key. This is a Triple-DES encrypted 1024 bit key stored in PEM format, so that it is easy to manage in a text editor. The command can be given as input a set of files with random content. These files act as a “seed” to produce a safer key. Files compressed in gzip format are a good choice for this purpose.

The command to generate the key is:

$ openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024

The command asks for a “pass-phrase”, and saves the key in a file “server.key”. The pass-phrase must be stored in a safe place, and not forgotten.

Removing the encryption of the private key

Using a key protected with a pass-phrase has a drawback: Every time the apache server is restarted, it asks for the pass-phrase. To avoid this inconvenience, we can remove the Triple-DES encryption from the key. If we do so, we must ensure that only the root user has reading permissions on the file holding the private key.

The command to remove the encryption from the private key is:

Generating the CSR

The next step is generating a Certificate Signing Request (CSR). The request will then be sent to a Certificate Authority such as Thawte or Verisign. The CA will verify the identity of the requestor and will return a signed certificate.

It is also possible to self-sign the CSR. The https encryption will work with a self-signed certificate, but the browser will display a warning every time the user accesses the web site.

The command to generate the CSR is:

In the process of generating the CSR, a series of fields are requested, the “Common Name” among them. The value of this Common Name must be the domain name of the web server (for instance, “www.example.com”).

Below is a sample output of a CSR generation session:

 

Generating a self-signed certificate

For testing purposes, or if there is no plan to use a Certificate Authority, a self-signed certificate can be generated. The following command generates a self-signed certificate valid for 60 days:

 

Installing the private key and the certificate

To install the private key and the certificate, the files “server.pem” and “server.crt” previously obtained must be copied to a subdirectory named “ssl” under the apache configuration directory (usually “/etc/apache2” on a Debian server). The directory “ssl” must be created if it does not exist.

Then the SSL directives are added to the apache configuration file. For instance, if our server is configured in a VirtualHost “www.domain.com”:

As we can see, the configuration specifies port 443, which is the default https port.

Due to the nature of the SSL encryption, only one SSL VirtualHost can be defined for each available IP address. To configure a VirtualHost for a given address, just replace “_default_” with the desired IP address.

This is different from the non-secure HTTP protocol, where it is possible to define several name-based Virtual Hosts (HTTP 1.1) for the same IP address.

With the new configuration in place, after the web server is restarted, it is possible to access the site using “https://” instead of “http://”.
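The whole procedure above, from the encrypted key to the VirtualHost snippet, as one added example script that is not part of the original post. It wraps each step in a shell function and adds the checks worth running before copying the files into /etc/apache2/ssl: that server.pem really has no passphrase left, that the certificate and key share the same modulus, that the Common Name came out as requested, and that the validity window is the 60 days asked for. Assumptions not taken from the post: a 2048-bit key instead of 1024 bits, a scratch directory under /tmp, the openssl -subj option to fill the CSR fields non-interactively, and a constructed passphrase and host name (www.example.com).

```shell
#!/bin/sh
# Added example, not from the original post: the post's key / CSR / certificate
# steps as shell functions plus the checks to run before installing the files.
# Assumptions (not from the post): 2048-bit key, scratch dir under /tmp,
# -subj for a non-interactive CSR, constructed passphrase and Common Name.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d /tmp/ssl-demo.XXXXXX)}"
SERVER_CN="${SERVER_CN:-www.example.com}"   # constructed Common Name
PASS="demo-passphrase"                      # constructed; only protects server.key

# Step 1: Triple-DES encrypted RSA private key in PEM format (the post's server.key).
gen_encrypted_key() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
}

# Step 2: same key without the passphrase so apache can restart unattended;
# the file is left readable by its owner only.
strip_passphrase() {
    openssl rsa -in "$WORK/server.key" -passin "pass:$PASS" -out "$WORK/server.pem" 2>/dev/null
    chmod 0400 "$WORK/server.pem"
}

# Step 3: the CSR; the Common Name must be the DNS name browsers will use.
gen_csr() {
    openssl req -new -key "$WORK/server.pem" -out "$WORK/server.csr" \
        -subj "/C=ES/O=Example Org/CN=$SERVER_CN" 2>/dev/null
}

# Step 4: self-sign the CSR for 60 days (a CA would perform this step instead).
self_sign() {
    openssl x509 -req -days 60 -in "$WORK/server.csr" \
        -signkey "$WORK/server.pem" -out "$WORK/server.crt" 2>/dev/null
}

# Step 5: the VirtualHost block to add to the apache configuration, pointing at
# the paths under /etc/apache2/ssl where the post copies the two files.
write_vhost_conf() {
    cat > "$WORK/ssl.conf" <<EOF
<VirtualHost _default_:443>
    ServerName $SERVER_CN
    DocumentRoot /var/www/$SERVER_CN
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.pem
</VirtualHost>
EOF
}

# --- checks before installing ---------------------------------------------

# server.pem must carry no encryption header, or apache will prompt again.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$WORK/server.pem"
}

# The certificate must belong to the key: compare the RSA moduli of both.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$WORK/server.pem" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORK/server.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

# Common Name as recorded in the certificate (handles old "/CN=" and new "CN = " subject styles).
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/server.crt" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Validity is about 60 days: still valid 59 days from now, expired 61 days from now.
cert_valid_about_60_days() {
    openssl x509 -noout -checkend $((59 * 86400)) -in "$WORK/server.crt" >/dev/null &&
    ! openssl x509 -noout -checkend $((61 * 86400)) -in "$WORK/server.crt" >/dev/null
}

run_all() {
    gen_encrypted_key
    strip_passphrase
    gen_csr
    self_sign
    write_vhost_conf
    key_is_unencrypted       || { echo "server.pem is still encrypted" >&2; return 1; }
    key_matches_cert         || { echo "server.crt does not match server.pem" >&2; return 1; }
    cert_valid_about_60_days || { echo "unexpected validity period" >&2; return 1; }
    echo "OK: CN=$(cert_cn), files written to $WORK"
}

run_all
```

The modulus comparison is the check that catches the most common installation mistake, pointing SSLCertificateFile and SSLCertificateKeyFile at files that do not belong together; apache refuses to start in that case, and the check tells you before the restart. The 0400 mode on server.pem is what the post means by letting only the owner read the unencrypted key.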

If we are using a self-signed certificate, the browser will display a warning. For instance, in Firefox:

[Image: ssl-warning]

Clicking on “I Understand the Risks”, the page will be loaded. And that’s all!

Posted at 8:19 pm
