Web Security: Apache and mod_ssl

by Paul Weinstein

First published: June 2001 for Daemon News.
Republished in the July 6th edition of Apache Week

As we covered in our last article, SSL/TLS (Secure Sockets Layer/Transport Layer Security) are the protocols used to add encryption and authentication to TCP/IP connections and, through them, to HTTP. The next step is adding SSL/TLS support to an installed web server so that it can actually take advantage of those protocols. In this article we'll cover the most popular open source method: adding mod_ssl to Apache.

The mod_ssl module takes advantage of Apache's modular design to interface Apache with the open source SSL/TLS and general-purpose cryptography toolkit, OpenSSL. This is currently the most popular method for adding SSL/TLS support to Apache, with roughly 12% of all Apache installations running mod_ssl. The module integrates fully into Apache 1.3.x using the Extended API (EAPI), a set of hooks that mod_ssl's installer patches into the Apache 1.3 source tree, since stock Apache 1.3 gives a module no way to wrap the socket layer. Once built it can be loaded as a Dynamic Shared Object (DSO), which conserves memory while the module is inactive. Commercial implementations of secured Apache such as Covalent's Raven solution or Red Hat's Secure Web Server and Stronghold also rely on mod_ssl and OpenSSL.

Some of the features that mod_ssl brings to Apache via OpenSSL include, but are not limited to:

  • Support for SSL v2 and v3

  • Support for TLS v1

  • Advanced pass-phrase handling for private keys

  • X.509 based client & server authentication

  • X.509 Certificate Revocation List (CRL) support

  • Support for Hardware Crypto Devices

  • Support for RSA and DSA/DH ciphers

  • Boolean-expression based access control

  • Backward compatibility to other SSL Solutions (Apache-SSL, Stronghold, etc.)

  • Inter-process SSL Session Cache

  • Powerful dedicated SSL engine logging facility

  • Assistance in X.509 certificate generation

The following general method will build and add mod_ssl to Apache. These steps, shown on a FreeBSD 4.2-STABLE machine, will of course vary depending on what OS you are using and how it is configured.

First, grab the latest source trees via your favorite method. As of this writing the current versions are:

  • Apache v1.3.19

  • mod_ssl v2.8.2

  • OpenSSL v0.9.6a

Note that the mod_ssl tarball is tied to a specific Apache release (2.8.2-1.3.19 goes with Apache 1.3.19); its configure step patches the EAPI hooks into the Apache source tree and copies the module in, and Apache's own configure then builds it. With the three source trees unpacked side by side, you can proceed to:

	gunzip openssl-0.9.6a.tar.gz
	tar xf openssl-0.9.6a.tar
	cd openssl-0.9.6a

	su

	./config --prefix=/usr/local/openssl-0.9.6a
	make
	make test
	make install

	cd ..
	gunzip apache_1.3.19.tar.gz
	tar xf apache_1.3.19.tar
	gunzip mod_ssl-2.8.2-1.3.19.tar.gz
	tar xf mod_ssl-2.8.2-1.3.19.tar
	cd mod_ssl-2.8.2-1.3.19

	./configure --with-apache=../apache_1.3.19 \
		--with-ssl=/usr/local/openssl-0.9.6a \
		--prefix=/usr/local/apache-1.3.19-ssl
	cd ../apache_1.3.19
	SSL_BASE=/usr/local/openssl-0.9.6a ./configure \
		--prefix=/usr/local/apache-1.3.19-ssl \
		--enable-module=ssl
	make
	make certificate
	SSL Certificate Generation Utility (mkcert.sh)
	Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

	Generating test certificate signed by Snake Oil CA [TEST]
	WARNING: Do not use this for real-life/production systems
	______________________________________________________________________

	STEP 0: Decide the signature algorithm used for certificate
	The generated X.509 CA certificate can contain either
	RSA or DSA based ingredients. Select the one you want to use.
	Signature Algorithm ((R)SA or (D)SA) [R]:
	______________________________________________________________________
	
	STEP 1: Generating RSA private key (1024 bit) [server.key]
	2273813 semi-random bytes loaded
	Generating RSA private key, 1024 bit long modulus
	...........................++++++
	...........++++++
	e is 65537 (0x10001)
	______________________________________________________________________
	
	STEP 2: Generating X.509 certificate signing request [server.csr]
	Using configuration from .mkcert.cfg
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	1. Country Name             (2 letter code) [XY]:US
	2. State or Province Name   (full name)     [Snake Desert]:California
	3. Locality Name            (eg, city)      [Snake Town]:Oakland
	4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Weinstein.org
	5. Organizational Unit Name (eg, section)   [Webserver Team]:
	6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:www.weinstein.org
	7. Email Address            (eg, name@FQDN) [www@snakeoil.dom]:pdw@weinstein.org
	8. Certificate Validity     (days)          [365]:
	______________________________________________________________________
	
	STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
	Certificate Version (1 or 3) [3]:
	Signature ok
	subject=/C=US/ST=California/L=Oakland/O=Weinstein.org/OU=Webserver \
		Team/CN=www.weinstein.org/Email=pdw@weinstein.org
	Getting CA Private Key
	Verify: matching certificate & key modulus
	read RSA key
	Verify: matching certificate signature
	../conf/ssl.crt/server.crt: OK
	______________________________________________________________________
	
	STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
	The contents of the server.key file (the generated private key) has to be
	kept secret. So we strongly recommend you to encrypt the server.key file
	with a Triple-DES cipher and a Pass Phrase.
	Encrypt the private key now? [Y/n]: n
	Warning, you're using an unencrypted RSA private key.
	Please notice this fact and do this on your own risk.
	______________________________________________________________________
	
	RESULT: Server Certification Files

	o  conf/ssl.key/server.key
	   The PEM-encoded RSA private key file which you configure
	   with the 'SSLCertificateKeyFile' directive (automatically done
	   when you install via APACI). KEEP THIS FILE PRIVATE!

	o  conf/ssl.crt/server.crt
	   The PEM-encoded X.509 certificate file which you configure
	   with the 'SSLCertificateFile' directive (automatically done
	   when you install via APACI).

	o  conf/ssl.csr/server.csr
	   The PEM-encoded X.509 certificate signing request file which
	   you can send to an official Certificate Authority (CA) in order
	   to request a real server certificate (signed by this CA instead
	   of our demonstration-only Snake Oil CA) which later can replace
	   the conf/ssl.crt/server.crt file.

	WARNING: Do not use this for real-life/production systems

Once the test certificate has been generated, install everything under the prefix chosen above:

	make install

To test your setup, start the server with the SSL parts of its configuration enabled:

	/usr/local/apache-1.3.19-ssl/bin/httpd -DSSL

(apachectl startssl does the same), then load your favorite SSL-enabled web browser and point it to https://localhost/. Expect the browser to complain: the test certificate is signed by the demonstration-only Snake Oil CA, which no browser trusts, and its Common Name (www.weinstein.org in the session above) does not match localhost. Both warnings go away only with a certificate from a trusted CA issued for the host name you actually serve.

If we take a look at the Apache configuration file at /usr/local/apache-1.3.19-ssl/conf/httpd.conf we can see the basic SSL setup. The stock file wraps the SSL-specific parts in <IfDefine SSL> sections, which is why the server above was started with -DSSL:

	Port 80

	<IfDefine SSL>
	Listen 80
	Listen 443
	</IfDefine>

Note that https transactions by default take place on port 443 while non-SSL http transactions take place on port 80.
	SSLSessionCache         dbm:/usr/local/apache-1.3.19-ssl/logs/ssl_scache
	SSLSessionCacheTimeout  300
	SSLMutex                file:/usr/local/apache-1.3.19-ssl/logs/ssl_mutex

Our session cache and mutex have also been configured. Apache 1.3 pre-forks child processes, so an SSL session negotiated with one child can only be resumed by another child if the session lives outside the process, here in a DBM file; the mutex serialises the children's access to that file. Without the cache, every new connection from the same browser pays for a full handshake.

	SSLLog      /usr/local/apache-1.3.19-ssl/logs/ssl_engine_log
	SSLLogLevel info

Our log of SSL transactions has also been configured. Note that SSLLogLevel takes the same arguments as LogLevel: debug, info, notice, warn, error, crit, alert, emerg.

	<VirtualHost _default_:443>
	DocumentRoot "/usr/local/apache-1.3.19-ssl/htdocs"
	ServerName baldur.build.oakland.redhat.com
	ServerAdmin root@baldur.build.oakland.redhat.com
	ErrorLog /usr/local/apache-1.3.19-ssl/logs/error_log
	TransferLog /usr/local/apache-1.3.19-ssl/logs/access_log

	SSLEngine on

	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

	SSLCertificateFile /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
	SSLCertificateKeyFile /usr/local/apache-1.3.19-ssl/conf/ssl.key/server.key
	</VirtualHost>

Finally, our VirtualHost (the stock configuration uses <VirtualHost _default_:443>), where we define the document root, the ciphers the server will accept, the server certificate and the corresponding private key. Look closely at what the stock SSLCipherSuite allows: ALL minus anonymous Diffie-Hellman and 56-bit export ciphers, with the '+' entries merely moving the SSLv2, export-grade and low-strength ciphers to the end of the preference list rather than removing them, so a client that offers nothing better will still be served with them. We can also apply access control to pages under this document root, authenticating the user via a client certificate and restricting which Certificate Authorities that client certificate may have been issued by.
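As an added example in Apache 1.3/mod_ssl 2.8 configuration syntax (it is not code from the article or from the mod_ssl distribution), here is the same virtual host with the settings a production deployment would tighten, plus a directory protected by client-certificate authentication. Every directive used is documented in the mod_ssl 2.8 user manual; the paths follow the article's /usr/local/apache-1.3.19-ssl prefix, the ServerName is set to the certificate's Common Name from the session above, and the ca-bundle.crt and ca-bundle.crl files, the /secure/ location and the O= value are assumptions made for illustration.

```apache
# Added example, not from the article or the mod_ssl distribution.
# Paths follow the article's install prefix; ca-bundle.crt, ca-bundle.crl,
# /secure/ and the O= value are assumptions for illustration.

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfModule mod_ssl.c>
# Shared session cache and lock, as in the stock configuration.
SSLSessionCache        dbm:/usr/local/apache-1.3.19-ssl/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex               file:/usr/local/apache-1.3.19-ssl/logs/ssl_mutex

# Keep the private key encrypted on disk (answer 'Y' in STEP 4 above) and let
# httpd ask for the pass phrase on the terminal at startup.  The alternative,
# an unencrypted key, must be readable by root only.
SSLPassPhraseDialog    builtin

SSLLog                 /usr/local/apache-1.3.19-ssl/logs/ssl_engine_log
SSLLogLevel            warn
</IfModule>

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache-1.3.19-ssl/htdocs"
    ServerName   www.weinstein.org
    ErrorLog     /usr/local/apache-1.3.19-ssl/logs/error_log
    TransferLog  /usr/local/apache-1.3.19-ssl/logs/access_log

    SSLEngine on

    # Stock default, kept here for comparison.  ALL minus anonymous DH and
    # 56-bit export still offers SSLv2, LOW and 40-bit EXP ciphers; the '+'
    # entries only move them to the end of the list, they do not remove them.
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Tightened: refuse the SSLv2 protocol outright, and start from HIGH and
    # MEDIUM strength only.  '!' removes a cipher class permanently, so an
    # anonymous, null, export or low-strength suite can never be negotiated.
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!ADH:!eNULL:!EXP:!LOW

    SSLCertificateFile    /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache-1.3.19-ssl/conf/ssl.key/server.key

    # CAs whose client certificates we accept, and the CRLs they publish
    # (both files are assumptions).
    SSLCACertificateFile  /usr/local/apache-1.3.19-ssl/conf/ssl.crt/ca-bundle.crt
    SSLCARevocationFile   /usr/local/apache-1.3.19-ssl/conf/ssl.crl/ca-bundle.crl

    # One directory that requires a client certificate: it must chain, within
    # two hops, to a CA in ca-bundle.crt, and its Organization field must match.
    <Location /secure/>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Weinstein.org"
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Check the file with httpd -t before restarting. With SSLPassPhraseDialog builtin and an encrypted key, the server cannot come up unattended after a reboot; that is the trade-off against an unencrypted key protected only by file permissions, and it should be a deliberate choice rather than the default taken in STEP 4 above. SSLVerifyDepth 2 means a certificate issued by an intermediate CA is accepted only if the intermediate itself is signed by a CA in ca-bundle.crt.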

Of course, if we were to put this server into production we'd first need to generate a Certificate Signing Request (CSR), submit it to a public Certificate Authority, and then install the signed certificate in place of the Snake Oil test certificate generated before make install. In fact make certificate already wrote a CSR for this key to conf/ssl.csr/server.csr, which can be submitted as-is if the Distinguished Name entered above is the one you want on the real certificate. Note also that STEP 4 left the private key unencrypted on disk: either keep it that way and make sure only root can read it (httpd reads it at startup, before forking the children that run as the configured User), or encrypt it and have Apache prompt for the pass phrase at startup via SSLPassPhraseDialog.

Now we have a version of Apache installed that can encrypt and authenticate HTTP transactions via SSL/TLS. For more information about Apache and SSL/TLS, take a look at http://www.modssl.org/.


References:

Engelschall, Ralf S. "Security Solutions with SSL." ApacheCon 2001, Santa Clara, 4 Apr. 2001.

Engelschall, Ralf S. mod_ssl User Manual, Version 2.8. 30 Jan. 2001. http://www.modssl.org/docs/2.8/