Web Security: Apache and mod_ssl
by Paul Weinstein
As we covered in our last article, SSL/TLS (Secure Sockets Layer/Transport Layer Security) are the protocols used to add encryption and authentication to TCP-based application protocols such as HTTP. The next step is adding SSL/TLS support to an installed web server. In this article we cover the most popular open source method: adding mod_ssl to Apache.
The mod_ssl module takes advantage of Apache's modular setup to interface Apache with the open source SSL/TLS and cryptography toolkit, OpenSSL. This is currently the most popular method for adding SSL/TLS support to Apache, with roughly 12% of all Apache installations running mod_ssl. The module fully integrates into Apache 1.3.x using the Extended API (EAPI) and can be loaded as a Dynamic Shared Object (DSO) so that it consumes no memory while inactive. Commercial implementations of secured Apache, such as Covalent's Raven or Red Hat's Secure Web Server and Stronghold, also rely on mod_ssl and OpenSSL.
Some of the features that mod_ssl brings to Apache via OpenSSL include, but are not limited to:
Support for SSL v2 and v3
Support for TLS v1
Advanced pass-phrase handling for private keys
X.509 based client & server authentication
X.509 Certificate Revocation List (CRL) support
Support for Hardware Crypto Devices
Support for RSA and DSA/DH ciphers
Boolean-expression based access control
Backward compatibility to other SSL Solutions (Apache-SSL, Stronghold, etc.)
Inter-process SSL Session Cache
Powerful dedicated SSL engine logging facility
Assistance in X.509 certificate generation
The following general method builds OpenSSL, then builds Apache with mod_ssl against it. These steps, shown on a FreeBSD 4.2-STABLE machine, will of course vary depending on what OS you are using and how it is configured.
First, grab the latest source trees via your favorite method. As of this writing the current versions are OpenSSL 0.9.6a, Apache 1.3.19 and mod_ssl 2.8.2-1.3.19. The mod_ssl version string names the Apache release it was built for, and the two must match.
Next, you can proceed to:
    gunzip openssl-0.9.6a.tar.gz
    tar xf openssl-0.9.6a.tar
    cd openssl-0.9.6a
    su
    ./config --prefix=/usr/local/openssl-0.9.6a
    make
    make test
    make install
    cd ..
    gunzip apache_1.3.19.tar.gz
    tar xf apache_1.3.19.tar
    gunzip mod_ssl-2.8.2-1.3.19.tar.gz
    tar xf mod_ssl-2.8.2-1.3.19.tar
    cd mod_ssl-2.8.2-1.3.19
    ./configure --with-apache=../apache_1.3.19 \
                --with-ssl=/usr/local/openssl-0.9.6a \
                --prefix=/usr/local/apache-1.3.19-ssl
    cd ../apache_1.3.19
    SSL_BASE=/usr/local/openssl-0.9.6a ./configure --prefix=/usr/local/apache-1.3.19-ssl \
                --enable-module=ssl
    make
    make certificate

Note that OpenSSL's config script takes --prefix with two dashes (a single-dash -prefix is passed through as a compiler flag), and that the mod_ssl configure option is --with-ssl. make certificate runs mod_ssl's mkcert.sh, which generates the private key, a certificate signing request and a test certificate signed by the bundled Snake Oil CA; the transcript follows. The pass-phrase step is declined here (n), which leaves server.key unencrypted on disk.

    SSL Certificate Generation Utility (mkcert.sh)
    Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

    Generating test certificate signed by Snake Oil CA [TEST]
    WARNING: Do not use this for real-life/production systems
    ______________________________________________________________________
    STEP 0: Decide the signature algorithm used for certificate
    The generated X.509 CA certificate can contain either
    RSA or DSA based ingredients. Select the one you want to use.
    Signature Algorithm ((R)SA or (D)SA) [R]:
    ______________________________________________________________________
    STEP 1: Generating RSA private key (1024 bit) [server.key]
    2273813 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ...........................++++++
    ...........++++++
    e is 65537 (0x10001)
    ______________________________________________________________________
    STEP 2: Generating X.509 certificate signing request [server.csr]
    Using configuration from .mkcert.cfg
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    1. Country Name             (2 letter code) [XY]:US
    2. State or Province Name   (full name)     [Snake Desert]:California
    3. Locality Name            (eg, city)      [Snake Town]:Oakland
    4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Weinstein.org
    5. Organizational Unit Name (eg, section)   [Webserver Team]:
    6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:www.weinstein.org
    7. Email Address            (eg, name@FQDN) [email@example.com]:firstname.lastname@example.org
    8. Certificate Validity     (days)          :
    ______________________________________________________________________
    STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
    Certificate Version (1 or 3) :
    Signature ok
    subject=/C=US/ST=California/L=Oakland/O=Weinstein.org/OU=Webserver Team/CN=www.weinstein.org/Email=firstname.lastname@example.org
    Getting CA Private Key
    Verify: matching certificate & key modulus
    read RSA key
    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: OK
    ______________________________________________________________________
    STEP 4: Encrypting RSA private key with a pass phrase for security [server.key]
    The contents of the server.key file (the generated private key) has to be
    kept secret. So we strongly recommend you to encrypt the server.key file
    with a Triple-DES cipher and a Pass Phrase.
    Encrypt the private key now? [Y/n]: n
    Warning, you're using an unencrypted RSA private key.
    Please notice this fact and do this on your own risk.
    ______________________________________________________________________
    RESULT: Server Certification Files

    o conf/ssl.key/server.key
      The PEM-encoded RSA private key file which you configure
      with the 'SSLCertificateKeyFile' directive (automatically done
      when you install via APACI). KEEP THIS FILE PRIVATE!

    o conf/ssl.crt/server.crt
      The PEM-encoded X.509 certificate file which you configure
      with the 'SSLCertificateFile' directive (automatically done
      when you install via APACI).

    o conf/ssl.csr/server.csr
      The PEM-encoded X.509 certificate signing request file which
      you can send to an official Certificate Authority (CA) in order
      to request a real server certificate (signed by this CA instead
      of our demonstration-only Snake Oil CA) which later can replace
      the conf/ssl.crt/server.crt file.

    WARNING: Do not use this for real-life/production systems

With the test certificate in place, install the tree:

    make install
To test your setup, start the server with SSL enabled. mod_ssl's patched apachectl provides a startssl target that starts httpd with -DSSL, so that the SSL sections of httpd.conf, which are wrapped in <IfDefine SSL>, take effect:

    /usr/local/apache-1.3.19-ssl/bin/apachectl startssl

Then load your favorite SSL-enabled web browser and point it to https://localhost. Because the certificate is signed by the Snake Oil test CA, the browser will warn that the issuer is unknown; that is expected for the test certificate.
If we take a look at the Apache configuration file at /usr/local/apache-1.3.19-ssl/conf/httpd.conf we can see the basic SSL setup:
    Port 80
    Listen 80
    Listen 443

Note that https transactions by default take place on port 443, while non-SSL http transactions take place on port 80; the two Listen directives make the server accept both.
    SSLSessionCache dbm:/usr/local/apache-1.3.19-ssl/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache-1.3.19-ssl/logs/ssl_mutex

Our session cache and semaphore have also been configured. The cache is shared between Apache's child processes so that a client resuming an SSL session is served by whichever child picks up the connection, entries expire after 300 seconds, and the SSLMutex lock file serializes access to the cache.
    SSLLog /usr/local/apache-1.3.19-ssl/logs/ssl_engine_log
    SSLLogLevel info

Our log of SSL transactions has also been configured. Note that SSLLogLevel takes the same arguments as LogLevel: debug, info, notice, warn, error, crit, alert, emerg.
    <VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache-1.3.19-ssl/htdocs"
    ServerName baldur.build.oakland.redhat.com
    ServerAdmin firstname.lastname@example.org
    ErrorLog /usr/local/apache-1.3.19-ssl/logs/error_log
    TransferLog /usr/local/apache-1.3.19-ssl/logs/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache-1.3.19-ssl/conf/ssl.key/server.key
    </VirtualHost>

Finally, our VirtualHost on port 443, where we define the document root, the ciphers the server will accept, the server certificate and the corresponding private key. A caveat on the stock SSLCipherSuite string: it starts from ALL and only removes anonymous DH and 56-bit export ciphers. In OpenSSL cipher syntax a leading + reorders ciphers already selected rather than removing them, so +LOW, +SSLv2 and +EXP merely move the low-strength, SSLv2 and export-grade ciphers to the end of the list, and a client that offers nothing better is still accepted (+eNULL is inert, since ALL never included the null ciphers). For production, remove those classes with ! (for example SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2) and disable the SSLv2 protocol itself with SSLProtocol all -SSLv2. We can also restrict access to pages under this document root to users presenting a client certificate (SSLVerifyClient require) and specify which Certificate Authorities that client certificate may be issued by (SSLCACertificateFile).
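An added example (not from the article or from mod_ssl) that checks an httpd.conf fragment for the weak points discussed above: SSLCipherSuite keeping export, LOW or SSLv2 cipher classes (any weak class token not explicitly removed with !, since + only reorders), SSLv2 not disabled with SSLProtocol, and a private key that group or other can read. It is POSIX sh using only sed, grep, tr and ls, so it runs anywhere. The two configs and the empty stand-in key files it writes to a temporary directory are constructed here; the hardened cipher string is an illustration, not a list tested against OpenSSL 0.9.6.

```shell
#!/bin/sh
# Added example: audit the SSL directives of an Apache 1.3/mod_ssl httpd.conf.
# Sample configs and key files below are constructed for illustration.

work=$(mktemp -d)

# Stand-in private key files (empty), one left world-readable, one at 0600.
: > "$work/server-open.key";   chmod 644 "$work/server-open.key"
: > "$work/server-secret.key"; chmod 600 "$work/server-secret.key"

# Constructed config with the stock mod_ssl 2.8 cipher string from the article.
cat > "$work/stock.conf" <<EOF
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
SSLCertificateKeyFile $work/server-open.key
EOF

# Hardened variant: weak classes removed with '!', SSLv2 protocol disabled.
cat > "$work/hardened.conf" <<EOF
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
SSLCertificateFile /usr/local/apache-1.3.19-ssl/conf/ssl.crt/server.crt
SSLCertificateKeyFile $work/server-secret.key
EOF

# conf_value FILE DIRECTIVE: value of the first DIRECTIVE line (empty if absent).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# weak_cipher_tokens SPEC: print the weak class tokens of an SSLCipherSuite
# string that are not removed with '!'. In OpenSSL cipher syntax '+' only
# reorders ciphers already selected, so ALL:...:+LOW keeps LOW enabled.
weak_cipher_tokens() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -E '^\+?(eNULL|aNULL|ADH|EXP|EXPORT|EXPORT40|EXPORT56|LOW|SSLv2)$' || true
}

# key_world_readable FILE: true if group or other have any permission bit set
# (parses the mode column of ls -l, which is portable across BSD and GNU).
key_world_readable() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# audit_ssl_conf FILE: one finding per line on stdout; no output means clean.
audit_ssl_conf() {
    conf="$1"
    [ "$(conf_value "$conf" SSLEngine)" = "on" ] || echo "SSLEngine is not on"
    case " $(conf_value "$conf" SSLProtocol) " in
        *" -SSLv2 "*) ;;
        *) echo "SSLv2 not disabled (add: SSLProtocol all -SSLv2)" ;;
    esac
    for t in $(weak_cipher_tokens "$(conf_value "$conf" SSLCipherSuite)"); do
        echo "weak cipher class kept in SSLCipherSuite: $t"
    done
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    if [ -z "$key" ]; then
        echo "no SSLCertificateKeyFile directive"
    elif key_world_readable "$key"; then
        echo "private key $key is readable by group/other"
    fi
}

# finding_count FILE: number of findings (0 means clean).
finding_count() {
    audit_ssl_conf "$1" | grep -c . || true
}

for f in stock hardened; do
    echo "== $f.conf: $(finding_count "$work/$f.conf") finding(s)"
    audit_ssl_conf "$work/$f.conf"
done
```

Run against the stock fragment it reports six findings (no SSLProtocol, the four + tokens, the readable key); the hardened fragment reports none. The token check is deliberately conservative: it cannot expand the string the way openssl ciphers does, so it treats any weak class that is not removed with ! as enabled.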
Of course, if we were to put this server into production we would first need to generate a Certificate Signing Request (CSR), submit it to a public Certificate Authority and then install that signed certificate in place of the self-signed certificate generated before make install. Before installing it, confirm that the returned certificate matches the key the CSR was made from, the same "matching certificate & key modulus" check mkcert.sh performs. If the key is left unencrypted, as above, so that the server can restart unattended, it must be readable only by root (mode 0600): anyone who can read it can impersonate the server and, with RSA key exchange, decrypt recorded traffic.
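The key, certificate, CSR and pass-phrase steps that mkcert.sh walks through above, and the CSR and pairing check for a CA-issued certificate, done by hand with the openssl command line. This is an added example, not code from the article or from mod_ssl; it assumes the openssl binary is on the PATH, writes into a temporary directory, and uses a constructed DN and pass phrase. It encrypts with AES-256 rather than the Triple-DES mkcert.sh offers, and the key size is 2048 bits rather than the 1024 shown in the transcript.

```shell
#!/bin/sh
# Added example: the key, test certificate, CSR and pass-phrase steps of
# mkcert.sh done by hand with the openssl CLI, plus the key/certificate pairing
# check to run on a CA-issued certificate before installing it.
# Assumes openssl is on the PATH; the DN, pass phrase and file names are constructed.

work=$(mktemp -d)
dn='/C=US/ST=California/L=Oakland/O=Weinstein.org/CN=www.weinstein.org'
pw='constructed pass phrase'

# key_modulus KEYFILE [PASSPHRASE]: RSA modulus of a private key, empty on
# failure (wrong pass phrase, or not a key at all).
key_modulus() {
    if [ -n "$2" ]; then
        openssl rsa -noout -modulus -in "$1" -passin "pass:$2" 2>/dev/null
    else
        openssl rsa -noout -modulus -in "$1" 2>/dev/null
    fi
}

# cert_modulus CERTFILE: RSA modulus of the public key in an X.509 certificate.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE: the check mkcert.sh prints as
# "Verify: matching certificate & key modulus". A certificate returned by a
# public CA must pass this against the key the CSR was made from, or mod_ssl
# will refuse to start with the pair.
key_matches_cert() {
    k=$(key_modulus "$1")
    c=$(cert_modulus "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# encrypt_key IN OUT PASSPHRASE: wrap the key under a pass phrase (AES-256 here,
# where mkcert.sh offers Triple-DES). Apache then prompts for it at every start,
# so a server that must restart unattended keeps the plain key at mode 0600 instead.
encrypt_key() {
    openssl rsa -in "$1" -out "$2" -aes256 -passout "pass:$3" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    umask 077                                    # files created below are 0600
    # STEP 1 equivalent: the server's RSA private key.
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    # STEP 2/3 equivalent: a CSR to send to a real CA, and a self-signed test
    # certificate standing in for the one the Snake Oil CA signs.
    openssl req -new -key "$work/server.key" -subj "$dn" -out "$work/server.csr" 2>/dev/null
    openssl req -new -x509 -key "$work/server.key" -subj "$dn" -days 365 \
        -out "$work/server.crt" 2>/dev/null
    # STEP 4 equivalent: the pass-phrase protected copy of the key.
    encrypt_key "$work/server.key" "$work/server.key.enc" "$pw"
    # A second key that does not belong to the certificate, to show the check failing.
    openssl genrsa -out "$work/other.key" 2048 2>/dev/null

    key_matches_cert "$work/server.key" "$work/server.crt" && echo "server.key matches server.crt"
    key_matches_cert "$work/other.key" "$work/server.crt" || echo "other.key does not match server.crt"
    [ "$(key_modulus "$work/server.key.enc" "$pw")" = "$(key_modulus "$work/server.key")" ] \
        && echo "server.key.enc decrypts with the pass phrase"
else
    echo "openssl not found; nothing generated" >&2
fi
```

When a public CA returns the signed certificate, run key_matches_cert against it and the original server.key before copying it over conf/ssl.crt/server.crt; a mismatch usually means the CSR was generated from a different key than the one installed.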
Now we have a version of Apache installed that can encrypt and authenticate HTTP transactions via SSL/TLS. For more information about Apache and SSL/TLS, take a look at http://www.modssl.org.
Engelschall, Ralf S. "Security Solutions with SSL." ApacheCon, Santa Clara, 4 Apr. 2001.
Engelschall, Ralf S. mod_ssl User Manual, Version 2.8. 30 Jan. 2001. www.modssl.org/docs/2.8