Your Daily Source for Apache News and Information
With "e-commerce" becoming an important part of many businesses, it's useful to know how to set up your server to run SSL for secure transfer of sensitive information.

What's SSL?

SSL, which stands for Secure Sockets Layer, is a protocol by which a client (web browser) and server (Apache, for example) can communicate with one another securely, using encrypted messages. Anyone intercepting the messages will receive only garbage, since they are encoded with the public keys of the conversants but must be decrypted with their private keys, which are not distributed.

Getting SSL

There are a variety of SSL solutions available, and you should probably check out all the options before making the decision that is right for your business, or that of your clients. Being an Open Source advocate, I am partial to OpenSSL. You can get OpenSSL from http://www.openssl.org/ in source code form. It is free software, and you can build it to run on whatever platform you are using. As of this writing, the latest version of OpenSSL is 0.9.6. The file is approximately 2 MB, so be prepared to wait a while. You need to click on the "Source" link, and get the file that is labelled as "LATEST".

Installing SSL

Please note that SSL is the engine, and you'll still need

Once you've downloaded OpenSSL, you will need to unpack it. Do this in the same location where you have the Apache source code unpacked. I'll assume for this article that you're working in /usr/src.

    gunzip openssl-0.9.6.tar.gz
    tar -vxf openssl-0.9.6.tar

Then change into the unpacked openssl-0.9.6 directory and run:

    ./config
    make
    make test
    make install

That's it. You're ready to move on to the next stage. For detailed instructions and advanced options, read the INSTALL file.

Installing mod_ssl

Here's where things get interesting. Warning: make an effort to understand what you are doing before you do it. I gave a very skimpy definition of SSL above. You really should read the referenced article.
Security that you don't understand is much more likely to be compromised than security whose workings you know. Note also that you're going to need to rebuild Apache, so you should have the Apache source code handy as well. Take this opportunity to upgrade to the latest version of Apache. 1.3.15 should be out real soon.

Get

Download the latest source code file, and unpack it somewhere you can get to it. It is useful to unpack it in the same place where you have your Apache source code unpacked, such as in /usr/src.

Now, follow these steps carefully. This assumes that you have unpacked all of these packages in /usr/src, and that the Apache source code, the OpenSSL source code, and the mod_ssl source code are all there.

    cd mod_ssl-2.7.xxxx
    ./configure --with-apache=../apache_1.3.14 \
                --with-ssl=../openssl-0.9.6 \
                --with-crt=/path/to/your/server/certificate \
                --with-key=/path/to/your/server/key
    cd ../apache_1.3.14
    make
    make install

And then you're done. Yes, perhaps there's a little more to it than that.

Certificate

You need a certificate. It's going to cost you a little money. There are a few companies (VeriSign, for example) that sell secure server certificates that are automatically accepted by the major browsers. You can generate one of your own, but it will show up in the client's browser as possibly insecure, and the user will have to confirm that they are willing to accept it. Once you have gone through the painful process of purchasing a secure certificate, you'll be able to use the

If you don't have a certificate, skip those two lines, and add a

Configuration

The above process added a large number of directives to your configuration file. You should look through

SSL and name-based virtual hosts

Because of the way SSL works, you can't use SSL on name-based virtual hosts. There are no configuration tricks that you can do to make this work. SSL must run on the primary name on the IP address to which it answers.
This has to do with the order in which things are said in the SSL negotiation conversation: the secure connection is established before the client ever tells the server what document it is looking for, so the virtual host negotiation comes too late. So, in order to run SSL on multiple virtual hosts, you'll need to use IP-based virtual hosts. This is being addressed in upcoming revisions to the SSL protocol, but that could be a while away.

More information

One of the clearest explanations of how

The talk also has a step-by-step guide for installing

Conclusion

The documentation that comes with OpenSSL and mod_ssl is pretty complete. The trick is in knowing that you have to install both in order to make things work. Reading the docs for both will teach you a lot about how the technologies work, as well as how to get them working. Please drop me a note if you have something that you'd like me to discuss in a future article.
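As an added example (these are not the article's own commands), here is how the self-signed alternative mentioned in the Certificate section can be produced with the openssl command-line tool, together with the check a practitioner wants before passing paths to --with-crt and --with-key: that the certificate and the private key actually belong together. The directory, host name and file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the article: create a self-signed server certificate
# with the openssl tool (the kind the article says browsers will flag as
# possibly insecure) and confirm that the certificate and key match before
# handing their paths to mod_ssl's --with-crt / --with-key.
# Directory and host name arguments are placeholders chosen for this example.

# make_selfsigned_cert DIR HOSTNAME
# Writes DIR/server.key and DIR/server.crt. Returns 0 on success, 1 on error,
# and 0 with a notice if openssl is not installed (so the script can be tried
# on a box that lacks it without failing).
make_selfsigned_cert() {
    dir=$1; host=$2
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing generated" >&2
        return 0
    fi
    mkdir -p "$dir" || return 1
    # -x509: emit a self-signed certificate instead of a signing request
    # -nodes: leave the key unencrypted so Apache can start without a passphrase
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/server.key"   # the private key must not be world-readable
    return 0
}

# cert_matches_key CRT KEY
# Prints "match" when the RSA modulus in the certificate equals the one in the
# key, "mismatch" otherwise. A mismatch is the classic reason Apache refuses to
# start after a certificate is replaced but the key is not.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Usage: sh make_cert.sh /usr/local/apache/conf/ssl www.example.com
if [ -n "$1" ] && [ -n "$2" ]; then
    make_selfsigned_cert "$1" "$2" && cert_matches_key "$1/server.crt" "$1/server.key"
fi
```

Run it with a target directory and the host name clients will connect to; the CN must be the name in the URL or browsers will complain about more than just the missing trust chain. The modulus comparison is the same check to run whenever a purchased certificate is installed over an existing key.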
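To make the virtual-host restriction concrete, here is an added shell check (not from the article) that scans a httpd.conf fragment for SSL virtual hosts sharing one address:port, the name-based arrangement the article says cannot work, and shows it beside the IP-based arrangement the article recommends. The directive names SSLEngine, SSLCertificateFile and SSLCertificateKeyFile are mod_ssl's; the addresses, host names and file paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: spot SSL virtual hosts that share one
# address:port. As the article explains, the certificate is chosen before the
# client names a host, so the second and later SSL vhosts on the same
# address:port never get their own certificate; each needs its own IP address.
# Both configuration fragments below are constructed for this example; the
# addresses are documentation addresses and the paths are placeholders.

# Name-based layout the article says cannot work: two SSL vhosts, one address.
BROKEN_CONF='
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.example.com.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.example.com.key
</VirtualHost>
'

# IP-based layout the article recommends: one address per SSL vhost.
FIXED_CONF='
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.example.com.key
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.example.com.key
</VirtualHost>
'

# ssl_vhost_collisions CONFIG_TEXT
# Prints one "ADDRESS:PORT COUNT" line for every address:port that carries
# more than one <VirtualHost> with SSLEngine on; prints nothing when the
# layout is sound. Plain HTTP vhosts (no SSLEngine on) are ignored, since
# name-based hosting is fine for them.
ssl_vhost_collisions() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*<VirtualHost[ \t]/ { addr = $2; sub(/>.*$/, "", addr); ssl = 0 }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1 }
        /^[ \t]*<\/VirtualHost>/ { if (ssl) count[addr]++ }
        END { for (a in count) if (count[a] > 1) print a, count[a] }
    '
}

# check_conf_file FILE: the same check against a real httpd.conf.
check_conf_file() {
    ssl_vhost_collisions "$(cat "$1")"
}

echo "broken layout:"; ssl_vhost_collisions "$BROKEN_CONF"
echo "fixed layout:";  ssl_vhost_collisions "$FIXED_CONF"
```

The broken layout reports 192.0.2.10:443 carrying two SSL hosts, which in practice means shop.example.com is served with www.example.com's certificate and every visitor sees a name mismatch warning; the fixed layout reports nothing. The scan is line-oriented and does not follow Include directives, so point check_conf_file at each file that declares virtual hosts.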