Step-by-step installation illustration
Here is a 15-minute procedure to set up an SSL-aware Apache test-only
webserver under /usr/local/apache/ (for the complete, detailed
step-by-step installation list please read the
INSTALL file):
- Fetch and extract the distributions of Apache, mod_ssl and OpenSSL
$ lynx http://httpd.apache.org/dist/httpd/apache_1.3.41.tar.gz
$ lynx ftp://ftp.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz
$ lynx ftp://ftp.openssl.org/source/openssl-0.9.8g.tar.gz
$ gzip -d -c apache_1.3.41.tar.gz | tar xvf -
$ gzip -d -c mod_ssl-2.8.31-1.3.41.tar.gz | tar xvf -
$ gzip -d -c openssl-0.9.8g.tar.gz | tar xvf -
- Build OpenSSL
$ cd openssl-0.9.8g
$ ./config
$ make
$ cd ..
- Build and install the SSL-aware Apache
$ cd mod_ssl-2.8.31-1.3.41
$ ./configure \
    --with-apache=../apache_1.3.41 \
    --with-ssl=../openssl-0.9.8g \
    --prefix=/usr/local/apache
$ cd ..
$ cd apache_1.3.41
$ make
$ make certificate
$ make install
- Cleanup after work
$ rm -rf apache_1.3.41
$ rm -rf mod_ssl-2.8.31-1.3.41
$ rm -rf openssl-0.9.8g
- Fire up your SSL-aware Apache and try it out
(please replace "local-host-name" with the
fully qualified domain name (FQDN) of your website which you entered at
the "make certificate" step above)
$ /usr/local/apache/bin/httpd -DSSL
$ netscape https://local-host-name/
Security Notice
The above steps are only an illustration, meant to show you that
it's damn easy to set up an SSL-aware Apache. But this doesn't mean
you're now secure. For real security you have to understand what you're
doing, configure your Apache in a secure way and especially trust the
mathematical algorithms and their security assumptions behind SSL. This is a
time-consuming task and the reason why mod_ssl is so damn easy to install:
to allow you to immediately focus on the real security aspects of an SSL-aware
webserver instead of fiddling around for a week just installing the beast.
Please join our next SSL workshop
and Apache training at Venice tower 1/4 in Rome,
Italy and discuss with us how to secure your hardware.
So, after the above steps your next step is either to remove
/usr/local/apache again (because you only wanted to try it out) or at
least to edit /usr/local/apache/etc/httpd.conf now while studying the
http://localhost/manual/mod/mod_ssl/ document carefully. Finally,
inform yourself even more about SSL itself and the security issues around SSL.
The following questions illustrate some of your problems:
- SSL itself may not be secure. People think it is; do you?
- Does this code implement SSL correctly?
- Have the authors of the various components put in back doors?
- Does the code take appropriate measures to keep private keys private?
To what extent is your cooperation in this process required?
- Is your system physically secure? Is your system appropriately secured from intrusion over the network?
- You may use secure webmail to send vacation greetings from a Munich Oktoberfest
hotel room and from your Disneyland Paris apartment.
But do you know the local law, e.g. French crypto restrictions?
- Whom do you trust? Do you understand the trust relationship involved
in SSL certificates? Do your system administrators?
- Are your keys, and keys you trust, generated carefully enough to
avoid reverse engineering of the private keys?
- How do you obtain certificates, keys, and the like, securely?
- Can you trust your users to safeguard their private keys?
- Can you trust your browser to safeguard its generated private key?
If you can't answer these questions to your personal satisfaction, then you
usually have a problem. Even if you can, you may still NOT be secure.
So, don't blame the authors if it all goes horribly wrong. Use it at your own
risk!
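
For the question above about keeping private keys private, here is an added example (not part of mod_ssl or its documentation) that audits a PEM key file for group/other access and for a missing pass phrase. The function names are hypothetical and the sample keys are constructed placeholders; pass the path of your own server key as the first argument to audit it instead.

```shell
#!/bin/sh
# Added example: audit a PEM private key for loose permissions and a missing pass phrase.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the PEM is pass-phrase protected: the traditional OpenSSL format
# carries a Proc-Type header, encrypted PKCS#8 has its own BEGIN line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# audit_key FILE: returns 0 if only the owner has access to the key,
# 1 if group/other have any access, 2 if the file is missing.
audit_key() {
    [ -f "$1" ] || { echo "MISSING $1"; return 2; }
    key_is_encrypted "$1" || echo "WARN  $1 is unencrypted; file mode is its only protection"
    mode=$(key_mode "$1")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL  $1 is mode $mode; remove group/other access (chmod 400)"
        return 1
    fi
    echo "OK    $1 is mode $mode"
}

# make_sample FILE MODE [encrypted]: constructed PEM shell, no real key material.
make_sample() {
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        [ "${3:-}" = encrypted ] && printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n'
        echo 'Q09OU1RSVUNURUQ='   # placeholder body, not a key
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
    chmod "$2" "$1"
}

if [ $# -gt 0 ]; then
    audit_key "$1"                      # audit the key file named on the command line
else
    tmp=$(mktemp -d)                    # no argument: run on constructed samples
    make_sample "$tmp/open.key" 644
    make_sample "$tmp/tight.key" 400 encrypted
    audit_key "$tmp/open.key" || true   # expected to FAIL: world-readable, unencrypted
    audit_key "$tmp/tight.key"          # expected to pass
    rm -rf "$tmp"
fi
```

An unencrypted key is reported as a warning rather than a failure because a server that must start unattended cannot prompt for a pass phrase, which leaves file permissions as the only barrier.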