mod_ssl    
 Installation 
 

Step-by-step installation illustration

Here is a 15-minute procedure to set up an SSL-aware Apache test-only webserver under /usr/local/apache/ (for the complete, detailed step-by-step installation list, please read the INSTALL file):
  1. Fetch and extract the distributions of Apache, mod_ssl and OpenSSL

    $ lynx http://httpd.apache.org/dist/httpd/apache_1.3.41.tar.gz
    $ lynx ftp://ftp.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz
    $ lynx ftp://ftp.openssl.org/source/openssl-0.9.8g.tar.gz
    $ gzip -d -c apache_1.3.41.tar.gz | tar xvf -
    $ gzip -d -c mod_ssl-2.8.31-1.3.41.tar.gz | tar xvf -
    $ gzip -d -c openssl-0.9.8g.tar.gz | tar xvf -

  2. Build OpenSSL

    $ cd openssl-0.9.8g
    $ ./config
    $ make
    $ cd ..
    

  3. Build and install the SSL-aware Apache

    $ cd mod_ssl-2.8.31-1.3.41
    $ ./configure \
        --with-apache=../apache_1.3.41 \
        --with-ssl=../openssl-0.9.8g \
        --prefix=/usr/local/apache
    $ cd ..
    $ cd apache_1.3.41
    $ make 
    $ make certificate
    $ make install

  4. Cleanup after work

    $ rm -rf apache_1.3.41
    $ rm -rf mod_ssl-2.8.31-1.3.41
    $ rm -rf openssl-0.9.8g

  5. Fire up your SSL-aware Apache and try it out
    (please replace "local-host-name" with the fully qualified domain name (FQDN) of your website which you entered at the "make certificate" step above)

    $ /usr/local/apache/bin/httpd -DSSL
    $ netscape https://local-host-name/
    

Security Notice

The above steps are an illustration which should only show you that it's damn easy to set up an SSL-aware Apache. But this doesn't mean you're now secure. For real security you have to understand what you're doing, configure your Apache in a secure way and, especially, trust the mathematical algorithms and their security assumptions behind SSL. This is a time-consuming task and the reason why mod_ssl is so damn easy to install: to allow you to immediately focus on the real security aspects of an SSL-aware webserver instead of fiddling around for a week just installing the beast. Please join our next SSL workshop and Apache training at Venice tower 1/4 in Rome, Italy and discuss with us how to secure your hardware.

So, after the above steps, your next step is either to remove /usr/local/apache again (because you only wanted to try it out) or at least to edit /usr/local/apache/etc/httpd.conf while studying the http://localhost/manual/mod/mod_ssl/ document carefully. Finally, inform yourself even more about SSL itself and the security issues around SSL. The following questions illustrate some of your problems:

  • SSL itself may not be secure. People think it is, do you?
  • Does this code implement SSL correctly?
  • Have the authors of the various components put in back doors?
  • Does the code take appropriate measures to keep private keys private? To what extent is your cooperation in this process required?
  • Is your system physically secure? Is your system appropriately secured from intrusion over the network?
  • You may use secure webmail to send vacation greetings from a Munich Oktoberfest hotel room and from your Disneyland Paris apartment. But do you know the local law, e.g. French crypto restrictions?
  • Whom do you trust? Do you understand the trust relationship involved in SSL certificates? Do your system administrators?
  • Are your keys, and keys you trust, generated carefully enough to avoid reverse engineering of the private keys?
  • How do you obtain certificates, keys, and the like, securely?
  • Can you trust your users to safeguard their private keys?
  • Can you trust your browser to safeguard its generated private key?

If you can't answer these questions to your personal satisfaction, then you usually have a problem. Even if you can, you may still NOT be secure. So, don't blame the authors if it all goes horribly wrong. Use it at your own risk!
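
One part of the "keep private keys private" question can be checked mechanically. The following is an added example, not part of mod_ssl or of the original page: a shell function that walks a directory you name, finds PEM private keys, and reports any that group or others can access or that are stored without a pass phrase. The function names and the sample tree are constructed for illustration; no key path of the installation above is assumed.

```shell
#!/bin/sh
# Added example (not mod_ssl code): audit PEM private keys below a directory.
# Prints one "FINDING<TAB>path" line per problem:
#   PERM         group or others have any access to the key file
#   UNENCRYPTED  the key is stored without a pass phrase
audit_keys() {
    find "$1" -type f -exec grep -l -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null |
    while IFS= read -r f; do
        # Characters 5-10 of the ls mode string are the group/other bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || printf 'PERM\t%s\n' "$f"
        # Traditional PEM marks encryption with a Proc-Type header,
        # PKCS#8 with an "ENCRYPTED PRIVATE KEY" label.
        grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f" ||
            printf 'UNENCRYPTED\t%s\n' "$f"
    done
}

# Exit status 0 only when audit_keys reports nothing.
keys_are_clean() { [ -z "$(audit_keys "$1")" ]; }

# Constructed sample tree: placeholder files, no real key material.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '(placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$d/good.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$d/weak.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(placeholder)' \
        '-----END CERTIFICATE-----' > "$d/server.crt"
    chmod 600 "$d/good.key"
    chmod 644 "$d/weak.key" "$d/server.crt"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_keys "$demo"      # flags weak.key twice, ignores good.key and server.crt
rm -rf "$demo"
```

An unencrypted server key is a deliberate trade-off on hosts that must restart unattended, so treat UNENCRYPTED as a finding to justify rather than an automatic failure; PERM has no such excuse.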