OpenSSL + Apache + mod_ssl installation and configuration debugging process

Source: Internet
Author: User
Tags: unix domain socket, ssl connection

This section describes how to build an Apache server that includes the mod_ssl module on Linux, and how to configure SSL for different requirements.
1. Download
1. Download OpenSSL from openssl.org to /usr/local
2. Download Apache from apache.org to /usr/local
3. Download mod_ssl from modssl.org to /usr/local
2. Decompress
cd /usr/local
tar zxvf openssl-0.9.7e.tar.gz
tar zxvf mod_ssl-2.8.22-1.3.33.tar.gz
tar zxvf apache-1.3.33.tar.gz
3. Rename the directories
mv openssl-0.9.7e openssl
mv mod_ssl-2.8.22-1.3.33 mod_ssl
mv apache-1.3.33 apache
4. Compile OpenSSL
cd openssl
./config --prefix=/usr/local/openssl
make
make install
5. Configure mod_ssl against the Apache source tree
cd ../mod_ssl
./configure --with-apache=../apache
6. Compile Apache (with the mod_ssl-patched source, pointing it at the OpenSSL tree)
cd ../apache
SSL_BASE=../openssl ./configure --enable-module=ssl
make
make install
That completes the preparation. If you follow the steps above there should be no problem; however, several times I ran into OpenSSL being unusable and Apache being broken. The best fix is to delete Apache and reinstall it (it isn't worth chasing the cause!).
7. Establish your own CA
cd /
mkdir caroot   # create your own CA directory. I don't know whether it is better to create the CA directory somewhere else.
cd caroot
cp /usr/local/openssl/ssl/openssl.cnf ./openssl.cnf   # copy the CA configuration file
vi openssl.cnf   # change the dir entry in the configuration file from ./demoCA to /caroot
mkdir newcerts
mkdir certs
mkdir crl
mkdir private
vi index.txt   # write nothing, just :wq (an empty certificate database)
vi serial   # write 00, then :wq
vi ./private/.rand   # write a couple of random numbers, then :wq
# Everything above matches what openssl.cnf expects.
openssl req -new -x509 -newkey rsa:1024 -keyout ./private/cakey.pem -out cacert.pem   # generate the key and self-signed certificate for the CA
8. Generate the key and certificate for Apache
cd /usr/local/apache/conf/ssl.crt
openssl req -new -newkey rsa:1024 -keyout ../ssl.key/server.key -out ../ssl.csr/server.csr   # generate the server key and certificate request
openssl ca -in ../ssl.csr/server.csr -out server.crt -config /caroot/openssl.cnf   # sign the certificate request with the CA private key
# Now you have the server certificate and private key
9. Modify httpd.conf
cd ..
vi httpd.conf
Changing ServerName to sage is optional, but otherwise a warning is printed.
Change SSLCertificateFile to /usr/local/apache/conf/ssl.crt/server.crt
Change SSLCertificateKeyFile to /usr/local/apache/conf/ssl.key/server.key
# This is the most basic setting. Try it first.
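The CA and server-certificate procedure of steps 7 to 9, as an added shell example that is not part of the original post. It rebuilds the /caroot layout in a scratch directory passed as an argument, writes the minimal openssl.cnf that `openssl ca` needs instead of editing the copied one, uses 2048-bit keys without a passphrase and `-subj` so nothing prompts, and ends with the check a browser performs in step 11: the certificate must chain to cacert.pem and its address must match the one typed into the browser (192.168.10.10 here, placed in both CN and subjectAltName). Directory names, subjects and serial number are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates steps 7-9 of the post
# (CA directory, CA key/certificate, server key/CSR, signing with openssl ca)
# in a scratch directory instead of /caroot, then verifies the result.
# Assumptions: openssl(1) is on PATH; 2048-bit RSA keys; no passphrases (-nodes).

# Step 7: the CA directory layout and a minimal openssl.cnf for "openssl ca".
build_ca() {
    root=$1
    mkdir -p "$root/newcerts" "$root/certs" "$root/crl" "$root/private" \
             "$root/ssl.key" "$root/ssl.csr" "$root/ssl.crt"
    : > "$root/index.txt"          # empty certificate database ("vi index.txt; :wq")
    echo 1000 > "$root/serial"     # next serial number in hex (the post uses 00)
    cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $root
database       = $root/index.txt
new_certs_dir  = $root/newcerts
certificate    = $root/cacert.pem
private_key    = $root/private/cakey.pem
serial         = $root/serial
default_days   = 365
default_md     = sha256
policy         = policy_anything
unique_subject = no

[ policy_anything ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # CA key and self-signed CA certificate (cacert.pem is what clients import)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1825 \
        -config "$root/openssl.cnf" -subj "/O=Demo CA/CN=Demo Root CA" \
        -keyout "$root/private/cakey.pem" -out "$root/cacert.pem" 2>/dev/null
}

# Step 8: server key + CSR, signed by the CA. $2 is the address users will
# type into the browser; it goes into CN and subjectAltName so the step-11
# "name does not match" warning does not appear.
issue_server_cert() {
    root=$1; addr=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$root/openssl.cnf" \
        -subj "/O=Demo Org/CN=$addr" \
        -keyout "$root/ssl.key/server.key" -out "$root/ssl.csr/server.csr" 2>/dev/null \
    || return 1
    # End-entity extensions; the whole file is the default extension section.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
        "subjectAltName=IP:$addr" > "$root/server.ext"
    openssl ca -batch -notext -config "$root/openssl.cnf" -extfile "$root/server.ext" \
        -in "$root/ssl.csr/server.csr" -out "$root/ssl.crt/server.crt" 2>/dev/null
}

# The browser's check from step 11: chains to cacert.pem and matches the address.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_ip "$2" "$1/ssl.crt/server.crt" >/dev/null 2>&1
}

root=$(mktemp -d)
if build_ca "$root" && issue_server_cert "$root" 192.168.10.10 \
   && verify_server_cert "$root" 192.168.10.10; then
    echo "server.crt chains to cacert.pem and matches 192.168.10.10"
fi
rm -rf "$root"
```

On the real server the three output files map onto the post's paths: cacert.pem is the /caroot/cacert.pem that clients install in step 11, and ssl.key/server.key and ssl.crt/server.crt are the two files named in SSLCertificateKeyFile and SSLCertificateFile. A private key without a passphrase, as produced here, is only acceptable if the key file is readable by root alone.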
10. Start the service
/sbin/service iptables stop   # this turns off the firewall. I don't know whether this is safe, but if it is not turned off the client cannot connect.
/usr/local/apache/bin/apachectl startssl
11. Test from a client
In a browser on a Windows (or Linux) machine on the LAN, enter https://192.168.10.10. Remember the https: a plain http URL is served without any verification.
A dialog box with three items appears. The second item (the validity period) is normally fine. The third shows an exclamation mark because the address of the site does not match the Common Name of the certificate, so when generating the Apache server certificate with OpenSSL you must set the Common Name to 192.168.10.10. The first exclamation mark is because the CA root certificate is not installed: copy /caroot/cacert.pem to the client and install it. Reopen the browser and enter https://192.168.10.10 again, and the problem is solved. This is what makes it essentially different from http://192.168.10.10.
12. Configure more SSL applications (detailed in /usr/local/apache/htdocs/manual/mod/mod_ssl)
1. Implement client authentication
Modify httpd.conf:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /caroot/cacert.pem
Enter https://192.168.10.10 on the client and a certificate is now demanded. Next, generate a client PKCS#12 certificate.
cd /usr/local/apache/conf/ssl.crt
openssl req -new -newkey rsa:1024 -keyout ../ssl.key/client.key -out ../ssl.csr/client.csr   # generate the client key and certificate request
openssl ca -in ../ssl.csr/client.csr -out client.crt -config /caroot/openssl.cnf   # sign the certificate request with the CA private key
openssl pkcs12 -export -clcerts -inkey ../ssl.key/client.key -in client.crt -out /home/share/client.p12
# /home/share is a shared directory of the Samba server. Normally client.p12 would be put on a USB key; sharing it directly is just for convenience.
Install client.p12 on the client.
2. Some pages can only be accessed by clients holding a certificate, while others can be accessed by everyone.
To modify httpd.conf you must first prepare some pages; /usr/local/apache/htdocs/secure is the directory that only allows access with a certificate.
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
3. Some pages can only be accessed by clients whose certificate has specific contents, while others can be accessed by everyone.
Here I assume that we allow access by people on the LAN.
SSLVerifyClient none
<Directory /usr/local/apache/htdocs/secure/area>
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "recognition" and \
           %{SSL_CLIENT_S_DN_OU} in {"305", "307", "309", "313"}
</Directory>
4. Allow LAN users to access the LAN site over HTTP, but require strong encryption for HTTPS access from elsewhere.
Assume the LAN users' addresses are in 192.168.1.0/24.
The following should be placed outside the HTTPS virtual host so that it applies to both HTTP and HTTPS access.
SSLCACertificateFile conf/ssl.crt/company-ca.crt
<Directory /usr/local/apache/htdocs>
# Outside the subarea only Intranet access is granted
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
</Directory>
<Directory /usr/local/apache/htdocs/subarea>
# Inside the subarea any Intranet access is allowed,
# but from the Internet only HTTPS + strong cipher + password
# or the alternative HTTPS + strong cipher + client certificate.
# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as an alternative to basic auth.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# Force clients from the Internet to use HTTPS
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
# Allow network access and/or basic auth
Satisfy any
# Network access control
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
AuthUserFile conf/protected.passwd
Require valid-user
</Directory>
Reference for the SSL configuration directives of Apache (see /usr/local/apache/htdocs/manual/mod/mod_ssl for more details). Note that several directives listed below (SSLEnable, SSLDisable, SSLBanCipher, SSLRequireCipher, SSLRequiredCiphers, SSLCacheServerPort, SSLCacheServerPath, SSLLogFile, SSLFakeBasicAuth and the numeric form of SSLVerifyClient) belong to Apache-SSL rather than to mod_ssl; in mod_ssl the equivalents are SSLEngine, SSLCipherSuite, SSLSessionCache, SSLLog, SSLOptions +FakeBasicAuth and SSLVerifyClient none|optional|require.
1. SSLCACertificatePath
Syntax: SSLCACertificatePath /path/to/CA/certificates
Application Environment: server config, virtual host
Default setting: none
This directive specifies a directory containing certificate authority certificate files.
2. SSLCACertificateFile
Syntax: SSLCACertificateFile ca_certificate_filename
Application Environment: server config, virtual host
Default setting: none
This directive specifies a file containing the certificate authority certificate.
3. SSLBanCipher
Syntax: SSLBanCipher cipher
Application Environment: per-directory config (.htaccess)
This directive denies access to clients that negotiate the named cipher.
4. SSLCacheServerPort
Syntax: SSLCacheServerPort port | filename
Application Environment: server config, virtual host
This directive configures the TCP/IP port or Unix domain socket on which the SSL session cache server process listens.
5. SSLCacheServerPath
Syntax: SSLCacheServerPath filename
Application Environment: server config, virtual host
This directive sets the path of the executable for the SSL session cache server process. If Apache was installed with the APACI configuration script, the cache server executable is in the sbin subdirectory of the Apache installation directory.
6. SSLCertificateFile
Syntax: SSLCertificateFile certificate_filename
Application Environment: server config, virtual host
This directive specifies the certificate file for a host on the web site. To provide SSL for a virtual host, you need to specify a separate certificate for that virtual host.
7. SSLCertificateKeyFile
Syntax: SSLCertificateKeyFile certificate_key_filename
Application Environment: server config, virtual host
This directive specifies the private key file corresponding to the certificate.
8. SSLEnable
Syntax: SSLEnable
Application Environment: server config, virtual host
This directive turns SSL on. It takes no arguments.
9. SSLDisable
Syntax: SSLDisable
Application Environment: server config, virtual host
This directive turns SSL off. It takes no arguments.
10. SSLFakeBasicAuth
Syntax: SSLFakeBasicAuth
Application Environment: server config, virtual host
This directive translates the user's X.509 certificate (its subject DN) into a user name that can then be used for authentication.
11. SSLRequireCipher
Syntax: SSLRequireCipher cipher
Application Environment: per-directory config (.htaccess)
This directive adds a cipher to the per-directory list of required ciphers.
12. SSLLogFile
Syntax: SSLLogFile log_filename
Application Environment: server config, virtual host
This directive writes SSL connection information to the named log file.
13. SSLRequireSSL
Syntax: SSLRequireSSL
Application Environment: per-directory config, directory
This directive denies access unless the request arrived over SSL.
14. SSLRequiredCiphers
Syntax: SSLRequiredCiphers cipher1:cipher2:...
Application Environment: server config, virtual host, per-directory config (.htaccess)
This directive specifies a colon-separated list of ciphers the server may use.
15. SSLSessionCacheTimeout
Syntax: SSLSessionCacheTimeout seconds
Application Environment: server config, virtual host
This directive sets the expiry time of entries in the SSL session cache.
16. SSLVerifyDepth
Syntax: SSLVerifyDepth number
Application Environment: server config, virtual host
Because one CA certificate can be signed by another CA certificate, CA certificates can form a chain. This directive sets how many CA certificates the server will follow when verifying the user certificate.
17. SSLVerifyClient
Syntax: SSLVerifyClient number
Application Environment: server config, virtual host
This directive determines whether the server requests a user certificate: 0 means no certificate is requested, 1 means a certificate is requested but optional, and 2 means a certificate is required.
The end ------------------------------------------------
If something goes wrong while following the steps above and you can't tell where, my suggestion is to delete all three of them and start again from step 2. Of course, Apache is powerful; I have only just learned it, so I'll write this down here first.

More about this article in http://www.infosecurity.org.cn/forum/read.php? FID = 10 & tid = 31 & page = 1
