Apache Web Server SSL

Posted by admin

Webmasters may buy SSL certificates to secure their website from web hosting companies that resell offerings from premium vendors such as GeoTrust, Verisign, and others. Assuming you have Apache and OpenSSL installed, you will want to generate a CSR, obtain a certificate for your domain and set it up in Apache.

The mod_ssl module provides SSL v3 and TLS v1.x support for the Apache HTTP Server; SSL v2 is no longer supported. The module relies on OpenSSL to provide the cryptography engine. Further details, discussion, and examples are provided in the Apache SSL documentation.

SSL provides for secure communication between client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy. The protocol is designed to support a range of choices for the specific algorithms used for cryptography, digests and signatures.

The Apache Project has evolved over the years, but it remains devoted to staying free, which is great news for any business looking to establish a web server. With a little time and the right commands, your business can host its own website and set up OpenSSL for secure communications using the Secure Sockets Layer technology for encrypted.

The Mozilla SSL Configuration Generator is an easy-to-use secure configuration generator for web, database, and mail software: simply select the software you are using and receive a configuration file that is both safe and compatible.


Here is a short note on how to configure Apache to use a certificate file for SSL, in other words how to enable https in the Apache httpd server. After you enable SSL in the web server configuration, you should be able to access the application over https.

Install The mod_ssl Plugin

1. Make sure that mod_ssl is installed.

2. If mod_ssl is not installed, install it using yum:

Edit SSL Certificate And Keys

1. Edit /etc/httpd/conf.d/ssl.conf and set the server name and the locations of the SSL certificate files. The parameters to be edited are:
a. ServerName
b. SSLCertificateFile
c. SSLCertificateKeyFile

Here,
– The ServerName must match the Common Name (CN) of the SSL certificate, or client browsers will get a “domain mismatch” message. To view the certificate Common Name (CN):

– The SSLCertificateKeyFile is the private key associated with the certificate (which carries the public key).
– Verify that the Listen directive in ssl.conf is correct for your setup. For example, if an IP address is specified, it needs to match the IP address the httpd service is bound to.
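As an added example (not from the original post), the script below checks the three directives the note says to edit, plus Listen, for the mistakes described above: ServerName not matching the certificate CN, a missing certificate or key file directive, and a Listen address httpd is not bound to. The ssl.conf text is constructed; the certificate CN and the bound IP list are passed in by the caller (for instance from `openssl x509 -noout -subject` and `ip addr`).

```python
import re

# Constructed ssl.conf fragment for demonstration (not a real server's config).
SAMPLE_SSL_CONF = """\
Listen 192.0.2.10:443
<VirtualHost _default_:443>
ServerName www.example.com:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/example.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.key
</VirtualHost>
"""

WANTED = ("Listen", "ServerName", "SSLCertificateFile", "SSLCertificateKeyFile")


def parse_directives(conf_text):
    """Return {directive: [values]} for the directives we care about."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1) in WANTED:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found


def check_ssl_conf(conf_text, cert_cn, bound_ips):
    """Return a list of problems; an empty list means the checks passed."""
    d = parse_directives(conf_text)
    problems = []
    # ServerName may carry a port suffix; browsers compare only the host part.
    server_name = d.get("ServerName", [""])[0].split(":")[0]
    if server_name.lower() != cert_cn.lower():
        problems.append(f"ServerName {server_name!r} != certificate CN {cert_cn!r}")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            problems.append(f"{key} is missing")
    for listen in d.get("Listen", []):
        # "Listen 443" binds all addresses; "Listen IP:443" must be a bound IP.
        ip = listen.rsplit(":", 1)[0] if ":" in listen else None
        if ip and ip not in bound_ips:
            problems.append(f"Listen {listen} uses an IP httpd is not bound to")
    return problems


if __name__ == "__main__":
    for p in check_ssl_conf(SAMPLE_SSL_CONF, "example.com", ["10.0.0.5"]):
        print("PROBLEM:", p)
```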

Restart the Apache web server

For the changes to take effect, restart the Apache web server.
For CentOS/RHEL 5 and 6:

For CentOS/RHEL 7:

Verify SSL connectivity from the command line

There are several tools available to test SSL connectivity. Depending on what needs to be tested, use any of the methods described below.

1. OpenSSL s_client

Use 'openssl s_client -connect TARGET:PORT' to test and troubleshoot SSL/TLS connections to a target server. To test a web server on the standard port:

2. cURL

This tool is often the first choice as it allows you to quickly change between the http and https protocols.
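The following is an added example, not part of the original post: a small Python probe that reports what the openssl s_client and cURL checks above show (negotiated protocol, cipher, certificate CN and SANs, expiry) and whether the name the client asked for is covered by the certificate, which is the "domain mismatch" condition from the ServerName note. The network part runs only from main; summarize_peer() works offline on a getpeercert()-style dict, and the constructed dict in the test stands in for a real server.

```python
import socket
import ssl


def make_client_context():
    """Verifying client: system CA store, hostname check on, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_names(cert):
    """CN and DNS SANs from a getpeercert() dict (browsers rely on the SANs)."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def summarize_peer(cert, version, cipher, requested_host):
    """Flatten what s_client/curl print into a dict; exact name match only
    (wildcard SANs are not expanded in this example)."""
    cn, sans = cert_names(cert)
    names = set(sans) | ({cn} if cn else set())
    return {
        "protocol": version,
        "cipher": cipher[0] if cipher else None,
        "commonName": cn,
        "subjectAltName": sans,
        "name_matches": requested_host in names,
        "notAfter": cert.get("notAfter"),
    }


def probe(host, port=443):
    """Connect like `openssl s_client -connect host:port -servername host`."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with make_client_context().wrap_socket(sock, server_hostname=host) as tls:
            return summarize_peer(tls.getpeercert(), tls.version(), tls.cipher(), host)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

A handshake against a certificate whose names do not include the requested host raises ssl.SSLCertVerificationError before summarize_peer() is reached, which is the command-line equivalent of the browser's domain mismatch warning.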

Cryptographic Techniques

Understanding SSL requires an understanding of cryptographic algorithms, message digest functions (aka. one-way or hash functions), and digital signatures. These techniques are the subject of entire books (see for instance [AC96]) and provide the basis for privacy, integrity, and authentication.

Cryptographic Algorithms

Suppose Alice wants to send a message to her bank to transfer some money. Alice would like the message to be private, since it will include information such as her account number and transfer amount. One solution is to use a cryptographic algorithm, a technique that would transform her message into an encrypted form, unreadable until it is decrypted. Once in this form, the message can only be decrypted by using a secret key. Without the key the message is useless: good cryptographic algorithms make it so difficult for intruders to decode the original text that it isn't worth their effort.

There are two categories of cryptographic algorithms: conventional and public key.

Conventional cryptography
also known as symmetric cryptography, requires the sender and receiver to share a key: a secret piece of information that may be used to encrypt or decrypt a message. As long as this key is kept secret, nobody other than the sender or recipient can read the message. If Alice and the bank know a secret key, then they can send each other private messages. The task of sharing a key between sender and recipient before communicating, while also keeping it secret from others, can be problematic.
Public key cryptography
also known as asymmetric cryptography, solves the key exchange problem by defining an algorithm which uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message then the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key).

Anyone can encrypt a message using the public key, but only the owner of the private key will be able to read it. In this way, Alice can send private messages to the owner of a key-pair (the bank), by encrypting them using their public key. Only the bank will be able to decrypt them.

Message Digests


Although Alice may encrypt her message to make it private, there is still a concern that someone might modify her original message or substitute it with a different one, in order to transfer the money to themselves, for instance. One way of guaranteeing the integrity of Alice's message is for her to create a concise summary of her message and send this to the bank as well. Upon receipt of the message, the bank creates its own summary and compares it with the one Alice sent. If the summaries are the same then the message has been received intact.

A summary such as this is called a message digest, one-way function or hash function. Message digests are used to create a short, fixed-length representation of a longer, variable-length message. Digest algorithms are designed to produce a unique digest for each message. Message digests are designed to make it impractically difficult to determine the message from the digest and (in theory) impossible to find two different messages which create the same digest -- thus eliminating the possibility of substituting one message for another while maintaining the same digest.

Another challenge that Alice faces is finding a way to send the digest to the bank securely; if the digest is not sent securely, its integrity may be compromised and with it the possibility for the bank to determine the integrity of the original message. Only if the digest is sent securely can the integrity of the associated message be determined.

One way to send the digest securely is to include it in a digital signature.


Digital Signatures


When Alice sends a message to the bank, the bank needs to ensure that the message is really from her, so an intruder cannot request a transaction involving her account. A digital signature, created by Alice and included with the message, serves this purpose.

Digital signatures are created by encrypting a digest of the message and other information (such as a sequence number) with the sender's private key. Though anyone can decrypt the signature using the public key, only the sender knows the private key. This means that only the sender can have signed the message. Including the digest in the signature means the signature is only good for that message; it also ensures the integrity of the message since no one can change the digest and still sign it.


To guard against interception and reuse of the signature by an intruder at a later date, the signature contains a unique sequence number. This protects the bank from a fraudulent claim from Alice that she did not send the message, since only she could have signed it (non-repudiation).
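As an added example (not from the original page), the Alice/bank flow of the Message Digests and Digital Signatures sections above, traced in code: a real SHA-256 digest of the message plus a sequence number, "encrypted" with the private key and checked with the public key. The RSA key is a constructed toy (p=61, q=53) with no padding so the arithmetic can be followed by hand; the Bank class is a hypothetical receiver that rejects both tampered messages and replayed sequence numbers.

```python
import hashlib

# Constructed toy RSA key: p=61, q=53 -> n=3233, e=17, d=2753 (e*d = 1 mod 3120).
# Real deployments use 2048-bit or larger keys with a padding scheme such as PSS.
PUBLIC_KEY = (3233, 17)     # (n, e): published
PRIVATE_KEY = (3233, 2753)  # (n, d): known only to Alice


def digest(seq: int, message: str) -> int:
    """SHA-256 over 'seq:message', reduced mod n so the toy key can sign it.
    The sequence number is part of what is digested, so it cannot be changed."""
    data = f"{seq}:{message}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PUBLIC_KEY[0]


def sign(seq: int, message: str) -> int:
    """Alice encrypts the digest with her private key: the signature."""
    n, d = PRIVATE_KEY
    return pow(digest(seq, message), d, n)


def verify(seq: int, message: str, signature: int) -> bool:
    """Anyone holding the public key recovers the digest and compares it with
    a digest they compute themselves over the received message."""
    n, e = PUBLIC_KEY
    return pow(signature, e, n) == digest(seq, message)


class Bank:
    """Accepts a transfer only if the signature verifies and seq is fresh."""

    def __init__(self):
        self.last_seq = 0

    def accept(self, seq: int, message: str, signature: int) -> str:
        if not verify(seq, message, signature):
            return "rejected: bad signature (modified, or not signed by Alice)"
        if seq <= self.last_seq:
            return "rejected: replayed sequence number"
        self.last_seq = seq
        return "accepted"


if __name__ == "__main__":
    bank = Bank()
    sig = sign(1, "transfer 100 to Bob")
    print(bank.accept(1, "transfer 100 to Bob", sig))   # accepted
    print(bank.accept(1, "transfer 100 to Bob", sig))   # rejected: replayed
    print(bank.accept(2, "transfer 900 to Bob", sig))   # rejected: bad signature
```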