SSL

Problems with the Windows version of XAMPP, questions, comments, and anything related.

SSL

Postby fyndler » 13. April 2009 18:31

Hey,

Is it dangerious to open SSL ?

I host my website home with a vote site and i need to open SSL

So is it dangerious ? And how do i open it ?

Thanks
fyndler
 
Posts: 38
Joined: 28. October 2007 17:29

Re: SSL

Postby Sharley » 14. April 2009 00:28

No, it is no more dangerous on a home web server than using normal http access.

You access your pages using SSL with https://localhost/ for example, which should show you the XAMPP Welcome Page on a default installation using Secure Socket Layer technology, which in effect encrypts the data between your browser and the web server and is often used by sites that require secure information from the browser like bankcard details etc.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: SSL

Postby fyndler » 14. April 2009 01:02

Sharley wrote:No, it is no more dangerous on a home web server than using normal http access.

You access your pages using SSL with https://localhost/ for example, which should show you the XAMPP Welcome Page on a default installation using Secure Socket Layer technology, which in effect encrypts the data between your browser and the web server and is often used by sites that require secure information from the browser like bankcard details etc.



Yeah i need to have SSL activated for my paypal account for someredirect stuff, but i kust wanted to make sure that it wont be any problems

Do you have any idea how i can activate SSL ?

Thanks
fyndler
 
Posts: 38
Joined: 28. October 2007 17:29

Re: SSL

Postby Sharley » 14. April 2009 10:00

SSL is already implemented in XAMPP.

Go to https://localhost/ in your browser and look for the closed lock simble which indicates that SSL is in use.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: SSL

Postby fyndler » 14. April 2009 17:41

Sharley wrote:SSL is already implemented in XAMPP.

Go to https://localhost/ in your browser and look for the closed lock simble which indicates that SSL is in use.



Well localhost will only take me to my website :/
fyndler
 
Posts: 38
Joined: 28. October 2007 17:29

Re: SSL

Postby Sharley » 14. April 2009 22:34

Please be more specific what you want to do as these one line cryptic comments are not very helpful when trying to guess your intentions.
Thank you.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: SSL

Postby fyndler » 15. April 2009 04:31

I want to enable SLL, at the moment my visitors gets an SSL error when using paypal becuse its disabled, so i just need to enable SLL

I have searched here and on google but cant find anything on how to enable it for windows
fyndler
 
Posts: 38
Joined: 28. October 2007 17:29

Re: SSL

Postby kheng » 16. April 2009 20:48

fyndler: SSL is already enabled, the problem is your certificate either does not match the name of your server, the certificate has expired, or the certificate is not signed my a trusted authority. To fix the servername and expiry only, you can run "makecert.bat" in the apache folder.
to install a certificate from a trusted authority, you will need to wait untill someone helps me with my problem below:

to the benevolent technical savy users and staff:
I've been trying to implement a commercial certificate (Thawte) on my xampp 1.6.0a installation.

I have no problems with implementing the built-in (self signed) SSL Certificate. However when I go through the motions to create a commercial SSL Certificate, I am subsequently unable to start my apache service.

the steps I use are as follows:
Part 1:
1) open dos prompt, navigate to apache/bin
2) run the command "openssl genrsa -des3 -out my.domain.com.key 1024"
3) create a PEM
I've now created my Key file (I think this step is OK)

Part 2:
1) still in the same working directory, run the command:
"openssl req -config \apache\bin\openssl.cnf -new -key my.domain.com.key -out my.domain.com.csr"
2) enter PEM
3) enter in requested details -> country, state, city, company name, domain name etc
I've now created my csr file (I think this step is OK)

Part 3:
1) Open Thawte website, request free 21 day trial certificate, enter my details for their marketing
2) Open my.domain.com.csr with a text editor (in this case notepad)
3) Copy contents of my.domain.com.csr (everything including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" and everything in between)
4) Thawte generates a certificate which looks like
-----BEGIN CERTIFICATE-----
MIIDJTCCAo6gAwIBAgIQbRK8UxzssfdyTuJ+Bd2GajANBgkqhkiG9w0BAQUFADCB
.
.
pA/S/xYkOnLFyAyudFT6gTJenlG8kPC1VXjImFKAEL3wW2Q5ZSZ2STo=
-----END CERTIFICATE-----
I copy and paste this into a text file which I rename my.domain.com.crt (I think this step is OK)

Part 4 - Updating the Apache Config
this is where I think I'm making mistakes.
1) I copy my.domain.com.crt into xampp\apache\conf\ssl.crt
2) I copy my.domain.com.key into xampp\apache\conf\ssl.key
3) I rename my.domain.com.csr to server.csr and copy it into xampp\apache\conf\ssl.csr
4) I update xampp\apache\conf\extra\httpd-ssl.conf
I change SSLCertificateFile conf/ssl.crt/server.crt to SSLCertificateFile conf/ssl.crt/my.domain.com.crt
and change SSLCertificateKeyFile conf/ssl.key/server.key to SSLCertificateKeyFile conf/ssl.key/my.domain.com.key
5) stop apache
6) start apache (apache unable to start)

Part 4 (alternative) I've also tried:
1) I rename my.domain.com.crt to server.crt and copy into xampp\apache\conf\ssl.crt
2) I rename my.domain.com.key to server.key and copy into xampp\apache\conf\ssl.key
3) I rename my.domain.com.csr to server.csr and copy it into xampp\apache\conf\ssl.csr
4) (don't touch xampp\apache\conf\extra\httpd-ssl.conf)
5) stop apache
6) start apache (apache unable to start)

I think I'm missing something when I update the apache configuration.
one line I think could be a problem is:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
but I'm not sure... or it could be somewhere else :) (for all I know, I could be creating the .key file wrongly!)

when i revert back to the original .key and .crt files (and original httpd-ssl.conf), apache can start without a problem
if I use the makecert.bat to generate a self signed SSL certificate, apache also starts without a problem
it's only when I try to create my own certificates (signed by thawte) that I have this problem.

any comments/suggestions would be greatly appreciated!
kheng
 
Posts: 9
Joined: 16. April 2009 19:09
Location: Australia

Re: SSL

Postby Wiedmann » 16. April 2009 21:34

6) start apache (apache unable to start)

"error.log" and/or output from "apache_start.bat"?
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: SSL

Postby Sharley » 16. April 2009 21:36

Run apache_start.bat file to see why it can't start - usually it will give you the feedback details of any errors in the conf.

Also see the error.log file in the apache\logs\ folder.


BTW have you checked out the free certificates from the Aussie https://www.cacert.org/ - lots of reading but maybe worth the effort since the also provide an authority
Last edited by Sharley on 16. April 2009 21:47, edited 1 time in total.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: SSL

Postby kheng » 16. April 2009 21:42

hi guys, thanks for the reply

[Fri Apr 17 06:41:10 2009] [crit] (22)Invalid argument: unable to replace stderr with error_log
[Fri Apr 17 06:41:10 2009] [crit] (2)No such file or directory: unable to replace stderr with /dev/null
[Fri Apr 17 06:41:11 2009] [error] Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/web/xampp/apache/conf/ssl.key/server.key)

update: I think I need to change the line "SSLPassPhraseDialog builtin" to "SSLPassPhraseDialog exec:bin/pwfilter1.exe" once I find the pwfilter1.exe file.... I'll continue googling and be right back... :)
kheng
 
Posts: 9
Joined: 16. April 2009 19:09
Location: Australia

Re: SSL

Postby kheng » 16. April 2009 21:57

Hi Sharley,

thanks for the link to cacert.org.. I've actually used free signing authorities before (on a regular apache install, not yet on an xampp install). my current problem is that clients who view my webpages receive a certificate invalid error, due to the certificate being signed by "an authority they have chosen not to trust" (or more specifically, one that Microsoft has not included in the standard IE trust list). Given the scope and potential growth of my clientell... I'm biting the bullet, and will be purchasing certificate from a "standard" authority... Verisign is way to expensive... thawte is cheaper with a similar level of acceptance... geotrust has a similar price...

I realise I can get their browsers to "accept" my self signed certificate, if they install the certificate in their browser... but I also use Acrobat to submit https HTML forms... and acrobat is a little more picky about it's signing authorities :(

update: reading http://www.entrust.net/knowledge-base/t ... fm?tn=6558 it looks like I can't use an encrypted pass phrase in windows (there are perl work arounds, but I don't think I really want to go into that).

I'm going to try again, without the encrypted PEM, and I'll let you all know how I go.
kheng
 
Posts: 9
Joined: 16. April 2009 19:09
Location: Australia

Re: SSL

Postby Sharley » 16. April 2009 22:05

Read the CACert site as they now have the required authority certs and also a verification system - a little more work on your part but the price is right. ;)

Try using rsa instead of des3.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: SSL

Postby Wiedmann » 16. April 2009 22:12

update: I think I need to change the line "SSLPassPhraseDialog builtin" to "SSLPassPhraseDialog exec:bin/pwfilter1.exe" once I find the pwfilter1.exe file.... I'll continue googling and be right back...

You can also use a batchfile with echos your pw.

In the XAMPP testcert, we just remove the passphrase from the cert. That's also possible.
(Just read the SSL FAQ in the Apache manual.)

(BTW: There is no problem with your certificate)
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: SSL

Postby kheng » 16. April 2009 22:19

Hi all,

thanks for all your comment.

It works when I don't encrypt. (many sad faces). I believe PEM encryption is only an issue if I'm worried someone might get access to my config files (of which I'm not too worried, since I'm hardware firewalled and only have HTTP/HTTPS services running - no FTP or telnet).
For the moment, I'm happy that it works when I have no PEM encryption

Moving forward, I'll definately give RSA encryption a try (probably next week)

I'll read the cacert site a little more thoroughly on the weekend :D could save me $$$

Thanks all for your help.

If people would like, I can put together a tute for enabling public SSL on XAMPP based on thawte (and if I can, cacert.org)... I'm not sure if will be of any benefit to anyone... but the offer is open :wink:
kheng
 
Posts: 9
Joined: 16. April 2009 19:09
Location: Australia

Next

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 66 guests