Configuring SSL - procedure

Problems with the Linux version of XAMPP, questions, comments, and anything related.

Postby sibawe » 08. January 2007 22:52

Hello,

This procedure outlines how to customize SSL to LAMPP's default configuration.
It's very much inspired by http://www.vanemery.com/Linux/Apache/apache-SSL.html. Check out this site for steps 2 => 5, esp. with regards to all the chmod and chown suggested. They won't appear below.

Here's my small contribution to this wonderful project (XAMPP). Thanks again to this team. :D

By the way, I'm no security expert at all. This procedure just shows how I did it. It's not a recommendation or anything like that.

-------------------------

My goal is to secure all internet connections to my extranet at http://www.mysite.dyndns.org/secure, actually to force the users to go through "https".
However, this remains a small extranet, and I don't want to purchase any certificates. In this case, I'll be my own certificate authority, issuing my own "self-certified" certificates.

I used a Fedora4 server, with xampp-1.5.5a installed and working properly. All Unix commands are preceded by "[root@mysite ssl.crt]> ", all comments by "#".

1/ [root@mysite ssl.crt]> vi /etc/hosts

*add the appropriate IP / DNS resolution details*: x.y.z.t www.mysite.dyndns.org # added by ME

2/ [root@mysite ssl.crt]> mkdir /tmp/CA # create a sandbox for all certificates
3/ [root@mysite ssl.crt]> openssl genrsa -des3 -out my-ca.key 2048 # create Certificate Authority key - fill in the relevant information
4/ [root@mysite ssl.crt]> openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt # create Certificate Authority certificate - fill in the relevant information * vanemery says you'll need to put in the real FQDN of your server when prompted for the "Common Name", in this case www.mysite.dyndns.org check step 1. I trust him ;) *

4/ [root@mysite ssl.crt]> openssl genrsa -des3 -out mysite-server.key 1024 # create a key for Mysite - fill in the relevant information

5/ [root@mysite ssl.crt]> openssl x509 -req -in mysite-server.csr -out mysite-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650 # create a 10-year certificate for Mysite, sign it with the Certificate Authority key - fill in the relevant information

6/ copy the certificates
[root@mysite ssl.crt]> cp /tmp/CA/mysite-server.crt /opt/lampp/etc/ssl.crt/ # Copy Mysite certificate to the appropriate location
[root@mysite ssl.crt]> cp /tmp/CA/mysite-server.key /opt/lampp/etc/ssl.key/ # Copy Mysite key to the appropriate location
[root@mysite ssl.crt]> cp /tmp/CA/my-ca.crt /opt/lampp/etc/ssl.crt/ # Copy the Certificate Authority certificate to the appropriate location


7/ When the LAMPP server starts, you'll maybe get this error:[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]. Thanks to http://ceylonlinux.com/pdf/apache_ssl.pdf for the hint on how to solve this problem: this error occurs because the server expects a passphrase authentication => convert mysite's key to RSA to prevent this.
[root@mysite ssl.key]> cp mysite-server.key mysite-server.key.new
[root@mysite ssl.key]> openssl rsa -in mysite-server.key.new -out mysite-server.key

8/ [root@mysite logs]> vi /opt/lampp/etc/extra/httpd-ssl.conf # this file is where all security is handled (check /opt/lampp/etc/httpd.conf)

ServerName www.mysite.dyndns.org:443
ServerAdmin admin@mysite.dyndns.org

Server Certificate:
#SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateFile /opt/lampp/etc/ssl.crt/mysite-server.crt

Server key:
#SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/mysite-server.key

Certificate Authority
#SSLCACertificatePath /opt/lampp/etc/ssl.crt
#SSLCACertificateFile /opt/lampp/etc/ssl.crt/ca-bundle.crt
SSLCACertificatePath /opt/lampp/etc/ssl.crt
SSLCACertificateFile /opt/lampp/etc/ssl.crt/my-ca.crt

9/ I want all communication with https://www.mysite.dyndns.org/secure to be encrypted =>:
[root@mysite ssl.key]> vi /opt/lampp/htdocs/secure/.htaccess

# Force SSL connection

SSLRequireSSL


10/ Start LAMPP.
Check it out by trying NO security: http://www.mysite.dyndns.org. You should get a "forbidden" error message.
Check it out by trying WITH security: https://www.mysite.dyndns.org. You should go through.

11/ IMPORTANT NOTE: When each user connects, he'll be prompted with the "not so professional" Windows message telling the user he's being hacked :( . That's because the Certificate Authority isn't publicly known (=> that's because you just created it :D ).

One way to avoid this is to issue the CA certificate in a file and ask the users to install it separately, on the computer they'll be using most. This small procedure is one way to do it with IE7. You might need to adapt it.

10a/ To generate the file: connect once to the site, then click in the certificate area and say "show certificate". Check out the "certificate path". You'll have one root (the certificate authority) and one branch (the site certificate).
10b/ Double-click on the root certificate, click details, then "copy to a file", select some handy destination like your desktop, and name the certificate mysite-ca.crt.
10c/ Make the file available to your users. Ask them to double-click on mysite-ca.crt, then "next-next-yes-finish".
10d/ The certificate is installed; try an https connection. Hopefully, you won't get the ugly navigator messages anymore.

Good luck
sibawe
 
Posts: 4
Joined: 07. January 2007 00:32
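The certificate steps 2 to 7 of sibawe's post, collected into one non-interactive shell script. This is an added example, not code from the post or from XAMPP: it uses -subj instead of the interactive prompts, AES-256 and SHA-256 where the post uses DES3 and SHA-1, generates the server key without a passphrase so the step-7 fix is not needed, adds the certificate signing request the post skips between its steps 4 and 5, and puts a subjectAltName on the server certificate, which current browsers require. The function names, the directory argument and the sample passphrase are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the CA and server
# certificate steps as functions; openssl must be on PATH.
set -eu

# make_certs DIR FQDN [CA_PASSPHRASE]: private CA plus a CA-signed server cert in DIR
make_certs() {
    dir="$1"; fqdn="$2"; ca_pass="${3:-example-passphrase}"   # passphrase is a constructed sample
    mkdir -p "$dir"
    # CA private key, passphrase-protected as in step 3 (AES-256 instead of DES3)
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/my-ca.key" 2048 2>/dev/null
    # Self-signed CA certificate, step 4; -subj replaces the interactive prompts
    openssl req -new -x509 -days 3650 -key "$dir/my-ca.key" -passin "pass:$ca_pass" \
        -subj "/CN=My private CA" -out "$dir/my-ca.crt"
    # Server key without a passphrase, so httpd starts unattended (what step 7 ends up with)
    openssl genrsa -out "$dir/mysite-server.key" 2048 2>/dev/null
    # Certificate signing request: the step the post omits between its steps 4 and 5
    openssl req -new -key "$dir/mysite-server.key" -subj "/CN=$fqdn" -out "$dir/mysite-server.csr"
    # subjectAltName extension; browsers no longer accept the CN alone as the host name
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    # Sign the request with the CA, step 5 (SHA-256 instead of SHA-1)
    openssl x509 -req -in "$dir/mysite-server.csr" -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" \
        -passin "pass:$ca_pass" -CAcreateserial -days 3650 -sha256 \
        -extfile "$dir/san.ext" -out "$dir/mysite-server.crt" 2>/dev/null
}

# check_chain DIR FQDN: succeed only if the server cert verifies against the CA
# and carries FQDN in its subject, which is what a browser with my-ca.crt installed checks
check_chain() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/my-ca.crt" "$dir/mysite-server.crt" >/dev/null &&
        openssl x509 -in "$dir/mysite-server.crt" -noout -subject | grep -q "CN *= *$fqdn"
}

# key_is_unencrypted FILE: the condition behind step 7; a passphrase-protected PEM key carries an ENCRYPTED header
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

if [ "${1:-}" = "run" ]; then   # usage: sh make-certs.sh run /tmp/CA www.mysite.dyndns.org
    make_certs "$2" "$3"
    check_chain "$2" "$3" && echo "chain OK; copy the files as in step 6"
fi
```

The files land in the directory given, ready to be copied to /opt/lampp/etc/ssl.crt and ssl.key as in step 6; my-ca.crt is also the file users import in step 11.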

Awesome Info

Postby ledude » 05. June 2007 21:03

Sibawe.

This is awesome. Many thanks for taking your time to do this.

Le Dude
ledude
 
Posts: 3
Joined: 20. May 2007 04:56
Location: Seattle
