The big lie of computer security is that security improves by imposing complex passwords on users. In real life, people write down anything they can't remember. Security is increased by designing for the way humans actually behave. -Jakob Nielsen
SSL is fantastic. There's no way to get around how fantastical it is. It let's you use untrusted networks and lets you get around content filters. Sadly, implementing SSL is often seen as black magic, only to be attempted by professionals. After reading this guide you'll know just how easy it really is.
To write this I heavily relied on Apache Security (O'Reilly) by Ivan Ristic, specially chapter 4. It's a fantastic book and I highly recommend it to everyone interested in the topic.
This guide assumes you understand the various components in a LAMP setup (read the article by me titled "LAMP setup")
This guide assumes you have root access to a server, we need this as we are compiling and installing applications
This guide assumes you know what SSL is.
Download a copy of the latest Apache httpd, or the version you're currently using if you are already running apache and don't want to upgrade. We now need to (re)compile Apache to support SSL. It would be possible to simply install the SSL mod (called mod_ssl) into an existing installation of Apache, but something as central as SSL I'd want compiled into it, not as a module.
Here's the configure line:
Don't forget to use any other parameters you also used last time you compiled Apache, for instance you may want to fiddle with --prefix and add --enable-so.
Then of course you (as root)
While that was working away I started creating keys, with OpenSSL installed I typed the following (as root):
I commented that out and replaced it with:
From the book mentioned in the introduction:
[A] Useful configuration option is the following, which disallows the situation where, though the server supports high-grade encryption, the client negotiates a low-grade (eg., 40-bit) protocol suit, which offers little protection:
# Disallow ciphers that are weak (obsolete or
# known to be flawed in some way). The use of
# an exclamation mark in front of a cipher code
# tells Apache to never use it. EXP refers to 40-bit
# and 56-bit ciphers, NULL ciphers offer no encryption.
# ADH refers to Anonymous Diffie-Hellman key exchange
# which effectively disables server certificate validation,
# and LOW refers to other low strength ciphers.
After that you need to change the paths to the keys
Now to disable SSLv2. Here's why:
[quote=http://www.megasecurity.org/Info/ssl_servers.html#1.2]The SSLv2 protocol has two known flaws. The downgrade attack allows an active attacker (one who can change bits in the messages between client and server) to force an SSLv2 session to use weaker ciphersuites than would ordinarily be negotiated. Since the SSLv2 handshake packets between the client and server are not integrity checked, there's no way for the server to tell if the ciphersuite list has been modified. Once the attacker has forced the SSLv2 session into a weak ciphersuite, the attacker can use brute-force techniques to crack the small key.
# Allow SSLv3 and TLSv1 but not SSLv2
SSLProtocol All -SSLv2
Now start apache and try loading https://127.0.0.1/
Should be working. Of course you have self certified yourself, browsers will kick up a fuss about this. Still, you are using SSL.
If your site is to only use SSL, then you'd create a virtualhost not using SSL which uses RedirectPermanent to redirect all users to the SSL version of the site.
If your site allows users to use SSL and non-SSL content, then have the two sites as separate VirtualHosts in order to not accidentally leak confidential information over a non-SSL connection.
If you are a company and want to set up your own CA, perhaps to certify keys within your organisation, then just read up the documentation on OpenSSL, all you need is there. More user friendly projects to create your own CA are [url="http://www.openca.org/openca/"]OpenCA[/url] and [url="http://tinyca.sm-zone.net"]TinyCA[/url].