"If it were really the case that terrorists "hate us for our freedoms," we'd be getting more popular with Al Qaeda every month." -- Julian Sanchez of Reason.com
SSL is fantastic. There's no way to get around how fantastical it is. It let's you use untrusted networks and lets you get around content filters. Sadly, implementing SSL is often seen as black magic, only to be attempted by professionals. After reading this guide you'll know just how easy it really is.
To write this I heavily relied on Apache Security (O'Reilly) by Ivan Ristic, specially chapter 4. It's a fantastic book and I highly recommend it to everyone interested in the topic.
Requirements
This guide assumes you understand the various components in a LAMP setup (read the article by me titled "LAMP setup")
This guide assumes you have root access to a server, we need this as we are compiling and installing applications
This guide assumes you know what SSL is.
Starting off
Download a copy of the latest Apache httpd, or the version you're currently using if you are already running apache and don't want to upgrade. We now need to (re)compile Apache to support SSL. It would be possible to simply install the SSL mod (called mod_ssl) into an existing installation of Apache, but something as central as SSL I'd want compiled into it, not as a module.
Here's the configure line:
CODE :
#./configure --enable-ssl
Don't forget to use any other parameters you also used last time you compiled Apache, for instance you may want to fiddle with --prefix and add --enable-so.
Then of course you (as root)
CODE :
#make
#make install
While that was working away I started creating keys, with OpenSSL installed I typed the following (as root):
CODE :
Uncomment that line, make a backup of the config file it mentions and start editing the file linked to
A lot of the options that file sets are already good.
You'll want to change the virtualhost it defines, which I won't go into, find and read the official documentation on that if you need help.
I commented that out and replaced it with:
From the book mentioned in the introduction:
[A] Useful configuration option is the following, which disallows the situation where, though the server supports high-grade encryption, the client negotiates a low-grade (eg., 40-bit) protocol suit, which offers little protection:
CODE :
# Disallow ciphers that are weak (obsolete or
# known to be flawed in some way). The use of
# an exclamation mark in front of a cipher code
# tells Apache to never use it. EXP refers to 40-bit
# and 56-bit ciphers, NULL ciphers offer no encryption.
# ADH refers to Anonymous Diffie-Hellman key exchange
# which effectively disables server certificate validation,
# and LOW refers to other low strength ciphers.
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
After that you need to change the paths to the keys
CODE :
Now to disable SSLv2. Here's why:
[quote=http://www.megasecurity.org/Info/ssl_servers.html#1.2]The SSLv2 protocol has two known flaws. The downgrade attack allows an active attacker (one who can change bits in the messages between client and server) to force an SSLv2 session to use weaker ciphersuites than would ordinarily be negotiated. Since the SSLv2 handshake packets between the client and server are not integrity checked, there's no way for the server to tell if the ciphersuite list has been modified. Once the attacker has forced the SSLv2 session into a weak ciphersuite, the attacker can use brute-force techniques to crack the small key.
...[/quote]
Here's how:
CODE :
# Allow SSLv3 and TLSv1 but not SSLv2
SSLProtocol All -SSLv2
Now start apache and try loading https://127.0.0.1/
Should be working. Of course you have self certified yourself, browsers will kick up a fuss about this. Still, you are using SSL.
Further work
If your site is to only use SSL, then you'd create a virtualhost not using SSL which uses RedirectPermanent to redirect all users to the SSL version of the site.
If your site allows users to use SSL and non-SSL content, then have the two sites as separate VirtualHosts in order to not accidentally leak confidential information over a non-SSL connection.
If you are a company and want to set up your own CA, perhaps to certify keys within your organisation, then just read up the documentation on OpenSSL, all you need is there. More user friendly projects to create your own CA are [url="http://www.openca.org/openca/"]OpenCA[/url] and [url="http://tinyca.sm-zone.net"]TinyCA[/url].
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 4 comments.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.
