Armoring Apache HTTP Server with SSL

nfortunately, there are individuals in the cyber world who have nefarious plots to use and abuse data that your Web site users might deem private and sensitive. But if you’re an Apache user (or are thinking about becoming one), you’re in luck. In this article, we’ll teach you how to configure the Apache HTTP Server Version 2.0 with SSL so that you can safely transfer encrypted data between your Web server and your Web site users.

SSL in a Nutshell
The Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocols are used to provide security for HTTP transactions. Though both protocols are used, SSL and TLS are commonly just referred to as SSL and the term secure HTTP is used to refer to HTTP running over SSL. A client connects to a secure HTTP server by specifying https as opposed to http as the protocol of the URI she is trying to access. By default, secure HTTP uses port 443.

When referring to the subject of secure communications on the Internet, we need to address three major concerns: confidentiality, data integrity, and authentication. Confidentiality refers to making sure that an unintended recipient does not get a hold of sensitive data. Data integrity refers to protecting data from malicious manipulation as it travels from one point to another. Authentication refers to making sure the party you are talking to is a trusted party and that they are who they say they are.

The methods in which you can address these concerns are more easily realized through an analogy. Pretend that you are on an island and that you want to send a bar of gold to a friend on another island. The only means to get the bar of gold to your friend is to pay an untrustworthy deliveryman who owns a boat. You could just hand the man the bar of gold and ask him to deliver it, but your friend would probably never get it.

If you and your friend both have keys to the same lock, you could put the bar of gold in a box, lock it with your key, then give it to the man to deliver it. The man doesn’t know what’s in the box, and because the box and the lock are impenetrable in our analogy, the box is worthless to him, so he just delivers it and makes his money. We’ll call this the “single lock” analogy.

But now let’s assume that your friend does not have a key to the lock. You could put the lock on the box and hand the man the box and a spare key, but there is nothing to stop him from opening it with the spare key after he departs. What to do?

Well, there are a couple ways to do it. One way is for your friend to send over a box that resembles a post-office drop box. Anybody can put something into the box using an insertion slot, but the box has a contraption that prevents anybody from removing anything back out from the box. Nobody can get anything out of the box without a private key. Conceptually, the insertion slot is a public key. You can slide the gold bar into the insertion slot of the box and send the box back to your friend. Your friend uses his private key to open the box and get the gold bar out.

In security software lingo, the single lock analogy is called symmetric cryptography and the mailbox analogy is called asymmetric cryptography.
The “no lock” model is analogous to a web transaction with no encryption. In security software lingo, the single lock analogy is called symmetric cryptography and the mailbox analogy is called asymmetric cryptography. Data that is not encrypted is typically called plain text. SSL is used to encrypt or “put a lock” on plain text data, so to speak. This encrypted data is typically called cipher text. To an eavesdropper, cipher text is incomprehensible. When the encrypted message reaches its destination, it can be decrypted back to its original, plain-text format.

In symmetric cryptography, the same key is used to both encrypt and decrypt a message. This seems simple and straightforward; however, the complexity lies in how to transfer a key securely to your recipient. How do you know that someone won’t intercept the key while it is being transferred? Common algorithms used for symmetric cryptography include DES, Triple-DES, and the RC2 algorithms.

Asymmetric cryptography, or public key cryptography, involves a pair of keys?a public key and private key. When one transmits data, they use a public key that was given to them by the intended recipient to encrypt the data. When the message is received, only the recipient’s private key can open that message. The most common public key algorithm is RSA.

SSL uses a tandem approach of both symmetric and asymmetric cryptography as it facilitates secure communication. Public key cryptography is used at the beginning of the transaction to securely transfer private keys. From there, private keys are used to encrypt communication across the wire.

The job of protecting data integrity is performed by a message digest. Before a message is sent, a message digest is created using a fixed representation of the message that uniquely identifies it. The message digest cannot be used to figure out what the original message was; it can only identify it uniquely. The message digest is used at the receiver’s end to make sure the message text was not altered. Because the possibility exists that the message text and the message digest could be hijacked and altered, the SSL protocol uses message authentication codes (MACs) to assure integrity. MACs use shared keys to protect the message and the digest.

As stated earlier, another key concern in the world of security lies in authentication. In the world of SSL, this concern is addressed by certificates. Digital certificates are electronic documents used to ensure that a person is who he says he is. They contain information about the owner of the certificate such as name, address, etc. To ensure this information is true, a trusted third party certificate authority is used as an intermediary. Certificate authorities ensure that a given public key in fact belongs to the claiming individual/organization.

One of the best known certificate authorities is VeriSign (see resources section, left column). By default, your Web browser most likely comes bundled with a set of certificates. These certificates recognize the major certificate authorities. In Microsoft Internet Explorer, you can click on Tools->Internet Options->Content->Certificates to see which certificate authorities are available.

An Overview of the Process
Before we endeavor to configure our HTTP server with SSL support, let’s get a quick overview of what will go on during a typical secure transaction. Steps 1 through 4 are commonly referred to as the handshake phase of an SSL transaction.

  1. A client browser connects to the Apache HTTP server via a Web request.
  2. The browser and HTTP server exchange certificate information and their public keys.
  3. The browser analyzes the certificate and informs the user about its validity (e.g., was it issued by a recognized, trusted certificate authority?).
  4. The browser and server use their public keys (asymmetric cryptography) to transfer information about a symmetric key.
  5. The transaction is carried out using the private (symmetric) keys.

Setting up Apache with SSL on Windows
We will demonstrate how to setup Apache with SSL on Windows. The process should be very similar for Linux/Unix.

The two main software applications you will need are the Apache HTTP Server and OpenSSL. OpenSSL will be used to generate the keys that you will need for SSL to encrypt your data. You can either build Apache and OpenSSL from source code, or you can obtain binary distributions. Unfortunately, at the time of writing this article, the binary version of Apache HTTP Server (version 2.0.48) was not distributed with mod_ssl, the module that Apache uses to do SSL transactions. There is plenty of documentation available that describes how to build Apache and OpenSSL (see the resources section, left).

We found precompiled binary distributions of Apache and OpenSSL available at http://hunter.campbus.com. Archives are available as well (see resources, left). The file we downloaded was called: Apache_2.0.48-Openssl_0.9.7c-Win32.zip. Unzip this file into a folder. We will refer to this folder as [apache_root] . In the rest of this article, where you see [apache root], please fill in the name of your folder instead.

Openssl.cnf is a configuration file that you can find in the download for this article (see left column). Copy this file to the [apache_root]in directory. OpenSSL will use this file when you are generating your key. In order for this file to be visible from OpenSSL you will need to create an environment variable called OPENSSL_CONF. The method of setting environment variables varies on different versions of Windows, so refer to your Windows Help to find out how to do it for your version of Windows. The environment variable should be set as follows:

OPENSSL_CONF=[apache_root]/bin/openssl.cnf

Open a command prompt window and change to the [apache_root]in directory.

Create a key pair by executing the following command:

openssl genrsa ?des3 ?out www.myhost.com.key 1024

When you issue this command, you will be asked to provide a pass phrase for your key. Use a non-trivial pass phrase and don’t forget it, as you will need it later.

Now that we have a key, we need to create a Certificate Signing Request (CSR). This file would be sent to Verisign, Thawte, or some other certificate authority in order for them to sign it.

Create a certificate signing request by executing the following:

openssl req ?new ?key www.myhost.com.key ?out www.myhost.com.csr

When creating your request, you will be asked to answer a series of survey questions that the certificate authority would like to know about you. After sending your request to the certificate authority, they would then, upon their discretion, provide you with a certificate file that you would use for secure HTTP transactions.

For demonstration purposes in this article, you will create your own self-signed certificate. This will work fine for testing purposes and for use in an intranet. However, for a commercial web site, a certificate should be obtained from a trusted certificate authority.

openssl x509 ?req ?days 30 ?in www.myhost.com.csr ?signkey www.myhost.com.key ?out www.myhost.com.crt

Now create a directory called [apache_root]ssl

Copy the following files from the [apache_root]in to [apache_root]ssl:

www.myhost.com.keywww.myhost.com.crt

Now we need to edit our Apache configuration files.

Open [apache_root]confhttpd.conf and do the following:

  1. Replace all occurrences of c:/apache with [apache_root]
  2. Set ServerAdmin to use your email address
  3. Uncomment LoadModule ssl_module modules/mod_ssl.so

Create a file called [apache_root]confpassphrase.bat that has the following text:

@echo [passphrase]

(Here, [passphrase] is the passphrase you used to generate your certificate key.)

Open [apache_root]/conf/ssl.conf and

  1. Replace all occurrences of c:/apache with [apache_root]
  2. Set SSLPassPhraseDialog builtin to SSLPassPhraseDialog exec:[apache_root]/conf/passphrase.bat
  3. Set ServerAdmin to use your email address
  4. Comment out the start and end tags (or if you want to leave them in, you will need to use “-D SSL” when you start apache in the next section)
  5. Set SSLCertificateFile to point to [apache_root]/ssl/www.myhost.com.crt
  6. Set SSLCertificateKeyFile to point to [apache_root]/ssl/www.myhost.com.key
  7. Comment out SSLMutex file:logs/ssl_mutex and create a new line that says SLMutex default

Now go to the [apache_root]in directory from the command prompt and issue the following commands:

apache ?n "Apache" ?k installapache ?n "Apache" ?k start

Pull up your Windows services (In Windows XP: Start->Control Panel->Administrative Tools->Services) and make sure the Apache service is started. If it isn’t running, try to start it from the Services view. If it gives you an error, you may have to pull up your Windows event log (In Windows XP: Start->Control Panel->Administrative Tools->Event Viewer) to see what the error is. If that doesn’t help, try looking in the Apache log files in [apache_root]logs.


Figure 1. Warning: When you are warned about an untrusted certificate in IE, you have the option to view the certificate before accepting it.
 
Figure 2. A Secure, but Untrusted Page: If you choose not to be prompted with the certificate warning, you’ll get the page you requested and a padlock icon at the bottom to let you know you’re on a secure page.

Now try pulling up Apache from your Web browser. Try both HTTP (http://localhost/) and HTTPS (https://localhost) to see if it works. In Internet Explorer (and most other mainstream Web browsers), after pulling up the secure URL, you’ll get a message that the certificate is not signed by a Certificate Authority, and you will be prompted whether or not to accept the certificate. You are also given the option to view the certificate. Viewing the certificate in Internet Explorer will look something like Figure 1.

Internet Explorer allows you to install the certificate so that you do not have to be prompted again that the certificate is not trusted. If you accept the prompt to allow you to use the certificate, despite the fact that it is untrusted, you’ll get a page like Figure 2.

If you’ll notice, there is a little lock icon on the status bar at the bottom of the browser window. This denotes that any transaction with the server should be secure from within this page.

Alternative Solutions
There are customized distributions of Apache HTTP Server available that take out the complexity of having to configure the modules like we did in this paper. One easy one to set up is OpenSa HTTP server. You can learn more about this server by clicking the links in the resources section in the left column. OpenSa is built on top of Apache 1.x, so if you need to use Apache 2.x for your Web site, OpenSa will not work.

In this article, we taught you how to configure your Apache HTTP Server Version 2 with SSL support. In today’s treacherous waters of identity theft and other plots to wreak just plain havoc, it is important for web site users to know that their data is protected while it gets from point A to point B. Also, it is important for them to know that point B is a trusted endpoint. A properly configured setup of Apache HTTP Server with SSL support can provide such assurance.

Share the Post:
Share on facebook
Share on twitter
Share on linkedin

Overview

Recent Articles: