

Armoring Apache HTTP Server with SSL: Page 2

These days, just about every Web site needs security. This simple, step-by-step guide will help you understand the various encryption schemes and show you how to set up SSL encryption on your Apache server.

An Overview of the Process
Before we endeavor to configure our HTTP server with SSL support, let's get a quick overview of what will go on during a typical secure transaction. Steps 1 through 4 are commonly referred to as the handshake phase of an SSL transaction.
  1. A client browser connects to the Apache HTTP server with an HTTPS request.
  2. The server sends the browser its certificate, which carries the server's public key. (The browser sends a certificate of its own only if the server is configured to demand client authentication, which is not the case in this article.)
  3. The browser analyzes the certificate (was it issued by a recognized, trusted certificate authority, is it still within its validity period, does its name match the host being visited?) and warns the user if any of these checks fail.
  4. The browser and server use asymmetric (public-key) cryptography, with the server's public key, to agree on a symmetric session key that only the two of them know.
  5. The rest of the transaction is encrypted with that shared symmetric session key, which is far cheaper than doing every operation with public-key cryptography.
Setting up Apache with SSL on Windows
We will demonstrate how to setup Apache with SSL on Windows. The process should be very similar for Linux/Unix.

The two main software applications you will need are the Apache HTTP Server and OpenSSL. OpenSSL will be used to generate the keys and certificate that you will need for SSL to encrypt your data. You can either build Apache and OpenSSL from source code, or you can obtain binary distributions. Unfortunately, at the time of writing this article, the binary version of Apache HTTP Server (version 2.0.48) was not distributed with mod_ssl, the module that Apache uses to do SSL transactions. There is plenty of documentation available that describes how to build Apache and OpenSSL (see the resources section).

We found precompiled binary distributions of Apache and OpenSSL available at http://hunter.campbus.com. Archives are available as well (see resources). The file we downloaded was called: Apache_2.0.48-Openssl_0.9.7c-Win32.zip. Unzip this file into a folder. We will refer to this folder as [apache_root]. In the rest of this article, where you see [apache_root], please fill in the name of your folder instead.

Openssl.cnf is a configuration file that you can find in the download for this article. Copy this file to the [apache_root]\bin directory. OpenSSL will use this file when you are generating your key. In order for this file to be visible from OpenSSL you will need to create an environment variable called OPENSSL_CONF. The method of setting environment variables varies on different versions of Windows, so refer to your Windows Help to find out how to do it for your version of Windows. The environment variable should be set as follows:

OPENSSL_CONF=[apache_root]\bin\openssl.cnf

Open a command prompt window and change to the [apache_root]\bin directory.

Create a key pair by executing the following command:

openssl genrsa -des3 -out www.myhost.com.key 1024
When you issue this command, you will be asked to provide a pass phrase for your key. Use a non-trivial pass phrase and don't forget it, as you will need it later. Note that a 1024-bit RSA key was the norm when this article was written; current browsers and certificate authorities reject keys shorter than 2048 bits, so use 2048 for anything other than a throwaway test.

Now that we have a key, we need to create a Certificate Signing Request (CSR). This file would be sent to Verisign, Thawte, or some other certificate authority in order for them to sign it.

Create a certificate signing request by executing the following:

openssl req -new -key www.myhost.com.key -out www.myhost.com.csr
When creating your request, you will be asked to answer a series of survey questions that the certificate authority would like to know about you. After sending your request to the certificate authority, they would then, upon their discretion, provide you with a certificate file that you would use for secure HTTP transactions.

For demonstration purposes in this article, you will create your own self-signed certificate. This will work fine for testing purposes and for use in an intranet. However, for a commercial web site, a certificate should be obtained from a trusted certificate authority.

openssl x509 -req -days 30 -in www.myhost.com.csr -signkey www.myhost.com.key -out www.myhost.com.crt
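
The three OpenSSL steps above, as an added example that is not part of the original article, written as a POSIX shell script (the article notes the procedure is the same on Linux/Unix) so the steps can be scripted and then checked before Apache is pointed at the files. It assumes `openssl` is on the PATH; the host name, passphrase and output directory are placeholders. It also goes beyond the article in two ways: it uses a 2048-bit key wrapped with AES-256 rather than the article's 1024-bit key and -des3, and it adds the checks a practitioner wants (does the private key really match the certificate, does the CN match the host, and does the certificate verify only once it is trusted explicitly, which is exactly the condition behind the browser warning described later on this page).

```shell
#!/bin/sh
# Added example, not from the DevX article: scripted key/CSR/self-signed
# certificate generation plus sanity checks. Assumes `openssl` on PATH.
set -u

# make_self_signed <host> <passphrase> <days> <outdir>
# Writes <outdir>/<host>.key (passphrase-protected), <host>.csr and <host>.crt.
# 2048-bit RSA and AES-256 key wrapping are substituted for the article's
# 1024-bit key and -des3 (assumption: your OpenSSL build offers -aes256).
make_self_signed() {
  host=$1; pass=$2; days=$3; out=$4
  mkdir -p "$out"
  openssl genrsa -aes256 -passout "pass:$pass" -out "$out/$host.key" 2048 2>/dev/null || return 1
  # -subj replaces the interactive "survey questions"; values are placeholders
  openssl req -new -key "$out/$host.key" -passin "pass:$pass" \
    -subj "/C=US/O=Example/CN=$host" -out "$out/$host.csr" 2>/dev/null || return 1
  # Self-sign the request with the same key, as the article does for testing
  openssl x509 -req -days "$days" -in "$out/$host.csr" \
    -signkey "$out/$host.key" -passin "pass:$pass" -out "$out/$host.crt" 2>/dev/null || return 1
}

# key_matches_cert <host> <passphrase> <outdir>
# Returns 0 when the certificate's public key came from this private key.
# A mismatch otherwise only shows up in Apache's error log at startup.
key_matches_cert() {
  host=$1; pass=$2; out=$3
  k=$(openssl rsa -in "$out/$host.key" -passin "pass:$pass" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$out/$host.crt" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn <host> <outdir>
# Prints the subject CN so it can be compared with the name users will type.
cert_cn() {
  openssl x509 -in "$2/$1.crt" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# verify_chain <host> <outdir> [cafile]
# Without a CA file a self-signed certificate fails verification (the same
# situation that makes the browser warn). Passing the certificate itself as
# the CA file is the command-line equivalent of "installing" it in the
# browser's trust store, after which verification succeeds.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$3" "$2/$1.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$2/$1.crt" >/dev/null 2>&1
  fi
}

# Stand-alone run: `sh make_cert.sh demo` builds the files under ./ssl-demo
if [ "${1:-}" = "demo" ]; then
  make_self_signed www.myhost.com 'change-this-pass-phrase' 30 ./ssl-demo \
    && key_matches_cert www.myhost.com 'change-this-pass-phrase' ./ssl-demo \
    && echo "key and certificate match; CN=$(cert_cn www.myhost.com ./ssl-demo)"
  if verify_chain www.myhost.com ./ssl-demo; then
    echo "certificate verifies against the default trust store"
  else
    echo "self-signed: untrusted until you install it as a CA"
  fi
  verify_chain www.myhost.com ./ssl-demo ./ssl-demo/www.myhost.com.crt \
    && echo "verifies once the certificate itself is the trust anchor"
fi
```

The same modulus comparison works against a CA-issued certificate, so it is worth keeping as a pre-deployment check when the real certificate arrives from Verisign, Thawte or whoever signs the request.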
Now create a directory called [apache_root]\ssl

Copy the following files from the [apache_root]\bin to [apache_root]\ssl:

  www.myhost.com.key
  www.myhost.com.crt

(Apache never reads the .csr file, so it can stay in [apache_root]\bin. Because the .key file is the private key, restrict the NTFS permissions on [apache_root]\ssl to administrators and the account Apache runs under.)

Now we need to edit our Apache configuration files.

Open [apache_root]\conf\httpd.conf and do the following:

  1. Replace all occurrences of c:/apache with [apache_root]
  2. Set ServerAdmin to use your email address
  3. Uncomment LoadModule ssl_module modules/mod_ssl.so
Create a file called [apache_root]\conf\passphrase.bat that has the following text:

@echo [passphrase]
(Here, [passphrase] is the passphrase you used to generate your certificate key.) Be aware that once the passphrase sits in a script next to the key, the encrypted key offers little more protection than an unencrypted one: anyone who can read [apache_root]\conf and [apache_root]\ssl has everything needed to impersonate the server. Restrict the permissions on both folders accordingly.

Open [apache_root]/conf/ssl.conf and

  1. Replace all occurrences of c:/apache with [apache_root]
  2. Set SSLPassPhraseDialog builtin to SSLPassPhraseDialog exec:[apache_root]/conf/passphrase.bat
  3. Set ServerAdmin to use your email address
  4. Comment out the <IfDefine SSL> start and end tags (or if you want to leave them in, you will need to use "-D SSL" when you start apache in the next section)
  5. Set SSLCertificateFile to point to [apache_root]/ssl/www.myhost.com.crt
  6. Set SSLCertificateKeyFile to point to [apache_root]/ssl/www.myhost.com.key
  7. Comment out SSLMutex file:logs/ssl_mutex and create a new line that says SSLMutex default
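
For reference, here is what the relevant part of ssl.conf looks like once the edits above are made. This is an added example, not a file shipped with the article: the passphrase script, certificate and key paths, and the SSLMutex line are the article's; the DocumentRoot, ServerName and ServerAdmin values are placeholders, and the last three directives are not in the article at all. They are there because the stock file's SSLProtocol all still admits SSLv2 and SSLv3, both of which are broken, and the default cipher list includes ciphers no current deployment should offer.

```apache
# ssl.conf excerpt after the edits described above (added example).
# [apache_root] is the install folder, as everywhere in this article.
Listen 443

# Apache runs this script instead of prompting on the console at startup
SSLPassPhraseDialog exec:[apache_root]/conf/passphrase.bat
SSLMutex default

<VirtualHost _default_:443>
    DocumentRoot "[apache_root]/htdocs"
    ServerName www.myhost.com:443
    ServerAdmin webmaster@myhost.com

    SSLEngine on
    SSLCertificateFile    [apache_root]/ssl/www.myhost.com.crt
    SSLCertificateKeyFile [apache_root]/ssl/www.myhost.com.key

    # Not in the article: the stock "SSLProtocol all" would also enable
    # SSLv2 and SSLv3. Leave only TLS, and drop null, MD5 and RC4 ciphers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
```

If you chose to keep the <IfDefine SSL> wrapper around this block rather than commenting it out, remember that none of it takes effect unless Apache is started with -D SSL.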
Now go to the [apache_root]\bin directory from the command prompt and issue the following commands:

apache -n "Apache" -k install
apache -n "Apache" -k start
Pull up your Windows services (In Windows XP: Start->Control Panel->Administrative Tools->Services) and make sure the Apache service is started. If it isn't running, try to start it from the Services view. If it gives you an error, you may have to pull up your Windows event log (In Windows XP: Start->Control Panel->Administrative Tools->Event Viewer) to see what the error is. If that doesn't help, try looking in the Apache log files in [apache_root]\logs.

Figure 1. Warning: When you are warned about an untrusted certificate in IE, you have the option to view the certificate before accepting it.
Figure 2. A Secure, but Untrusted Page: If you choose not to be prompted with the certificate warning, you'll get the page you requested and a padlock icon at the bottom to let you know you're on a secure page.

Now try pulling up Apache from your Web browser. Try both HTTP (http://localhost/) and HTTPS (https://localhost) to see if it works. In Internet Explorer (and most other mainstream Web browsers), after pulling up the secure URL, you'll get a message that the certificate is not signed by a Certificate Authority, and you will be prompted whether or not to accept the certificate. You are also given the option to view the certificate. Viewing the certificate in Internet Explorer will look something like Figure 1.

Internet Explorer allows you to install the certificate so that you do not have to be prompted again that the certificate is not trusted. If you accept the prompt to allow you to use the certificate, despite the fact that it is untrusted, you'll get a page like Figure 2.

Notice the little lock icon on the status bar at the bottom of the browser window. It denotes that traffic between the browser and the server from within this page is encrypted. It does not, by itself, say anything about who the server is: because you accepted a certificate the browser could not validate, the encryption protects against eavesdropping but not against a server impersonating www.myhost.com. That is why a commercial site needs a certificate from a trusted certificate authority rather than a self-signed one.
