You have no doubt noticed the URLs that begin with https:// (instead of the usual http://)-those are HTTPS requests that use HTTP together with encryption performed using the SSL. HTTPS requests are commonly used to securely send sensitive information such as your date of birth or a credit card number to a website. The 's' in the protocol name https means that the Web server communicates with your Web browser using HTTP over an SSL connection.
The Apache Web server supports SSL through the mod_ssl module that, in turn, relies on the OpenSSL toolkit to perform the encryption function. Red Hat Linux comes with everything you need to turn Apache into a secure server. The configuration file /etc/httpd/conf.d/ssl.conf loads the mod_ssl module and configures various parameters that mod_ssl needs. You do not have to do anything to the ssl.conf configuration file to enable HTTPS support, but you do have to create some additional files required for encryption using SSL.
The same Apache server can handle both HTTP and HTTPS requests because these two protocols use two different ports by default. HTTP uses port 80, whereas HTTPS uses port 443.
The following sections provide an overview of how to create a secure Apache server using SSL. In addition to the simple setup I show in the following sections, there are many different ways to configure SSL. For more information on SSL configuration of Apache, consult the online documentation at http://httpd.apache.org/docs-2.0/ssl/.
There are two versions of SSL:
SSL v2.0-This is the original version of SSL protocol, developed by Netscape Communications. This version of SSL uses only RSA keys.
SSL v3.0-A version of the SSL protocol revised to prevent certain security attacks and to support non-RSA keys and certificate chains.
SSL 3.0 is the basis for the Transport Layer Security (TLS) protocol, which is currently being developed by the Internet Engineering Task Force (IETF).
Establishing an SSL session involves a handshake sequence between the client and the server, followed by encrypted data exchange using an agreed upon secret key. The overall sequence has the following key steps:
The client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello establish the following attributes: SSL protocol version, a session ID, and the cipher suite-the method to exchange the key, the secret key, and the message digest algorithm to be used to create the message authentication code that ensures integrity.
Optionally, the server sends its certificate to the client for authentication. The server may also send a key exchange message, and it may request a certificate from the client. The details of the exchanges between the server and the client depend on the cipher suite selected and whether the client had a digital certificate or not.
The client sends a change cipher message and uses the secret key to send an encrypted message indicating it's done.
The client and server begin to exchange encrypted data using the secret key.
To support SSL, your Apache server needs a public-private key pair and a digital certificate to provide the public key to any Web browser that connects to the server with a HTTPS request. Ideally the certificate should be signed by a well-known certificate authority so that anyone coming to your website can trust the certificate. The next section explains how to set up the keys and the certificate.
To support SSL, the Apache Web server needs a public-private key pair and a digital certificate with its public key. You can perform these tasks by using the make command and the Makefile in the /etc/httpd/conf directory.
The next step is to generate a certificate request that you can send to a Certificate Authority requesting a signed digital certificate. Typically, you have to pay an annual fee for the CA's services. Verisign, Entrust, Thawte are some of the well-known CAs in the United States. You can find links to other CAs at the PKI Page (http://www.pki-page.org/). To generate the certificate request, type:
cd /etc/httpd/conf make certreq
You will be prompted for the pass phrase-enter the same pass phrase you typed when creating key. You will also be prompted for the following information:
Country name-Enter the two-letter country code (for example, US for the United States). For the official list of two-letter country codes, consult http://www.iso.org/iso/en/prods-services/iso3166ma/02iso-3166-code-lists/list-en1.html.
State or province name-Enter the full name (for example, Maryland).
Locality name-Enter the name of your city or town (for example, North Potomac).
Organization name-Enter the name of your organization.
Organization unit name-Enter the name of division or section where you work (or type anything you want).
Common name-Enter the server's hostname.
Email address-Enter the email address of the person responsible for the server.
When you finish entering this information, the certificate request is created and saved in the file /etc/httpd/conf/ssl.csr/server/csr.
After you create the certificate request, select a CA and visit its website for further instructions on how to send the certificate request and how to pay for the certificate.
After the CA is satisfied about your identity and receives payment for the certificate, it will send the signed certificate back to you by email. You should save the certificate in the file /etc/httpd/conf/ssl.crt/server.crt (overwrite the existing file).
For the purposes of testing, you can create a self-signed certificate. To generate the test certificate, log in as root, and type the following commands:
cd /etc/httpd/conf make testcert
You will see output similar to the following:
umask 77 ; \ /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt Using configuration from /usr/share/ssl/openssl.cnf Enter PEM pass phrase:
You have to type the same pass phrase that you used when generating the key. After you enter the pass phrase and press Enter, you have to provide the same set of information that you enter when preparing the certificate request (see the 'Generating a Certificate Request' section). Provide the requested information and, at the end, a test certificate should be created and saved in the /etc/httpd/conf/ssl.crt/server.crt file.
After installing a CA-signed certificate or creating a test certificate, you can try out the secure server. Assuming that Apache is already running, log in as root and type the following command to restart the server:
service httpd restart
Because your server key is encrypted, you will be prompted for the pass phrase, like this:
Starting httpd: Apache/2.0.40 mod_ssl/2.0.40 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server new.host.name:443 (RSA) Enter pass phrase:
Type the pass phrase you used when creating the key and press Enter. The Apache server should now be up and running.
You can now try connecting to the secure server from a Web browser on another PC on the LAN. For example, if the IP address of your Red Hat Linux system (the one running the Apache secure server) is 192.168.0.8, then type the following URL:
Make sure that you type https and not http. If you are using a test certificate, the browser displays a dialog box explaining that the certificate is from an unknown certificate authority. You can view the certificate and accept it. Because this is only a test, you can accept the certificate, and the Web browser should then show you the home page on your Red Hat Linux system.