Brief SSL Primer

shoulderslyricalΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 8 μήνες)

68 εμφανίσεις

Brief SSL Primer

This section will serve as a very brief introduction to SSL, the Secure Socket Layer.
Cryptography is a very extensive topic which literally fills volumes of texts. The
following is an extremely simplified view of how SSL is implemented an
d what part the
certificate plays in the entire process. There may be some small inaccuracies in an effort
to present the information in the easiest possible format.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to
the right tools can snoop all of that traffic. Obviously, this can lead to problems,
especially where security and privacy is necessary, such as in credit card data and bank
transactions. The Secure Socket Layer is used to encrypt the data stream between t
he web
server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as
public key cryptography (PKI). With public key cryptography, two keys are created, one
public, one private. Anything encrypt
ed with either key can only be decrypted with its
corresponding key. Thus if a message or data stream were encrypted with the server's
private key, it can be decrypted only using its corresponding public key, ensuring that the
data only could have come fro
m the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the
Internet, why is a certificate necessary? The technical answer to that question is that a
certificate is not really necessary
--
the data is secure and canno
t easily be decrypted by a
third party. However, certificates do serve a crucial role in the communication process.
The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate
holder is really who he claims to be. Without
a trusted signed certificate, your data may
be encrypted, however, the party you are communicating with may not be whom you
think. Without certificates, impersonation attacks would be much more common.


Apache need module ssl

You will need to go back and
rebuild apache with loadable module mod_ssl
. After you
have rebuilded Apache you will probably need to

# cd /usr/local/src/apache
-
2.2.0

# ./configure
--
enable
-
layout=SuSE
--
libexecdir=/usr/lib/httpd/modules
--
enable
-
mods
-
shared=all
--
enable
-
ssl

# make &&
make install

Then you will need to add the ssl_module to httpd.conf:

LoadModule ssl_module lib/httpd/modules/mod_ssl.so

Generating a Private Key and CSR

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing
Request). It
can also be used to generate self
-
signed certificates which can be used for
testing purposes or internal usage. The utility used to do all of these tasks is known
simply as
openssl
. It should be installed in the
/usr/local/ssl/bin

directory. You
may want t
o add this directory to your
PATH
, or copy or link the openssl utility to a
directory that is already in your
PATH

so that you do not have to type the full path to the
executable. The examples below will assume that
openssl

is in a location that is
accessi
ble to you without using the full path to the command.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is
encrypted using Triple
-
DES and stored in a PEM format so that it is readable as ASCII
text. We will use severa
l files as random seed enhancers which will help to make the key
more secure. Text files that have been compressed with a utility such as
gzip

are good
choices. The key is generated using the following command, where
file1:file2:etc

represents the random c
ompressed files.

$ openssl genrsa
-
des3
-
rand file1:file2:file3:file4:file5
-
out
server.key 1024

The command will prompt you for a pass
-
phrase and then store the key in the file
server.key
.
It is critical that the pass
-
phrase be secure and not forgotten.

If either the
key is lost, or the pass
-
phrase is forgotten,
the certificate will be useless!

It cannot be
stressed enough how important the private key is to the certificate. If the private key and
pass
-
phrase are compromised, the certificate will have to
be revoked, costing you the
price of the certificate all over again if you have paid an authority for the certificate. It
may be a wise idea to back this file up to secure media, such as tape or diskette.

Remove passphrase:

One unfortunate side
-
effect of
the pass
-
phrased private key is that
Apache will ask for the pass
-
phrase each time the web server is started. Obviously this is
not necessarily convenient as someone will not always be around to type in the pass
-
phrase, such as after a reboot or crash. mod
_ssl includes the ability to use an external
program in place of the built
-
in pass
-
phrase dialog, however, this is not necessarily the
most secure option either. It is possible to remove the Triple
-
DES encryption from the
key, thereby no longer needing to
type in a pass
-
phrase. If the private key is no longer
encrypted, it is critical that this file
only be readable by the root user!

If your system is
ever compromised and a third party obtains your unencrypted private key, the
corresponding certificate will

need to be revoked. With that being said, use the following
command to remove the pass
-
phrase from the key:

$ openssl rsa
-
in server.key
-
out server.pem

Once the private key is generated a Certificate Signing Request can be generated. The
CSR is then use
d in one of two ways. Ideally, the CSR will be sent to a Certificate
Authority, such as
Thawte

or
Verisign

who will verify the identity of the requestor and
issue a signed certific
ate. The second option is to self
-
sign the CSR, which will be
demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of
information. These are the X.509 attributes of the certificate. One of the prompts

will be
for "
Common Name (e.g., YOUR name)
". It is important that this field be filled in with
the fully qualified domain name of the server to be protected by SSL. If the website to be
protected will be
https://www.my
-
site.com
, then enter
www.server.com

at this
prompt. The command to generate the CSR is as follows:

(
$ openssl req
-
new
-
key server.key
-
out server.csr
)


For our Apache we however use the passphrase less key:

$ openssl req
-
new
-
key server.pem
-
out server.csr


A sample CSR generation session

is shown below, with sample responses shown in bold:

$ openssl req
-
new
-
key server.
pem

-
out server.csr

Using configuration from /usr/local/ssl/openssl.cnf


(If you use the server.key
Enter PEM pass phrase:
Enter pass phrase
here
)

You are about to be aske
d to enter information that will be
incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a
DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default va
lue,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:
SE

State or Province Name (full name) [Some
-
State]:
Stockholm

Locality Name (eg, city) []:
Stockholm

Organization Name (eg, company) [Internet Widgits Pty Ltd]:
My
-
Si
te, AB.

Organizational Unit Name (eg, section) []:
.

Common Name (eg, YOUR name) []:
www.my
-
site.com

Email Address []:
webmaster@my
-
site.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An op
tional company name []:


Generating a Self
-
Signed Certificate

At this point you will need to generate a self
-
signed certificate because you either don't
plan on having your certificate signed by a CA, or you wish to test your new SSL
implementation while t
he CA is signing your certificate. In my experience dealing with
Thawte, it can take up to a week or more before receiving your signed certificate. The
time it takes to receive the certificate will vary based on how quickly they receive your
required docum
entation. This temporary certificate will generate an error in the client
browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 60 days, issue the following
command:

$ openssl x509
-
req
-
days 60
-
i
n server.csr
-
signkey server.pem

-
out
server.crt


Certificates and keys is normally not directly stored in /etc/httpd
they rather sit in subdirectories:


# mkdir /etc/httpd/certs

# mv /etc/httpd/server* /etc/httpd/certs/.


I
nstalling the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache
config directory. The location of this directory will differ depending on how Apache was
compiled. If using my instructions on com
piling Apache, the config directory is
/etc/httpd
. The directories mod_ssl creates include
ssl.crt
,
ssl.csr
, and
ssl.key
.
These are good locations to store server certificates, CSRs, and private keys, respectively.
If there will be multiple SSL enabled hos
ts on one server, it may be good practice to
name the files with the fully qualified domain name of the SSL enabled host.

When adding SSL enabled virtualhosts to the web server, I prefer to keep all of the SSL
virtualhosts in a separate file. This insures

that all SSL hosts can be easily found in one
location and helps to keep the
httpd.conf

file from growing too large. The SSL
virtualhosts will be kept in a file called httpd
-
ssl.conf
. In order for Apache to recognize
and parse this file, it must be includ
ed in the
httpd.conf

file with the following
directive:

Include /etc/httpd/extra/httpd
-
ssl.conf


Configuring SSL Enabled Virtual Hosts

Extensive examples of SSL configurations for a virtualhost are included as part of the
/etc/httpd/extra/httpd
-
ssl.conf

f
ile installed with mod_ssl. Please refer to this file
and to the mod_ssl documentation for more detailed information on configuration
options. A basic SSL enabled virtualhost will appear as follows in the ssl.conf file:

# SSL Virtual Hosts

<IfDefine SSL>


<VirtualHost _default_:443>

ServerAdmin webmaster@domain.com

DocumentRoot /usr/local/httpd/securedocs

ServerName www.my
-
site.com

#
ScriptAlias /cgi
-
bin/ /usr/local/httpd/cgi
-
bin/

SSLEngine on

SSLCertificateFile /etc/httpd/server.crt

SSLCertificateKeyFil
e /etc/httpd/server.pem

#
SetEnvIf User
-
Agent ".*MSIE.*" nokeepalive ssl
-
unclean
-
shutdown

CustomLog /var/log/httpd/ssl_request_log
\


"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x
\
"%r
\
" %b"

<Directory />


AllowOverride FileInfo AuthConfig Limit


Opti
ons Indexes MultiViews Includes ExecCGI FollowSymLinks


<Limit GET POST OPTIONS PROPFIND>


Order allow,deny


Allow from all


</Limit>


<Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>


Order deny,allow


De
ny from all


</Limit>

</Directory>

</VirtualHost>


</IfDefine>


This will create an SSL virtualhost named www.
my
-
site
.com, which is accessed via port
443 (the standard port for https) on the default IP address of the web server. It is possible
to add as

many additional virtualhosts as there are IP addresses that the web server listens
to. Simply add additional virtualhost blocks
inside

of the
<IfDefine SSL>

and
</IfDefine>

tags. Due to the nature of the SSL encryption of the HTTP traffic,
it is
NOT possi
ble to have name
-
based (HTTP1.1) SSL virtual hosts.

To create a new SSL
virtualhost on a different IP address, simply replace
_default_

with the IP address of the
virtualhost.

After adding the virtualhost to the
httpd
-
ssl.conf

file, Apache must be killed
and
restarted in order for it to recognize the new virtualhost. Unfortunately, this is one of the
rare instances where a simple
HUP

signal will not work. After restarting the server,
depending on whether the encrypted or unencrypted key was used, Apache wi
ll prompt
you for the pass
-
phrase(s) of the SSL virtualhost(s). Enter the pass
-
phrase(s) and the web
server will start.

Now, point your favorite browser to the new virtualhost you just created, remembering to
use https:// instead of http://, and you shoul
d be greeted with a warning dialog if you are
using the self
-
signed certificate. Acknowledge the dialog and the page will continue to
load, protected by SSL. The status bar of your browser should be graced by the 'lock'
icon, which signifies the page is pr
otected via SSL.
This is all there is to it!