Thursday, May 01, 2008

SSL setup using Apache

Download stable version of Apache 2.2 from apache download site
Install Apache with ssl,

  • gzip -d httpd-.tar.gz | tar xvf
  • cd httpd-
  • ./configure -prefix --enable-ssl --enable-setenvif
  • make
  • make install
Use keytool or openssl to generate private key and certificate file (you can also obtain a certificate from CA). Create a directory named ssl in $APACHE_HOME/conf
copy the certificate (server.cert) and private key (server.key) files in this directory.
Secure the private key, by changing the permissions:
> cd /conf/ssl

> chmod 400 server.crt server.key


Minimal configuration for SSL in httpd.conf:
# Enable SSL
SSLEngine On
# Path to the server certificate
SSLCertificateFile /conf/ssl/server.crt
# Path to the server private key
SSLCertificateKeyFile /conf/ssl/server.key
#Change the server binding to listen on 443
Listen myserver.mydomain.com:443

Securing SSL setup : httpd.conf changes
# SSL-V2 is flawed, disallow its use
SSLProtocol All -SSLv2
# Disallows the situation where, though the server supports high-grade encryption, the client negotiates a low-grade (e.g., 40-bit) protocol suite, which offers little protection:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
#Enforce strict SSL access policy
SSLOptions +StrictRequire
#Allow access only through SSL
<virtualhost>
RedirectPermanent / https://my.mchek.com/
</virtualhost>

Additional configuration:
SSLMutex file: /logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
<Directory />
SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0


For more detailed installation instruction and explanations this is a good article.

No comments: