Apache2 With Php5 And Ssl

  • November 2019
Install and Configure Apache2 with PHP5 and SSL Support

Introduction to SSL

Secure Sockets Layer (SSL) is the most widely known protocol that offers privacy and good reliability for client-server communication over the Internet. SSL itself is conceptually quite simple: it negotiates the cryptographic algorithms and keys between the two sides of a communication, and establishes an encrypted tunnel through which other protocols (like HTTP) can be transported. Optionally, SSL can also authenticate both sides of the communication through the use of certificates. SSL is a layered protocol and consists of four sub-protocols:

  • Handshake Protocol
  • Change Cipher Spec Protocol
  • Alert Protocol
  • Record Layer

The position of the above protocols in the TCP/IP model is illustrated in the following diagram, Figure 1.

Figure 1. SSL sub-protocols in the TCP/IP model

As the diagram above shows, SSL sits in the application layer of the TCP/IP model. Because of this, SSL can be implemented on almost every operating system that supports TCP/IP, without the need to modify the system kernel or the TCP/IP stack. This gives SSL a very strong advantage over protocols like IPSec (IP Security Protocol), which requires kernel support and a modified TCP/IP stack. SSL also passes easily through firewalls and proxies, as well as through NAT (Network Address Translation), without issues.

Promathesh Mandal


How does SSL work?

The diagram below, Figure 2, shows the simplified, step-by-step process of establishing each new SSL connection between the client (usually a web browser) and the server (usually an SSL web server).

Figure 2. How SSL establishes connections, step-by-step.



As you can see from Figure 2, the process of establishing each new SSL connection starts with exchanging encryption parameters and then optionally authenticating the server (using the SSL Handshake Protocol). If the handshake is successful and both sides agree on a common cipher suite and encryption keys, the application data (usually HTTP, but it can be another protocol) can be sent through the encrypted tunnel (using the SSL Record Layer). In reality, the above process is a little more complicated: to avoid unnecessary handshakes, some of the encryption parameters are cached; alert messages may be sent; cipher suites can be changed as well. However, regardless of the SSL specification details, the most common way this process actually works is very similar to the above.

SSL, PCT, TLS and WTLS (but not SSH)

Although SSL is the best known and the most popular, it is not the only protocol that has been used for the purpose of securing web transactions. It is important to know that since the invention of SSL v1.0 (which has never been released, by the way) there have been at least five protocols that have played a more or less important role in securing access to the World Wide Web, as we see below:

  • SSL v2.0: Released by Netscape Communications in 1994. The main goal of this protocol was to provide security for transactions over the World Wide Web. Unfortunately, a number of security weaknesses were very quickly found in this initial version of the SSL protocol, making it less reliable for commercial use:
      o weak MAC construction
      o possibility of forcing parties to use weaker encryption
      o no protection for handshakes
      o possibility of an attacker performing truncation attacks
  • PCT v1.0: Developed in 1995 by Microsoft. Privacy Communication Technology (PCT) v1.0 addressed some weaknesses of SSL v2.0, and was aimed to replace SSL. However, this protocol never gained as much popularity as SSL v3.0.
  • SSL v3.0: Released in 1996 by Netscape Communications. SSL v3.0 solved most of the SSL v2.0 problems, and incorporated many of the features of PCT. It quickly became the most popular protocol for securing communication over the WWW.
  • TLS v1.0 (also known as SSL v3.1): Published by the IETF in 1999 (RFC 2246). This protocol is based on SSL v3.0 and PCT and harmonizes both Netscape's and Microsoft's approaches. It is important to note that although TLS is based on SSL, it is not 100% backward compatible with its predecessor. The IETF made some security improvements, such as using HMAC instead of MAC, using a different calculation of the master secret and key material, adding additional alert codes, dropping support for Fortezza cipher suites, and so on. The end result of these improvements is that the two protocols do not fully interoperate. Fortunately, TLS also has a mode to fall back to SSL v3.0.



  • WTLS: "Mobile and wireless" version of the TLS protocol that uses the UDP protocol as a carrier. It is designed and optimized for the lower bandwidth and smaller processing capabilities of WAP-enabled mobile devices. WTLS was introduced with the WAP 1.1 protocol, and was released by the WAP Forum. However, after the introduction of the WAP 2.0 protocol, WTLS was replaced by a profiled version of the TLS protocol, which is much more secure, mainly because there is no need for decryption and re-encryption of the traffic at the WAP gateway.

Why has the SSH (Secure Shell) protocol not been used for the purpose of providing secure access to the World Wide Web? There are a few reasons. First of all, from the very beginning TLS and SSL were designed for securing web (HTTP) sessions, whereas SSH was intended to replace Telnet and FTP. SSL does nothing more than the handshake and establishing an encrypted tunnel, while SSH offers console login, secure file transfer, and support for multiple authentication schemes (including passwords, public keys, Kerberos, and more). On the other hand, SSL/TLS is based on X.509v3 certificates and PKI, which makes the distribution and management of authentication credentials much easier. These and other reasons make SSL/TLS more suitable for securing WWW access and similar forms of communication, including SMTP, LDAP and others, whereas SSH is more convenient for remote system management.

To summarize, although several "secure" protocols do indeed exist, only two of them should be used for the purpose of securing web transactions (at least at the moment): TLS v1.0 and SSL v3.0. Both of them are referred to from here on in this article series as simply SSL/TLS. Because of the known weaknesses of SSL v2.0, and the famous "WAP gap" in the case of WTLS, the use of these other protocols should be avoided or at least minimized.

Required Packages:

  apache2
  openssl
  ssl-cert
  libapache2-mod-php5
  php5-cli
  php5-common
  php5-cgi



Configuration Steps:

Step 1: Generating the certificate

Use the following command to generate the certificate:

  # openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:IN
  State or Province Name (full name) [Some-State]:West Bengal
  Locality Name (eg, city) []:Kolkata
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:MAT3 Impex Pvt. Ltd.
  Organizational Unit Name (eg, section) []:Crypto-Devel
  Common Name (eg, YOUR name) []:Promathesh Mandal
  Email Address []:[email protected]

This completes the certificate. Because -out and -keyout point at the same file, apache.pem holds the private key as well as the certificate, so make sure the .pem file has the correct permissions; if not, set them with the following command:

  # chmod 600 /etc/apache2/apache.pem

Step 2: Listening on port 443

By default the server listens for incoming HTTP requests on port 80, and not for SSL connections on port 443. Enable SSL support by adding the following entry to the file /etc/apache2/ports.conf, then save and exit the file:

  Listen 443

Step 3: Enable SSL support

To enable SSL support for your Apache web server, use the following command:

  # a2enmod ssl
  Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Now restart the apache2 server using the following command:

  # /etc/init.d/apache2 restart



Step 4: Configuring the SSL certificate for virtual hosts in Apache2

First edit the /etc/apache2/sites-available/default file and change

  NameVirtualHost *

to

  NameVirtualHost *:80
  NameVirtualHost *:443

Now configure the virtual hosts using port 80. Example:

  <VirtualHost *:80>
      ServerAdmin webmaster@localhost
      . . .
  </VirtualHost>

Then configure the virtual hosts using port 443. The main difference is that each SSL host needs the following two lines:

  SSLEngine on
  SSLCertificateFile /etc/apache2/apache.pem

Example:

  <VirtualHost *:443>
      ServerAdmin webmaster@localhost
      . . .
      SSLEngine on
      SSLCertificateFile /etc/apache2/apache.pem
  </VirtualHost>

Now restart your Apache web server using the following command:

  # /etc/init.d/apache2 reload
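Steps 1 to 4 as one script, added here as an example; it is not part of the original document. It departs from the page's procedure in two places a practitioner would want: the private key is written to its own file (so only that file needs mode 600, and mod_ssl is pointed at it with SSLCertificateKeyFile), and the virtual host refuses SSLv2, whose weaknesses the page lists, as well as SSLv3, which was broken after this document was written. The PREFIX directory, the subject fields and the host name www.example.com are assumptions so the script can run in a scratch directory; on a Debian system they would be /etc/apache2 and your own values. Certificate generation runs only if the openssl binary is found.

```shell
#!/bin/sh
# Added example, not part of the original document. Builds the Step 1-4
# artefacts with key and certificate in separate files and writes an SSL
# virtual host. PREFIX is an assumption (a scratch directory); on a real
# Debian host it would be /etc/apache2.
set -eu

# key_is_private <file>: true only if the file is mode 0600 (rw-------),
# the permission the page asks for on apache.pem.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c2-10)
    [ "$perms" = "rw-------" ]
}

# generate_cert <keyfile> <certfile>: self-signed certificate, one year,
# 2048-bit RSA, SHA-256, with the private key kept out of the certificate
# file. The subject fields are placeholders for this example.
generate_cert() {
    ( umask 077    # files are created unreadable to other users
      openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -sha256 \
          -subj "/C=IN/ST=West Bengal/L=Kolkata/O=Example Org/CN=www.example.com" \
          -keyout "$1" -out "$2" 2>/dev/null )
    chmod 600 "$1"   # key: owner only
    chmod 644 "$2"   # the certificate is public anyway
}

# write_vhost <outfile> <certfile> <keyfile>: the port-443 virtual host of
# Step 4, with the key referenced separately and old protocols refused.
write_vhost() {
    cat > "$1" <<EOF
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
    # SSLv2 has the weaknesses listed in the text; SSLv3 was broken later.
    SSLProtocol all -SSLv2 -SSLv3
    # Do not append the Apache version to error pages.
    ServerSignature Off
</VirtualHost>
EOF
}

# Stand-alone run: build everything under a scratch PREFIX.
PREFIX="${PREFIX:-$(mktemp -d)}"
mkdir -p "$PREFIX/ssl" "$PREFIX/sites-available"
KEY="$PREFIX/ssl/apache.key"
CRT="$PREFIX/ssl/apache.crt"
if command -v openssl >/dev/null 2>&1; then
    generate_cert "$KEY" "$CRT"
    key_is_private "$KEY" && echo "key $KEY has mode 0600"
fi
write_vhost "$PREFIX/sites-available/default-ssl" "$CRT" "$KEY"
echo "wrote $PREFIX/sites-available/default-ssl"
```

Run it with PREFIX=/etc/apache2 as root to produce the real files, then enable the site with a2ensite and reload as in Step 4; key_is_private is the check to run again after any restore from backup, since archive tools often widen the mode.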



Sample Files:

Sample for the “ports.conf” file:

  Listen 80
  Listen 443

Sample for the “default” file:

  NameVirtualHost *:80
  NameVirtualHost *:443

  <VirtualHost *:80>
      DocumentRoot /var/www/
      <Directory />
          Options FollowSymLinks
          AllowOverride None
      </Directory>
      <Directory /var/www/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
          # This directive allows us to have apache2's default start page
          # in /apache2-default/, but still have / go to the right place
          #RedirectMatch ^/$ /apache2-default/
      </Directory>

      ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
      <Directory "/usr/lib/cgi-bin">
          AllowOverride None
          Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
          Order allow,deny
          Allow from all
      </Directory>

      ErrorLog /var/log/apache2/error.log

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel warn

      CustomLog /var/log/apache2/access.log combined
      ServerSignature On

      Alias /doc/ "/usr/share/doc/"
      <Directory "/usr/share/doc/">
          Options Indexes MultiViews FollowSymLinks
          AllowOverride None
          Order deny,allow
          Deny from all
          Allow from ::1/128
      </Directory>
  </VirtualHost>



  <VirtualHost *:443>
      ServerAdmin webmaster@localhost
      SSLEngine on
      SSLCertificateFile /etc/apache2/apache.pem
      DocumentRoot /var/www/
      <Directory />
          Options FollowSymLinks
          AllowOverride None
      </Directory>
      <Directory /var/www/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
          # This directive allows us to have apache2's default start page
          # in /apache2-default/, but still have / go to the right place
          #RedirectMatch ^/$ /apache2-default/
      </Directory>

      ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
      <Directory "/usr/lib/cgi-bin">
          AllowOverride None
          Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
          Order allow,deny
          Allow from all
      </Directory>

      ErrorLog /var/log/apache2/error.log

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel warn

      CustomLog /var/log/apache2/access.log combined
      ServerSignature On

      Alias /doc/ "/usr/share/doc/"
      <Directory "/usr/share/doc/">
          Options Indexes MultiViews FollowSymLinks
          AllowOverride None
          Order deny,allow
          Deny from all
          Allow from ::1/128
      </Directory>
  </VirtualHost>
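The sample files above are the Debian defaults with SSL bolted on, and they keep several settings a reviewer would flag: ServerSignature On advertises the server version on error pages, two Directory blocks serve listings through Options Indexes, no SSLProtocol line refuses SSLv2, and the private key lives inside the certificate file. The script below, added here as an example and not part of the original document, audits a configuration file for exactly those four points; the configuration it writes with write_sample_config is a constructed copy of the port-443 host above, not a file from the page.

```shell
#!/bin/sh
# Added example, not part of the original document: reads an Apache 2
# configuration file and reports settings the sample files leave in a
# weak state. The configuration in write_sample_config is constructed
# for this example.
set -eu

# audit_config <file>: prints one finding per line on stdout.
audit_config() {
    f="$1"
    if grep -Eqi '^[[:space:]]*ServerSignature[[:space:]]+On[[:space:]]*$' "$f"; then
        echo "ServerSignature On: server version is appended to error pages"
    fi
    # Options lines that switch Indexes on; "-Indexes" is not counted.
    idx=$(grep -Eic '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)' "$f" || true)
    if [ "$idx" -gt 0 ]; then
        echo "Indexes enabled in $idx Options line(s): directory listings are served"
    fi
    if grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" && \
       ! grep -Eqi '^[[:space:]]*SSLProtocol' "$f"; then
        echo "SSLEngine on without SSLProtocol: SSLv2 is not refused"
    fi
    if grep -Eqi '^[[:space:]]*SSLCertificateFile' "$f" && \
       ! grep -Eqi '^[[:space:]]*SSLCertificateKeyFile' "$f"; then
        echo "SSLCertificateFile without SSLCertificateKeyFile: private key is kept inside the certificate file"
    fi
}

# count_findings <file>: number of findings as a bare integer.
count_findings() {
    audit_config "$1" | wc -l | tr -d '[:space:]'
}

# write_sample_config <file>: constructed sample mirroring the port-443
# host of the "default" file above.
write_sample_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    LogLevel warn
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from ::1/128
    </Directory>
</VirtualHost>
EOF
}

# Stand-alone run against the constructed sample.
SAMPLE="${SAMPLE:-$(mktemp)}"
write_sample_config "$SAMPLE"
audit_config "$SAMPLE"
echo "$(count_findings "$SAMPLE") finding(s) in $SAMPLE"
```

Point audit_config at /etc/apache2/sites-available/default on a real host; every finding it prints corresponds to one directive change (ServerSignature Off, Options -Indexes, an SSLProtocol line, a separate SSLCertificateKeyFile), so a clean run is the target state after editing.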
