3.2. SSL Encryption

If you are accessing your Webmin server over an untrusted network such as the Internet, you should be aware that, by default, an attacker can capture your login and password by listening in on network traffic. This is particularly easy if you are using a non-switched Ethernet network shared by people that you do not fully trust, such as those in offices or universities.

Fortunately, there is a solution that is relatively easy to set up—switching Webmin to use SSL so that all network traffic between your web browser and the server is encrypted. The RPM package of Webmin will run in SSL mode by default if the OpenSSL library and Net::SSLeay Perl module are installed. Most systems, however, do not meet these requirements, so you will need to follow the steps below to enable SSL:

1. Install the OpenSSL library, if you do not already have it. Most recent Linux distributions will include it as standard, but you may have to install it from your distribution CD. If there are separate packages for openssl and openssl-devel, make sure both are installed. If your operating system does not come with OpenSSL, you can download it from www.openssl.org/ instead.

2. Install the Net::SSLeay Perl module, if it is not already installed. If your system is connected to the Internet, the easiest way to do this is to enter the Perl Modules module of Webmin (under the Others category), enter Net::SSLeay into the From CPAN field and click the Install button.

   After the Perl module has finished downloading, click on Continue with install to have Webmin automatically compile and install it.

3. Once both are installed, go to the Webmin Configuration module and click on SSL Encryption. The form shown in Figure 3.2 will appear.

   Figure 3.2. The SSL activation form.

4. On the top part of the page, change the Enable SSL if available? option to Yes, and click Save. If all goes well, Webmin will be switched to SSL mode and your browser will connect to it securely.

5. If this is the first time you have connected to Webmin in SSL mode, your browser will display a warning about the certificate being invalid. For now, you can ignore this warning and choose to accept the certificate. For more details, see Section 3.3 “Requesting a Valid SSL Certificate”.

6. From now on, when logging into Webmin you must use a URL starting with https:// instead of just http://. Once in SSL mode, it will no longer accept insecure connections.

7. Go back to the SSL Encryption page and scroll down to the second form. If a warning starting with Because you are currently using the default Webmin SSL key… is displayed, you definitely should continue following these steps to create your own private SSL certificate and key. If, however, it does not appear, then a private key was created at installation time and there is no need to go on reading.

8. If your system is always accessed using the same hostname in the URL, enter it into the Server name in URL field, such as www.example.com. This will cause the generated certificate to be associated only with that hostname. Otherwise select Any hostname to allow the certificate to be used with any URL hostname. This is more convenient, but slightly less secure.

9. In the Email address field, enter your email address—such as [email protected].

10. If appropriate, fill in the Department field with the name of the department or group within the organization to which this system belongs, such as Network Engineering. This can be left blank if inappropriate, such as on a home system.

11. In the Organization field, enter the name of the company or organization that owns this system, such as Foo Corporation. Again, this can be left blank if it makes no sense.

12. In the State field, enter the name of the state that your system is in, such as California.

13. In the Country code field, enter the two-letter code for the country in which the system resides, such as US.

14. Leave the Write key to file field unchanged, and the Use new key immediately field set to Yes.

15. Hit the Create Now button to generate a new key and certificate, write them to /etc/webmin/miniserv.pem and immediately activate them. Your browser will probably prompt you again to accept the new certificate.
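The second form in steps 8 to 15 is, underneath, a private key plus a self-signed certificate whose subject carries the fields you filled in. The following shell functions are an added example (not from this book and not Webmin's own code) that produce the same kind of key-and-certificate file with openssl(1) and read the hostname back out of it, so you can confirm what a given miniserv.pem-style file actually says. It assumes openssl is in PATH and takes the output path as a parameter; the form itself writes /etc/webmin/miniserv.pem for you.

```bash
#!/bin/sh
# Added example, not Webmin project code. Assumes openssl(1) is installed.

# gen_webmin_pem OUTFILE CN EMAIL OU O ST C
#   CN    -> "Server name in URL" (e.g. www.example.com)
#   EMAIL -> "Email address"
#   OU    -> "Department" (may be empty)
#   O     -> "Organization" (may be empty)
#   ST    -> "State" (may be empty)
#   C     -> "Country code" (two letters, may be empty)
gen_webmin_pem() {
    out="$1"; cn="$2"; email="$3"; ou="$4"; org="$5"; st="$6"; cc="$7"
    # Build the X.509 subject from the form fields; blank fields are omitted,
    # matching the book's advice that Department/Organization may be left empty.
    subj="/CN=$cn/emailAddress=$email"
    [ -n "$ou" ]  && subj="$subj/OU=$ou"
    [ -n "$org" ] && subj="$subj/O=$org"
    [ -n "$st" ]  && subj="$subj/ST=$st"
    [ -n "$cc" ]  && subj="$subj/C=$cc"
    tmpkey=$(mktemp) && tmpcrt=$(mktemp) || return 1
    # Fresh 2048-bit RSA key and a one-year self-signed certificate. -nodes
    # leaves the key unencrypted because the server must load it unattended;
    # that is exactly why the file must be readable by root only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$tmpkey" -out "$tmpcrt" -subj "$subj" >/dev/null 2>&1 || return 1
    # Key followed by certificate in one PEM file (assumed miniserv.pem layout),
    # created with mode 0600 via umask in a subshell so the caller's umask is kept.
    (umask 077 && cat "$tmpkey" "$tmpcrt" > "$out") || return 1
    rm -f "$tmpkey" "$tmpcrt"
}

# cert_cn FILE: print the CN (server name) of the certificate in FILE.
# Handles both the "CN = host" and the older "/CN=host" subject formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Constructed sample values taken from the steps above.
# gen_webmin_pem ./miniserv.pem www.example.com admin@example.com \
#     "Network Engineering" "Foo Corporation" California US
# cert_cn ./miniserv.pem   # prints: www.example.com
```

Running cert_cn against the live /etc/webmin/miniserv.pem after step 15 is a quick way to confirm the certificate is bound to the hostname you entered rather than to the old package-wide key's subject.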

Older versions of Webmin just used a fixed SSL key that was included as part of the package. This, however, was completely useless for securing network traffic because anyone with a copy of that key can decrypt the data that is supposedly protected with SSL! For this reason, recent Webmin versions create a new private key at installation time if possible, and warn you if the old fixed SSL key is being used.
