SSL does have a significant security history, beginning in September 1995, when two Berkeley students—Ian Goldberg and David Wagner—announced that they had cracked Netscape's random number generator scheme.

This news rocked the electronic commerce community and prompted sensational media coverage. Here's an excerpt from a NY Times article by John Markoff titled "Security Flaw Is Discovered in Software Used in Shopping":

Although Netscape quickly addressed the issue, the story serves as a sobering reminder that even excellent security tools can fail because of flawed implementation.

Goldberg and Wagner began their analysis in the dark, chiefly because Netscape held back source code on certain vital elements of SSL. The students therefore reverse-engineered the code, and in the process, they discovered a major flaw in how Netscape generated random numbers.

Random numbers have always been a problem in cryptography, even when functions used to derive them are fundamentally sound. This is because it is very difficult to generate a truly random number. In this context, the term random refers to a quality with minimal predictability. In science and nature, many systems and cycles that initially appear to be chaotic or random do in fact have observable predictability. Often, the key to recognizing that predictability, or recognizing a pattern in a seemingly patternless phenomenon, is time.

Indeed, deriving truly random numbers is such a difficult process that scientists have turned to unconventional means. For example, some researchers have focused their studies on chaos theory, the mathematical study of chaotic structures. Perhaps the most interesting, offbeat step in this direction is the use of lava lamps to generate random numbers. To see such a project in action, visit LavaRand at SGI: http://lavarand.sgi.com/.

Meanwhile, to compensate for our current inability to computationally create truly random numbers without help from outside chaotic systems, programmers rely on a rather complex parlor trick. Instead of trying to derive a random number from natural phenomena, programmers use functions that generate normal numbers and subject them to mathematical operations so complicated that the average human cannot perceive the observable predictability within them. The resulting number is, for all purposes, random enough. Or is it?

Much depends on the steps that programmers take to derive this random—or more appropriately, pseudo-random—number. Every number has a starting point or seed source, and depending on your initial seed source, your so-called pseudo-random number may be fundamentally flawed from the start.

For instance, suppose that you derived your seed source from standard multiplication tables, 1×1 to 9×9. Here, you'd have 89 possible numbers, or multiplication values, to choose from. Anyone could quickly identify all 89 combinations, even without pen and paper. Your resulting number, therefore, would never be random enough. This was essentially at the heart of SSL's first vulnerability.

Goldberg and Wagner determined that Netscape was using three values to generate the seed source for the initial secret key:

Because local users can easily obtain process IDs on UNIX and Linux, Goldberg and Wagner needed only to ascertain the time. And, as they explained in their paper "Randomness and the Netscape Browser: How secure is the World Wide Web?", this was not very difficult:

(From "Randomness and the Netscape Browser: How secure is the World Wide Web?", Ian Goldberg and David Wagner, Dr. Dobb's Journal, 1996. http://www.ddj.com/articles/1996/9601/9601h/9601h.htm)

This effectively gave them the time in seconds. (Milliseconds, as they pointed out, were a trivial issue at best because there are only one million milliseconds per unit, a infinitesimally small range to search given today's computing power.) The end result was that Goldberg and Wagner could crack Netscape's early SSL in less than a minute in some cases.

If you're interested in seeing the old SSL attack in action, get an old 40-bit version of Netscape and run this code against SSL encrypted traffic: http://www.geocities.com/SiliconValley/Lakes/8760/crypt/unssl.c.txt. The code will extract the 16-byte master key for that session.

In 1997, various researchers, including Edward Felten's team at Princeton and Frank O'Dwyer of Rainbow Diamond Limited, determined that SSL-enabled browsers were vulnerable to Hyperlink Spoofing and man-in-the-middle attacks:

Finally, SSL's more recent security history (June 1998) involved a peripheral issue: a vulnerability in RSA Laboratories' Public-Key Cryptography Standard #1 (PKCS#1). The flaw allowed attackers to recover information from SSL-encrypted sessions. The flaw has since been fixed. To get an excellent overview of how it worked, get Daniel Bleichenbacher's paper titled "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1," available at http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.

Despite these early problems, though, SSL ultimately emerged as the de facto standard for securing connections between Web clients and servers, and today many SSL implementations exist. Some of these are commercial, but as a Linux user you'll want a free SSL implementation with open source. Hence, this chapter focuses on Apache-SSL with SSLeay.

To unpack SSLeay, copy SSLeay-0_8_1b_tar.gz to /usr/src, unzip the compressed file, and un-tar the archive:

cp SSLeay-0_8_1b_tar.gz /usr/src
cd /usr/src
gunzip SSLeay-0_8_1b_tar.gz
tar-xvf SSLeay-0_8_1b_tar

SSLeay will extract to /usr/src/SSLeay-0.8.1b/. Next, change to that directory and run Configure:

cd /SSLeay-0.8.1b
perl ./Configure linux-elf

Note that the preceding example is for Linux ELF systems only. If your architecture or target is different, start Configure without arguments and it will print a wide range of options:

# perl ./Configure
Usage: Configure [-Dxxx] [-Lxxx] [-lxxx] os/compiler
pick os/compiler from:
BC-16              BC-32              FreeBSD            NetBSD-sparc
NetBSD-x86         SINIX-N            VC-MSDOS           VC-NT
VC-W31-16          VC-W31-32          VC-WIN16           VC-WIN32
aix-cc             aix-gcc            alpha-cc           alpha-gcc
alpha400-cc        bsdi-gcc           cc                 debug
debug-irix-cc      debug-linux-elf    dgux-R3-gcc        dgux-R4-gcc
dgux-R4-x86-gcc    dist               gcc                hpux-cc
hpux-gcc           hpux-kr-cc         irix-cc            irix-gcc
linux-aout         linux-elf          nextstep           purify
sco5-cc            solaris-sparc-cc   solaris-sparc-gcc  solaris-sparc-sc4
solaris-usparc-sc4 solaris-x86-gcc    sunos-cc           sunos-gcc
unixware-2.0       unixware-2.0-pentium

Note that in addition to architecture and binary targets, you can also set other options at the Configure command line, including

After you define your architecture and options, run Configure. In response, it will print out a brief summary of your pre-make configuration. Here's an example:

[root@linux7 SSLeay-0.8.1b]# perl Configure linux-elf
CC     =gcc
CFLAG  =-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall
-Wuninitialized
EX_LIBS=
BN_MULW=asm/x86-lnx.o
DES_ENC=asm/dx86-elf.o asm/cx86-elf.o
BF_ENC =asm/bx86-elf.o
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
BF_PTR2 used

I recommend clipping and pasting these values into a temporary file. Some options on certain Linux systems can trigger a bad make. You may be forced to change them later, so it's nice to have them handy in that event.

Next, run make:

make

The make will take several minutes, but if you have ANSI C support installed, you shouldn't have any problems here. You'll know that you have a successful make when you see this message:

NOTE: The OpenSSL header files have been moved from include/*.h
to include/openssl/*.h.  To include OpenSSL header files, now
to include/openssl/*.h.  To include OpenSSL header files, now
directives of the form
     #include <openssl/foo.h>
should be used instead of #include <foo.h>.
These new file locations allow installing the OpenSSL header
files in /usr/local/include/openssl/ and should help avoid
conflicts with other libraries.
To compile programs that use the old form <foo.h>,
usually an additional compiler option will suffice: E.g., add
     -I/usr/local/ssl/include/openssl
or
     -I/openssl-0.9.3a/include/openssl
to the CFLAGS in the Makefile of the program that you want to compile
(and leave all the original -I...'s in place!).

Please make sure that no old OpenSSL header files are around:
The include directory should now be empty except for the openssl
subdirectory.

After you verify that the make was successful, run this command:

make rehash

Finally, try a test, like this:

make test

Here you may encounter problems. On some systems, the optimization flags in the Makefile will cause the test to fail. If that happens, edit the Makefile and remove the optimization flag from the CLFAGS option line.

Depending on your system's configuration, the relevant line will be either line 59 or 60, whichever is not commented out:

CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized

Here is the optimization flag to remove:

-03

After you remove the optimization flag, start again (make clean; make) and everything should be fine.

You'll know when your make test is clean because you'll see this message:

Signed certificate is in newcert.pem
newcert.pem: OK
make[1]: Leaving directory '/SSLeay-0.9.0b/test'
SSLeay 0.9.0b 29-Jun-1998
built on Wed Jun 30 01:20:01 PDT 1999
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int)
blowfish(ptr2)
C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486
-Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

Once you verify that your test was successful, install the package, like this:

make install

Next, copy apache_1_2_6_tar.gz (or a later version) to /usr/src and unpack it:

cp apache_1_2_6_tar.gz /usr/src
cd /usr/src
gunzip apache_1_2_6_tar.gz
tar -xvf apache_1_2_6_tar

Apache will unpack to /usr/src/apache-1.2.6/. After you verify that it unpacked correctly, copy apache_1_2_6+ssl_1_17_tar.gz to /usr/src/apache-1.2.6 and unpack it:

cp apache_1_2_6+ssl_1_17_tar.gz /usr/src/apache-1.2.6
cd /usr/src/apache-1.2.6
gunzip apache_1_2_6+ssl_1_17_tar.gz
tar -xvf apache_1_2_6+ssl_1_17_tar

This should unpack the following files:

After verifying that the files have unpacked properly, and before compiling Apache, apply the supplied patch, like this:

patch -p1 < SSLpatch

Next, change to /usr/src/apache-1.2.6/src/, copy Configuration.tmpl to Configuration, and open Configuration for editing. In it (among other possible things), you must change the SSL_BASE variable. This tells Apache where to find the SSL libraries during compilation. To change that value, open Configuration and go to line 63. It should look like this:

#SSL_BASE= /u/ben/work/scuzzy-ssleay6

Change this to the SSLeay source directory. For this example, I changed mine to this:

SSL_BASE=/usr/src/SSLeay-0.8.1b

Once you set the SSL_BASE variable and exit, you're ready to make Apache:

make

To verify that your make went smoothly, check /usr/src/apache_1.2.6/src for the following file:

-rwxr-xr-x   1 root     root       543482 Jun 30 04:00 httpsd

If it exists, you're in business. Time to move on to certificate generation.

# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE                = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = x509v3_extensions     # The extensions to add to the
cert
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes

attributes              = req_attributes

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = CryptSoft Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ x509v3_extensions ]

nsCaRevocationUrl               = http://www.cryptsoft.com/ca-crl.pem
nsComment                       = "This is a comment"

# under ASN.1, the 0 bit would be encoded as 80
nsCertType                      = 0x40

#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType

# The following variables are defined.  For this example I will
#populate the various values
[ req ]
default_bits    = 512           # default number of bits to use.
default_keyfile = testkey.pem   # Where to write the generated keyfile
                                # if not specified.
distinguished_name= req_dn      # The section that contains the
                                # information about which 'object' we
                                # want to put in the DN.
attributes      = req_attr      # The objects we want for the
                                # attributes field.
encrypt_rsa_key = no            # Should we encrypt newly generated
                                # keys.  I strongly recommend 'yes'.

# The distinguished name section.  For the following entries, the
# object names must exist in the SSLeay header file objects.h.  If they
# do not, they will be silently ignored.  The entries have the following
# format.
# <object_name>         => string to prompt with
# <object_name>_default => default value for people
# <object_name>_value   => Automatically use this value for this field.
# <object_name>_min     => minimum number of characters for data (def. 0)
# <object_name>_max     => maximum number of characters for data (def.
inf.)
# All of these entries are optional except for the first one.
[ req_dn ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Queensland

make certificate

[root@linux7 apache_1.2.6]# cd /usr/src/apache_1.2.6/
[root@linux7 apache_1.2.6]# cd src
[root@linux7 src]# make certificate
/usr/src/SSLeay-0.8.1b/apps/ssleay req -config
/usr/src/SSLeay-0.8.1b/crypto/conf/ssleay.cnf 
-new -x509 -nodes -out ../SSLconf/conf/httpsd.pem 
-keyout ../SSLconf/conf/httpsd.pem; 
ln -sf ../SSLconf/conf/httpsd.pem
../SSLconf/conf/'/usr/src/SSLeay-0.8.1b/apps/ssleay 
x509 -noout -hash < ../SSLconf/conf/httpsd.pem'.0
Using configuration from /usr/src/SSLeay-0.8.1b/crypto/conf/ssleay.cnf
Generating a 512 bit RSA private key
..................+++++
....+++++
writing new private key to '../SSLconf/conf/httpsd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Queensland]:California
Locality Name (eg, city) []:Malibu
Organization Name (eg, company) [Mincom Pty Ltd]:Macmillan Publishing
Organizational Unit Name (eg, section) [MTR]:SAMS
Common Name (eg, YOUR name) []:Anonymous
Email Address []:[email protected]

/usr/src/apache_1.2.6/SSLconf/conf/httpsd.pem

You'll find sample configuration files (access.conf-dist, httpd.conf-dist, and srm.conf-dist) in /usr/src/apache_1.2.6/conf. These files are actually empty in some SSLeay distributions, but don't worry. In many respects, you can set options in these files precisely as you would for a normal Apache install.

The directives and options that differ from standard Apache values point to various resources (like your certificate). Here's a very lightweight example:

ServerType standalone
Port 80
Listen 443
User webssl
Group webssl
ServerAdmin [email protected]
ServerRoot /var/httpd/
ErrorLog logs/error_log
TransferLog logs/access_log
PidFile logs/httpd.pid
ServerName linux7.samshacker.net
MinSpareServers 3
MaxSpareServers 20
StartServers 3
SSLCACertificatePath /var/httpd/conf
SSLCACertificateFile /var/httpd/conf/httpsd.pem
SSLCertificateFile /var/httpd/conf/httpsd.pem
SSLLogFile /var/httpd/logs/ssl.log
SSLCacheServerPort 8080
SSLCacheServerPath /usr/src/SSLeay-0.8.1b
SSLSessionCacheTimeout 10000

Note that in order for the server to find your certificates, you must specify the correct directory and ensure that the certificates are actually there. For example, if you define this as your certificate file:

SSLCertificateFile /var/httpd/conf/httpsd.pem

you must copy httpsd.pem from here:

/usr/src/apache_1.2.6/SSLconf/conf/httpsd.pem

to here:

/var/httpd/conf/httpsd.pem

Lastly, before installing httpsd to its final resting place (and cleaning up), you should test your server. To do so, issue the httpsd command plus the -f flag defining your configuration file's location. For example:

httpsd -f /var/httpd/conf/httpd.conf

or

httpsd -f /usr/src/apache_1.2.6/conf/httpd.conf

In response, httpsd will start up:

./httpsd -f /usr/src/apache_1.2.6/conf/httpd.conf
Reading certificate and key for server linux7.samshacker.net:8080
PID 1342

To test-drive your new Apache-SSL server, crank up Netscape Communicator and connect to the port you assigned httpsd to. If your server is running correctly, Netscape will notify you with a New Cite Certificate window. Please see Figure 15.1.

Figure 15.1. The Netscape New Certificate Notification window.

Choose Next to examine details about the certificate. In response, Netscape Communicator will report the certificate's owner, signer, and encryption strength. Please see Figure 15.2.

To see expanded certificate information, choose More Info. Here, Communicator will display the identity, distinguished name, location, and duration of validity for the current certificate. Please see Figure 15.3.

Figure 15.2. Communicator's report on the current certificate.

Figure 15.3. Certificate details.

Because it doesn't initially recognize the certificate, Communicator will next prompt you to accept or decline it for the current sessions. Please see Figure 15.4.

If you choose to accept the certificate, Netscape will advise you that even though the current session will be encrypted, it may not necessarily protect you from fraud. And by default, Netscape highlights the option to notify you whenever you send data to the server. Please see Figure 15.5.

Finally, when you accept the certificate, Netscape will notify you that the current session is being encrypted but that you can later decide not to trust the certificate. Please see Figure 15.6.

Figure 15.4. Communicator requests authorization to accept the current certificate.

Figure 15.5. Communicator's advisory statement on fraud.

Figure 15.6. Communicator's final advisory about the current certificate and session.

print "$ENV{'SSL_CLIENT_CERT'}
";
print "$ENV{'SSL_CIPHER'}
";

char *myvariable
myvariable=getenv("SSL_CLIENT")

If you're planning to use Linux to establish an electronic commerce server, you should obtain certificates from a recognized certificate authority—a trusted third party that issues certificates and verifies their authenticity. Such certificates can greatly enhance your firm's credibility and help it meet the often-stringent requirements to be an electronic commerce trading partner.

Pricing schemes vary, but nearly all established certificate authorities demand that you produce legal proof that you're authorized to use your firm's legal business name in transactions. Typical examples are

Here are some established certificate authorities:

Apache-SSL is not the only available SSL implementation, but it's an excellent learning tool. Not only can you learn how to secure Web-based electronic commerce transactions, but because the SSLeay source is open, you can also see how various algorithms are used in authentication.

Finally, to learn more about SSL, check out the following resources.