If you are within the United States or Canada, Community ConneXion allows you to download the Apache-SSL server under a 30-day evaluation agreement. To do this, you need to have an Internet connection and an existing web browser such as Netscape.
To start the download process, travel to the URL:
http://apachessl.c2.org/
Select the link “Download Stronghold: The Apache-SSL-US.”
You will now be presented with three questions, each of which must be answered in the affirmative by clicking the appropriate button on your display:[117]
Are you a United States or Canadian citizen? No/Yes
Are you obtaining Apache-SSL-US for end-use in Canada or the United States by Canadian or United States citizens only? No/Yes
Do you agree not to transmit or make available Apache-SSL-US to any persons who are not United States or Canadian citizens? No/Yes
Click the button labeled “Next.”
Now select the kind of license that you wish. At the time of this writing, Community ConneXion offered three kinds:
Commercial ($495)
Evaluation (30-day trial)
Noncommercial
Most users will pick evaluation (30-day trial).
Fill out the form with your contact information. Be sure that your email address is correct.
Click the “Next” button.
You will now be presented with a complicated license agreement. At the bottom of this agreement is the statement:
I consent to be bound by the above agreement: No/Yes
Nobody knows if contracts agreed to in this way are legally binding or not, but there is currently work underway on the Uniform Commercial Code’s section 2B that would make them binding.
If you agree with the license agreement, click “Yes” and “Next.”
You will now see the message:
Check your mail
In order to verify your email address, we've mailed the instructions download the software to the address you provided. Read that mail for instructions on downloading Apache-SSL from Community ConneXion.
Within a few moments, you should receive a message by email containing a URL, a username, and a password.
Jump to the URL. Your web browser will prompt you for the username and password.
You will now be given the choice of downloading one of several versions of the Apache-SSL server. Pick the version that is appropriate for your hardware configuration. These versions come with both the full source code and ready-to-run binaries. If you pick “source,” you’ll just get the source code without the binaries.
When you click the link, your web browser should start downloading the file immediately.
Simson was running the BSDI operating system on an old 486 PC with 24MB of RAM. The file that he downloaded was called apachessl_us-1.0.5+1.0+1.1.1-i3.tgz. The .tgz extension means that the file is a tar archive that was then compressed with gzip.
Uncompress and untar the file. If you have gnutar, you can do this in one step with the command:
% gtar zfvx apachessl_us-1.0.5+1.0+1.1.1-i3.tgz
ApacheSSL/
ApacheSSL/00README
ApacheSSL/CHANGES
ApacheSSL/CREDITS
ApacheSSL/INSTALL.sh
...
ApacheSSL/telnet/TODO
ApacheSSL/telnet/README.OLD
%
If you do not have gnutar, you will need to use both gunzip and tar to uncompress it:
% gunzip < apachessl_us-1.0.5+1.0+1.1.1-i3.tgz | tar xfv -
Congratulations! You have now obtained Apache-SSL. The next step is to install it.
The Apache-SSL server must be installed as superuser on your computer. The installation process is straightforward and completely handled by the INSTALL.sh shell script. This script copies the Apache-SSL source, binaries, and various support files from the directory in which it was unpacked to the directories that you specify.
The default configuration uses the directories described in Table 2.1. We suggest that you use them as well.
Table B-1. Default Directories Used by Apache-SSL
Directory | Purpose |
---|---|
/usr/local/apache | Root directory for Apache web server |
/usr/local/ssl | Root directory for SSLeay SSL implementation |
/usr/local/apache/logs | Holds web server logs for httpd server |
/usr/local/apache/ssl_logs | Holds web server logs for httpsd server |
The INSTALL.sh script then steps you through the process of creating the necessary cryptographic keys to enable the secure server.
Become superuser and set up the necessary environment variables:
% su
Password: mypassword
#
Run the installation script INSTALL.sh. This script prompts you through the creation of the directories and of two SSL keys.
vineyard#./INSTALL.sh
Available platforms:
i386-unknown-bsdi2.0
Pick your platform >i386-unknown-bsdi2.0
Where do you want to install SSLeay? [/usr/local/ssl]
Testing permissions...done
Installing SSLeay...done
Where would you like to locate the ServerRoot? [/usr/local/apache]
Where would you like to locate the non-SSL logs? [/usr/local/apache/logs]
Where would you like to locate the SSL logs? [/usr/local/apache/ssl_logs]
What's the name of your server? [vineyard.net]www.vineyard.net
What is the email address of the server admin? [[email protected]]
What port do you want to run the plain server on? [80]
What port do you want to run the SSL server on? [443]
What user should the server run as? [nobody]
Installing Apache-SSL...
Configuring Apache-SSL...done
Now you must add SSLTOP=/usr/local/ssl to your environment.
Make sure you have it set before you run any additional utilities.
Also add /usr/local/ssl/bin to your PATH.
> setenv SSLTOP /usr/local/ssl
> setenv PATH /usr/local/ssl/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
sh:
$ SSLTOP=/usr/local/ssl
$ PATH=/usr/local/ssl/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
$ export SSLTOP PATH
vineyard#
At this point, the Apache-SSL server has been installed in the directories that you specified. The installation script will now guide you through the process of creating two certificates, the first of which will be sent to VeriSign (or another CA) for their signature; the second will be for your immediate use. Alternatively, the installation script will convert an existing Netscape key and certificate pair.
Now you need to install a key/cert pair.
A) Convert an existing Netscape Commerce key/cert pair
B) Generate a new key/cert pair
Choose [A/B]B
The key will be called httpd.key.
The certificate will be called httpd.cert
They will be stored in /usr/local/ssl
********* READ ME *************
You are now generating a new key and key request. The key request will be sent to the CA of your choice and the keyfile will reside /usr/local/ssl/private/httpd.key. If you have already sent off a key request for this server before, make sure you aren't overwriting your old key which is awaiting a corresponding certificate from your CA. If the key generation fails, move the file /usr/local/ssl/private/httpd.key to a backup location and try again.
********* READ ME *************
Choose the size of your key. The smaller the key you choose the faster your server response will be, but you'll have less security. Keys of less than 512 bits are trivially cracked, while for high security applications you probably don't want a key of less than 1024 bits. Choosing an appropriate keysize is your responsibility.
How many bits of key (384 minimum, 1024 maximum):1024
Now we will generate some random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.
Generating 2048 bits of randomness
..............................................
..................
Now we generate more random data, from keystrokes
We need to generate 2048 random bits. This is done by measuring the time intervals between your keystrokes. Please enter some random text on your keyboard until you hear the beep:
2048
Now you should type random text. It doesn't matter how much random text that you type. You should simply be careful not to hold down the repeat key. A very good way to generate random text is to have your cat walk across the keyboard.
buy more O'Reilly books.0 * -Enough, thank you.
Finally, choose some files with random bits, to complete our random number seed generation. You might want to put in logfiles, utmp, wtmp, etc.
Enter colon-separated list of files:/var/log/maillog:/var/log/messages
Now we are generating the key. This may also take some time. Be patient.
The passphrase you enter here is very important. Do not lose it.
unable to load 'random state'
1162802 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
1162802 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............................................+++++
................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:mysuperpassword
Verifying password
Enter PEM pass phrase:mysuperpassword
Key generated
Would you like to send a Certificate Request to a CA? [Y/n]y
NOTE: There is a bug in the software VeriSign uses to run their Certificate Authority. In order to work around this bug, our software creates CSR in a different form if you are going to use a Certificate Authority with a bug such as the one used by VeriSign. Please answer the following question about whether or not your CA is affected by this bug. (VeriSign is affected by this bug.)
Does your CA need the ASN1-Kludge? [Y/n] Y
Working around CA bug.
Now we will generate a certificate request. After that we will create a temporary certificate for testing until you receive the certificate from your CA.
Enter the following information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:Massachusetts
Locality Name (city, town, etc.) [Springfield]:Vineyard Haven
Organization Name (company) [Random Corporation]:Vineyard.NET, Inc.
Organizational Unit Name (division) [Secure Services Division]:.
Common Name (webserver FQDN) [www.random.com]:www.vineyard.net
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, SP=Massachusetts, L=Vineyard Haven, O=Vineyard.NET, Inc., CN=www.vineyard.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            Public Key: (1024 bit)
                Modulus:
                    00:f5:85:28:b5:20:61:4c:dd:c5:e1:2d:be:4d:a8:
                    4f:ec:5f:7c:fc:cf:82:a7:48:4c:3d:ac:57:e3:bb:
                    19:5d:d8:3a:7e:1a:fa:d6:26:d5:69:12:a0:b3:d1:
                    36:ed:b0:83:d6:38:7b:71:ca:af:6d:37:55:87:d3:
                    2b:7f:cf:45:3b:b0:80:69:d2:47:e3:d0:7f:1f:6f:
                    21:bd:62:e1:a9:06:21:22:73:b9:da:20:93:97:cd:
                    00:c0:66:98:26:aa:dd:20:8a:e4:0c:48:35:55:de:
                    43:12:47:5c:35:e0:6f:8f:cf:25:3e:99:d0:53:b7:
                    cd:57:d1:b0:90:56:3f:4a:53
                Exponent: 65537 (0x10001)
        Attributes:
    Signature Algorithm: md5withRSAEncryption
        c5:c4:a0:5b:37:fd:79:d0:81:88:05:54:37:db:c1:15:59:e5:
        33:d6:c0:fe:99:00:73:a1:5b:f2:cb:4a:4d:b9:29:fd:53:7c:
        b4:42:11:b9:25:6b:32:75:82:cb:c1:cd:62:3f:04:65:54:1f:
        1d:42:e9:7b:f0:15:a3:2c:dc:7a:c7:8e:23:3b:74:ef:4f:ef:
        2d:ee:56:b9:0e:f7:fc:32:60:f3:e8:08:d0:00:c3:6d:6d:c7:
        d7:39:a2:6c:2f:cd:c8:66:7c:9d:8e:1f:87:5a:56:60:e7:f3:
        e1:6f:fd:14:d7:f4:3b:b8:c6:cf:d7:e2:bf:40:7b:3d:d6:a3:
        86:50
Webmaster email:[email protected]
Webmaster phone:508-696-6688
Send certification request to [[email protected]]:
Your certificate request was sent to your apachessl-us-request- [email protected]. Make sure you send them the appropriate paperwork and money, unless this is a renewal. See http://www.verisign.com/apachessl-us/index.html for more information about the Verisign CA process.
Now we will create a self-signed certificate for use until the CA of your choice signs your certificate. You will have to use this cert until your CA responds with the actual signed certificate.
You are about to be asked to enter information that will be incorperated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:Massachusetts
Locality Name (city, town, etc.) [Springfield]:Vineyard Haven
Organization Name (company) [Random Corporation]:Vineyard.NET, Inc.
Organizational Unit Name (division) [Secure Services Division]:.
Common Name (webserver FQDN) [www.random.com]:www.vineyard.net
--COMPLETE--
Your key has been generated and a test certificate has been installed
--COMPLETE--
vineyard#
Your encrypting server is now installed, a public/secret key pair has been created, and your server has been equipped with a “self-signed” test certificate.
The test certificate will allow you to begin immediately using your server’s cryptographic features. However, because the certificate is not signed by a recognized certification authority, when users click into your web site they should be informed by their browser that the server has not been properly authenticated.
To complete the installation of your server, you need to install a public key certificate signed by a recognized CA. The following section describes how to install a public key signed by VeriSign.
As part of the installation procedure of Apache-SSL, a copy of your public key is sent off to a certification authority. The default authority is VeriSign, a company that was formed in 1995 by RSA Data Security Systems and other partners. (For more information about CAs, see Chapter 7.)
The email address for VeriSign is specified in the installation procedure:
Send certification request to [[email protected]]:
Your certificate request was sent to your apachessl-us-request- [email protected]. Make sure you send them the appropriate paperwork and money, unless this is a renewal. See http://www.verisign.com/apachessl-us/index.html for more information about the Verisign CA process.
Shortly after you complete the installation process, you should get a response from VeriSign’s computers indicating that your public key has been received:
You have new mail.
% mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/simsong": 1 message 1 unread
>N 1 owner-apachessl-us-r Tue May 28 19:39 90/4235
& p1
Message 1:
From [email protected] Tue May 28 19:39:46 1996
From: [email protected]
Date: Tue, 28 May 1996 16:38:31 -0700 (PDT)
To: "Simson L. Garfinkel" <[email protected]>
Unique ID Number: 14996062
The above number identifies your certificate request. Please refer to this number in any correspondence with VeriSign regarding this certificate.
Thank you for submitting your Digital ID server request. If you haven't already, please go to our Digital ID Center at:
http://digitalid.verisign.com/
You will be asked to complete an online enrollment form with information required to authenticate your server. The information you supply will be used to generate an electronic Authorization Letter. Once you execute the letter, it will be automatically emailed to VeriSign. This letter designates you as an authorized representative of your organization, responsible for requesting and utilizing a Digital ID.
Just as in applying for a business license or trademark, your Digital ID cannot be issued until your subscriber information is complete and independently verified. Imagine the potential damage to your business or reputation if someone could masquerade as your company or organization on the net. We will verify your information with 3rd-party data sources and perform additional due-diligence as appropriate. If the information you supplied is complete and can be verified, we will typically issue your Digital ID within 3-5 business days.
VeriSign assigns a Request Tracking Number to each Digital ID server request when received. The number listed below identifies your Digital ID server request. Please refer to this number in any correspondence with VeriSign regarding this certificate.
Request Tracking Number: __________________
By affixing VeriSign's digital signature to your Digital ID, VeriSign is attesting that we, as an independent third party, followed certain procedures to verify that your company or organization has the legal right to use the organization name and common name (typically your domain name) embedded in the certificate. This level of assurance gives your customers and business partners confidence that you are who you say you are.
We will process your request as quickly as possible. Our customer service team will be in contact with you (via email and or phone) until we have issued your Digital ID. We will also notify you in advance of pending renewal issues before your Digital ID expires.
If you have additional questions, please refer to our Digital ID Center at http://digitalid.verisign.com/. Thank you in advance for your patronage.
----------- Your original message is below ----------
Webmaster: [email protected]
Phone: 508-696-6688
Server: Apache-SSL-US
Common-name: www.vineyard.net
Organization Unit:
Organization: Vineyard.NET
Locality: Vineyard Haven
State: Massachusetts
Country: US
-----BEGIN CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0
dHMxFzAVBgNVBAcTDlZpbmV5YXJkIEhhdmVuMRswGQYDVQQKExJWaW5leWFyZC5O
RVQsIEluYy4xGTAXBgNVBAMTEHd3dy52aW5leWFyZC5uZXQwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAPWFKLUgYUzdxeEtvk2oT+xffPzPgqdITD2sV+O7GV3Y
On4a+tYm1WkSoLPRNu2wg9Y4e3HKr203+YfTK3/PRTuwgGnSR+PQfx9vIb1i4akG
ISJzudogk5fNAMBmmCaq3SCK5BxINVXeQxJHXDXgb4/PJT6Z0FO3zVfRsJBWP0pT
AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAxcSgWzf9edCBiAVUN9vBFVnlM9bA/pkA
c6Fb8stKTbkp/VN8tEIRuSVrMnWCy8HNYj8EFVQfHULpe/AVoyzceseOIzt070/v
Le5WuQ73/DJg8+gI0ADDbW3H1zmibC/NyGZ8nY4fh1pWYOfz4W/9FNf0O7jGz9fi
v0B7PdajhlA=
-----END CERTIFICATE REQUEST-----
& q
Held 1 message in /var/mail/simsong
%
Now you have nothing to do but wait.[118] VeriSign will validate the information provided in your certificate request. This process can take a week or more.
Eventually, you should get a message back from VeriSign:
X-Sender: certs@dustin
Mime-Version: 1.0
X-Priority: 1 (Highest)
Date: Wed, 05 Jun 1996 01:26:24 -0700
To: [email protected]
From: Certificate Services <[email protected]>
Subject: Digital ID approval
X-Attachments: S:LETTERSNewlegal.txt;
Dear Valued VeriSign Customer,
Server/Common Name: www.vineyard.net
Following is your official Digital ID (Certificate) which will certify your identity and your public key in electronic transactions. It has been digitally signed by VeriSign guaranteeing that your Digital ID hasn't been corrupted or otherwise modified since it was signed and that it will be trusted by others conducting electronic commerce.
Prior to your one year expiring we will notify you of the renewal procedures.
Please refer to your server manual for proper instructions on installing your Digital ID (Certificate).
-----BEGIN CERTIFICATE-----
MIICRDCCAbECBQJ6AAd3MA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjA2MDUwMDAwMDBa
Fw05NzA2MDUyMzU5NTlaMHYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNo
dXNldHRzMRcwFQYDVQQHEw5WaW5leWFyZCBIYXZlbjEbMBkGA1UEChMSVmluZXlh
cmQuTkVULCBJbmMuMRkwFwYDVQQDExB3d3cudmluZXlhcmQubmV0MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQD1hSi1IGFM3cXhLb5NqE/sX3z8z4KnSEw9rFfj
uxld2Dp+GvrWJtVpEqCz0TbtsIPWOHtxyq9tN/mH0yt/z0U7sIBp0kfj0H8fbyG9
YuGpBiEic7naIJOXzQDAZpgmqt0giuQMSDVV3kMSR1w14G+PzyU+mdBTt81X0bCQ
Vj9KUwIDAQABMA0GCSqGSIb3DQEBAgUAA36ABH64fDO4lx8I+9ZNamaZDuUo5GlO
pr6AJtUIjcREymHjUeyvP0nAP79rt6tI5ywGHWIqDXq8gfL3XvW48rVbjaAajzZO
xcO9t2Xe19JY/eKLCPT6hf4SMtNtIFl2FCSeU8slgzu+H7tLq8xmstb8h+koRHbv
OYPz6BGqZbk=
-----END CERTIFICATE-----
Providing Driver Licenses for the Information Superhighway[(TM)]
VeriSign COMMERCE SERVER LEGAL AGREEMENT
-----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE DIGITAL ID ISSUED TO YOUR ORGANIZATION.
BY USING THE DIGITAL ID, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PROMPTLY RETURN THE UNUSED DIGITAL ID TO VERISIGN AND YOUR MONEY WILL BE REFUNDED.
(The rest of the message contains a long legal agreement that we won’t reprint here.)
Save this message in a file on your computer. In the middle of this message, between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", is your server certificate. To install this certificate on your web server, follow these steps:
Save a copy of the certificate in a file (e.g., /tmp/verisign).
You have new mail.
%s /tmp/verisign
"/tmp/verisign" [New file]
&x
%
Become superuser.
% su
Password:mypass
#
Set your SSLTOP environment variable.
# setenv SSLTOP /usr/local/ssl
#
Run the getverisign script, using the certificate as standard input.
# /usr/local/ssl/bin/getverisign < /tmp/verisign
#
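A check the steps above do not show, given here as an added example (not part of the original text and not the getverisign script): it pulls the certificate out of the saved message and confirms that it belongs to the private key on disk, which catches the overwritten-key case the installer's READ ME warns about. It assumes the modern `openssl` command in place of the SSLeay tools; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: validate a CA reply before installing the certificate.

# extract_cert MAILFILE
# Prints the single PEM certificate found in MAILFILE. Fails if the message
# holds no certificate, more than one, a truncated one, an empty one, or
# body lines that are not base64.
extract_cert() {
    awk '
        { sub(/[ \t\r]+$/, "") }          # drop trailing blanks and CRs left by mail
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inside || found) bad = 1   # nested or second certificate
            inside = 1; n = 0; buf = $0 "\n"; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inside || n == 0) bad = 1 # END without BEGIN, or empty body
            inside = 0; found = 1; buf = buf $0 "\n"; next
        }
        inside {
            if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1
            n++; buf = buf $0 "\n"
        }
        END {
            if (bad || inside || !found) exit 1
            printf "%s", buf
        }
    ' "$1"
}

# cert_matches_key CERTFILE KEYFILE
# Succeeds only if the certificate's RSA modulus equals the private key's.
# A passphrase-protected key makes openssl prompt for the passphrase.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage (hypothetical script name): sh check_cert.sh SAVED_MAIL PRIVATE_KEY
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    if ! extract_cert "$1" > "$tmp"; then
        echo "no single well-formed certificate in $1" >&2
        exit 1
    fi
    if cert_matches_key "$tmp" "$2"; then
        echo "certificate matches $2"
    else
        echo "certificate does NOT match $2; do not install it" >&2
        exit 1
    fi
fi
```

Run it against the saved message and the key file before handing the message to getverisign; a mismatch means the key on disk is not the one the request was generated from.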
The private key for the Apache-SSL server needs to be stored on the hard disk. Otherwise, it can’t decrypt the incoming data over an SSL connection. Unfortunately, this creates a potential vulnerability: if someone were to steal your computer, he would have access to your organization’s secret key.
To solve this problem, Apache-SSL can store your organization’s private key in one of two ways:
Apache-SSL can store your private key encrypted with a passphrase. Encryption protects your private key from unauthorized use: to use the private key, a person must be present who knows your passphrase and is willing to type it into your computer.[119] The advantage of storing your private key encrypted is that it makes the private key difficult to steal, because the decrypted private key is stored in the computer’s memory but is never written onto the computer’s disk drive. Even if somebody breaks into your computer room and steals your secure web server, he will probably not be able to get your private key, because the web server will be unplugged during the theft. When he plugs the computer in again, it will not be able to use the private key, because the key is encrypted with a passphrase that the thief (presumably) does not know.
Apache-SSL can also store your private key unencrypted on the hard disk. If the key is stored encrypted, it must be decrypted before it can be used, so a passphrase must be typed at the computer’s keyboard. Storing the key unencrypted means that the server can restart automatically after a crash or reboot without anyone being present. It also means that someone stealing your computer or backup tapes will gain possession of the key and can masquerade as you.
For most web sites, there is no reason not to store the web server’s private key unencrypted. That’s because while an unencrypted key stored on a computer’s hard disk is only protected by the computer’s operating system, the same is true of the web server itself. An attacker who can compromise your computer’s security and steal your key can just as easily steal your encrypted key and then booby-trap your web server so that when the decryption password is typed, the password is automatically sent over the net to some other location. Furthermore, storing the private key encrypted makes the web server considerably more difficult to operate. Everybody who reloads the server or reboots the computer needs to know the decryption password.
In practice, the minor security improvement that comes from storing the private key encrypted is not worth the increased difficulty of operations.
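An added example (not from the original text) that reports which of the two storage modes a key file is in and, for an unencrypted key, whether its file permissions leave it readable beyond its owner, since the operating system is then the key's only protection. The function name and the status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report how a PEM private key is protected on disk.

# key_protection KEYFILE prints one of:
#   encrypted          passphrase-protected PEM (SSLeay/OpenSSL "Proc-Type"
#                      header, or a PKCS#8 ENCRYPTED PRIVATE KEY block)
#   plaintext-private  unencrypted, no group or other permission bits set
#   plaintext-exposed  unencrypted AND group/other permission bits are set
#   not-a-key          no PEM private-key block found
key_protection() {
    f=$1
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo not-a-key; return 1
    fi
    if ! grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo not-a-key; return 1
    fi
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted; return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo plaintext-private
    else
        echo plaintext-exposed; return 2
    fi
}

# Audit every key file named on the command line, for example the
# /usr/local/ssl/private/httpd.key created by the installer above.
if [ "$#" -gt 0 ]; then
    status=0
    for k in "$@"; do
        state=$(key_protection "$k") || status=1
        printf '%s: %s\n' "$k" "$state"
    done
    exit "$status"
fi
```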
Apache-SSL comes with three shell scripts for controlling the operation of the httpd and httpsd servers:
Command | Function |
---|---|
/usr/local/apache/start | Starts the httpd and httpsd servers. |
/usr/local/apache/reload | Causes the servers to reload their configuration files. |
/usr/local/apache/stop | Stops both servers. |
You should run the reload command after you make any changes to the Apache configuration files.
Many sites set up their computers so that their web servers are run automatically when the system reboots. If you wish your cryptographically enabled web server to immediately begin accepting transactions, you will need to store the server’s secret key decrypted, or store the decryption password on the hard drive so that it is automatically entered, or have some sort of physical device connected to your computer that contains the decrypted key or the decryption password.
[117] If you lie in answering these questions so as to obtain the server code, you may be in violation of U.S. federal law pertaining to munitions export. Consult your attorney if you have any concerns or questions about this.
[118] Assuming, of course, that you have already gone through VeriSign’s web site and arranged for payment of your server certificate. If you have not done this, turn to Chapter 8 and do it at once.
[119] This is the same technique that programs like PGP use to protect their secret keys.