Wednesday, November 22, 2006

configure apache with mod_ssl (Apache+mod_ssl+openssl)

I have worked with Apache for a long time, but never configured it for secure communication (HTTPS). Setting it up on Windows was nearly impossible for me (would welcome any help on this). On Red Hat Linux it was really easy, as openssl and mod_ssl were already installed.

The setup cannot be done with just Apache+mod_ssl as I imagined before. The right combination is Apache+mod_ssl+OpenSSL. Quote from the Apache website: "The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides Strong Encryption using the Secure Sockets Layer and Transport Layer Security protocols."

Realising that openssl implements the actual SSL protocol, and that mod_ssl is just an interface to openssl, took some time.

Now, I am not very sure how mod_ssl and openssl interact. But I believe that mod_ssl uses some of the shared libraries of openssl, which can be seen by looking at the memory map of the httpd process:
/root/> cat /proc/4807/maps | grep -i ssl
00125000-00156000 r-xp 00000000 08:13 1068411 /lib/libssl.so.0.9.7a
00156000-00159000 rwxp 00031000 08:13 1068411 /lib/libssl.so.0.9.7a
00419000-0043d000 r-xp 00000000 08:13 658555 /usr/lib/httpd/modules/mod_ssl.so
0043d000-0043f000 rwxp 00023000 08:13 658555 /usr/lib/httpd/modules/mod_ssl.so
(4807 is the process id of httpd. And openssl-0.9.7a-43.1 is the openssl version installed on my machine.)
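
The same memory-map check as a reusable script (an added example, not from the original post): it lists each distinct SSL-related object a process has mapped and marks mappings whose file has been deleted or replaced on disk, which is how a running httpd keeps using an old OpenSSL build after an upgrade until it is restarted. The function names and the sample lines are constructed for illustration, modelled on the output above.

```shell
#!/bin/sh
# List the SSL-related shared objects found in a /proc/<pid>/maps file.
# Usage: ssl_maps /proc/4807/maps     (or "-" to read stdin)
ssl_maps() {
    awk '
        # maps columns: address perms offset dev inode pathname [(deleted)]
        $6 ~ /(libssl|libcrypto|mod_ssl)/ {
            path = $6
            # The kernel appends "(deleted)" when the mapped file was
            # unlinked, e.g. replaced by a package update.
            state = ($7 == "(deleted)") ? "STALE" : "ok"
            if (!(path in seen)) order[++n] = path   # keep first-seen order
            seen[path] = state
        }
        END { for (i = 1; i <= n; i++) print seen[order[i]], order[i] }
    ' "${1:--}"
}

# Succeeds (exit 0) when at least one SSL-related mapping is stale,
# meaning the process should be restarted to load the current library.
ssl_maps_stale() {
    ssl_maps "${1:--}" | grep -q '^STALE '
}

# Constructed sample: the mappings from the post, with libssl marked as
# deleted and one unrelated library added to show the filtering.
sample_maps() {
    cat <<'EOF'
00125000-00156000 r-xp 00000000 08:13 1068411 /lib/libssl.so.0.9.7a (deleted)
00156000-00159000 rwxp 00031000 08:13 1068411 /lib/libssl.so.0.9.7a (deleted)
00419000-0043d000 r-xp 00000000 08:13 658555 /usr/lib/httpd/modules/mod_ssl.so
0043d000-0043f000 rwxp 00023000 08:13 658555 /usr/lib/httpd/modules/mod_ssl.so
00a00000-00a10000 r-xp 00000000 08:13 1068400 /lib/libc.so.6
EOF
}

# Demo on the constructed sample; on a live system pass /proc/<pid>/maps.
sample_maps | ssl_maps -
```

Reading another user's `/proc/<pid>/maps` normally requires root, as in the session above.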

mod_ssl.so is a Dynamic Shared Object (DSO), which can be plugged into Apache without recompiling it. Find more details on DSO here.
Check out "man dlopen"; it's interesting, with an example at the end.

This [http://httpd.apache.org/docs/2.0/mod/mod_ssl.html] is a good link from apache on mod_ssl.

While installing mod_ssl, make sure you have the right version for your Apache.
From the mod_ssl FAQ:
---------------------------------------------------------------------------------------
How do I know which mod_ssl version is for which Apache version?

That's trivial: mod_ssl uses version strings of the syntax <mod_ssl-version>-<apache-version>, for instance 2.4.0-1.3.9. This directly indicates that it's mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you only can apply this mod_ssl version to exactly this Apache version (unless you use the --force option to mod_ssl's configure command ;-).

------------------------------------------------------------------------------------------

Having installed Apache, mod_ssl and openssl, it is relatively easy to configure the server.
Search the internet to find how to generate a certificate using openssl commands, then edit httpd.conf to put in the directives that point to the certificate.
I followed the instructions here, and it was easy going.

Happy secure browsing....