環境: Debian Testing/Unstable , Apache 1.3, OpenWebMail, 已完成網站設定並可以正常運行於端口80.
目的: 用SSL加密client 與 server的連線.
安裝apache SSL module:
debian:/usr/lib/apache/1.3# apt-get install libapache-mod-ssl
.....
Get:1 http://ftp.hk.debian.org testing/main libapache-mod-ssl 2.8.25-1 [328kB]
....
Unpacking libapache-mod-ssl (from .../libapache-mod-ssl_2.8.25-1_i386.deb) ...
Setting up libapache-mod-ssl (2.8.25-1) ...
./ca-bundle.crt ... Skipped
./snakeoil-dsa.crt ... 5d8360e1.0
./snakeoil-rsa.crt ... 82ab5372.0
./snakeoil-ca-dsa.crt ... 0cf14d7d.0
./snakeoil-ca-rsa.crt ... e52d41d0.0
之後系統提示使用那一方的設置(用戶現行設置/軟件開發者設置), 因選了保留用戶現行設置, 故需自己設定config file. 要自己修改/etc/apache/module.conf, httpd.conf
今次誤打誤撞試用apache-modconf.
debian:/etc/apache# apache-modconf apache-ssl
Creating config file /etc/apache-ssl/httpd.conf with new version
Creating config file /etc/apache-ssl/modules.conf with new version
比較過設置檔, 運行完apache-modconf apache-ssl後在module.conf會加入
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
但没有在httpd.conf 中作出合適設定.在httpd.conf或者/etc/apache/conf.d/加入
<IfModule mod_ssl.c>若用virtual host 則加入:
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
Listen 443
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:logs/ssl_scache(512000)
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
#SSLLog /var/log/apache/ssl_engine_log
#SSLLogLevel info
</IfModule>
若没有用virtual host則將上斜體字 部份加入之前的
<VirtualHost newvhost.domain.org:443>
<IfModule mod_ssl.c>SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
</VirtualHost>
建立SSL Cert:
debian:/etc/apache# mod-ssl-makecert
/etc/apache/ssl.crt/server.crt: already present
/etc/apache/ssl.csr/server.csr: already present
/etc/apache/ssl.key/server.key: already present
Do you really want to overwrite the existing certificate ? [y/N]: y (因第一次設置時誤輸入pass phrase)
What type of certificate do you want to create?
1. dummy (dummy self-signed Snake Oil cert)
2. test (test cert signed by Snake Oil CA)
3. custom (custom cert signed by own CA)
4. existing (existing cert)
Use dummy when you are a vendor package maintainer,
test when you are an admin but want to do tests only,
custom when you are an admin willing to run a real server
existing when you are an admin who upgrades a server.
Normally you would choose 2.
your choice: 2 (測試用)
Which algorithm should be used to generate required key(s)?
1. RSA
2. DSA
Normally you would choose 1.
your choice: 1
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________
STEP 1: Generating RSA private key (1024 bit) [server.key]
1376666 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
................................................++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 2: Generating X.509 certificate signing request [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:mo(輸入與自己服務器有關資料)
2. State or Province Name (full name) [Snake Desert]:macau
3. Locality Name (eg, city) [Snake Town]:macau
4. Organization Name (eg, company) [Snake Oil, Ltd]:asum
5. Organizational Unit Name (eg, section) [Webserver Team]:asum it
6. Common Name (eg, FQDN) [www.snakeoil.dom]:debsrv.asum.edu.mo
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:netadm@asum.edu.mo
8. Certificate Validity (days) [365]:(有效期自定)
______________________________________________________________________
STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=mo/ST=macau/L=macau/O=asum/OU=asum it/CN=debsrv.asum.edu.mo/emailAddress=netadm@asum.edu.mo
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache/ssl.crt/server.crt: OK
______________________________________________________________________
STEP 4: Encrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: y
writing RSA key
Enter PEM pass phrase: (輸入加密密碼, 此密碼會在啟動apahce 發問)
Verifying - Enter PEM pass phrase: (兩次必需相同)
Fine, you're using an encrypted RSA private key.
______________________________________________________________________
RESULT: Server Certification Files
o /etc/apache/ssl.key/server.key
The PEM-encoded RSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o /etc/apache/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o /etc/apache/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our demonstration-only Snake Oil CA) which later can replace
the /etc/apache/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
debian:/etc/apache# apachectl start (重新啟動apache)
Apache/1.3.34 mod_ssl/2.8.25 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server localhost:443 (RSA)
Enter pass phrase: (輸入建立cert時用的密碼)
Ok: Pass Phrase Dialog successful.
/usr/sbin/apachectl start: httpd started
之後在瀏覽器中輸入https://name_or_ip
第一次連接會提示是否接納該cert.
未完成:
1.使啟動apache 免輸入pass phrase,以免令啟動Script出現等候.
2.squrriel web mail 未能接IMAP server, 未知是否與轉用SSL連線有關.
參考:
http://www.debian-administration.org/articles/31
