Comments on Secure Websites Using SSL And Certificates

Secure Websites Using SSL And Certificates

This how-to will guide you through the entire process of setting up a secure website using SSL and digital certificates. This guide assumes that you already have a fully functional (and configured) server running Apache, BIND, and OpenSSL. Just as a side note, this guide was written based on a Fedora Core 6 distribution, but the steps should be the same for most other distros out there.

Comments

By: secure webmaster

Thanks for this nice article. There are many reasons why security is the most important part of development. A small list for website security: http://www.cafewebmaster.com/how-do-i-secure-my-web-site

By:

You really should disable weak ciphers and allow only high encryption algorithms. Default installs of Apache usually allow any cipher, even the horribly outdated ones. It is possible to force a downgrade of the server-side encryption level by sending a custom-crafted SSL handshake. After that, it may be possible to exploit security holes in the weaker encryption protocols.

Enter the following in your httpd.conf or in the virtual host container. This will enable only the high encryption ciphers (TLSv1 or SSLv3). If you really need a secure environment, enable only TLSv1. Please note that some (very outdated) browsers may have problems with the higher cipher suites and will not be able to connect after this change.

SSLCipherSuite HIGH:-SSLv2

You can test if your server is vulnerable to this attack with the following command (using the openssl binary):

openssl s_client -no_tls1 -no_ssl3 -cipher LOW -connect 255.255.255.255:443

Replace the 255... IP address with your server's address, of course. You should see a handshake failure if everything is OK. If not, you will be presented with a certificate and you will see the actual cipher used (probably MD5 or something), which is bad.

The issue itself was brought to my attention by TNO, a Dutch research group which was contracted to do security auditing on a group of servers I administer. They should get the props for this.

By:

This was a great help! I finally could make https work on my computer. However, I found some typos that you must fix (as a newbie, I got a bit lost in a couple of steps). I think you may rather fix them instead of publishing this comment (I do not mind if you don't give me the credit :-).

Instead of
# rm -rf ./../CA
I had to type
# rm -rf ../../CA

And
# cd /etc/httpf/conf/ssl.key
should be
# cd /etc/httpd/conf/ssl.key

Thanks a lot.

By:

Thanks pspsilveira, I will revise the document.  These are simple things I overlooked when I wrote it.

By: Anonymous

Great post. I wanted to add two things:

- The SSL modules must be loaded in the httpd.conf. This is generally done by adding:

LoadModule ssl_module         libexec/apache/libssl.so
AddModule mod_ssl.c

- The VirtualHost directive can be used in case multiple websites are served by the same Apache instance for a fine-grained SSL configuration.

I also came across a similar article that discusses these topics:

http://www.codealias.info/technotes/howto_add_ssl_support_to_apache_web_server

By: Ian Channing

This is a fantastic article that I use each time I'm generating a Server Certificate. Only doing it each time the certificate needs renewing means I forget every time.

For trusted third-party signing you only need steps 1, 3, 4B and 5, i.e. you can leave out step 2; this is just for signing the certificate request yourself. For those like me, not really understanding the process and stepping through everything very carefully, knowing this would have saved me some time!

Perhaps this might be worth pointing out at the beginning?

By: Candace

Love this howto; it has so far helped me understand how to set up SSL on my servers. However, I have a question on how to configure Apache if you use a third-party cert. You have the step: cp /etc/pki/tls/hostnameKey.pem ssl.key/server.key - but with the requests I submit, I do not get a key back, only a cert.

By: Bee

Thanks! I followed this how-to and it just works great for me.