APACHE Web Server and SSL Authentication


Contents:
1. Introduction
2. Issuing OpenSSL certificates
3. One-way SSL authentication
4. Two-way SSL authentication
5. Other advantages of SSL authentication
6. Conclusion
7. Linux Apache2 specific notes


    Author: Jaroslav Imrich

This article describes how to configure mod_ssl, the module that extends Apache HTTPD with support for the SSL/TLS protocol. It covers authentication of the server (one-way SSL authentication) as well as authentication of clients by means of certificates (two-way SSL authentication).

1. Introduction

If you have decided to enable the SSL (Secure Sockets Layer) protocol on your web server, it is probably because you want integrity and confidentiality for data transferred over untrusted networks. Combined with the principles of PKI (Public Key Infrastructure), the protocol can also provide, alongside integrity and confidentiality, authentication of one or both parties in the client-server communication.

One-way SSL authentication allows the SSL client to verify the identity of the SSL server, but the SSL server cannot verify the identity of the SSL client. This is the mode used by the HTTPS protocol on most public servers, including webmail and Internet banking sites. In that case the client is authenticated at the application layer of the OSI model, by entering credentials such as a username and password or a grid-card code.

Two-way SSL authentication, also known as mutual SSL authentication, allows the SSL client to verify the identity of the SSL server and the SSL server to verify the identity of the SSL client. It is also called client certificate authentication, because the client proves its identity to the server with a client certificate. Certificate-based client authentication can add another layer of security on top of, or completely replace, authentication methods such as username and password.

In this document we will discuss the configuration of both types of SSL authentication: one-way and two-way.

2. Issuing OpenSSL certificates

This section briefly describes how to create all the required certificates with the openssl command-line tool. The process is simple, but it does not scale: if you need to issue a larger number of certificates, use the openssl ca subcommand (or a proper CA) instead, which also keeps an index of issued certificates and can generate a CRL. The reader is expected to have a basic knowledge of PKI, so each step is described only briefly.

All certificates are issued with the openssl tool and the openssl.cnf configuration file below. Save this file into the directory from which you run the openssl commands. The configuration file is optional; we use it so that the certificate extensions do not have to be passed on the command line each time. Note that the [server] and [client] sections give each certificate a distinct extendedKeyUsage, so a client certificate issued by this CA cannot be used to impersonate the server.

openssl.cnf:

[ req ]
# the original used sha1; SHA-1 signatures are rejected by current browsers
default_md          = sha256
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country
countryName_default         = SK
countryName_min             = 2
countryName_max             = 2
localityName                = Locality
localityName_default        = Bratislava
organizationName            = Organization
organizationName_default    = Jariq.sk Enterprises
commonName                  = Common Name
commonName_max              = 64

[ certauth ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
crlDistributionPoints  = @crl

[ server ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage      = serverAuth
nsCertType            = server
crlDistributionPoints = @crl

[ client ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage      = clientAuth
nsCertType            = client
crlDistributionPoints = @crl

[ crl ]
URI = http://testca.local/ca.crl

APACHE web server and SSL authentication 27.2.2015
http://linuxconfig.org/apache-web-server-ssl-authentication

As a first step, generate the self-signed CA certificate. When prompted for the Common Name, enter the string Test CA:

# openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes \
    -keyform PEM -keyout ca.key -x509 -days 3650 \
    -extensions certauth -outform PEM -out ca.cer

If the command ran without complications, your current directory now contains ca.key with the private key of the certificate authority (CA) and ca.cer with its self-signed certificate. Note that -nodes leaves ca.key unencrypted; anyone who can read this file can issue certificates your server will trust, so keep it off the web server and restrict its permissions (chmod 600 ca.key).

    In the next step you need to generate private SSL key for the server:

    # openssl genrsa -out server.key 2048

Generate a Certificate Signing Request in PKCS#10 format with the following command. As the Common Name, enter the server's hostname, for example localhost:

    # openssl req -config ./openssl.cnf -new -key server.key -out server.req

Using the self-signed certificate authority, issue the server certificate with serial number 100:

# openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key \
    -set_serial 100 -extfile openssl.cnf -extensions server \
    -days 365 -outform PEM -out server.cer

The file server.key contains the server's private key and server.cer is the certificate itself. The Certificate Signing Request server.req is no longer needed and can be removed:

    # rm server.req

Generate the private key for the SSL client:

    # openssl genrsa -out client.key 2048

As for the server, generate a Certificate Signing Request for the client. As the Common Name I used the string Jaroslav Imrich:

    # openssl req -config ./openssl.cnf -new -key client.key -out client.req

    With your self-signed Certificate Authority, issue a client certificate with serial number 101:


# openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key \
    -set_serial 101 -extfile openssl.cnf -extensions client \
    -days 365 -outform PEM -out client.cer

Save the client's private key and certificate in PKCS#12 format. The file is protected by a password, which will be needed in the following sections to import the certificate into the web browser's certificate manager:

    # openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

The file client.p12 contains the private key and the client's certificate, so client.key, client.cer and client.req are no longer needed and can be deleted:

    # rm client.key client.cer client.req
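The whole procedure of this section, scripted end to end, as an added example; it is not part of the original article and the function names (write_config, build_pki, verify_pki) are mine. It assumes an OpenSSL 1.1.1 or 3.x binary on the PATH, reuses the article's DN values, serial numbers and CRL URL, and treats the output directory and the "changeit" PKCS#12 password as placeholders. It goes slightly beyond the text: signatures are SHA-256, the CA gets an explicit keyUsage, the server certificate gets a subjectAltName (current browsers ignore the CN), the obsolete nsCertType and dataEncipherment bits are dropped, private keys are created with mode 0600, and the result is checked with openssl verify, including the check that the client certificate is rejected for the serverAuth purpose:

```shell
#!/bin/sh
# Added example, not from the article: issue the CA, server and client
# certificates of section 2 in one go, then check them the way a TLS peer would.
# Assumes OpenSSL 1.1.1/3.x; DN values and the PKCS#12 password are placeholders.

# openssl.cnf equivalent to the article's, with SHA-256, CA keyUsage and a SAN
write_config() {
    cat > openssl.cnf <<'EOF'
[ req ]
default_md         = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName      = Country
localityName     = Locality
organizationName = Organization
commonName       = Common Name

[ certauth ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
crlDistributionPoints  = @crl

[ server ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth
subjectAltName        = DNS:localhost
crlDistributionPoints = @crl

[ client ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature
extendedKeyUsage      = clientAuth
crlDistributionPoints = @crl

[ crl ]
URI = http://testca.local/ca.crl
EOF
}

# build_pki DIR [P12_PASSWORD]: creates ca.*, server.*, client.* in DIR
build_pki() {
    dir=$1; p12_pass=${2:-changeit}
    mkdir -p "$dir" || return 1
    (
        set -e
        umask 077            # everything is created 0600; certs are relaxed below
        cd "$dir"
        write_config
        dn="/C=SK/L=Bratislava/O=Jariq.sk Enterprises"
        # self-signed CA; -nodes keeps ca.key unencrypted so this runs unattended,
        # a real CA key is encrypted and never lives on the web server
        openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
            -out ca.cer -days 3650 -extensions certauth -subj "$dn/CN=Test CA" 2>/dev/null
        # server: key, CSR, certificate with serial 100 and the [ server ] extensions
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -config openssl.cnf -new -key server.key -out server.req -subj "$dn/CN=localhost"
        openssl x509 -req -sha256 -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 \
            -extfile openssl.cnf -extensions server -days 365 -out server.cer 2>/dev/null
        # client: key, CSR, certificate with serial 101 and the [ client ] extensions
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -config openssl.cnf -new -key client.key -out client.req -subj "$dn/CN=Jaroslav Imrich"
        openssl x509 -req -sha256 -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 \
            -extfile openssl.cnf -extensions client -days 365 -out client.cer 2>/dev/null
        # PKCS#12 for the browser, with the CA cert included so the chain is complete
        openssl pkcs12 -export -inkey client.key -in client.cer -certfile ca.cer \
            -name "Jaroslav Imrich" -out client.p12 -passout "pass:$p12_pass"
        rm -f server.req client.req
        chmod 644 openssl.cnf ca.cer server.cer client.cer   # public material
    )
}

# verify_pki DIR: chain, purpose and key/cert consistency checks; 0 on success
verify_pki() {
    dir=$1
    openssl verify -purpose sslserver -CAfile "$dir/ca.cer" "$dir/server.cer" >/dev/null || return 1
    openssl verify -purpose sslclient -CAfile "$dir/ca.cer" "$dir/client.cer" >/dev/null || return 1
    # a client certificate must not pass as a server certificate (EKU separation)
    if openssl verify -purpose sslserver -CAfile "$dir/ca.cer" "$dir/client.cer" >/dev/null 2>&1; then
        echo "client.cer accepted for serverAuth: check the [ client ] extensions" >&2; return 1
    fi
    # a key that does not belong to the certificate is the classic cause of a failed Apache start
    [ "$(openssl x509 -noout -pubkey -in "$dir/server.cer")" = "$(openssl pkey -pubout -in "$dir/server.key")" ] \
        || { echo "server.key does not match server.cer" >&2; return 1; }
}

# usage: sh make_test_pki.sh OUTPUT_DIR [P12_PASSWORD]
if [ -n "${1:-}" ]; then
    build_pki "$1" "${2:-changeit}" && verify_pki "$1" && echo "certificates in $1 verified"
fi
```

Run it as sh make_test_pki.sh /etc/apache2/ssl to produce the files the following sections refer to. With OpenSSL 3.x the PKCS#12 file is written with AES-256 and PBKDF2 by default; if an old browser refuses to import it, add -legacy to the pkcs12 command.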

3. One-way SSL authentication

Once the server's private key and certificate are ready, you can begin the SSL configuration of the Apache web server. In most cases this consists of two steps: enabling mod_ssl and creating a virtual host for port 443/TCP. Enabling mod_ssl is easy; open httpd.conf and remove the comment mark from the line:

    LoadModule ssl_module modules/mod_ssl.so

Because the server will serve HTTPS requests on port 443, Apache must also be told to listen on port 443/TCP by adding the line:

    Listen 443

The virtual host can also be defined in httpd.conf and should look like the one below:

# container tags assumed from the standard Debian default-ssl layout
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    LogLevel warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.cer
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

The Order/allow lines are Apache 2.2 access-control syntax; on Apache 2.4 they are replaced by Require all granted.

In the example above, SSLEngine on enables SSL for the virtual host. SSLCertificateFile gives the full path to the server's certificate and SSLCertificateKeyFile the full path to the server's private key. If the private key is protected by a passphrase, Apache asks for it only when it starts (or obtains it through SSLPassPhraseDialog). Keep the key file readable by root only: Apache loads it before dropping privileges, so it never needs to be readable by the www-data user.

Any change to httpd.conf, such as the ones above, requires a web server restart. If the restart fails, the cause is most likely a configuration error in httpd.conf; run apachectl configtest to locate it, and look at the daemon's error log for the actual message.

Test the new configuration with a web browser. The first connection attempt will almost certainly display an error saying that the server's certificate could not be verified because its issuer is unknown:

    The certificate is not trusted because the issuer certificate is unknown

Importing the CA's certificate into the browser's certificate manager solves this. To add the certificate in Mozilla Firefox, navigate to Preferences > Advanced > Encryption > View Certificates > Authorities and, during the import, tick the box that says: This certificate can identify web sites. Import only the CA certificate (ca.cer), never the CA's private key, and bear in mind that every site whose certificate is signed by this CA will from now on be trusted by that browser.

    Next attempt to connect the web server should be successful.

    SSL server verified certificate

If you want to avoid importing a CA certificate into the browser, you can buy a server certificate from a commercial authority whose root certificates are already distributed with the browser.

4. Two-way SSL authentication

If you have decided to require certificate authentication from every client, all you need to do is add the following lines to the virtual host configuration:

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/ssl/ca.cer

SSLVerifyClient require ensures that clients which do not present a valid certificate issued by one of the trusted certificate authorities cannot communicate with the SSL server at all: the handshake fails before any HTTP request is processed. Some CAs are themselves certified by another CA, which may be certified by yet another, and so on. SSLVerifyDepth 10 specifies how many levels down such a chain the server will still accept a certificate as valid. With SSLVerifyDepth 1, the client's certificate must be signed directly by your trusted CA. In this article the client's certificate is signed directly by the CA, so the only sensible value for SSLVerifyDepth is 1; a larger depth only widens what is accepted. SSLCACertificateFile specifies the full path to the CA certificate (or a concatenation of CA certificates) that client certificates must chain to. It should contain your own CA only, not a bundle of public roots, because every CA listed in this file can issue a certificate that logs in. Note also that nothing here checks revocation: to honour the CRL advertised in the certificates, add SSLCARevocationFile pointing at the CRL together with SSLCARevocationCheck chain (Apache 2.4). Do not forget to restart the Apache web server after any change to its configuration files:

    # apachectl graceful

    If you try to connect to the SSL server without a client certificate an error message will pop up:

    SSL peer was unable to negotiate an acceptable set of security parameters.

All that remains is to import the previously created client certificate in PKCS#12 form into Firefox's certificate manager under the Your Certificates section, by navigating to Preferences > Advanced > Encryption > View Certificates > Your Certificates. During the import you will be asked for the password set when the PKCS#12 file was created. Depending on the browser version, you may also need to set a master password for the software token that the browser uses to store certificates and their private keys.

    Firefox SSL certificate manager

On the next connection attempt, the browser will pop up a dialog asking you to select the certificate to present to the SSL server for client authentication.

    select ssl certificate to by used with ssl connection

    After the selection of a valid certificate, the connection to the SSL server will be granted.

    SSL server verified certificate

5. Other advantages of SSL authentication

Values from the client certificate can be used by the web application to identify the user precisely. With the directive SSLOptions +StdEnvVars, mod_ssl exports information taken from the client certificate, as well as the certificate itself, to the web application as environment variables.

Exporting these variables has a per-request cost, so it is recommended to enable them only for files with certain extensions or for files within a certain directory, as shown in the following example (the FilesMatch pattern is the Debian default; the container tags are assumed):

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

The list of available variables can be found in the mod_ssl documentation. How the variables are accessed is language specific; for completeness, here is a sample CGI script written in Perl that displays the Common Name of the client:

#!/usr/bin/perl
use strict;

# CN from the client certificate, exported by mod_ssl (SSLOptions +StdEnvVars)
my $cn = $ENV{"SSL_CLIENT_S_DN_CN"} // "";
# escape before echoing a certificate field into HTML
$cn =~ s/&/&amp;/g; $cn =~ s/</&lt;/g; $cn =~ s/>/&gt;/g;

print "Content-type: text/html\n";
print "\n";
print $cn;

    Here is an output of the script after its execution by the SSL web server:

    mod_ssl - information taken from the client certificate

mod_ssl also supports using the above variables directly in the server's configuration. This way you can restrict access to some resources to employees of a certain company (the directive goes inside a <Directory> or <Location> block; the value must be quoted because it contains a space):

SSLRequire %{SSL_CLIENT_S_DN_O} eq "Jariq.sk Enterprises"

On Apache 2.4, SSLRequire is deprecated in favour of the expression-based Require expr, which accepts the same variable.

These variables can also be used with the CustomLog directive, through the %{VARNAME}x format item, to log the client's certificate details along with each access. More information can be found in the official mod_ssl documentation.
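As an added example, not the article's own code, here is the idea of the Perl script and of the SSLRequire line above written as a POSIX shell CGI, together with the check an application should perform before trusting the mod_ssl variables. It assumes SSLOptions +StdEnvVars is in effect for the script's directory and uses the article's organization name as the value to admit; the function names are mine:

```shell
#!/bin/sh
# Added example, not from the article: a CGI that authorizes the request from the
# mod_ssl client-certificate variables before using them. Assumes SSLOptions
# +StdEnvVars for this directory; the admitted organization is the article's example.

# client_authorized VERIFY_STATUS ORG REQUIRED_ORG: 0 if mod_ssl verified the
# certificate against SSLCACertificateFile and the Organization matches exactly.
client_authorized() {
    # With SSLVerifyClient optional_no_ca the DN variables are filled in even for a
    # certificate mod_ssl could NOT verify; SSL_CLIENT_VERIFY is then FAILED:reason
    # or GENEROUS, and NONE when no certificate was sent. Only SUCCESS is trustworthy.
    [ "$1" = "SUCCESS" ] || return 1
    # Exact comparison, like SSLRequire's eq: "Jariq.sk Enterprises Ltd" does not match.
    [ "$2" = "$3" ]
}

# html_escape STRING: subject fields are chosen by whoever requested the
# certificate, so never echo them into HTML unescaped.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# respond REQUIRED_ORG: writes the CGI response for the current environment
respond() {
    if client_authorized "${SSL_CLIENT_VERIFY:-NONE}" "${SSL_CLIENT_S_DN_O:-}" "$1"; then
        printf 'Status: 200 OK\r\nContent-Type: text/html\r\n\r\n'
        printf '<p>Hello %s, certificate serial %s issued by %s</p>\n' \
            "$(html_escape "${SSL_CLIENT_S_DN_CN:-}")" \
            "$(html_escape "${SSL_CLIENT_M_SERIAL:-}")" \
            "$(html_escape "${SSL_CLIENT_I_DN_CN:-}")"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'client certificate missing, not verified, or from another organization\n'
    fi
}

# Run as a CGI (for example from /usr/lib/cgi-bin/whoami.cgi); when sourced for
# testing, GATEWAY_INTERFACE is unset and nothing is printed.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    respond "Jariq.sk Enterprises"
fi
```

With SSLVerifyClient require at the virtual-host level the handshake already rejects unverified certificates, so SSL_CLIENT_VERIFY is always SUCCESS when the script runs; the check matters as soon as the directive is relaxed to optional or optional_no_ca, or applied only to part of the site.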

6. Conclusion

If you had not heard about two-way SSL authentication before, after reading this article you may ask yourself why this type of SSL authentication is not used more often in production environments. The usual answer is that the cryptographic operations performed during SSL connections are expensive in terms of web server resources. Performance can be improved with so-called SSL accelerators (cards with a processor optimized for cryptographic operations), but in many cases they cost more than the server itself, which makes two-way SSL authentication unattractive in a web server environment.

7. Linux Apache2 specific notes

Opening port 443 explicitly is not required if the configuration file /etc/apache2/ports.conf already contains an IfModule block for mod_ssl:

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

    Enabling ssl module can be done by:

    a2enmod ssl

If the IfModule mod_ssl.c block is defined in /etc/apache2/ports.conf, the command a2enmod ssl will automatically enable listening on port 443 as well.

The virtual host definition needs a slight change, since the BrowserMatch directive is split over several lines in the Debian configuration:

BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0


    Copyright 2007 - 2014 LinuxConfig.com. All rights reserved.
