Difference between pages "OpenSSL" and "Apache"

From Wikislax

OpenSSL

== What is OpenSSL ? ==

[http://www.openssl.org/ OpenSSL] is an Open Source implementation of the TLS and SSL protocols. It is used as a base for securing the communications (authentication, encryption, signing) of the rest of the Open Source server software. However, following a record of security issues, the security and quality of the software appears more uncertain. In 2013, WikiLeaks published documents obtained by Edward Snowden, which revealed that since 2010 the NSA had effectively broken/bypassed SSL/TLS, possibly by exploiting vulnerabilities such as Heartbleed.

Since OpenSSL 1.0.1g, members of the [http://www.openbsd.org/ OpenBSD] project forked OpenSSL to create a project named [http://www.libressl.org/ LibreSSL] that can be used as a drop-in replacement for OpenSSL.

To make things a bit less worrying, OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories]. The official documentation can be found on the official site [http://www.openssl.org openssl.org] but is somewhat cryptic. '''man openssl''' is a better option.

From a historical point of view, the SSL suite of protocols was created by Netscape to secure communications made over TCP/IP. SSL allows encrypting the data and authenticating the parties on the wire using various methods and algorithms. SSL was the base layer to ensure confidentiality of essential TCP protocols such as '''smtp http pop3 nntp imap ldap'''. SSL encapsulates these services (and others…) using alternate protocol names and port numbers. '''BUT''' the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is TLS v1.2.

{| {{thead}}
|-
! {{chead}} | Protocol
! {{chead}} | Port #
! {{chead}} | Secure Protocol
! {{chead}} | Secure Port #
! {{chead}} | Service
|-
|SMTP||25||SMTPS||465||Mail exchange
|-
|HTTP||80||HTTPS||443||Web browsing
|-
|POP3||110||POP3S||995||Mail retrieval
|-
|NNTP||119||NNTPS||563||News exchange
|-
|IMAP||143||IMAPS||993||Mail retrieval
|-
|LDAP||389||LDAPS||636||LDAP directory
|}

== Use only TLS ==

<u>Please note</u> : the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is v1.2.

== Compiling OpenSSL ==

OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories], which makes it very easy to upgrade to the most secure version at any time. If for some reason you'd nevertheless like to compile it from source, here's how to do it :

<font color=red>Beware : to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using '''ls /usr/lib/*ssl*''' first.</font>

Installing OpenSSL is otherwise quite straightforward :

 # tar -C /usr/local -xvf openssl-x.y.z.tar.gz
 # cd /usr/local
 # chown -R root openssl-x.y.z
 # chgrp -R root openssl-x.y.z
 # cd openssl-x.y.z
 # vi README
 # vi INSTALL
 # make clean
 # ./config --prefix=/usr/local --openssldir=/etc/ssl shared
 # make
 # make test
 # cd /var/log/packages
 # removepkg openssl-x.y.z-X86_64-2
 # removepkg openssl-solibs-x.y.z-X86_64-2
 # cd /usr/local/openssl-x.y.z
 # make install
 # make clean
 # cd ../lib
 # mv libssl* ../lib64
 # mv libcrypto* ../lib64
 # cd pkgconfig
 # mv *ssl.pc ../../lib64/pkgconfig
 # mv *crypto.pc ../../lib64/pkgconfig
 # cd /usr/lib64
 # ln -sf /usr/local/lib64/libssl.so.1.0.0 libssl.so.1
 # ln -sf /usr/local/lib64/libcrypto.so.1.0.0 libcrypto.so.1
 # ldconfig
 # cd /etc/ssl
 # cp -r man /usr/local
 # rm -r man
 # reboot

'''reboot''' makes sure that nothing was missed by the install and that the system is able to boot normally. If anything went wrong, be ready to manually fix your system, for example by reinstalling the default Slackware OpenSSL package using '''installpkg'''.

== Using OpenSSL ==

Except for managing certificates (see the next paragraph), OpenSSL is not used directly but through libraries that encapsulate other protocols such as '''smtp http pop3 nntp imap ldap'''.

== Using Certificates ==

Using a server certificate allows remote '''smtp http pop3 nntp imap ldap''' clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.

To perform the real checking, the clients need to get copies of the server and Certificate Authority certificates. The server certificate comes as part of the TLS protocol. The Certificate Authority certificate, however, must be present on the client.

This is the case for most commercial Certificate Authority certificates, which are preinstalled. Being your own Certificate Authority will save the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.

The home of the '''OpenSSL''' configuration is '''/etc/ssl'''. It initially includes the directories '''certs misc private''' to store the certificates, and a configuration file '''openssl.cnf''', that must be edited first. You might want to change dir and certificate to these values :

 dir = /etc/ssl # Where everything is kept
 certificate = $certs/cacert.pem # The CA certificate

<big><u>To create a self-signed certification authority certificate :</u></big>

<font color=red>Beware : for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X.500 Distinguished Name).</font>

 # '''cd /etc/ssl'''
 # '''openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 .........++++++
 .............++++++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''CA'''
 Common Name (eg, YOUR name) []:'''Studioware.com'''
 Email Address []:'''nospam@studioware.com'''

Note that 1024 bit RSA keys are no longer considered strong : recent OpenSSL releases generate 2048 bit keys by default, and '''-newkey rsa:2048''' (or larger) forces it on older releases.

<big><u>To create a server certificate request :</u></big>

<font color=red>Beware : for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist.</font>

 # '''cd /etc/ssl'''
 # '''mkdir newcerts'''
 # '''openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 365 -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 ................................++++++
 ..................++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''MTA'''
 Common Name (eg, YOUR name) []:'''inner.studioware.com'''
 Email Address []:'''nospam@studioware.com'''
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

<big><u>To sign the server certificate request :</u></big>

 # '''cd /etc/ssl'''
 # '''cat </dev/null >index.txt'''
 # '''cat >serial'''
 '''01'''
 '''<ctrl>d'''
 # '''cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem'''
 # '''openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem'''
 Using configuration from openssl.cnf
 Enter pass phrase for /etc/ssl/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Jan  2 13:40:43 2007 GMT
             Not After : Jan  2 13:40:43 2008 GMT
         Subject:
             countryName               = FR
             localityName              = Rennes
             organizationName          = Studioware
             organizationalUnitName    = MTA
             commonName                = Jean-Pierre Menicucci
             emailAddress              = nospam@studioware.com
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
             X509v3 Authority Key Identifier:
                 keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93
 
 Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
 Sign the certificate? [y/n]:'''y'''
 
 1 out of 1 certificate requests certified, commit? [y/n]'''y'''
 Write out database with 1 new entries
 Data Base Updated

<big><u>To remove the pass phrase from the server private key :</u></big>

<font color=red>Beware : it is necessary to remove this pass phrase so that sendmail can start without any human intervention.</font>

 # '''openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure'''
 Enter pass phrase for newcerts/mtakey.pem:
 writing RSA key

<big><u>To move the files to the right directories with the right rights and clean up :</u></big>

 # '''cd newcerts'''
 # '''ls'''
 01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
 # '''mv mtacert.pem ../certs'''
 # '''mv mtakey* ../private'''
 # '''rm 01.pem mta.pem mtareq.pem'''
 # '''cd ../certs'''
 # '''chmod go+r *'''
 # '''cd ../private'''
 # '''chmod go-r *'''

When renewing an existing certificate mtakey.pem, the following commands make the required copies for each service, each owned by the user that service runs as :

 # '''cp mtakey.pem.unsecure apache.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure news.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure'''
 # '''chown apache:apache apache.mtakey.pem.unsecure'''
 # '''chown asterisk:asterisk asterisk.mtakey.pem.unsecure'''
 # '''chown ldap:ldap ldap.mtakey.pem.unsecure'''
 # '''chown smmsp:smmsp smmsp.mtakey.pem.unsecure'''
 # '''chown news:news news.mtakey.pem.unsecure'''
 # '''cd ../certs'''
 # '''vi mtacert.pem'''
 d59d
 :$
 :r ../private/mtakey.pem.unsecure
 :w! server.pem
 :x
 # '''chown cyrus:mail server.pem'''
 # '''chmod 600 server.pem'''

<big><u>To check an external certificate</u></big>

For OpenSSL to use an external certification authority certificate, you need to place in your '''/etc/ssl/certs''' directory a copy of it and a symbolic link to this copy. The name of this link must be based on the certificate hash code (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way :

 # C=CertificateFileName
 # ln -s $C `openssl x509 -noout -hash < $C`.0

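Before answering '''y''' to the '''Sign the certificate?''' prompt of '''openssl ca''', the "Certificate Details" block can be checked against the two Beware notes above (the common name must be a fully qualified domain name, and the server DN must differ from the CA DN) plus the CA:FALSE constraint and the requested validity. The following is an added example, not code from this wiki or from OpenSSL; the details text is a constructed sample in the layout of the transcript above, and '''CA_SUBJECT''' is the DN answered at the CA prompts.

```python
import re
from datetime import datetime

# CA DN as answered at the `openssl req -new -x509` prompts on this page.
CA_SUBJECT = {
    "countryName": "FR", "localityName": "Rennes",
    "organizationName": "Studioware", "organizationalUnitName": "CA",
    "commonName": "Studioware.com", "emailAddress": "nospam@studioware.com",
}

# Constructed sample in the layout `openssl ca` prints before the
# "Sign the certificate? [y/n]" prompt (values from the page's walkthrough).
SAMPLE_DETAILS = """\
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  2 13:40:43 2007 GMT
            Not After : Jan  2 13:40:43 2008 GMT
        Subject:
            countryName               = FR
            localityName              = Rennes
            organizationName          = Studioware
            organizationalUnitName    = MTA
            commonName                = inner.studioware.com
            emailAddress              = nospam@studioware.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Lower-case host name made of dot-separated labels, ending in a TLD.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def _parse_time(s):
    # openssl prints "Jan  2 13:40:43 2007 GMT"; drop the zone, squeeze spaces.
    return datetime.strptime(" ".join(s.split()[:4]), "%b %d %H:%M:%S %Y")


def parse_details(text):
    """Return (subject dict, not_before, not_after, ca_flag) from the block."""
    subject, in_subject = {}, False
    not_before = not_after = ca_flag = None
    for line in text.splitlines():
        s = line.strip()
        if s == "Subject:":
            in_subject = True
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)$", s) if in_subject else None
        if m:
            subject[m.group(1)] = m.group(2).strip()
            continue
        in_subject = False  # first line that is not "key = value" ends the DN
        if s.startswith("Not Before:"):
            not_before = _parse_time(s.split(":", 1)[1])
        elif s.startswith("Not After :"):
            not_after = _parse_time(s.split(":", 1)[1])
        elif s.startswith("CA:"):
            ca_flag = s[3:].strip().upper() == "TRUE"
    return subject, not_before, not_after, ca_flag


def check_before_signing(details, ca_subject=CA_SUBJECT, requested_days=365):
    """Return the problems found; an empty list means it is safe to answer y."""
    subject, nb, na, ca_flag = parse_details(details)
    problems = []
    cn = subject.get("commonName", "")
    if not FQDN_RE.match(cn.lower()):
        problems.append("commonName %r is not a fully qualified domain name" % cn)
    if subject == ca_subject:
        problems.append("server DN is identical to the CA DN")
    if ca_flag is not False:
        problems.append("Basic Constraints is not CA:FALSE")
    if nb is None or na is None or (na - nb).days != requested_days:
        problems.append("validity is not the requested %d days" % requested_days)
    return problems
```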

Latest revision as of 15:40, 11 January 2025

What is Apache ?

Apache (http://httpd.apache.org) is the most widespread and powerful Open Source HTTP server.

Apache is included in the base Slackware distribution, so it is possible to skip installation altogether and proceed to Configuring Apache below. As part of Slackware, Apache benefits from the Slackware security advisories.

Installing Apache

Download Apache (http://httpd.apache.org/download.cgi) and untar it under /usr/local. The documentation (http://httpd.apache.org/docs/2.2) is available online. By default Apache is installed in /usr/local/apache2. Here we split Apache across the directories /etc, /usr/local and /var/www. --enable-authnz-ldap and --enable-ldap enable LDAP based authentication, --enable-ssl enables SSL/TLS support, --with-openssl specifies the location of the OpenSSL source and --enable-so is required for PHP, to be installed at the next step.

# groupadd apache
# useradd -g apache apache
# tar -C /usr/local -xvf httpd-x.y.z.txz
# cd /usr/local/httpd*
# ./configure --prefix=/var/www --bindir=/usr/local/bin \
--sbindir=/usr/local/sbin --sysconfdir=/etc/httpd \
--libdir=/usr/local/lib64 --includedir=/usr/local/include \
--datarootdir=/usr/local/share --mandir=/usr/local/man \
--enable-authnz-ldap --enable-ldap --enable-ssl \
--with-openssl=/usr/local/openssl-1.0.2a \
--enable-so --enable-mime-magic
# make
# removepkg /var/log/packages/httpd-x.y.z
# mv /etc/httpd /etc/httpd.0
# make install
# make clean
# cd /var
# chown -R apache:apache www

Configuring Apache

Edit /etc/httpd/httpd.conf to change the User and Group to apache and enter the ServerAdmin e-mail address. To prevent Apache from displaying version information, specify ServerSignature Off and ServerTokens prod. To prevent users from viewing directory content, remove the Indexes option in section <Directory "/var/www/htdocs">. Check section <IfModule dir_module> to make sure which file names will be served if a directory is requested (by default index.html).

User apache
Group apache
. . .
ServerAdmin postmaster@inner

ServerSignature Off
ServerTokens prod

<Directory "/var/www/htdocs">
. . .
Options Indexes FollowSymLinks
. . .
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.htm index.php
</IfModule>

Running Apache

To launch Apache automatically at startup, edit /etc/rc.d/rc.httpd and update the paths to reflect the installation of the software under /usr/local/sbin. Give the file execution rights, launch the software using /etc/rc.d/rc.httpd start, check that it is running with ps -ef | grep httpd, point your browser to http://localhost, which should load the Apache test page with the message It works!, then open port 80 on the firewall.

# vi /etc/rc.d/rc.httpd
. . .
case "$1" in
  'start')
    /usr/local/sbin/apachectl -k start
  ;;
  'stop')
    /usr/local/sbin/apachectl -k stop
    killall httpd
    rm -f /var/www/logs/httpd/*.pid
  ;;
  'restart')
    /usr/local/sbin/apachectl -k restart
  ;;
  'graceful')
    /usr/local/sbin/apachectl -k graceful
  ;;
  'graceful-stop')
    /usr/local/sbin/apachectl -k graceful-stop
  ;;
  *)
    echo "Usage: $0 {start|stop|restart|graceful|graceful-stop}"
  ;;
esac
:x
# chmod u+x /etc/rc.d/rc.httpd
# /etc/rc.d/rc.httpd start
# ps -ef | grep httpd
root      9875     1  1 07:52 ?        00:00:00 /usr/local/sbin/httpd -k start
apache    9876  9875  0 07:52 ?        00:00:00 /usr/local/sbin/httpd -k start
apache    9877  9875  0 07:52 ?        00:00:00 /usr/local/sbin/httpd -k start
apache    9878  9875  0 07:52 ?        00:00:00 /usr/local/sbin/httpd -k start
apache    9879  9875  0 07:52 ?        00:00:00 /usr/local/sbin/httpd -k start
apache    9880  9875  0 07:52 ?        00:00:00 /usr/local/sbin/httpd -k start
root      9882  3198  0 07:52 pts/1    00:00:00 grep httpd
# vi /etc/rc.d/rc.firewall
. . .
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
. . .
:x
# /etc/rc.d/rc.firewall restart

Using encryption

As we use HTTP applications that require login with passwords, we configure httpd.conf with SSL/TLS. This is described simply in the Apache documentation, SSL/TLS Strong Encryption: How-To (https://httpd.apache.org/docs/2.4/en/ssl/ssl_howto.html). At least the directives below are required in /etc/httpd/httpd.conf. The SSLCipherSuite directive enables only the strongest ciphers. apache.mtakey.pem.unsecure is the copy of your server private key, with its pass phrase removed, owned by apache:apache (it is created on the OpenSSL page) :

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName inner.studioware.com
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/mtacert.pem"
    SSLCertificateKeyFile "/etc/ssl/private/apache.mtakey.pem.unsecure"
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

For this example to work in Firefox with your self-signed CA certificate, you need to import it using the Preferences > Advanced > Certificates > View certificates > Authorities > Import menu. We have chosen to encrypt the whole site, but it is possible to restrict the directives to specific areas. More details can be found in the Apache Module mod_ssl (https://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html) and Apache (https://httpd.apache.org/docs/2.4/en/) documentation.
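The settings asked for in Configuring Apache and Using encryption (User/Group apache, ServerSignature Off, ServerTokens Prod, no Indexes on /var/www/htdocs, SSLEngine on with an SSLCipherSuite) can be verified mechanically before restarting httpd. This is an added example, not code from this wiki or from the Apache project; both configuration texts are constructed samples, and the SSLProtocol check goes beyond the page by enforcing the Use only TLS rule through mod_ssl's SSLProtocol directive.

```python
# Constructed sample: the stock httpd.conf fragments before the page's edits.
STOCK_CONF = """\
User daemon
Group daemon
ServerAdmin you@example.com
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the same file after the edits on this page, plus an
# SSLProtocol line (not on the page) so SSLv2/SSLv3 are never negotiated.
HARDENED_CONF = """\
User apache
Group apache
ServerAdmin postmaster@inner
ServerSignature Off
ServerTokens Prod
<Directory "/var/www/htdocs">
    Options FollowSymLinks
</Directory>
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName inner.studioware.com
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/mtacert.pem"
    SSLCertificateKeyFile "/etc/ssl/private/apache.mtakey.pem.unsecure"
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""


def parse_directives(text):
    """Flatten the file into (name, value) pairs; section open/close tags
    stay in the list so the nesting can be followed."""
    pairs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        name, _, value = s.partition(" ")
        pairs.append((name, value.strip().rstrip(">").strip('"')))
    return pairs


def audit(text):
    """Return the findings for the page's checklist; empty means it passes."""
    pairs = parse_directives(text)
    val = {n.lower(): v for n, v in reversed(pairs)}  # first occurrence wins
    findings = []
    if val.get("user") != "apache" or val.get("group") != "apache":
        findings.append("httpd does not run as User/Group apache")
    if val.get("serversignature", "").lower() != "off":
        findings.append("ServerSignature Off missing: error pages reveal the version")
    if val.get("servertokens", "").lower() != "prod":
        findings.append("ServerTokens Prod missing: Server header reveals the version")
    in_htdocs = False  # Indexes must be gone from the /var/www/htdocs section
    for name, value in pairs:
        if name == "<Directory" and value == "/var/www/htdocs":
            in_htdocs = True
        elif name == "</Directory>":
            in_htdocs = False
        elif in_htdocs and name.lower() == "options" and "indexes" in value.lower().split():
            findings.append("Indexes option still enabled for /var/www/htdocs")
    if val.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine on missing: login passwords would travel in clear")
    else:
        if "sslciphersuite" not in val:
            findings.append("SSLCipherSuite missing: weak ciphers stay enabled")
        proto = val.get("sslprotocol", "").split()
        if "-SSLv3" not in proto and "-all" not in proto:
            findings.append("SSLProtocol does not exclude SSLv3 (see Use only TLS)")
    return findings
```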

