Install and Configure Apache2 with PHP5 and SSL Support

Introduction to SSL

Secure Sockets Layer (SSL) is the most widely known protocol that offers privacy
and good reliability for client-server communication over the Internet. SSL itself
is conceptually quite simple: it negotiates the cryptography algorithms and keys
between two sides of a communication, and establishes an encrypted tunnel
through which other protocols (like HTTP) can be transported. Optionally, SSL can
also authenticate both sides of communication through the use of certificates.

SSL is a layered protocol and consists of four sub-protocols:

• SSL Handshake Protocol
• SSL Change Cipher Spec Protocol
• SSL Alert Protocol
• SSL Record Layer

The position of these protocols in the TCP/IP model is illustrated in Figure 1.

Figure 1. SSL sub-protocols in the TCP/IP model

As Figure 1 shows, SSL sits in the application layer of the TCP/IP model.
Because of this, SSL can be implemented on almost every operating system that
supports TCP/IP, without any need to modify the kernel or the TCP/IP stack. This
gives SSL a strong advantage over protocols like IPSec (IP Security Protocol),
which requires kernel support and a modified TCP/IP stack. SSL also passes
easily through firewalls and proxies, as well as through NAT (Network Address
Translation), without issues.

Promathesh Mandal 1
How does SSL work? The diagram below, Figure 2, shows the simplified, step-by-
step process of establishing each new SSL connection between the client (usually
a web browser) and the server (usually an SSL web server).

Figure 2. How SSL establishes a connection, step by step.

As Figure 2 shows, establishing each new SSL connection starts with exchanging
encryption parameters and then optionally authenticating the server (using the
SSL Handshake Protocol). If the handshake succeeds and both sides agree on a
common cipher suite and encryption keys, the application data (usually HTTP, but
it can be another protocol) can be sent through the encrypted tunnel (using the
SSL Record Layer).

In reality the process is a little more complicated. To avoid unnecessary
handshakes, some of the encryption parameters are cached. Alert messages may be
sent, and cipher suites can be changed as well. Regardless of these details of
the SSL specification, the way the process most commonly works is very similar
to the description above.
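The layering described above (a Record Layer carrying the Handshake, Change Cipher Spec, Alert and application-data sub-protocols) is easiest to see in the bytes themselves. The following Python script is an added example, not part of the original article: it parses the five-byte record header and the first header of whichever sub-protocol the record carries, over a constructed sample stream (a TLS 1.0 ClientHello, a ChangeCipherSpec, a fatal handshake_failure alert and one application-data record). The content-type, handshake-type and alert values are the ones defined in RFC 2246; the sample bytes are constructed here and are not a captured session.

```python
import struct

# Record-layer content types, one per SSL sub-protocol (RFC 2246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Version field of the record header -> protocol name
VERSIONS = {(3, 0): "SSL v3.0", (3, 1): "TLS v1.0 (SSL v3.1)", (3, 2): "TLS v1.1", (3, 3): "TLS v1.2"}

# Handshake message types carried inside a handshake record
HANDSHAKE_TYPES = {
    0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}


def parse_records(data):
    """Split a byte string of concatenated records into one dict per record.

    Only the record header and the first header of the sub-protocol it carries
    are decoded; that is enough to show the layering. Truncated input raises
    ValueError instead of being silently accepted."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        rec = {
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
            "length": length,
        }
        if ctype == 22 and length >= 4:          # handshake: 1-byte type, 3-byte length
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
            rec["handshake_length"] = int.from_bytes(body[1:4], "big")
        elif ctype == 21 and length >= 2:        # alert: level, description
            rec["alert"] = (ALERT_LEVELS.get(body[0], "unknown"),
                            ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1]))
        elif ctype == 20:                        # change cipher spec: the single byte 0x01
            rec["change_cipher_spec"] = body == b"\x01"
        records.append(rec)
        pos += 5 + length
    return records


def build_client_hello():
    """Constructed TLS 1.0 ClientHello record: version 3.1, zeroed random, empty
    session id, one cipher suite (0x002F, TLS_RSA_WITH_AES_128_CBC_SHA) and
    null compression. Real clients fill the random field from a CSPRNG."""
    hello = bytes([3, 1]) + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = bytes([1]) + len(hello).to_bytes(3, "big") + hello
    return bytes([22, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample stream: ClientHello, ChangeCipherSpec, fatal alert, application data.
SAMPLE_STREAM = (
    build_client_hello()
    + bytes([20, 3, 1, 0, 1, 1])
    + bytes([21, 3, 1, 0, 2, 2, 40])
    + bytes([23, 3, 1, 0, 5]) + b"hello"
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(rec)
```

Running the script prints one dictionary per record; the first shows a handshake record of version 3.1 carrying a client_hello of 41 bytes, which is exactly the "TLS v1.0 is SSL v3.1" relationship described later in this article.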

SSL, PCT, TLS and WTLS (but not SSH)

Although SSL is the best known and the most popular, it is not the only protocol
that has been used to secure web transactions. Since the invention of SSL v1.0
(which was never released) there have been at least five protocols that have
played a more or less important role in securing access to the World Wide Web:

• SSL v2.0
Released by Netscape Communications in 1994. The main goal of this
protocol was to provide security for transactions over the World Wide Web.
Unfortunately, very quickly a number of security weaknesses were found
in this initial version of the SSL protocol, thus making it less reliable for
commercial use:
o weak MAC construction
o possibility of forcing parties to use weaker encryption
o no protection for handshakes
o possibility of an attacker performing truncation attacks
• PCT v1.0
Developed in 1995 by Microsoft. Privacy Communication Technology (PCT)
v1.0 addressed some weaknesses of SSL v2.0, and was aimed to replace
SSL. However, this protocol has never gained as much popularity as SSL
v3.0.
• SSL v3.0
Released in 1996 by Netscape Communications. SSL v3.0 solved most of
the SSL v2.0 problems and incorporated many of the features of PCT. It
quickly became the most popular protocol for securing communication over
the WWW.
• TLS v1.0 (also known as SSL v3.1)
Published by the IETF in 1999 (RFC 2246). This protocol is based on SSL
v3.0 and PCT and harmonizes Netscape's and Microsoft's approaches. It is
important to note that although TLS is based on SSL, it is not 100%
backward compatible with its predecessor. The IETF made several security
improvements: HMAC instead of the SSL v3.0 MAC construction, a different
calculation of the master secret and key material, additional alert
codes, no support for Fortezza cipher suites, and so on. The end result of
these improvements is that the two protocols do not fully interoperate.
Fortunately, TLS also has a mode for falling back to SSL v3.0.

• WTLS
"Mobile and wireless" version of the TLS protocol that uses the UDP
protocol as a carrier. It is designed and optimized for the lower bandwidth
and smaller processing capabilities of WAP-enabled mobile devices. WTLS
was introduced with the WAP 1.1 protocol, and was released by the WAP
Forum. However, after the introduction of the WAP 2.0 protocol, WTLS has
been replaced by a profiled version of the TLS protocol, which is much
more secure -- mainly because there is no need for decryption and re-
encryption of the traffic at the WAP gateway.

Why has the SSH (Secure Shell) protocol not been used to provide secure access
to the World Wide Web? There are a few reasons. First of all, from the very
beginning TLS and SSL were designed for securing web (HTTP) sessions, whereas
SSH was intended to replace Telnet and FTP. SSL does nothing more than perform a
handshake and establish an encrypted tunnel, whereas SSH offers console login,
secure file transfer, and support for multiple authentication schemes
(including passwords, public keys, Kerberos, and more). On the other hand,
SSL/TLS is based on X.509v3 certificates and PKI, which makes the distribution
and management of authentication credentials much easier. These and other
reasons make SSL/TLS more suitable for securing WWW access and similar forms of
communication, including SMTP, LDAP and others, whereas SSH is more convenient
for remote system management.

To summarize, although several "secure" protocols do exist, only two of them
should be used for securing web transactions (at least at the moment): TLS v1.0
and SSL v3.0. Both are referred to in the rest of this article series simply as
SSL/TLS. Because of the known weaknesses of SSL v2.0, and the famous "WAP gap"
in the case of WTLS, the use of these other protocols should be avoided or at
least minimized.

Required Packages:

apache2
openssl
ssl-cert
libapache2-mod-php5
php5-cli
php5-common
php5-cgi

Configuration Steps:

Step 1:

To generate a self-signed certificate, use the following command. It writes both
the certificate and its private key into /etc/apache2/apache.pem, and -nodes
leaves the private key unencrypted:

#openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:West Bengal
Locality Name (eg, city) []:Kolkata
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MAT3 Impex Pvt. Ltd.
Organizational Unit Name (eg, section) []:Crypto-Devel
Common Name (eg, YOUR name) []:Promathesh Mandal
Email Address []:promatesh@mat3impex.com
This completes the certificate. Because the file now holds the unencrypted
private key as well as the certificate, make sure it is readable only by root;
if it is not, set the correct permissions with the following command:
#chmod 600 /etc/apache2/apache.pem
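A quick way to confirm that Step 1 left the file in the expected state is to audit it rather than eyeball it. The Python script below is an added example, not part of the original article: it checks that the PEM file holds both a CERTIFICATE and a PRIVATE KEY block, that the key is not passphrase-protected (Apache would otherwise prompt at startup), and that the mode grants nothing to group or other. The placeholder file it writes is constructed here and its base64 bodies are not a real key or certificate; the demo() helper is also an assumption of this example.

```python
import os
import re
import stat
import tempfile

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <same label>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def audit_pem_text(text):
    """Findings about the contents of a combined key+certificate PEM file."""
    findings = []
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no PRIVATE KEY block found (check that -keyout points at this file)")
    if "Proc-Type: 4,ENCRYPTED" in text:
        findings.append("private key is passphrase-protected; Apache will prompt at startup "
                        "unless SSLPassPhraseDialog is configured (-nodes avoids this)")
    return findings


def audit_pem(path):
    """Contents findings plus a permission check: the unencrypted key needs mode 0600."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; expected 0600" % mode)
    with open(path, encoding="ascii", errors="replace") as fh:
        findings.extend(audit_pem_text(fh.read()))
    return findings


# Constructed placeholder: the base64 bodies below are NOT a real key or certificate.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVJLRVlOT1RSRUFM
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJDRVJUTk9UUkVBTA==
-----END CERTIFICATE-----
"""


def demo():
    """Write the placeholder as a careless copy might leave it (0644), audit it,
    then apply the chmod 600 from Step 1 and audit again. Returns both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "apache.pem")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PEM)
        os.chmod(path, 0o644)
        before = audit_pem(path)
        os.chmod(path, 0o600)
        after = audit_pem(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 600:", before)
    print("after chmod 600: ", after)
```

Point audit_pem() at /etc/apache2/apache.pem on the server itself to check the real file; an empty list means the file looks the way Step 1 intends.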

Step 2:
By default the server listens for incoming HTTP requests on port 80 only, not for
SSL connections on port 443. To enable SSL support, add the following entry to
the file /etc/apache2/ports.conf, then save and exit the file.
Listen 443

Step 3:
Enable SSL Support
To enable SSL support for your Apache web server, use the following command:
#a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
Now restart the apache2 server with the following command:
#/etc/init.d/apache2 restart

Step 4:
Configuring SSL Certificate to Virtual Hosts in Apache2
First edit the /etc/apache2/sites-available/default file and change
NameVirtualHost *
to
NameVirtualHost *:80
NameVirtualHost *:443
Now configure the virtual hosts that use port 80.
Example
ServerAdmin webmaster@localhost
.
.
.
Then configure the virtual hosts that use port 443. The main difference is that
each SSL host needs the following two lines:
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
Example
ServerAdmin webmaster@localhost
.
.
.
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
Now reload your Apache web server with the following command:
# /etc/init.d/apache2 reload

Sample Files:

Sample "ports.conf" file


Listen 80
Listen 443

Sample "default" file


NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/


<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined


ServerSignature On

Alias /doc/ "/usr/share/doc/"


<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>

<VirtualHost *:443>

ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/


<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined


ServerSignature On

Alias /doc/ "/usr/share/doc/"


<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>
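Steps 2 to 4 and the sample files above spread the SSL setup over two files, so a mismatch (a port 443 host without a matching Listen, or without its NameVirtualHost line) is easy to miss. The following Python script is an added example and not part of the original article: it parses ports.conf and the sites-available/default file with a small line-oriented parser, then reports per virtual host whether the pieces line up, whether SSLEngine on is paired with an SSLCertificateFile, whether SSLProtocol excludes SSL v2.0 (which the introduction says should be avoided), and whether ServerSignature is on. The parser, the finding texts and the two constructed configuration samples are assumptions of this example; the claim that mod_ssl's default SSLProtocol of "all" still included SSLv2 applies to the Apache 2.2/OpenSSL generation this article targets.

```python
import re

# What 'SSLProtocol all' expanded to on the Apache 2.2 / mod_ssl generation this
# article targets (assumption of this example; newer releases dropped SSLv2).
SSL_ALL = {"sslv2", "sslv3", "tlsv1"}


def parse_apache(conf_text):
    """Minimal line-oriented parser. Returns (global_directives, vhosts): each
    directive is (name_lowercase, argument_string); each vhost is (address,
    directives). <Directory>-style containers are not modelled, so their inner
    directives are attributed to the enclosing scope, which is enough here."""
    global_directives, vhosts, current = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        open_vh = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if open_vh:
            current = (open_vh.group(1).strip(), [])
            continue
        if re.match(r"</VirtualHost\s*>", line, re.I):
            vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):          # other container tags: ignored
            continue
        parts = line.split(None, 1)
        directive = (parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
        (current[1] if current is not None else global_directives).append(directive)
    return global_directives, vhosts


def enabled_protocols(sslprotocol_args):
    """Apply mod_ssl's +/- token semantics to find which protocols stay enabled."""
    enabled = set()
    for tok in sslprotocol_args.split():
        sign, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("+", tok.lower())
        names = SSL_ALL if name == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit_ssl_config(ports_conf, sites_default):
    """Cross-check ports.conf against the vhost file; returns a list of findings."""
    findings = []
    listen_ports = {args.rsplit(":", 1)[-1]
                    for name, args in parse_apache(ports_conf)[0] if name == "listen"}
    global_directives, vhosts = parse_apache(sites_default)
    declared = {args for name, args in global_directives if name == "namevirtualhost"}
    for addr, directives in vhosts:
        seen = {}
        for name, args in directives:
            seen.setdefault(name, args)           # first occurrence wins
        port = addr.rsplit(":", 1)[-1] if ":" in addr else "80"
        if port not in listen_ports:
            findings.append(f"{addr}: no 'Listen {port}' in ports.conf, so this host is unreachable")
        if addr not in declared:
            findings.append(f"{addr}: no 'NameVirtualHost {addr}' declaration")
        ssl_on = seen.get("sslengine", "off").lower() == "on"
        if port == "443" and not ssl_on:
            findings.append(f"{addr}: port 443 host without 'SSLEngine on'")
        if ssl_on:
            if "sslcertificatefile" not in seen:
                findings.append(f"{addr}: 'SSLEngine on' but no SSLCertificateFile")
            if "sslprotocol" not in seen:
                findings.append(f"{addr}: no SSLProtocol directive; the default 'all' "
                                "leaves SSLv2 enabled where OpenSSL still supports it")
            elif "sslv2" in enabled_protocols(seen["sslprotocol"]):
                findings.append(f"{addr}: SSLProtocol '{seen['sslprotocol']}' still allows SSLv2")
        if seen.get("serversignature", "off").lower() == "on":
            findings.append(f"{addr}: ServerSignature On appends the server version to generated pages")
    return findings


# Constructed samples, trimmed from the article's sample files.
PORTS_CONF = "Listen 80\nListen 443\n"

SITES_DEFAULT = """NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
    DocumentRoot /var/www/
    ServerSignature On
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
    DocumentRoot /var/www/
    ServerSignature On
</VirtualHost>
"""

# The same hosts with SSLv2 switched off and the signature footer disabled.
HARDENED_DEFAULT = SITES_DEFAULT.replace("ServerSignature On", "ServerSignature Off").replace(
    "SSLEngine on\n", "SSLEngine on\n    SSLProtocol all -SSLv2\n")

if __name__ == "__main__":
    for f in audit_ssl_config(PORTS_CONF, SITES_DEFAULT):
        print("-", f)
    print("hardened:", audit_ssl_config(PORTS_CONF, HARDENED_DEFAULT) or "no findings")
```

Run against the article's sample files the audit reports three findings (the missing SSLProtocol on the *:443 host and ServerSignature On on both hosts); the hardened variant reports none. On a real server, read the two files from /etc/apache2 and pass their contents to audit_ssl_config().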
