Starting up a local SSL Server

I gave a brief overview of things to know about Secure Sockets Layer (SSL) in my last post. This post covers setting up a local SSL server for development or testing. It will also get you started with OpenSSL, the open-source SSL/TLS and cryptography toolkit.

We now know that we need a certificate to set up a secure channel, and that certificate carries the server's public key from a public-key cryptosystem (RSA in this post). macOS already comes with OpenSSL installed; for Windows you can download it from this source: https://www.openssl.org/source/

If required, you can upgrade the OpenSSL library using Homebrew or MacPorts.

We can either use a certificate issued by a trusted Certificate Authority or generate our own self-signed one with OpenSSL for testing. Create a new directory to store the output and navigate to it in a terminal or cmd. This command will generate a self-signed certificate and its private key:

openssl req \
-newkey rsa:2048 -nodes -keyout ssl.key \
-x509 -days 365 -out ssl.crt

req
The PKCS#10 (Public Key Cryptography Standards #10) certificate request and certificate generating utility.

-x509
This option outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.

-newkey arg
This option creates a new certificate request and a new private key. The argument takes one of several forms; rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. (The bigger the key, the slower the algorithm. In this case I am using 2048 bits; you can also use 4096 bits.)

-keyout filename
This gives the filename to write the newly created private key.

-out filename
This specifies the output filename to write to or standard output by default.

-days XXX
When the -x509 option is being used, this specifies the number of days the certificate is valid for (the default is 30 days; I am using 365).

-nodes
If this option is specified and a private key is created, the key will not be encrypted (no passphrase prompt).

Enabling SSL in Apache Server

macOS comes with Apache Server installed; on Windows you install Apache Server yourself. To set up SSL, we need to modify httpd.conf, located at:

/etc/apache2/httpd.conf

To modify the httpd.conf file we will use the nano text editor. The commands need root privileges, so add "sudo" in front of them.

$ cd /etc/apache2/
$ sudo nano httpd.conf

Find the following lines and uncomment them. In case you are not sure, comments have a leading pound/hash symbol ( # ); just remove it.

LoadModule ssl_module libexec/apache2/mod_ssl.so
Include /private/etc/apache2/extra/httpd-ssl.conf

Save the file using Ctrl+X, type 'yes' when asked to save the buffer, and press return.

The last step is to configure httpd-ssl.conf, which is located at:
/etc/apache2/extra/httpd-ssl.conf
To modify the httpd-ssl.conf file we will again use the nano text editor.

$ cd /etc/apache2/extra
$ sudo nano httpd-ssl.conf

Add the following NameVirtualHost and Listen directives:

NameVirtualHost *:443
Listen 443

You can specify your own port number; the default is 443. (On Apache 2.4 the NameVirtualHost directive no longer has any effect and only emits a warning, but Listen 443 is still required.)
Also configure your default virtualhost:

# The <VirtualHost> container below is assumed; the stock httpd-ssl.conf uses _default_:443
<VirtualHost _default_:443>
DocumentRoot "/Users/mayank/Sites"
ServerName localhost:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/private/etc/apache2/ssl/ssl.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/ssl.key"
</VirtualHost>

You can either copy the certificate and key to that directory or point SSLCertificateFile and SSLCertificateKeyFile at a directory of your own.
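One caveat on the block above: on mod_ssl 2.4, "all -SSLv2" still leaves SSLv3, TLS 1.0 and TLS 1.1 enabled, and the MEDIUM keyword admits weak cipher suites. The Python checker below is an added example (not from the original post) that parses the SSLProtocol and SSLCipherSuite directives, flags those settings on the post's own lines, and shows a hardened alternative; its expansion of "all" is an approximation of mod_ssl's.

```python
import re

# Approximation of what mod_ssl 2.4 expands "all" to: SSLv2 is never
# included; SSLv3 is included unless OpenSSL was built without it.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(arg):
    """Expand an SSLProtocol argument (e.g. 'all -SSLv2') into the enabled set."""
    enabled = set()
    for tok in arg.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled

def lint_ssl_config(text):
    """Return findings for the SSLProtocol / SSLCipherSuite lines of a vhost."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)$", line)
        if not m:
            continue
        directive, arg = m.group(1), m.group(2).strip().strip('"')
        if directive == "SSLProtocol":
            weak = sorted(effective_protocols(arg) & DEPRECATED)
            if weak:
                findings.append("SSLProtocol still enables " + ", ".join(weak))
        else:
            # OpenSSL cipher string: colon separated; '!' and '-' remove entries.
            groups = {g.lstrip("+") for g in arg.split(":") if g and g[0] not in "!-"}
            if groups & {"MEDIUM", "LOW"}:
                findings.append("SSLCipherSuite includes MEDIUM/LOW strength ciphers")
            if "!aNULL" not in arg.split(":"):
                findings.append("SSLCipherSuite does not exclude aNULL ciphers")
    return findings

# Constructed samples: the directives from the post, and a hardened version.
POST_VHOST = "SSLEngine on\nSSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
HARDENED_VHOST = "SSLEngine on\nSSLProtocol -all +TLSv1.2 +TLSv1.3\nSSLCipherSuite HIGH:!aNULL:!MD5\n"

if __name__ == "__main__":
    for name, cfg in (("post", POST_VHOST), ("hardened", HARDENED_VHOST)):
        print(name + ":", lint_ssl_config(cfg) or ["ok"])
```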

Additional virtual host setup (not required for the test server):
To set up a new virtualhost, enable SSL in your vhost directive:

# The <VirtualHost> and <Directory> containers below are assumed (AllowOverride is only valid inside <Directory>)
<VirtualHost *:443>
ServerAlias www.192.168.90.25.xip.io
DocumentRoot "/Users/charles/Sites/project"
<Directory "/Users/charles/Sites/project">
Options FollowSymLinks Indexes
AllowOverride All
</Directory>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/private/etc/apache2/ssl/www_192_168_90_25_xip_io.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/www_192_168_90_25_xip_io.key"
</VirtualHost>
