Installing SSL
Now that you've learned all about SSL, you need to install SSL support for Apache. SSL support is provided by mod_ssl, a module that is included with Apache but is not enabled by default. mod_ssl, in turn, requires the OpenSSL library, an open source implementation of the SSL/TLS protocols and a variety of other cryptographic algorithms. OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. You can learn more about mod_ssl and OpenSSL from the websites noted in the reference section at the end of the hour.
OpenSSL
This section explains how to download and install the OpenSSL toolkit for both Windows and Unix variants.
Windows
At the time of writing this book, the Apache Software Foundation does not provide an SSL-enabled binary installer for Windows due to legal restrictions. That situation is likely to change soon, and you will be able to access a precompiled SSL module and libraries. Check the Apache site for up-to-date information. The rest of the hour assumes that you have access to the openssl.exe command-line utility, which will be included in the bin/ directory of the SSL-enabled Apache distribution. It is a utility for generating certificates, keys, signing requests, and so on.
Unix
If you are running a recent Linux or FreeBSD distribution, OpenSSL might already be installed in your system. Use the package management tools bundled with your distribution to determine whether that is the case or, otherwise, to install it.
If you need to install OpenSSL from source, you can download OpenSSL from http://www.openssl.org. After you have downloaded the software, you need to uncompress it and cd into the created directory:
# gunzip < openssl*.tar.gz | tar xvf -
# cd openssl*
OpenSSL contains a config script to help you build the software. You must provide the path to which the software will install. The path used in this hour is /usr/local/ssl/install, and you probably need to have root privileges to install the software there. You can install the software as a regular user, but to do so, you will need to change the path. Then you must build and install the software:
# ./config --prefix=/usr/local/ssl/install --openssldir=/usr/local/ssl/install/openssl
# make
# make install
If everything went well, you have now successfully installed the OpenSSL toolkit. The openssl command-line tool will be located in /usr/local/ssl/install/bin/.
This tool is used to create and manipulate certificates and keys, and its usage is described in a later section on certificates.
mod_ssl
In the past, SSL extensions for Apache had to be distributed separately because of export restrictions. Although there are limitations in redistribution of binaries that need to be solved and clarified, these restrictions no longer exist for distribution of source code, and mod_ssl is bundled and integrated with Apache 2.0. This section describes the steps necessary to build and install this module. mod_ssl depends on the OpenSSL library, so a valid OpenSSL installation is required.
Unix
If you are using the Apache 2.0 server that came installed with your operating system, chances are that it already includes mod_ssl. Use the package management tools bundled with your distribution to install mod_ssl if it is not present in your system.
When you build Apache 2.0 from source, you must pass the following options to the configure script to enable and build mod_ssl at compile time:
--enable-ssl --with-ssl=/usr/local/ssl/install/openssl
This assumes that you installed OpenSSL in the location described in previous sections.
If you compiled mod_ssl statically into Apache, you can check whether it is present by issuing the following command, which provides a list of compiled-in modules:
# /usr/local/apache2/bin/httpd -l
The command assumes that you installed Apache in the /usr/local/apache2 directory.
If mod_ssl was compiled as a dynamically loadable module, the following line must be added to the configuration file, or uncommented if it is already there:
LoadModule ssl_module modules/libmodssl.so
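The two checks described above (the compiled-in module list and the LoadModule line) can be combined into one script. This is an added example, not code from the book or from the Apache project; the helper name mod_ssl_status and the sample inputs are constructed for illustration. It reads a saved copy of the httpd -l output and the configuration file, and distinguishes a LoadModule line that is active from one that is still commented out.

```shell
#!/bin/sh
# Added example: report how mod_ssl is made available to Apache.
# Usage: mod_ssl_status HTTPD_L_OUTPUT CONF_FILE
#   HTTPD_L_OUTPUT  file holding the saved output of "httpd -l"
#   CONF_FILE       the server configuration file
# Prints one word: static, dynamic, commented or missing.
# mod_ssl_status is a hypothetical helper name, not an Apache tool.
mod_ssl_status() {
    modlist=$1
    conf=$2

    # "httpd -l" lists compiled-in modules by source file name.
    if grep -Eq '^[[:space:]]*mod_ssl\.c[[:space:]]*$' "$modlist"; then
        echo static
    # An active LoadModule line; directive names are case-insensitive.
    elif grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]+[^[:space:]]' "$conf"; then
        echo dynamic
    # The line exists but is still commented out, so SSL is not loaded.
    elif grep -Eiq '^[[:space:]]*#+[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$conf"; then
        echo commented
    else
        echo missing
    fi
}

# Constructed sample inputs (not captured from a real server):
# a build without static mod_ssl and a config with the line commented out.
tmp=$(mktemp -d)
printf 'Compiled in modules:\n  core.c\n  mod_so.c\n  http_core.c\n' > "$tmp/httpd-l.txt"
printf '#LoadModule ssl_module modules/libmodssl.so\nListen 80\n' > "$tmp/httpd.conf"
echo "mod_ssl: $(mod_ssl_status "$tmp/httpd-l.txt" "$tmp/httpd.conf")"
rm -rf "$tmp"
```

On a real server, save the module list first with /usr/local/apache2/bin/httpd -l > httpd-l.txt and pass that file together with the path to your configuration file.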