Creating a Secure Web Server Using mod_ssl
Because of governmental export restrictions in the United States, most Linux distributions do not provide secure Web server functionality directly. Linux is sold worldwide, and the U.S. government does not allow certain kinds of encryption to be shipped out of the country. Unfortunately, this means that you have to do a bit of legwork to obtain, build, and install the secure Web server functionality for Apache.
There are a couple of different options for adding SSL to Apache. The one described here, which is recommended, is called mod_ssl. It consists of a set of patches and a special module for use with the Apache source code. It uses OpenSSL, a cryptography library that provides SSL functions.
NOTE
OpenSSL is based on an older library called SSLeay. mod_ssl is based on an older package called Apache-SSL (which is still being developed). The fact that one package can form the base of another, even another competing package, is one of the great strengths of Open Source. Of course, this inheritance can also be quite confusing.
Obtaining Sources
To build Apache with mod_ssl, you need sources from three places. Examine the following Web sites, and follow the links to an appropriate download area to obtain the source code you need.
If you are in the United States and the respective Web sites list U.S. mirrors for their download areas, use those mirrors instead.
Apache Source Code
For the Apache source code itself, either use the source code from your distribution or obtain the latest release from the Apache organization download area.
The Apache organization Web site is http://www.apache.org/.
To obtain the latest release of Apache from the Apache organization, download the source tar file from http://httpd.apache.org/dist/.
OpenSSL Sources
OpenSSL is an essential cryptographic library for programs using SSL, including a secure Web server. The OpenSSL Web site is http://www.openssl.org/. The OpenSSL library can be obtained by downloading the latest version at this site.
mod_ssl Sources
mod_ssl is a set of patches for Apache that allows it to use the OpenSSL library. mod_ssl also provides a special module that adds additional functionality related to processing client and server security data.
The mod_ssl Web site is http://www.modssl.org. The mod_ssl tar file can be obtained from http://www.modssl.org/source/.
Notes on Building the Source
On the mod_ssl Web page, Ralf Engelschall (the primary author of mod_ssl) provides detailed instructions for installing and building all the required components. This Web page is http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL.
Download this document, print it, and follow it exactly. If you are in the United States, follow the U.S. instructions.
When you are finished with the instructions, the Apache software is installed in a subdirectory under the directory that you chose as the argument to --prefix. You can run the secure Apache software from that location (highly recommended), or you can install the software over the top of your existing Apache files.