Exercises: FreeBSD: Apache and SSL

SA-E Workshop AfNOG 2009: Cairo

May 14, 2009

Exercises

  1. Generate a Local Certificate
  2. Verify that http and https (Apache) are Working
  3. Advanced Verification Methods (Optional Exercise)

1.) Generate a Local Certificate

Remember the presentation? We'll use openssl to generate a local server key, local server certificate, a certificate signing request, and a server key that is unencrypted (no passphrase) to allow Apache to start without prompting for a passphrase. This implies that you believe your server to be secure so that others don't steal your unencrypted server key and certificate and use them in nefarious (bad) ways.

Realistically, however, it's not practical to have Apache ask you for a passphrase each time you boot your server. As a matter of fact this could be disastrous if, say, the power were to go out, your server reboots, and then hangs until you physically arrive at the console to type in a passphrase.

For these exercises you need to be root.

Let's create our own self-signed certificate:

# cd /usr/local/etc/apache22
# mkdir mycert
# cd mycert
First use openssl to generate a key:
# openssl genrsa -des3 -out server.key 1024
Pick a passphrase that you'll remember when prompted. Longer is better...

The key is encrypted with triple DES and is 1024 bits long. Don't make it longer; not all clients will understand how to use a longer key.

Now to remove the password from our key:

# openssl rsa -in server.key -out server.pem
And, you'll need to use the passphrase you just created above to do this.

Before you can generate a certificate you need to create a CSR file, a Certificate Signing Request. Below is the command and a sample session you can use as an example to create your own local certificate. Note that the Common Name is the name of the server (pcX.sae.ws.afnog.org, etc.). This is important:

First the command:

# openssl req -new -key server.key -out server.csr
And the sample session:
Country Name (2 letter code) [AU]:eg
State or Province Name (full name) [Some-State]:   (leave blank)
Locality Name (eg, city) []:Cairo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AfNOG
Organizational Unit Name (eg, section) []:Workshop
Common Name (eg, YOUR name) []:pcX.sae.ws.afnog.org 
Email Address []:inst@pcX.sae.ws.afnog.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:           (leave blank)
An optional company name []:       (leave blank)
Now we can sign our own certificate with our own private key as we are not sending this CSR to a CA for a commercially signed certificate. You'll need the private key passphrase again.
# openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
Note that the certificate is only valid for 60 days. You can choose whatever number you like. A short-lived certificate like this is typical if you are waiting for a signed certificate from a CA but need to have something right away.

If it all works you should see something like this:

Signature ok
subject=/C=eg/ST=Some-State/L=Cairo/O=AfNOG/OU=Workshop/CN=pcX.sae.ws.afnog.org/emailAddress=inst@pcX.sae.ws.afnog.org
Getting Private key
Enter pass phrase for server.key:
Part Two

Now that we have our own locally signed certificate in /usr/local/etc/apache22/mycert we still need to configure Apache to actually use this certificate. Right now Apache is looking for the server.key and server.crt files located in /usr/local/etc/apache22 when starting. We're going to edit the file /usr/local/etc/apache22/extra/httpd-ssl.conf and change where the Apache server looks. We'll use vi to edit httpd-ssl.conf in our example, but you can use whatever editor you choose:

# vi /usr/local/etc/apache22/extra/httpd-ssl.conf
Search for the line in the file that reads:
## SSL Virtual Host Context
You must now choose one of your virtual hosts that you will use this certificate for. This is the issue with SSL certificates and name-based hosting we mentioned earlier. There is no way to correctly identify which virtual host belongs to which certificate using name-based virtual hosting.

You will see the VirtualHost lines below. Change them to something like this. Remember that "pcX" should be replaced with your PC's number.

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "/usr/local/www/share/default"
ServerName pcX.sae.ws.afnog.org:443
ServerAdmin inst@pcX.sae.ws.afnog.org
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
Now scroll down a bit further until you find the line that reads:
SSLCertificateFile /usr/local/etc/apache22/server-dsa.crt
Comment that line out ("#" character at front of line), and below it add the following line:
SSLCertificateFile /usr/local/etc/apache22/mycert/server.crt
Now scroll down and find:
SSLCertificateKeyFile /usr/local/etc/apache22/server-dsa.key
Comment this out and below it add the line:
SSLCertificateKeyFile /usr/local/etc/apache22/mycert/server.pem
Note we used the ".pem" file as this is your server.key file, but without a passphrase.

Save the httpd-ssl.conf file and exit from it at this point (in vi :wq).

Now you need to make one minor change to the main httpd.conf configuration file for Apache. First we do:

# vi /usr/local/etc/apache22/httpd.conf
Now search for the following text in the file:
# Secure (SSL/TLS) connections
# Include etc/apache22/extra/httpd-ssl.conf
Uncomment the second line so that this now reads:
# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf
Now save and exit from the file.

You can now stop and start your Apache web server using a facility called apachectl. This is the Apache HTTP server control interface. See man apachectl for more information.

# apachectl stop
# apachectl start
If you run into any errors try using the log files in /var/log to troubleshoot the problem. The important files are:
/var/log/messages
/var/log/httpd-error.log
/var/log/ssl_engine_log
If you've run into problems or don't understand something let the instructor or an assistant know.
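
An added example (not part of the original workshop material): a pre-flight script that reads the active SSLCertificateFile and SSLCertificateKeyFile paths from httpd-ssl.conf and checks that the key has no passphrase, is not accessible to group or others, matches the certificate, and that the certificate is not about to expire. The function names, the 7-day threshold and the assumption of one certificate/key pair per file are choices made for this example.

```sh
# Pre-flight checks for the pair named in httpd-ssl.conf (added example).
# Function names are illustrative; assumes one certificate/key pair per file.

# active_path DIRECTIVE CONF: path from the last uncommented DIRECTIVE line
active_path() {
    awk -v d="$1" '$1 == d { p = $2 } END { if (p != "") print p }' "$2" | tr -d '"'
}
# key_is_plain KEY: key has no passphrase, so Apache will not prompt at boot
key_is_plain() { [ -r "$1" ] && ! grep -q ENCRYPTED "$1"; }
# key_is_private KEY: group and others have no access to the key file
key_is_private() { [ "$(ls -lnL "$1" | cut -c5-10)" = "------" ]; }
# pair_matches KEY CERT: both files carry the same RSA modulus
# (the dummy passphrase makes an encrypted key fail instead of prompting)
pair_matches() {
    k=$(openssl rsa -in "$1" -passin pass:unused -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# valid_for_days CERT N: CERT is still valid N days from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
# preflight CONF: run every check against the files CONF names
preflight() {
    crt=$(active_path SSLCertificateFile "$1")
    key=$(active_path SSLCertificateKeyFile "$1")
    [ -n "$crt" ] && [ -n "$key" ] || { echo "FAIL: directive missing"; return 1; }
    key_is_plain "$key" || { echo "FAIL: $key unreadable or encrypted"; return 1; }
    key_is_private "$key" || { echo "FAIL: $key open to group/other"; return 1; }
    pair_matches "$key" "$crt" || { echo "FAIL: key and certificate differ"; return 1; }
    valid_for_days "$crt" 7 || { echo "FAIL: $crt expires within 7 days"; return 1; }
    echo "OK: $crt matches $key"
}
# Demo on a constructed throwaway pair (not the workshop's files; the 2048-bit
# size is the demo's choice). On the workshop machine, as root, run instead:
#   preflight /usr/local/etc/apache22/extra/httpd-ssl.conf
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 \
        -subj /CN=pcX.sae.ws.afnog.org \
        -keyout "$d/server.pem" -out "$d/server.crt" 2>/dev/null || return 1
    chmod 600 "$d/server.pem"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile "%s"\n' \
        "$d/server.crt" "$d/server.pem" > "$d/httpd-ssl.conf"
    preflight "$d/httpd-ssl.conf"; rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

A failing check prints one FAIL line naming the file involved, which narrows down what to look for in /var/log/httpd-error.log.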

Congratulations, you now have a secure web server up and running.

2.) Verify that http and https (Apache) are Working

For this exercise you can be any user.

This is very simple. In the web browser of your choice go to the following address:

http://localhost/
You should have gotten the page with text:
It worked!
Now go to this address:
https://pcX.sae.ws.afnog.org/
Depending on what version of Firefox you are using you will see different dialogues warning you that the certificate is not trusted. Sample dialogues include:

[Screenshot: Firefox version 3]

[Screenshot: Firefox version 2]

Go through the process of accepting the certificate. When you get the chance to view the certificate take a look. You will see the information you filled in when generating the CSR (what's that stand for?).

We'll discuss what just happened for a bit, and we'll take a look at a web browser, built-in trusted CAs, etc. After that we'll generate our own signed certificate.

3.) Advanced Verification Methods (Optional exercise)

For this exercise you can run as a general user.

At the most simple level let's verify that the Apache web server daemon appears to be running. We can use the ps command to do this:

$ ps auxw | grep httpd
Remember that Apache uses the actual binary file /usr/local/sbin/httpd to start the Apache web server as indicated by the final message during installation. That's why we grep'ed on "httpd" instead of "apache".

The output you should see will look something like this:

root     54884  0.0  0.9  5224 3296  ??  Ss   12:43PM   0:00.22 /usr/local/sbin/httpd -DSSL
www      54885  0.0  0.9  5264 3328  ??  I    12:43PM   0:00.01 /usr/local/sbin/httpd -DSSL
www      54886  0.0  0.9  5264 3328  ??  I    12:43PM   0:00.01 /usr/local/sbin/httpd -DSSL
www      54887  0.0  0.9  5248 3324  ??  I    12:43PM   0:00.01 /usr/local/sbin/httpd -DSSL
www      54888  0.0  0.9  5248 3328  ??  I    12:43PM   0:00.01 /usr/local/sbin/httpd -DSSL
www      54889  0.0  0.9  5248 3324  ??  I    12:43PM   0:00.01 /usr/local/sbin/httpd -DSSL
www      54890  0.0  0.9  5240 3308  ??  I    12:43PM   0:00.00 /usr/local/sbin/httpd -DSSL
root     54951  0.0  0.2  1476  796  p5  S+   12:59PM   0:00.01 grep httpd
Note that Apache runs with multiple instances of the httpd daemon. This is so that the web server can respond to multiple requests more efficiently. Also notice that the first httpd daemon that starts runs as root, but subsequent daemons use the user "www". This is to make the web server less vulnerable to attacks that might gain root access.

So, this shows you that Apache is running, but is it accessible to users with web browsers? It's possible you might be on a machine in the future and not have a web browser available, even though the machine is running a web server. You can use telnet to verify if the web server is available. To do this type:

$ telnet 127.0.0.1 80
If you get back something like:
Trying 127.0.0.1...
Connected to pcX.sae.ws.afnog.org
Escape character is '^]'.
This is a good indication that you have a web server working. Still, to be sure that this is not some other server running on port 80 you could go a step further. You can view the initial web server page on port 80 by doing this:
^]                       [press CTRL key and ']' character to exit]

telnet> quit

$ cd                     [to go to your home directory]

$ script apache.txt      [use FreeBSD script utility to save session to a file]

$ telnet 127.0.0.1 80

GET / HTTP/1.0           [press ENTER]

host: localhost          [press ENTER twice]

$ exit                   [to leave your script shell]
And you will see the initial Apache welcome page scroll by on your screen. Now that you have saved the output of this session to a file (~/apache.txt) we can get some additional information.

Type the file apache.txt to your screen by doing:

$ cd                   [to go to your home directory]

$ less apache.txt      [remember, "q" to exit the less screen]
In the first page of information presented you should see something like:
HTTP/1.1 200 OK
Date: Thu, 14 May 2009 04:34:38 GMT
Server: Apache/2.2.11 (FreeBSD) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8e
Last-Modified: Thu, 14 May 2009 03:26:04 GMT
ETag: "3e3b1c-2c-469d6e3496b00"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
Notice that you can now see exactly what version of Apache is running, that it appears to be ssl-enabled and it is using OpenSSL 0.9.8e and mod_ssl to do this.

So, it appears that Apache is ssl-enabled on this machine, but how can we prove this? A web server with ssl support means that you can go to URL addresses that start with "https" (http secure).

We'll use a tool that comes with OpenSSL to allow us to make ssl connections, verify encryption in use, view certificates, etc. You can simply type "openssl" and then you will get a prompt where you can use the multiple openssl tools, or you can combine the command "openssl" with the various tools on your command line. This is what we will do using the openssl s_client tool. Try typing these commands:

$ cd

$ script ssltest.txt

$ openssl s_client -connect localhost:443

[Press ctrl-c to exit the information screen]

$ exit

$ less ssltest.txt

And you will get several screens of information about your Apache web server, the ssl certificate that is currently installed and its detailed information, what protocols are in use, and more.

In most cases this is overkill and you can simply use a web browser to verify functionality, but having alternatives is always nice.


Last modified: Thu May 14 10:38:40 EEST 2009