July 24, 2006

Installing, configuring and debugging openssl + apache + mod_ssl

This post covers how to build an Apache server with the mod_ssl module on Linux, and how to configure SSL for different requirements.
I. Download
1. Download openssl from www.openssl.org into /usr/local/src
2. Download apache from www.apache.org into /usr/local/src
3. Download mod_ssl from www.modssl.org into /usr/local/src
II. Unpack
cd /usr/local/src
tar zxvf openssl-0.9.8b.tar.gz
tar zxvf mod_ssl-2.8.27-1.3.36.tar.gz
tar zxvf apache_1.3.36.tar.gz
III. Build openssl
cd /usr/local/src/openssl-0.9.8b
./config --prefix=/usr/local/openssl
make
make install
IV. Build mod_ssl (the configure step patches the Apache source tree)
cd /usr/local/src/mod_ssl-2.8.27-1.3.36
./configure --with-apache=/usr/local/src/apache_1.3.36
V. Build apache
SSL_BASE=/usr/local/openssl ./configure --enable-module=SSL --prefix=/usr/local/apache --enable-module=so ..........................
make
make install
That completes the preparation.

VI. Set up your own CA
[root@databack root] cd /usr/local/apache
[root@databack apache] mkdir CAroot
Create a directory for the CA (I'm not sure whether giving the CA its own directory like this is a good idea).
[root@databack apache] cd CAroot
[root@databack CAroot] cp /usr/local/openssl/ssl/openssl.cnf ./openssl.cnf
Copy the CA configuration file over.
[root@databack CAroot] vi openssl.cnf
In the configuration file change dir from ./demoCA to /usr/local/apache/CAroot.
[root@databack CAroot] mkdir newcerts
[root@databack CAroot] mkdir certs
[root@databack CAroot] mkdir crl
[root@databack CAroot] mkdir private
[root@databack CAroot] vi index.txt
You can leave it empty; just :wq.
[root@databack CAroot] vi serial
Write 00, then :wq.
[root@databack CAroot] vi ./private/.rand
Write two lines of random numbers, then :wq.
# Heh, everything above is just what openssl.cnf expects
[root@databack CAroot] /usr/local/openssl/bin/openssl req -new -x509 -newkey rsa:1024 -keyout ./private/cakey.pem -out cacert.pem

(follow the prompts)
Generating a 1024 bit RSA private key
.......................++++++
.......++++++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: (remember this pass phrase; it is needed later)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN (anything you like; naturally I entered CN)
State or Province Name (full name) [Some-State]:Beijing (anything you like)
Locality Name (eg, city) []:Beijing (anything you like)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Securitycn Team (anything you like)
Organizational Unit Name (eg, section) []:securitycn (anything you like)
Common Name (eg, YOUR name) []:www.securitycn.net (anything you like)
Email Address []:vitter@mail.securitycn.net (anything you like)
This generates the CA key and certificate.

VII. Generate the key and certificate for apache
[root@databack CAroot] cd /usr/local/apache/conf/ssl.crt
[root@databack ssl.crt]# /usr/local/openssl/bin/openssl req -new -newkey rsa:1024 -keyout ../ssl.key/server.key -out ../ssl.csr/server.csr
Generating a 1024 bit RSA private key
.......++++++
.++++++
writing new private key to '../ssl.key/server.key'
Enter PEM pass phrase: (same as above)
Verifying - Enter PEM pass phrase: (same as above)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN (same as above)
State or Province Name (full name) [Some-State]:Beijing (same as above)
Locality Name (eg, city) []:Beijing (same as above)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Securitycn Team (same as above)
Organizational Unit Name (eg, section) []:securitycn (same as above)
Common Name (eg, YOUR name) []:www.securitycn.net (same as above)
Email Address []:vitter@mail.securitycn.net (same as above)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave empty)
An optional company name []: (leave empty)
This generates the certificate request and key.

[root@databack ssl.crt]# /usr/local/openssl/bin/openssl ca -in ../ssl.csr/server.csr -out server.crt -config /usr/local/apache/CAroot/openssl.cnf
Using configuration from /usr/local/apache/CAroot/openssl.cnf
Enter pass phrase for /usr/local/apache/CAroot/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 21 10:08:26 2006 GMT
Not After : Jul 21 10:08:26 2007 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Securitycn Team
organizationalUnitName = securitycn
commonName = www.securitycn.net
emailAddress = vitter@mail.securitycn.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:5D:F6:B4:21:0F:68:98:B2:5B:BE:79:CE:E1:B0:8D:1A:86:47:CE
X509v3 Authority Key Identifier:
keyid:18:70:E5:39:AF:E2:62:F3:2C:E7:87:B1:AD:AF:56:93:BB:28:FD:77

Certificate is to be certified until Jul 21 10:08:26 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Sign the certificate request with the CA private key (the pass phrase asked for here is the one set when generating the CA key and certificate).
# We now have the server's certificate and private key
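The script below is an added example, not part of the original post: it replays the CA layout and the req/ca signing steps of sections VI and VII non-interactively (-subj, -nodes and -batch stand in for the prompts shown above) in a temporary directory, then performs the two checks a browser makes in section XI. The minimal openssl.cnf, the subject names and the paths are assumptions, and it uses 2048-bit keys with SHA-256 rather than the 1024-bit keys of 2006.

```shell
set -e
# Added example (not from the post): sections VI and VII replayed non-interactively in a temp dir; paths and names assumed
make_ca_and_server_cert() {
    root=$(mktemp -d)                 # stands in for /usr/local/apache/CAroot
    mkdir -p "$root/newcerts" "$root/private"
    : > "$root/index.txt"             # empty CA database, as in section VI
    echo 01 > "$root/serial"          # the post writes 00; 01 keeps serials positive
    # Minimal openssl.cnf; dir= is the value section VI tells you to edit
    cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $root
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Section VI: self-signed CA certificate (-nodes skips the pass phrase prompt)
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$root/openssl.cnf" \
        -extensions v3_ca -subj "/C=CN/O=Example/CN=Example Root CA" \
        -keyout "$root/private/cakey.pem" -out "$root/cacert.pem" >/dev/null 2>&1
    # Section VII: server key and CSR, then the CA signs it (-batch answers y/y);
    # the CN is the address clients will type, which section XI says must match
    openssl req -new -nodes -newkey rsa:2048 -config "$root/openssl.cnf" \
        -subj "/C=CN/O=Example/CN=192.168.10.10" \
        -keyout "$root/server.key" -out "$root/server.csr" >/dev/null 2>&1
    openssl ca -batch -config "$root/openssl.cnf" \
        -in "$root/server.csr" -out "$root/server.crt" >/dev/null 2>&1
    # The two checks a browser makes in section XI: chains to the CA, CN matches host
    openssl verify -CAfile "$root/cacert.pem" "$root/server.crt" >/dev/null
    openssl x509 -in "$root/server.crt" -noout -subject | grep -q 'CN *= *192.168.10.10'
    echo "chain ok: $(openssl x509 -in "$root/server.crt" -noout -serial)"
}
```

Call make_ca_and_server_cert after sourcing the file; it prints "chain ok: serial=01" only if the issued certificate verifies against the CA and carries the expected common name.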
VIII. Edit httpd.conf
[root@databack ssl.crt]# cd ..
[root@databack conf]# vi httpd.conf
Change ServerName to www0.securitycn.net (it can be left unset, but then you get a warning).
Change SSLCertificateFile to /usr/local/apache/conf/ssl.crt/server.crt
Change SSLCertificateKeyFile to /usr/local/apache/conf/ssl.key/server.key
# That is the most basic setup; try it first.
IX. Start the service

/usr/local/apache/bin/apachectl startssl

X. Test

https://192.168.10.10

XI. Test from a client

Find a Windows machine (Linux works too) and enter https://192.168.10.10. Remember that it is https: with plain http there is no verification at all and you go straight in. A dialog box appears. The second item is normally fine, since the validity dates are correct. The third item shows an exclamation mark because the address you are visiting does not match the certificate's common name; to avoid it, set the common name to 192.168.10.10 when generating the Apache server certificate with openssl. The first exclamation mark is because the CA root certificate is not installed; copy /usr/local/apache/CAroot/cacert.pem to the client and install it.
Reopen the browser and enter https://192.168.10.10. Why does it go straight in with no prompt at all? Heh, because the server has now actually been authenticated, which is the essential difference from http://192.168.10.10.

XII. Configuring more SSL uses (documented in detail under /usr/local/apache/htdocs/manual/mod/mod_ssl)
1. Authenticating the client
Edit httpd.conf:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /usr/local/apache/CAroot/cacert.pem
Now when the client opens https://192.168.10.10 it is asked to present a certificate, so let's generate a client certificate in PKCS#12 format:
cd /usr/local/apache/conf/ssl.crt
openssl req -new -newkey rsa:1024 -keyout ../ssl.key/client.key -out ../ssl.csr/client.csr
Generates the certificate request and key.
openssl ca -in ../ssl.csr/client.csr -out client.crt -config /usr/local/apache/CAroot/openssl.cnf
Signs the certificate request with the CA private key.
openssl pkcs12 -export -clcerts -inkey ../ssl.key/client.key -in client.crt -out /home/share/client.p12
Bundles the client key and certificate into client.p12 (the export password you are prompted for is what the client enters when importing it).
# /home/share is a samba share; client.p12 would normally go on a USB key, but sharing it is more convenient.
Install client.p12 on the client and, heh, both sides now authenticate each other and communicate over SSL. (to be continued)
2. Only certificate holders may access some pages; other pages are open to everyone
Edit httpd.conf (you need to prepare some pages first; /usr/local/apache/htdocs/secure is the directory we reserve for certificate holders):
SSLVerifyClient none
# ca.crt: the CA certificate, i.e. cacert.pem from section VI
SSLCACertificateFile conf/ssl.crt/ca.crt

# container for the restricted directory named above
<Directory /usr/local/apache/htdocs/secure>
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>


3. Only clients holding a certificate with particular contents may access some pages; other pages are open to everyone
Here I assume we allow people from our own LAN to access:
SSLVerifyClient none

# per-directory block for the restricted area (path assumed to be the one from item 2)
<Directory /usr/local/apache/htdocs/secure>
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "ATR" and \
           %{SSL_CLIENT_S_DN_OU} in {"305", "307", "309", "313"}
</Directory>

4. Allow LAN users to reach the intranet site over http, but require users from the Internet to use https with strong encryption.
Assume the LAN users are in 192.168.1.0/24.
The following goes outside the HTTPS virtual host, so that it applies to both http and https access:
SSLCACertificateFile conf/ssl.crt/company-ca.crt

<Directory /usr/local/apache/htdocs>
# Outside the subarea only Intranet access is granted
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
</Directory>

<Directory /usr/local/apache/htdocs/subarea>
# Inside the subarea any Intranet access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as alternative to basic auth.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# Force clients from the Internet to use HTTPS
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
# Allow Network Access and/or Basic Auth
Satisfy any
# Network Access Control
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
AuthUserFile conf/protected.passwd
Require valid-user
</Directory>

Apache SSL configuration directives (heh, /usr/local/apache/htdocs/manual/mod/mod_ssl has more detailed explanations)
1. SSLCACertificatePath
Syntax: SSLCACertificatePath /to/CA/certificates
Context: server config, virtual host
Default: none
Specifies a directory of Certificate Authority certificate files.
2. SSLCACertificateFile
Syntax: SSLCACertificateFile CA_certificate_filename
Context: server config, virtual host
Default: none
Specifies a single file containing Certificate Authority certificates.
3. SSLBanCipher
Syntax: SSLBanCipher cipher
Context: per-directory config (.htaccess)
Adds a cipher to the per-directory list of banned ciphers, so clients that want to use it are refused.
4. SSLCacheServerPort
Syntax: SSLCacheServerPort port|filename
Context: server config, virtual host
Configures the TCP/IP port or UNIX domain socket used by the global SSL session cache server process.
5. SSLCacheServerPath
Syntax: SSLCacheServerPath filename
Context: server config, virtual host
Sets the path to the global SSL session cache server executable. If Apache was installed with the APACI configure script, that executable is in the sbin subdirectory of the Apache installation directory.
6. SSLCertificateFile
Syntax: SSLCertificateFile certificate_filename
Context: server config, virtual host
Specifies the certificate file for a host on the web site. If a virtual host is to offer SSL, it needs its own certificate specified separately.
7. SSLCertificateKeyFile
Syntax: SSLCertificateKeyFile certificate_key_filename
Context: server config, virtual host
Specifies the private key file matching the certificate.
8. SSLEnable
Syntax: SSLEnable
Context: server config, virtual host
Turns SSL on; takes no arguments.
9. SSLDisable
Syntax: SSLDisable
Context: server config, virtual host
Turns SSL off; takes no arguments.
10. SSLFakeBasicAuth
Syntax: SSLFakeBasicAuth
Context: server config, virtual host
Translates the user's X509 certificate into a user name, which can then be used for authentication.
11. SSLRequireCipher
Syntax: SSLRequireCipher cipher
Context: per-directory config (.htaccess)
Adds a cipher to the per-directory list of required ciphers.
12. SSLLogFile
Syntax: SSLLogFile log_filename
Context: server config, virtual host
Writes SSL connection information to the named log file.
13. SSLRequireSSL
Syntax: SSLRequireSSL
Context: per-directory config file, directory
Rejects any connection that is not using SSL; takes no arguments.
14. SSLRequiredCiphers
Syntax: SSLRequiredCiphers cipher1:cipher2:...
Context: server config, virtual host, per-directory config (.htaccess)
Specifies a colon-separated list of ciphers.
15. SSLSessionCacheTimeout
Syntax: SSLSessionCacheTimeout seconds
Context: server config, virtual host
Sets the expiry time for cached SSL sessions.
16. SSLVerifyDepth
Syntax: SSLVerifyDepth number
Context: server config, virtual host
Because one CA certificate can be verified by another CA certificate, CA certificates form a chain. This directive sets how many CA certificates the server will follow when verifying a user certificate.
17. SSLVerifyClient
Syntax: SSLVerifyClient numeric-option
Context: server config, virtual host
Determines whether the server requires a user certificate: set 0 if no user certificate is required, 2 if one is required, and 1 if it is optional.




Posted by vitter at July 24, 2006 10:43 AM