
Thread: APACHE for Win32 with SSL support v 1.4

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    6

    APACHE for Win32 with SSL support v 1.4

    Preface:
    I wanted to be able to download documents from home at work without having to worry about them reading my files in transit.

    APACHE for Win32 with SSL support v 1.4

    Original document found at:
    http://www.thompsonbd.com/tutorials/apachessl.php
    Version 1.2 (Up from 1.1 thanks to Mike Young)
    Version 1.3 (TheHorse13)
    Version 1.4 (Darius33)

    Additional resources:
    http://www.modssl.org/docs/2.8/ssl_faq.html

    1. Assumptions
    This tutorial assumes that you know how to turn on a computer. Any existing Apache configuration files will be overwritten during this tutorial. My advice is to back up and uninstall the old version.

    1a. Notes
    If you see a command in quotes, remove the outermost set.

    I always write like I'm talking to a kindergartener. I'm not demeaning you.

    2. Needed Files
    You will need the 2.2.2 Apache .msi installer (Link #1), mainly to add it as a service without any hassle. (If you know what you are doing you can skip this step, but I recommend it.) You will also need a version of Apache that has the mod_ssl.so extension enabled (Link #2), the Windows binaries of OpenSSL (Link #3), and, last, the configuration file for OpenSSL used to make certs (Link #4).

    Links to files.
    1) http://archive.apache.org/dist/httpd...x86-no_ssl.msi
    2) http://brandleadershipmarketing.com/...9.8b-Win32.zip
    3) http://brandleadershipmarketing.com/...9.8b-Win32.zip
    4) http://www.thompsonbd.com/tutorials/files/openssl.cnf

    3. Installing apache
    Run apache_2.2.2-win32-x86-no_ssl.msi, set it to install into c:\apache, and don't worry about any of the other settings. Double-click the Apache monitor and check that Apache is stopped. Then extract Apache_2.2.2-Openssl_0.9.8b-Win32.zip into the c:\apache directory, overwriting everything. Move openssl.cnf to c:\apache\conf.

    4. Setting Up OpenSSL
    Extract Openssl-0.9.8b-Win32.zip to c:\openssl

    Open the System control panel and click the Advanced tab. Click the Environment Variables button at the bottom. In the window that pops up, check whether User Variables has a Path variable. If it doesn't, click New; under Variable Name type Path and under Variable Value type c:\openssl. If it already exists, click Edit and add c:\openssl to the end. Close the System windows.

    To see if it is working, open a command shell (Windows key+R, type cmd and hit Enter) and type openssl. You should get a response like "OpenSSL>". If not, there is an error somewhere. Type quit to exit OpenSSL. Leave the command prompt open for the next step.

    Note: I didn't have to copy libeay32.dll and ssleay32.dll to c:\windows\system32 (or c:\winnt\system32) like in the previous tutorial. If Windows reports an error about either of these DLLs missing, just copy them from c:\openssl to c:\windows\system32 or c:\apache\bin (Windows looks first in the directory a program is called from for a missing DLL, but by copying them to the system32 directory they are available to any program that requires them).

    5. Creating a certificate
    Open a command prompt. Type "cd \apache\conf" to change to the configuration directory for apache.

    Type "openssl req -config openssl.cnf -new -out server.csr"

    I don't recommend changing the name to anything else, as Apache comes set up by default for this filename. When asked for "Common Name (eg, your website's domain name)", give the exact domain name of your web server (e.g. www.my-server.com). The certificate belongs to this server name and browsers complain if the name doesn't match. If you don't have a domain name, set it to whatever you want. Remember the PEM pass phrase for later!

    Type "openssl rsa -in privkey.pem -out server.key"

    This removes the passphrase from the private key. You MUST understand what this means: server.key should be readable only by the Apache server and the administrator. You should delete the .rnd file because it contains the entropy information used for creating the key and could be used for cryptographic attacks against your private key.

    Type "openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365"

    This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.

    6. Configuring Apache and mod_ssl
    Open c:\apache\conf\httpd.conf and locate the LoadModule directives. The last line in this part is "#LoadModule ssl_module modules/mod_ssl.so"; remove the # (comment character).

    At the very bottom of the file is a line that says "#Include conf/extra/httpd-ssl.conf"; remove the # from it too. Save and exit.

    Open the httpd-ssl.conf file in the extra directory. Find the line that says "SSLMutex file:logs/ssl_mutex"; it's on the second page or so. Comment out that line by adding a # to the beginning of it, and add a line right below it that says "SSLMutex default".

    7. Start it up!
    Assuming that you followed all of these instructions, you should now be able to start your server by left-clicking the Apache monitor and selecting 2.2 and then Start. The red square should shortly turn into a green triangle. If it doesn't, you'll need to open another command shell in c:\apache\bin. Type "httpd" to start Apache. It will give you a description of the error, like:

    Syntax error on line 108 of C:/Apache/conf/extra/httpd-ssl.conf:
    SSLCertificateKeyFile: file 'C:/Apache/conf/server.key' does not exist or is empty

    In this case you forgot to make your server key!

    After fixing any errors, restart Apache through the Apache monitor. Next, open up your favorite browser and point it to https://127.0.0.1 . It should say "It works!".

    8. Clean up.
    Delete items one through three; they're not needed now. Also delete the .rnd file in C:\Apache\conf. If you want, you can also delete server.csr and privkey.pem, but I don't really think you should, because it will create more work for you later when your cert expires.

    9. Final notes.
    If you are running anything that will be exposed to the internet, you need to make sure that you are a) firewalled and b) have port 443 open. Also, this server as configured will allow anyone to connect to it, so you should enable some sort of authentication (see http://httpd.apache.org/docs/2.2/howto/auth.html and http://httpd.apache.org/docs/2.2/howto/access.html).

    I'd like to thank TheHorse13 for writing the last version of this it helped me out immensely.
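    Steps 5, 6 and 8 of the post above as one script, with the checks an administrator should run before trusting the result. This is an added example written for this page, not code from the original thread or from the tutorial's authors. It assumes openssl, sed and awk on PATH (on Windows, a Git Bash or similar shell), and the directory names and the host name www.my-server.com in the demo are assumptions. It departs from the post in one respect: the key is generated directly without a passphrase (openssl req -nodes), so there is no privkey.pem to strip afterwards.

```shell
#!/bin/sh
# Added example, not part of the original thread: steps 5, 6 and 8 of the
# tutorial as shell functions, plus checks on the result. Assumes openssl,
# sed and awk on PATH. Paths and the host name in the demo are assumptions.

# Step 5: key, CSR and self-signed certificate. -nodes writes the key
# without a passphrase, so there is no separate privkey.pem to strip as in
# the post; umask 077 makes server.key unreadable by other users.
make_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
      openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
          -days "$days" -out "$dir/server.crt" 2>/dev/null )
    rm -f "$dir/.rnd"        # step 8: do not leave the entropy file behind
}

# Common Name the certificate was issued for (browsers compare it with the
# host name in the URL). Handles both "CN = x" and "/CN=x" subject formats.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# The certificate must carry the public half of server.key: compare the
# public key embedded in the certificate with the one derived from the key.
cert_matches_key() {
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | openssl md5)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The passphrase-less key must not be readable by group or others
# (Unix-style modes; on NTFS check the ACL on the file instead).
key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c5-10)" = "------" ]
}

# Step 6: enable mod_ssl and its config, and swap the file-based SSLMutex
# for "SSLMutex default" as the post does. Rewrites the files in place.
enable_apache_ssl() {
    conf="$1"
    sed -e 's|^#\(LoadModule ssl_module modules/mod_ssl.so\)|\1|' \
        -e 's|^#\(Include conf/extra/httpd-ssl.conf\)|\1|' \
        "$conf/httpd.conf" > "$conf/httpd.conf.tmp" &&
        mv "$conf/httpd.conf.tmp" "$conf/httpd.conf"
    awk '/^SSLMutex[[:space:]]+file:/ { print "#" $0; print "SSLMutex default"; next }
         { print }' "$conf/extra/httpd-ssl.conf" > "$conf/extra/httpd-ssl.conf.tmp" &&
        mv "$conf/extra/httpd-ssl.conf.tmp" "$conf/extra/httpd-ssl.conf"
}

# True when all three edits of step 6 are in place.
ssl_config_enabled() {
    grep -q '^LoadModule ssl_module modules/mod_ssl.so' "$1/httpd.conf" &&
    grep -q '^Include conf/extra/httpd-ssl.conf' "$1/httpd.conf" &&
    grep -q '^SSLMutex default' "$1/extra/httpd-ssl.conf" &&
    ! grep -q '^SSLMutex[[:space:]]*file:' "$1/extra/httpd-ssl.conf"
}

# Constructed stand-in for the stock 2.2 config files: only the lines the
# post edits. Real httpd.conf and httpd-ssl.conf contain far more.
write_sample_conf() {
    mkdir -p "$1/extra"
    printf '%s\n' '#LoadModule ssl_module modules/mod_ssl.so' \
        '#Include conf/extra/httpd-ssl.conf' > "$1/httpd.conf"
    printf '%s\n' 'SSLCertificateFile "C:/Apache/conf/server.crt"' \
        'SSLMutex file:logs/ssl_mutex' > "$1/extra/httpd-ssl.conf"
}

# Demo: sh apachessl.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_conf "$d" && enable_apache_ssl "$d" && ssl_config_enabled "$d" \
        && echo "config: mod_ssl enabled"
    make_selfsigned "$d" www.my-server.com 365
    echo "CN: $(cert_cn "$d")"
    cert_matches_key "$d" && echo "cert/key: match"
    key_is_private "$d" && echo "key perms: ok"
fi
```

    Run it with the demo argument to exercise every step against a temporary directory; point make_selfsigned and enable_apache_ssl at the real conf directory (C:/Apache/conf in the post) to apply them for real. The cert_matches_key check is the one worth keeping around: the "does not exist or is empty" error in step 7 is easy to spot, but a server.crt that was signed with a different key than the server.key Apache loads only shows up as a handshake failure in the browser.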

  2. #2
    brokencrow (Dissident 4dm1n)
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Nice, I'll have to give this one a whirl.

    I wanted to be able to download documents from home at work without having to worry about them reading my files in transit.
    Fwiw, I've been running EFTP to securely download docs, but I've got to have EFTP on both ends (server & client). Don't think I'd want to try to run the client on a PC that wasn't mine.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Junior Member
    Join Date
    Jun 2006
    Posts
    6
    My work has very restrictive firewall settings and the admins are all over the access logs so I needed something that wouldn't raise any flags.

    Also you should take a look at http://www.truecrypt.org/ to keep your documents secure (and to remove the hassle of wiping your docs). When you're all done just unmount the container. It also has an option to run it in a 'travel' mode so there's no need to install it.

  4. #4
    brokencrow (Dissident 4dm1n)
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Truecrypt looks interesting. I've been using Nick Payne's Cryptext but it's old now (2001) with no further development going...

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    6
    I used to use a couple of commercial solutions (don't remember the names anymore) but I have lately been trying to use open source. Hopefully I'll get enough skill in C++ to write a multifunction crypto system, i.e. files, passwords, calendar. I just haven't ever seen a program like that. I use TrueCrypt for my files and Password Safe http://passwordsafe.sourceforge.net/ for my passwords.

    I'm working on a little project right now and when it's finished I'll post it.
