荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: Lg (创造人生的传奇), 信区: Linux
标 题: The High-Tech How Not to be Seen, Part 6
发信站: BBS 荔园晨风站 (Sun Dec 12 15:39:13 1999), 站内信件
The High-Tech How Not to be Seen, Part 6
by Marcel Gagn? <mggagne@salmar.com>
10-Dec-1999
Warning! Your root Certificate has expired!
Welcome back, everyone, to Sys Admin's Corner. By now, you've all built your
OpenSSL libraries, compiled and played with
your cool, text-only SSL web browser--so now it's time to build your own
SSL-enabled web server.
But first! No, this is not a Y2K bug, despite what it may look like. Remember
those web site certificates? Well, on December
31st, 1999, a number of site certificates are set to expire. These are the root
certificates included in your browser, the ones
pre-verified by a third party. In this case, the third party is VeriSign.
Expect some panic as people trying to do their Internet
banking find themselves being hit with a request to verify the authenticity of
an expired VeriSign root certificate.
If you visit VeriSign's page at
http://www.verisign.com/server/cus/rootcert/webmaster.html, you can get the
details. VeriSign
claims that only about 4% of browsers will be affected. Since all Netscape
browsers of release 4.05 or earlier, as well as
Internet Explorer version 4.01 and earlier, are affected, I have to wonder
where they got that figure. I know lots of people
who are still running version 3 browsers. I guess we'll see. All you system
administrators out there, prepare yourselves for
ringing phones.
What's interesting here is important to what I'll discuss next. After you've
built your SSL certificate (covered later in this
article), anyone contacting your web site will be asked to verify the
authenticity of the certificate offered up by your new SSL
server, just as users visiting their bank will be asked to verify VeriSign. The
lesson is this: it doesn't take VeriSign (or any other
certificate authority) to make a functional secure server. As VeriSign confirms
on the page I mentioned above, an expired
certificate does not affect SSL encryption. 'Nuff said. On with the show.
You might find yourself asking why you would need to build another Apache web
server if you already have one installed on
your server. Remember, your stock Apache distribution from Caldera or Red Hat
does not come SSL-enabled. You will need
two packages for this one. The first is your Apache web server source. You can
get that one by surfing over to
http://www.apache.org/httpd.html or going directly to the ftp site at
ftp://ftp.apache.org/dist/ . The current bundle (as of this
writing) is version 1.3.9. That means you should download apache_1.3.9.tar.gz
for this example.
You will also need the mod_ssl package at http://www.modssl.org/source. Its
latest release is mod_ssl-2.4.9-1.3.9.tar.gz.
Finally, harking back to last week's "weasel words", keep in mind that some
encryption technology is subject to export and
patent restrictions. Translation: if you are in the United States (I know from
your e-mails that people read this from all over the
world), then you need to use the RSAREF package, available from this address:
ftp://utopia.hacktic.nl/pub/replay/pub/crypto/LIBS/rsa
The file you want is rsaref20.1996.tar.Z, a deprecated cryptographic library.
You also need to remember that use of this must
be limited to educational or non-profit purposes. (Read the docs included with
the distribution.) Once you have downloaded
the package, build it like this:
# uncompress rsaref20.1996.tar.Z
# mkdir rsaref
# cd rsaref
# tar -xvf ../rsaref20.1996.tar.Z
# cp -rp install/unix local
# cd local
# make
This will create a library called rsaref.a which you should rename librsaref.a.
In order to build from a fixed point of reference, I will put all my SSL builds
in a directory called /usr/local/src. From this
directory, I will extract the files for the Apache server and the mod_ssl
source distribution. Like this:
# mkdir /usr/local/src
# cd /usr/local/src
# tar -xzvf apache_1.3.9.tar.gz
# tar -xzvf mod_ssl-2.4.9-1.3.9.tar.gz
Strange as it may seem, I will not go into the Apache directory to set up
mod_ssl. Instead, cd to the mod_ssl directory and
configure with these options. Keep in mind that there are several options which
can be changed. If you're curious or you want
to install in different default locations, try the command ./configure --help
before you start. Here's my command using the
RSAREF library.
# ./configure --with-apache=../apache_1.3.9 with-rsa=../rsa
For those living outside the United States, you can probably use this version
of the command (the openssl directory is the one
you installed from last week).
# ./configure --with-apache=../apache_1.3.9 with-ssl=../openssl.0.9.4
Regardless of which version of Apache SSL you are building, the next steps are
the same.
# cd ../apache_1.3.9
# ./configure --enable-module=ssl
# make
If you follow the documentation, the next step is described as simply "make
certificate". This, unfortunately, makes only a
test certificate (and it shows up that way when presented to your users). The
real command to use is this:
# make certificate TYPE=custom
You will get asked several questions now. The dialog goes something like this
(look for my answers in step 2).
# make certificate TYPE=custom
make[1]: Entering directory
`/usr/local/src/apache_1.3.9/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights
Reserved.
Generating custom certificate signed by own CA [CUSTOM]
____________________________________
STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to
use.
Signature Algorithm ((R)SA or (D)SA) [R]:
____________________________________
STEP 1: Generating RSA private key for CA (1024 bit)
[ca.key]
117545 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..........+++++
............................................+++++
_____________________________________
STEP 2: Generating X.509 certificate signing request for CA
[ca.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are
about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]: CA
2. State or Province Name (full name) [Snake Desert]: Ontario
3. Locality Name (eg, city) [SnakeTown]: Toronto
4. Organization Name (eg, company) [Snake Oil,Ltd]:
Super MegaUniversal Corp.
5. Organizational Unit Name (eg, section) [Certificate Authority]:
6. Common Name (eg, CA name) [Snake Oil CA]:SuperMega CA
7. Email Address (eg, name@FQDN)
[ca@snakeoil.dom]:ca@supermegauniversal
There's more. Without giving you all the gory details, here are the next steps.
STEP 3: Generating X.509 certificate for CA signed by itself
[ca.crt]
STEP 4: Generating RSA private key for SERVER (1024 bit)
[server.key]
STEP 5: Generating X.509 certificate signing request for
SERVER [server.csr]
STEP 6: Generating X.509 certificate signed by own CA
[server.crt]I
STEP 7: Enrypting RSA private key of CA with a pass phrase
for security [ca.key]
The last step is an important one. You will now encrypt your server's private
key with a pass phrase. Remember this pass
phrase, because you will need it to start your server.
STEP 8: Encrypting RSA private key of SERVER with a pass
phrase for security [server.key]
The contents of the server.key file (the generated private
key) has to be kept secret. So we strongly recommend you to
encrypt the server.key file with a Triple-DES cipher and a
Pass Phrase.
Encrypt the private key now? [Y/n]: y
read RSA private key
writing RSA private key
Enter PEM pass phrase:
Now you are ready for the big final step.
# make install
If you followed the instructions more or less as I wrote them, your new Apache
server will be installed in /usr/local/apache.
Make sure you shut down your old server first (in my case, I did it with
/etc/rc.d/init.d/httpd stop). To start the
server, use this command:
/usr/local/apache/bin/apachectl start
This starts up your regular run-of-the-mill web server, with no SSL. To start
the SSL version, use this command instead:
/usr/local/apache/bin/apachectl startssl
Remember the pass phrase I told you not to forget. This is where it comes into
play. To run the secure server, you will be
asked to provide the pass phrase you used when you generated the site
certificates. Next, start your browser and surf to your
new secure server with the following:
https://your_server_name
Notice the "https" instead of the usual "http". For the curious, I will also
tell you that SSL web services run on port 443 by
default, unlike the port 80 of standard web services. Check it out by looking
in your /etc/services file. Notice, also, that
your browser has just popped up a warning, telling you it can't verify the
authenticity of the certificate it has just received. You
must now decide whether you can trust yourself (I don't need to include a
smiley here, do I?).
We've covered a lot of ground over the last few weeks in terms of encryption
software and technology. This SSL segment is
the last in the series for a while. Next week, I'll try to answer the question,
"If Linux is so great, why isn't my best
friend/sister/next-door neighbor/pet cat/etc. using it yet?" It's time to make
system administration simple. Or simpler,
anyway.
That's it for now. Until next week, run silent, run encrypted.
--
☆ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: bbs@210.39.3.71]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店