HTTPS Setup using mod_ssl
on CentOS 5.8
Jeong Chul
tland12.wordpress.com
Computer Science
ITC and RUPP in Cambodia
Part 1 Basic concepts on SSL
• Step 1 Secure Socket Layer
• Step 2 SSL Record Protocol Operation
• Step 3 SSL Handshake Protocol
• Step 4 Digital Certificates
• Step 5 X.509 Certificates
• Step 6 HTTPS

Part 2 HTTPS Configuration
• Step 7 Installation and startup
• Step 8 HTTPS configuration
• Step 9 Packet Capture using Wireshark
HTTPS Server Testing Environment
1. server.chul.com: 192.168.80.25
   HTTPS server
   https://www.chul.com
2. client.chul.com: 192.168.80.10
   Linux web client
   Testing on Firefox
Step 1 Secure Socket Layer (SSL)
SSL Record Protocol Service
1. Confidentiality
   using symmetric encryption with a shared secret key defined by the Handshake Protocol
   AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
   message is compressed before encryption
2. Message integrity
   using a MAC (Message Authentication Code) with a shared secret key
   similar to HMAC but with different padding
Step 3 SSL Handshake Protocol (1)
1. allows server & client to:
   authenticate each other
   negotiate encryption & MAC algorithms
   negotiate cryptographic keys to be used
2. comprises a series of messages in phases
   ① Establish Security Capabilities
   ② Server Authentication and Key Exchange
   ③ Client Authentication and Key Exchange
   ④ Finish
Step 4 Digital Certificates
1. Digital Signatures
   1.1 Private key to encrypt, public key to decrypt
       Any holder of the public key can decrypt the message, but only a holder of the private key could have encrypted it
   1.2 For speed and improved security, hash the plaintext and sign that, then encrypt
   1.3 Algorithms: RSA, ElGamal, DSA
       DSA is intended for digital signatures only
2. Digital Certificates
   2.1 Trusted third party digitally signs public key
       Certificate Authority (CA) has a public key that is known by everyone involved
   2.2 The resulting digital certificate contains
       Server's public key and expiration date
       Information about the owner of the key
       Information about the CA and the CA's signature
       Information on how the certificate may be used
Step 6 HTTPS
1. HTTPS (HTTP over SSL)
   combination of HTTP & SSL/TLS to secure communications between browser & server
   documented in RFC 2818
   no fundamental change using either SSL or TLS
2. Use https:// URL rather than http://
   and port 443 rather than 80
3. Encrypts
   URL, document contents, form data, cookies, HTTP headers
Step 7 Installation and startup
1. Package installation
   # rpm -qa | grep httpd
   # rpm -qa | grep mod_ssl
   # rpm -qa | grep openssl
   # yum install httpd httpd-manual httpd-devel
   # yum install mod_ssl openssl
2. Service startup and main directories
   # service httpd start
   # ls -l /etc/httpd/conf /var/www/html /etc/pki/CA
3. Service startup checking
   # ps -ef | grep httpd
   # netstat -nat | grep 80
4. Runlevel registration
   # chkconfig httpd on
   # chkconfig --list httpd
5. Testing on browser
   http://localhost
Step 8 HTTPS Configuration (1)
1. SSL configuration for making a private Certificate Authority
   # vim /etc/pki/tls/openssl.cnf
   dir = /etc/pki/CA
   certificate = $dir/linux-ca.crt
   crl = $dir/linux-ca.crl
   private_key = $dir/private/linux-ca.key
2. Default setting for CA
   # mkdir /etc/pki/CA/{certs,crl,newcerts}
   # touch /etc/pki/CA/index.txt      // database to contain all certificates
   # echo 01 > /etc/pki/CA/serial     // next certificate serial number issued
3. Generating RSA private key
   # openssl genrsa -out private/linux-ca.key -des3 2048
   # openssl rsa -noout -text -in linux-ca.key
4. Generating Certificate
   # openssl req -new -x509 -key private/linux-ca.key -days 365 > linux-ca.crt

Step 8 HTTPS Configuration (2)
5. Generating a Certificate Signing Request (CSR)
   # openssl req -new -key linux-ca.key -out linux-ca.csr
6. Creating a CA-signed Certificate
   # openssl ca -in linux-ca.csr -out linux-ca.crt
   # cp linux-ca.key /etc/httpd/conf
   # cp linux-ca.crt /etc/httpd/conf/
   # cp linux-ca.crt /var/www/html/certs/     // download certificate for users
7. SSL configuration
   # vim /etc/httpd/conf.d/ssl.conf
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/linux-ca.crt
   SSLCertificateKeyFile /etc/httpd/conf/linux-ca.key
8. SSL log file
   # tail -f /var/log/httpd/ssl_access ssl_error
9. Testing on the browser
   # service httpd restart
   https://www.chul.com/
   Examine Certificate on the browser
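As an added example (not from the original slides), the script below carries the Step 8 private-CA workflow through unattended and ends with the check a client makes before trusting the server: that the server certificate chains to linux-ca.crt and that its CN is www.chul.com. It assumes the openssl CLI is installed, signs with openssl x509 -req instead of the slides' openssl ca database, leaves the CA key unencrypted (no -des3) so nothing prompts for a passphrase, and uses the hypothetical file names server.key, server.csr and server.crt so the server certificate does not overwrite the CA certificate.

```shell
#!/bin/sh
# Added example, not from the original slides: build the private CA from
# Step 8, issue a server certificate for www.chul.com, and verify it the
# way a client does before trusting it. Assumes the openssl CLI; signs with
# "openssl x509 -req" instead of the "openssl ca" database, and keeps the
# CA key unencrypted (no -des3) so nothing prompts for a passphrase.
set -eu

# make_ca DIR: 2048-bit RSA CA key plus self-signed CA certificate (365 days)
make_ca() {
    dir="$1"
    mkdir -p "$dir/private"
    openssl genrsa -out "$dir/private/linux-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/private/linux-ca.key" -days 365 \
        -subj "/C=KH/O=chul.com/CN=Linux CA" -out "$dir/linux-ca.crt"
}

# make_server_cert DIR HOST: separate server key, CSR with CN=HOST, then a
# CA-signed certificate. Distinct file names (server.*) keep the server
# certificate from overwriting the CA certificate linux-ca.crt.
make_server_cert() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=KH/O=chul.com/CN=$host"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/linux-ca.crt" \
        -CAkey "$dir/private/linux-ca.key" -CAcreateserial -days 365 \
        -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR HOST: succeeds only if server.crt chains to linux-ca.crt
# AND its subject CN equals HOST, the two checks a browser makes before it
# shows the page without a certificate warning.
verify_chain() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/linux-ca.crt" "$dir/server.crt" \
        | grep -q ': OK' || return 1
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$host"
}

WORKDIR=$(mktemp -d)
make_ca "$WORKDIR"
make_server_cert "$WORKDIR" www.chul.com
if verify_chain "$WORKDIR" www.chul.com; then
    echo "server.crt chains to linux-ca.crt and names www.chul.com"
fi
```

The two files handed to mod_ssl are then server.key and server.crt (SSLCertificateKeyFile and SSLCertificateFile), while linux-ca.crt is what users import into the browser.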
Step 9 Packet Capture using Wireshark
1. Start Wireshark on the server system
   # rpm -qa | grep wireshark
   # yum install wireshark wireshark-gnome
   # wireshark
2. Packet capture for an http packet on Wireshark
   # service httpd restart
   # elinks http://www.chul.com
3. Packet capture for an https packet on Wireshark
   # service httpd restart
   # elinks https://www.chul.com
4. Packet analysis using Wireshark