Raible's Wiki: ApacheSSL

At line 1 removed 44 lines.

span.highlight {background: yellow; color: black}

div.highlight {background: #ffc; color: black; border: 1px solid black; padding: 10px}

p.testedBy {border-top: 1px dashed black; padding-top: 5px; color: #666; background: transparent; font-size: .9em;}

</style>

<!--

$Id: ssl-howto.html,v 1.2 2002/09/27 20:50:37 mraible Exp $

Changelog:

1.6.7 2004-05-18 Moved to Wiki so users can edit when they find mistakes/updates

1.6.6 2003-12-30 Added user comments

1.6.5 2002-09-27 Added instructions for Linux

1.6.4 2002-09-26 Added information for Apache 2.0 and added a little formatting

1.6.3 2002-05-18 info about better not overwriting the configuration files

1.6.2 2002-05-10 more info about "couldn't load..."; apache 2 warning

1.6.1 2002-04-10 AddModule clarification, more debugging

1.6 2001-12-28 Windows XP information, common problems section

1.5.3 2001-11-27 Added link to French translation

1.5.2 2001-11-06 Added AddModule

1.5.1 2001-10-26 Added link to Spanish translation

1.5 2001-10-20 Lots of clarifications based on input from many people

1.4.4 2001-05-26 Added Peter Holm to the contributors

1.4.3 2001-05-25 "Port" directive commented out, some fixes for current versions

1.4.2 2001-04-06 Remark about .so files

1.4.1 2001-02-20 Success on ME

1.4 2001-01-28 Information about debugging connect errors

1.3.14 2000-12-28 Small fixes; right-click to download the openssl.cnf file

1.3.13 2000-12-19 Added feedback section

1.2.12 2000-11-21 Information about the languages I speak

1.2.11 2000-11-15 Removed outdated information about M$ IIS

1.2.10 2000-11-05 OpenSSL.exe fixes

1.2.9.2 2000-09-11 Minor tweaks, corrected HTML

1.2.9.1 2000-07-26 IfDefine Directive added, thanks to Torsten Stanienda

1.2.8 2000-05-09 OpenSSL -config corrected

1.2.7 2000-04-29 Peter Barany corrected my English

1.2.6 2000-04-28 Added info on converting the certificate to DER format for MSIE 4

1.2.5 2000-04-21 The HOWTO is now hosted on my on server. Updated the URL

Added -config parameter for openssl to work with the provided config file

1.2 2000-01-24 Christoph Zich tested the HOWTO on Windows 98

1.1 1999-10-22 Included Horst Brauner's openssl.conf file

1.0 Initial release

-->

At line 46 removed 469 lines.

google_ad_client = "pub-7968247362757416";

google_ad_width = 468;

google_ad_height = 60;1

google_ad_format = "468x60_as";

google_color_border = "990000";

google_color_bg = "FFFFFF";

google_color_link = "000000";

google_color_url = "CC0000";

google_color_text = "333333";

//--></script>

src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>

</div>

<h1>The Apache + SSL HOWTO</h1>

Version 1.6.7 (changelog: view source)

<a href="http://www.geocities.com/sartigas/apachessl.html">Spanish

translation</a> maintained by <a href="mailto:[email protected]">Sergio

Artigas</a>

<a href="http://netsafe.free.fr/index.php?Chap=A1">French

translation</a> maintained by <a href="mailto:[email protected]">Jean-Francois

Moreau</a>

Revised September 26, 2002 by <a href="mailto:[email protected]">Matt Raible</a> for Apache 2.0.42.

Original Article at <a href="http://tud.at/programm/apache-ssl-win32-howto.php3/">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.

<h2>Overview</h2>

This page describes the installation of the Win32 version of Apache with

the mod_ssl extension. The newest version should always be available from <a

href="http://tud.at/programm/apache-ssl-win32-howto.php3">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.

This process worked for many people on Windows NT, 98, ME, 2000 and XP;

please <a href="mailto:[email protected]">mail me</a> your suggestions and

bug reports. You can even install Apache with SSL in addition to the Microsoft

Internet Information Server if you need to.

Note: sometimes, there are changes between the precompiled apache

distributions so that this HOWTO is not correct anymore. In this case,

if the current version does not work for you, download an older version -

one that was published before the modification date of this HOWTO.

Or, if you like adventures, try to make it run, and <a href="mailto:[email protected]">mail

me</a> if you needed to change anything.

Apache with mod_ssl seems to be the only free (as in speech, not in beer)

solution for Win32. Please note that Apache on Win32 is considered beta

quality as it doesn't reach the stability and performance of Apache on

Un*x platforms.

<h2>1.: <a name="install" id="install"></a>Installing Apache</h2>

Get the Win32 version of the Apache web server from one of the <a

href="http://www.apache.org/mirrors/">mirrors</a>. It is called something like

<code>apache_x_y_z_win32.exe</code>. This is a self-extracting archive that

contains the Apache base system and sample configuration files.

Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on

modssl.org, you cannot expect it to work with 2.0.x.

Install Apache as described in <a href="http://www.apache.org/docs/windows.html">http://www.apache.org/docs/windows.html</a>.

For Linux, to install Apache 2.0.42 with mod_sll installed, I performed the following steps:

I used <a href="http://httpd.apache.org/docs-2.0/install.html">http://httpd.apache.org/docs-2.0/install.html</a> as a reference.

<code>$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz</code>

<code>$ gzip -d httpd-2.0.42.tar.gz</code>

<code>$ tar xvf httpd-2.0.42.tar</code>

<code>$ ./configure --enable-mods-shared=most --enable-ssl=shared</code>

<code>$ make install</code>

If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from<a href="http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so"> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so</a>.

After downloading, put this file into your <code>modules</code> directory

and rename it <code>mod_jk.so</code>. <a href="http://www.raibledesigns.com/tomcat">Click

here</a> for more information on configuring Apache and Tomcat.

</div>

Note: You can skip this step and get a full Apache+SSL distribution from

modssl.org, as described below. There will be no fancy installation program but

you won't need to overwrite the stock Apache files. This is the better way if

you are experienced and don't fear editing configuration files (which you will

need to do anyway).

Change at least the following parameters in <code>

Apache-dir/conf/httpd.conf</code>:

[[Replace all occurences of <code>www.my-server.dom</code> with the real

domain name!]

<ul>

<li><code>Port 80</code> to <code># Port 80</code> (Comment it out;

<code>Port</code> is not necessary, <code>Listen</code> overrides it

later.)</li>

<li>(if not in addition to IIS) <code>Listen 80</code></li>

<li><code>Listen 443</code> (So your server listens on the standard SSL

port)</li>

<li><code>ServerName</code> www.my-server.dom</li>

<li>(if in addition to IIS) <code>DocumentRoot</code> and the corresponding

<code><Directory</code> some-dir<code>></code> to your <code>Inetpub\wwwroot</code></li>

</ul>

Install the Apache service (NT only) and start the server. Verify that

everything works before proceeding to the SSL installation because this

limits the possible errors.

Try http://www.my-server.dom:443/. It won't be encrypted yet but if

this works then the port configuration (port 443) is right.

<h2>2.: <a name="openssl" id="openssl"></a>Getting OpenSSL and mod_ssl</h2>

Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a>

and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>.

(You can get the 2.0.42 version at <a href="http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip">http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip</a>, older packages

are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>).

Download and unzip it to a new directory.

If you need the newest version, you will have to compile it yourself if it is

not there. Don't ask me about it; I don't have it, I don't compile the versions

on modssl.org, and I don't have access to development tools on Win32.

Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>

from the Apache/modssl distribution directory to <code>WINNT\System32</code>.

This is important! About 70 % of the e-mails I receive is because people

forget to do this.

Download and install Cygwin from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.

You'll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already

exist for you. If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.

<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.

<code>openssl req -new -out server.csr</code>

This creates a certificate signing request and a private key. When asked

for <code>"Common Name (eg, your websites domain name)"</code>,

give the exact domain name of your web server (e.g. www.my-server.dom).

The certificate belongs to this server name and browsers complain if the

name doesn't match.

<code>openssl rsa -in privkey.pem -out server.key</code>

This removes the passphrase from the private key. You MUST understand

what this means; <code>server.key</code> should be only readable by the

apache server and the administrator.

You should delete the <code>.rnd</code> file because it contains the entropy

information for creating the key and could be used for cryptographic attacks

against your private key.

<code>openssl x509 -in server.csr -out server.crt -req -signkey server.key

-days 365</code>

This creates a self-signed certificate that you can use until you get a

"real" one from a certificate authority. (Which is optional; if you

know your users, you can tell them to install the certificate into their

browsers.) Note that this certificate expires after one year, you can

increase <code>-days 365</code> if you don't want this.

If you have users with MS Internet Explorer 4.0+ and want them to be able

to install the certificate into their certificate storage (by downloading and

opening it), you need to create a DER-encoded version of the certificate:

<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code>

Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>

and <code>server.crt</code> into it. For Linux create

two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>

into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.

Tip from Olivier Gambier:

You can't create a certificate with openssl.exe without a config file

(you get an error about distinguished names).

Thus if the variable OPENSSL_CONF is not defined (and I didn't find it

in your doc, nor I found a conf file in the distrib I downloaded), you

must add:

"-config configfile"

to the certificate creation command, and create a valid "configfile"

I found the information, among with the error message meaning, from

<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.

<h2>4.: <a name="configuring" id="configuring"></a>Configuring Apache and mod_ssl</h2>

Copy the executable files (*.exe, *.dll, *.so) from the downloaded

apache-mod_ssl distribution over your original Apache installation directory

(remember to stop Apache first and DO NOT overwrite your edited config files

etc.!).

Find the LoadModule directives in your <code>httpd.conf</code> file and

add this after the existing ones, according to the file you have found in the

distribution:

<code>LoadModule ssl_module modules/ApacheModuleSSL.dll</code> or

<code>LoadModule ssl_module modules/ApacheModuleSSL.so</code> or

<code>LoadModule ssl_module modules/mod_ssl.so</code>

in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will

be done for you when you compile with <code>--enable-ssh=shared</code>)

In newer versions of the distribution, it could also be necessary to add

<code>AddModule mod_ssl.c</code>

after the AddModule lines that are already in the config file.

(Not necessary for 2.0.42)

Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/.

For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>

(Right click -> Save Target As...). Make sure

and change the <code>DocumentRoot</code> and <code>ServerName</code> values

on lines 93 and 94.

Add the following to the end of <code>httpd.conf</code>:

<pre>

<code># see <a

href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a> for more info

SSLMutex sem

SSLRandomSeed startup builtin

SSLSessionCache none

ErrorLog logs/ssl.log

LogLevel info

# You can later change "info" to "warn" if everything is OK

SSLEngine On

SSLCertificateFile conf/ssl/server.cert

SSLCertificateKeyFile conf/ssl/server.key

</VirtualHost></code></pre>

Don't forget to call apache with <code>-D SSL</code> if the <code>IfDefine</code>

directive is active in the config file! In other words,

either start Apache from the command line with <code>-D SSL</code> or comment

out the <code>IfDefine</code> start/end tags in <code>ssl.conf</code>.

NOTE: When using SSL with

multiple Virtual Hosts, you must use an ip-based configuration. This

is because SSL requires you to configure a specific port (443), whereas

name-based specifies all ports (*). You might the following error

if you try to mix name-based virtual hosts with SSL.

<code>[[error] VirtualHost _default_:443 -- mixing * ports and non-*

ports with a NameVirtualHost address is not supported, proceeding

with undefined results</code>

</div>

You might need to use <code>regedit</code> to change the key <code>

HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z</code> to the

correct number if the <code>apache.exe</code> from

<code>modssl.org/contrib</code> is not the same version as the previously installed

one. (This seems not to be necessary with recent versions.)

Start the server, this time from the command prompt (not as a service) in order

to see the error messages that prevent Apache from starting. If everything

is OK, (optionally) press CTRL+C to stop the server and start it as a service

if you prefer.

If it doesn't work, Apache should write meaningful messages to the screen

and/or into the error.log and SSL.log files in the Apache/logs directory.

If something doesn't work, set all <code>LogLevel</code>s to the maximum

and look into the logfiles. They are very helpful.

DON'T e-mail me or the other contributors without having plain Apache

installed (Step 1). We will ignore your request; we are not the Free Apache

Helpdesk and there is enough good documentation on configuring Apache; if that

is not enough for you, you shouldn't run a secure server anyway. Also, DON'T

e-mail without having looked into the error.log and SSL.log with

<code>LogLevel</code> set to Debug.

<h2><a name="debugging" id="debugging"></a>Debugging connect problems</h2>

Problems connecting to the server with a browser can have many reasons,

many of them on the client (proxy, DNS, general IE dumbness).

So, if you encounter problems connecting with SSL, try another browser

and/or look into the settings. If even this doesn't work, you can use

OpenSSL to debug the problem.

<pre><code>bb@www$ openssl s_client -connect no-such-machine:443

gethostbyname failure # Error resolving this DNS name. Connect with the IP address.

connect:errno=2

bb@www$ openssl s_client -connect www1.tud.at:443

connect: Connection refused

connect:errno=111

# No SSL server on this port. Double-check the Listen and Port directives.

bb@www$ openssl s_client -connect apcenter.apcinteractive.net:443

# everything OK. OpenSSL shows the information it obtained from the server.

CONNECTED(00000003)

depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]

verify error:num=18:self signed certificate

verify return:1

depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]

verify return:1

---

Certificate chain

0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]

i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]

---

Server certificate

---BEGIN CERTIFICATE---

MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV

[[...]

9ucXUnk=

---END CERTIFICATE---

subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]

issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]

---

No client certificate CA names sent

---

SSL handshake has read 1281 bytes and written 320 bytes

---

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA

Server public key is 1024 bit

SSL-Session:

Protocol : TLSv1

Cipher : EDH-RSA-DES-CBC3-SHA

Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB

Session-ID-ctx:

Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131

Key-Arg : None

Start Time: 980696025

Timeout : 300 (sec)

Verify return code: 0 (ok)

---

[Enter:

GET / HTTP/1.0

and press RETURN twice]

HTTP/1.1 200 OK

Date: Sun, 28 Jan 2001 15:34:58 GMT

Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4

Cache-Control: no-cache, no-store, must-revalidate, private

Expires: 0

Pragma: no-cache

X-Powered-By: PHP/4.0.4

Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT

Connection: close

Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

# the server shows its main document

</code></pre>

<h2>Common problems</h2>

Q: I see the following when starting Apache:

<pre>Syntax error on line [[some number] of ...httpd.conf

Cannot load apache/modules/mod_ssl.so into server

(126) The module could not be found:

</pre>

A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on

Win9x/ME)?

You can verify this by copying <code>openssl.exe</code> into a directory of its

own and executing it. If it complains about not being able to find some DLLs,

then you haven't copied them into the correct directory.

One user told me that he had this problem even when he did everything right. He

then found the problem: corrupt openssl DLLs. So if you get this error despite

having done everything correctly, try the openssl DLLs from another version from

modssl.org/contrib.

Q: I see the following when starting Apache:

<pre>Syntax error on line [[some number] of apache/conf/httpd.conf:

Cannot load apache/modules/apachemodulessl.dll into server:

(127) The specified procedure could not be found:</pre>

or:

<pre>Syntax error on line [[some number] of apache/conf/httpd.conf:

Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not

included in the server configuration</pre>

A: You didn't add the AddModule line (or not where it belongs, it belongs below

the other AddModule lines).

Q: SSL doesn't work in the browser and I see the following in some logfile:

<pre>

[Fri Nov 16 15:46:30 2001] [[error] OpenSSL: error:1407609C:SSL

routines:SSL23_GET_CLIENT_HELLO:http request [[Hint: speaking HTTP to

HTTPS port!?]

</pre>

A: How much clearer can an error message get? Your VirtualHost or Listen

configuration is wrong.

<h3>Questions about Java servlets, OpenSSL compilation etc.</h3>

Don't ask us about installing servlet extensions, recompiling mod_ssl or

Apache with EAPI, recompiled versions etc. We have no idea and won't be able

help you. We are just users and not programmers.

If your needs are so special, you are better off with a

<a href="http://www.debian.org/">Debian GNU/Linux</a> or

<a href="http://www.openbsd.org/">OpenBSD</a> server. It will save you lots

of trouble. Really.

<h2>Links</h2>

Apache Web Server: <a href="http://www.apache.org">http://www.apache.org</a>

mod_ssl: <a href="http://www.modssl.org">http://www.modssl.org</a>

mod_ssl configuration: <a

href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a>

OpenSSL: <a href="http://www.openssl.org">http://www.openssl.org</a>

PHP Hypertext preprocessor: <a href="http://www.php.net">http://www.php.net</a>

Author of this document: <a href="mailto:[email protected]">Balázs

Bárány</a> (<a href="http://tud.at">http://tud.at</a>)

(mail me your questions, but only after having looked into the error logs with

<code>LogLevel debug</code>. You can mail me in English, German and Hungarian.

If I am constantly ignoring your e-mail, read all the hints in the HOWTO about

how to e-mail me.)

Contributor: <a href="mailto:[email protected]">Horst

Bräuner</a> (OpenSSL configuration on NT)

Contributor: <a href="mailto:[email protected]">Christoph Zich</a>

(Windows 98)

Contributor: <a href="mailto:[email protected]">Torsten Stanienda</a>

(Test with 1.3.12, IfDefine directive)

Contributor: <a href="mailto:[email protected]">Peter Holm</a> (Listen and Port directives)

Last change: 2002-05-18

This document can be redistributed under the

<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free

These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a>

on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42.

</div>

Raible's Wiki

AppFuse

Other Applications

ApacheSSL