03-ssl-completo

Installing OpenSSL on Apache
Configuring a secure web server with Apache and OpenSSL
Ing. Armando Carvajal, network software specialist
Uniandes, April 2004, Bogotá, Colombia
LINUX PARA NEGOCIOS


OPERATING SYSTEM AND VERSION:

Installing OpenSSL on Apache

Enabling secure connections with SSL

SSL stands for Secure Sockets Layer and it relies on public-key (asymmetric) cryptography. With asymmetric keys the server creates a key pair consisting of a public key and a private key. The server then builds a certificate request containing its public key, signs that request with its own private key, and submits it to a certification authority (CA). The CA checks the request and signs it with the CA's private key, turning it into an X.509 certificate that binds the server's public key to its name. The server that made the request now has a unique, CA-issued certificate whose signature anyone holding the CA's certificate can verify in the future. (The CA does not embed its own public key in the server's certificate; the CA's public key lives in the CA certificate that browsers already carry.)

This step is generally repeated once a year, and the certification authority charges for it.

The goal is to encrypt the connection between the client (browser) and the web server using the certificate that the server always sends to the client. The server transmits its certificate, making it available to any browser or client that connects to the server on the secure port 443. Once the browser receives the certificate it verifies it locally: it checks the CA's signature using the CA certificate already present in its trust store (the browser does not contact the CA to do this), checks the validity dates and that the name in the certificate matches the host it connected to, and only then uses the server's public key to negotiate the session keys that encrypt the traffic.

Clearly the private key must be kept secret by its owner on the server itself, and the certification authority must guard its own private key just as jealously. OpenSSL is an open-source implementation of SSL/TLS (it is free software, but not a GNU project). To see the version of the installed OpenSSL package, type:

# rpm -qi openssl

In Apache version 2.0.x the module in question (mod_ssl) is already included. The OpenSSL project is an open-source project that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.

OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.

The main OpenSSL site is www.openssl.org. To build it from source:

# tar xzvmf openssl-0.9.7e.tar.gz
# cd openssl*
# ./config
# make
# make install

Version 0.9.7e was current when this manual was written; that release, and the SSL v2/v3 protocols themselves, have been unsupported for many years, so on a current system install the distribution's OpenSSL package instead and keep it patched.

Generating private and public keys

To generate a 1024-bit RSA private key into the file mva.key, type:

# openssl genrsa -out mva.key 1024

(1024 bits was the norm when this manual was written; today 2048 bits is the minimum that browsers and public CAs accept, so substitute 2048 in the command above.)

In Apache 2.0 the private key usually lives in /usr/local/apache2/conf/ssl.key/server-dsa.key.

To generate a certificate signing request (CSR) for purchasing a certificate from a certification authority, type:

# openssl req -new -key mva.key -out mva.csr -days 360

To generate the CSR and the private key in the same step, type:

# openssl req -new -keyout mva.key -out mva.csr -days 360

Note that -days is only honored when openssl req emits a certificate (-x509); on a plain request the validity period is decided by the CA that signs it.

To sign the request above with the server acting as its own certification authority (a self-signed certificate):

# openssl req -x509 -key mva.key -in mva.csr -out mva.crt

In Apache 2.0 the public key (the certificate) usually lives in /usr/local/apache2/conf/ssl.crt/server-dsa.crt. Whatever names you choose, SSLCertificateFile and SSLCertificateKeyFile in the Apache configuration must point at the pair generated here: the server-dsa.* files that ship with Apache are sample DSA material, while the key generated above is RSA.

To generate the private and public keys of the Certification Authority (CA):

# openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

Notes: the names cakey.pem and cacert.pem (with the .pem extension) are the ones the stock openssl.cnf expects under demoCA, which is why they are used here. The -keyout cakey.pem option generates the private key. It is recommended to be positioned in the directory /usr/local/ssl, because the stock openssl.cnf refers to ./demoCA relative to the current directory. Now the CA must create the directory layout it uses to sign public-key requests, for example:

# mkdir -p /usr/local/ssl/demoCA/private
# mkdir -p /usr/local/ssl/demoCA/newcerts

Copy the private key cakey.pem to the private-key directory:

# cp cakey.pem /usr/local/ssl/demoCA/private

Copy the public key cacert.pem to the CA's public-key directory:

# cp cacert.pem /usr/local/ssl/demoCA

Create the file index.txt, which will hold the list of public certificates issued:

# touch /usr/local/ssl/demoCA/index.txt

Create the file named serial, which will hold the running serial number of the certificates issued; it must start at zero:

# echo 00 > /usr/local/ssl/demoCA/serial

(Starting at 01 also works and avoids issuing a certificate with serial number zero, which RFC 5280 does not allow.)

To sign requests as a CA:

# openssl ca -policy policy_anything -out mva.crt -infiles mva.csr

To view an X.509 certificate (public key), type:

# openssl x509 -noout -text -in mva.crt

To view the subject of a certificate issued by a certification authority, type:

# openssl x509 -noout -subject -in mva.crt

To view a private key:

# openssl rsa -noout -text -in mva.key

To view a certificate signing request:

# openssl req -noout -text -in mva.csr

Enabling SSL in Apache
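Before Apache is configured, the key material from the previous section has to exist and be consistent. The script below is an added example, not part of the original manual: it reproduces the whole demoCA procedure above (CA key pair, server key and CSR, signing with openssl ca under policy_anything, inspection with openssl x509) in a temporary directory, then performs the two checks a practitioner wants before handing the files to Apache: that the issued certificate chains to the CA and that the private key matches the certificate. The CA name "Demo Root CA", the host name www.example.com, the 2048-bit key size, the serial starting at 01 and the inline openssl.cnf are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original manual): build the demoCA layout,
# issue a server certificate with `openssl ca`, and verify the result.
# Names (Demo Root CA, www.example.com, mva.*) are assumptions.
set -eu

# Write a minimal openssl.cnf for the CA; $1 is the working directory.
write_ca_config() {
    work="$1"
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $work/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_ext

# The policy the manual selects with -policy policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Extensions for the self-signed CA certificate
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Extensions stamped on issued server certificates
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
}

# CA key pair and self-signed CA certificate (cakey.pem / cacert.pem).
make_ca() {
    ca="$1/demoCA"
    mkdir -p "$ca/private" "$ca/newcerts"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"   # manual starts at 00; 01 avoids a zero serial
    openssl req -new -x509 -config "$1/ca.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$ca/private/cakey.pem" \
        -out "$ca/cacert.pem" -days 365 -subj "/O=Demo CA/CN=Demo Root CA" 2>/dev/null
}

# Server private key and CSR (2048-bit RSA instead of the 1024 shown).
make_server_csr() {
    openssl genrsa -out "$1/mva.key" 2048 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$1/mva.key" \
        -out "$1/mva.csr" -subj "/CN=www.example.com"
}

# Sign the CSR as the CA, as `openssl ca -policy policy_anything` does.
sign_csr() {
    openssl ca -batch -config "$1/ca.cnf" -policy policy_anything \
        -out "$1/mva.crt" -infiles "$1/mva.csr" 2>/dev/null
}

# The inspection command from the manual.
cert_subject() { openssl x509 -noout -subject -in "$1/mva.crt"; }

# Check 1: the issued certificate chains to the CA certificate.
verify_chain() {
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/mva.crt" >/dev/null 2>&1
}

# Check 2: the key Apache will load matches the certificate (same modulus).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/mva.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/mva.crt")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

run_demo() {
    write_ca_config "$1"
    make_ca "$1"
    make_server_csr "$1"
    sign_csr "$1"
}

DEMO_DIR=$(mktemp -d)
run_demo "$DEMO_DIR"
verify_chain "$DEMO_DIR"
key_matches_cert "$DEMO_DIR"
echo "issued: $(cert_subject "$DEMO_DIR")"
echo "chain verifies against demoCA/cacert.pem and the key matches the certificate"
```

The modulus comparison is the fastest way to catch the classic mistake of pointing SSLCertificateFile at one key pair and SSLCertificateKeyFile at another; Apache refuses to start in that case, but only after the pass-phrase prompt.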

To obtain a more up-to-date version of Apache, download the latest release from http://www.apache.org.

Version 2.0.x must be installed with the following commands to support SSL and LDAP:

# tar xvzf httpd-2.0.48.tar.gz
# cd httpd*
# ./configure --enable-ssl --with-ldap --enable-ldap --enable-auth-ldap
# make
# make install

It will generally be installed in /usr/local/apache2, but this can be changed with the parameter --prefix=/desired/directory. Now edit the file /usr/local/apache2/conf/httpd.conf (in the stock 2.0 layout the SSL directives live in conf/ssl.conf, which httpd.conf includes only when the server is started with apachectl startssl) and check that the following parameters exist:

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see
#
# For the moment, see for this info.
# The documents are still being prepared from material donated by the
# modssl project.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Until documentation is completed, please check http://www.modssl.org/
# for additional config examples and module documentation. Directives
# and features of mod_ssl are largely unchanged from the mod_ssl project
# for Apache 1.3.
#

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:/usr/local/apache2/logs/ssl_scache(512000)
#SSLSessionCache shmcb:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/usr/local/apache2/logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

##
## SSL Virtual Host Context
##

# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName localhost:443
ServerAdmin root@localhost
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt
SSLCACertificateFile /usr/local/apache2/conf/ca.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /usr/local/apache2/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} = 8 and %{TIME_HOUR}
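The configuration above is the stock mod_ssl 2.0 file from 2004. Its SSLCipherSuite line still admits export, LOW, RC4 and SSLv2-era ciphers, it sets no SSLProtocol (so SSLv2 and SSLv3 stay negotiable on an OpenSSL of that era), it lets the client choose the cipher, and it points at the sample DSA certificate instead of the mva.crt/mva.key pair generated earlier. The script below is an added example, not part of the manual or of Apache: it audits a constructed excerpt of that configuration for exactly those weaknesses, then runs the same audit over a hardened fragment that a current Apache 2.4 with OpenSSL 1.1.1 or later would accept. The excerpts, the audit rules and the paths under /usr/local/apache2/conf/ssl.crt are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the manual or Apache): audit an ssl.conf excerpt
# for the 2004-era weaknesses shown above and compare it with a hardened one.
# Both excerpts are constructed here; paths and file names are assumptions.

# Constructed excerpt of the stock mod_ssl 2.0 settings listed in the manual.
STOCK_SSL_CONF='Listen 443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key
SSLCACertificateFile /usr/local/apache2/conf/ca.crt'

# Hardened fragment (assumes Apache 2.4 and OpenSSL >= 1.1.1): TLS 1.2+ only,
# forward-secret AEAD suites, server-chosen order, and the RSA key pair plus
# CA certificate produced earlier in the manual (mva.key, mva.crt, cacert.pem).
HARDENED_SSL_CONF='Listen 443
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!LOW:!EXP
SSLHonorCipherOrder on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/mva.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/mva.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/cacert.pem'

# Print one finding per line for the weaknesses a reviewer looks for:
# no SSLProtocol, weak elements in the cipher string, client-chosen cipher
# order, and the sample DSA certificate still being referenced.
audit_ssl_conf() {
    printf '%s\n' "$1" | awk '
    $1 == "SSLProtocol"    { proto = $0 }
    $1 == "SSLCipherSuite" { suite = $2 }
    $1 == "SSLHonorCipherOrder" && tolower($2) == "on" { order = 1 }
    $1 == "SSLCertificateFile" && $2 ~ /server-dsa/ {
        print "sample DSA certificate still referenced: " $2
    }
    END {
        if (proto == "") print "no SSLProtocol: SSLv2/SSLv3 negotiable by default"
        if (suite == "") { print "no SSLCipherSuite"; exit }
        n = split(suite, t, ":")
        for (i = 1; i <= n; i++) {
            w = t[i]
            # A bare ALL base, or any element that adds (rather than removes,
            # with !) NULL, export, LOW, SSLv2, RC4 or MD5 suites.
            if (w == "ALL" || w ~ /^[+]?(eNULL|aNULL|EXP|EXPORT40|LOW|SSLv2|RC4.*|MD5)$/)
                print "weak cipher element: " w
        }
        if (!order) print "SSLHonorCipherOrder off: client picks the cipher"
    }'
}

# Number of findings, for a quick pass/fail.
count_findings() { audit_ssl_conf "$1" | wc -l | tr -d ' '; }

echo "== stock 2004 configuration =="
audit_ssl_conf "$STOCK_SSL_CONF"
echo "== hardened configuration =="
audit_ssl_conf "$HARDENED_SSL_CONF"
echo "findings: stock=$(count_findings "$STOCK_SSL_CONF") hardened=$(count_findings "$HARDENED_SSL_CONF")"
```

Since Apache 2.4.8 the chain can simply be appended to the file named by SSLCertificateFile and SSLCertificateChainFile is no longer needed; it is kept in the fragment because it mirrors the commented directive in the stock file above. After changing the cipher or protocol lines, confirm the result against the running server with openssl s_client rather than trusting the configuration text.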