Lampros - Weird Bricks

Apache 1.3 SSL (OpenSSL)

19 February, 2011 | FreeBSD

In my last tutorial I went over a basic installation of Apache on FreeBSD – of course :).

In this one, I'm going to go over enabling SSL for Apache.

Prerequisites are of course that you have already installed Apache from ports (/usr/ports/www/apache13-modssl).

So let's start!

1. Boot the FreeBSD VirtualBox and type: cd /usr/local/www/openssl and press enter.
2. Type make install clean to install the port.

You'll get a prompt to select options for openssl. Take the defaults and also add MD2. Then use the TAB key to select OK and continue.

If all went well you should see something like this in the end of the compiling.

The next step is to go ahead and issue a certificate! This is what's called a 'self-signed' certificate. It means that a well known authority (usually a security company such as Comodo or Verisign) has not verified that you are who you claim to be.

In practical terms, it means that all data sent from the server to a browser will still be encrypted, but the user will get a warning message.

To issue a certificate type in the following:

openssl req -new -x509 -nodes -out /usr/local/etc/apache/ssl.crt/server.crt -keyout /usr/local/etc/apache/ss.key/server.key -days 3650

Then openssl will ask you a bunch of questions like Country, organization name etc. Since this is a self-signed crertificate what you enter doesn't really matter.

To test, all we need to do is start apache with the startssl parameter.

/usr/local/sbin/apachectl startssl

Open up your browser and browse to the webserver's URL:

You should get the following message in Firefox:

Click on 'I understand the Risks'

Then click on 'Add Exception...'

Then click on 'Confirm Security Exception'

And you should get this:

If you want to make Apache only listen for secure connections, you will need to add the following:

Edit httpd.conf ee /usr/local/etc/apache/httpd.conf

Go down to line 241 and type in the following:

Then exit and save. Make sure to restart Apache after editing the file.

/usr/local/sbin/apachectl restart

And from here on, it should all be SSL encrypted.]]>