Once we have our SSL certificate, using it with our web server is just a matter of editing our VirtualHost file to include this information.
First, we must make sure the Apache SSL module is loaded (as root):
# a2enmod ssl
Module ssl already enabled
Disabling insecure protocols
Several severe vulnerabilities in the old SSL protocol versions have been published lately, so we should protect ourselves from them. Simply edit /etc/apache2/mods-available/ssl.conf, or /etc/apache2/conf.d/ssl.conf if the file is not there; just search for it, it won't be far away.
Search for a line starting with SSLProtocol and make sure it reads like this:
SSLProtocol all -SSLv2 -SSLv3
You may have to add the -SSLv2 -SSLv3 part yourself. It is also worth changing (or adding) the line:
SSLCompression off
because TLS-level compression lets an attacker who can inject chosen plaintext into our pages recover secrets such as session cookies from the encrypted traffic (the CRIME attack). Remember to reload Apache after changing these files so the new settings take effect.
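Checking these two settings by hand on several servers gets tedious, so here is a small audit script, written for this post as an added example (it is not part of the original article or of Apache). It reads an Apache mod_ssl configuration file, takes the last non-comment SSLProtocol and SSLCompression directives (Apache keeps the last one it reads and compares protocol names case-insensitively), and fails if SSLv2 or SSLv3 is still enabled or compression is not switched off. The two sample configuration files it writes are constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache mod_ssl
# configuration file for the SSLProtocol and SSLCompression directives.
# audit_ssl_conf FILE returns 0 when SSLv2/SSLv3 are disabled and compression
# is off, 1 otherwise, printing one line per finding.

# Last non-comment occurrence of a directive, lowercased.
last_directive() {
    grep -v '^[[:space:]]*#' "$2" | grep -iE "^[[:space:]]*$1[[:space:]]" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

audit_ssl_conf() {
    conf="$1"
    status=0

    proto_line=$(last_directive SSLProtocol "$conf")
    if [ -z "$proto_line" ]; then
        echo "FAIL: no SSLProtocol directive; the build default may still allow SSLv3"
        status=1
    else
        set -- $proto_line          # word-split the line; $1 is the directive name
        shift
        has_all=0; no_v2=0; no_v3=0; old_enabled=0
        for tok in "$@"; do
            case "$tok" in
                all|+all)                  has_all=1 ;;
                -sslv2)                    no_v2=1 ;;
                -sslv3)                    no_v3=1 ;;
                sslv2|+sslv2|sslv3|+sslv3) old_enabled=1 ;;
            esac
        done
        if [ "$old_enabled" -eq 1 ]; then
            echo "FAIL: SSLv2/SSLv3 explicitly enabled: $proto_line"
            status=1
        elif [ "$has_all" -eq 1 ] && { [ "$no_v2" -eq 0 ] || [ "$no_v3" -eq 0 ]; }; then
            echo "FAIL: 'all' used without both -SSLv2 and -SSLv3: $proto_line"
            status=1
        else
            echo "OK:   $proto_line"
        fi
    fi

    comp_line=$(last_directive SSLCompression "$conf")
    case "$comp_line" in
        "")    echo "FAIL: SSLCompression not set; older mod_ssl versions default to on"
               status=1 ;;
        *off)  echo "OK:   $comp_line" ;;
        *)     echo "FAIL: TLS compression enabled (CRIME): $comp_line"
               status=1 ;;
    esac
    return "$status"
}

# Constructed sample configs for the demo: write_sample_confs DIR
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all
    SSLCompression on
</IfModule>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<IfModule mod_ssl.c>
    # SSLProtocol all      (old value, kept as a comment and ignored)
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression off
</IfModule>
EOF
}

# Stand-alone demo: the weak file fails, the hardened one passes.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in weak hardened; do
    echo "== $f.conf"
    audit_ssl_conf "$demo_dir/$f.conf" && echo "=> $f.conf passes" \
        || echo "=> $f.conf needs fixing"
done
rm -rf "$demo_dir"
```

Run it against your real file with `audit_ssl_conf /etc/apache2/mods-available/ssl.conf`; a VirtualHost file can override these directives, so run it on each enabled site as well.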
Including the certificate
Then edit our VirtualHost file, wrapping it in a mod_ssl block. Put:
<IfModule mod_ssl.c>
at the beginning and
</IfModule>
at the end, so Apache only reads this host when the SSL module is loaded.
Our VirtualHost must now bind to port 443 (https), so <VirtualHost *:80> becomes <VirtualHost *:443>.
Then, tell Apache where our certificate and key are:
SSLEngine on
SSLCertificateFile /tmp/apache2/certs/myserver.crt
SSLCertificateKeyFile /tmp/apache2/certs/myserver.key
if we have a self-signed certificate: there is no separate chain to send, so SSLCertificateFile and SSLCertificateChainFile would be the same file and we can leave the chain out. If we have a CA-signed certificate, we also hand Apache the CA's intermediate certificate(s) in SSLCertificateChainFile so that browsers can build the chain up to a trusted root:
SSLEngine on
SSLCertificateFile /tmp/apache2/certs/myserver.crt
SSLCertificateKeyFile /tmp/apache2/certs/myserver.key
SSLCertificateChainFile /tmp/apache2/certs/myCA.crt
A word about the paths: /tmp is fine for trying this out, but it is not a place to keep a private key permanently. Move the files somewhere like /etc/ssl/private, owned by root, with mode 600 on the key so no other user on the machine can read it. Then, add some options (I borrowed these from some default configuration files, so your installation may include something similar):
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
This helps performance: the SSL-related environment variables are only exported to scripts, so requests for images, JavaScript, CSS and so on don't pay for building them.
I also use these settings, again borrowed from some default configuration files; they work around old Internet Explorer versions that don't handle SSL shutdown and keepalive properly (not every visitor uses a decent browser):
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
So, the resulting file will look like this (Order allow,deny / allow from all is the Apache 2.2 access-control syntax; on Apache 2.4 use Require all granted instead):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info@totaki.com
ServerName totaki.com
ServerAlias www.totaki.com
DocumentRoot /home/cloud/www/totaki.com/www
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/cloud/www/totaki.com/www/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog "/home/cloud/www/totaki.com/logs/error.log"
LogLevel warn
CustomLog "/home/cloud/www/totaki.com/logs/access.log" combined
SSLEngine on
SSLCertificateFile /tmp/apache2/certs/myserver.crt
SSLCertificateKeyFile /tmp/apache2/certs/myserver.key
SSLCertificateChainFile /tmp/apache2/certs/myCA.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Extra: check certificate on server
To check the certificate of a remote server directly from our terminal, just use this command (add -servername server.com to s_client if the server hosts several HTTPS names on one IP, so it sends back the right certificate):
$ echo | openssl s_client -showcerts -connect server.com:443 | openssl x509 -text
We will see the signature, validity, subject, key and extension information. We can also use some variants to extract particular information, for example the validity dates:
$ echo | openssl s_client -showcerts -connect server.com:443 | openssl x509 -noout -dates
or subject
$ echo | openssl s_client -showcerts -connect server.com:443 | openssl x509 -noout -subject
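Before reloading Apache with the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile settings from the section above, it is worth checking the files themselves; the script below does that and also wraps the remote lookup from this section. It is an added example written for this post, not code from the original article or from Apache, and it assumes the openssl command line tool and GNU or BSD stat are installed. It checks that the private key really belongs to the certificate (by comparing the public keys, which also works for EC keys), that the certificate is not about to expire, that the key file is not group- or world-readable, and, when a chain file is given, that the certificate verifies against it. For the demo it generates a throwaway self-signed pair in a temporary directory; the remote lookup needs network access and is not exercised.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certificate and key named in SSLCertificateFile / SSLCertificateKeyFile,
# plus the remote lookup from the "Extra" section with SNI.
# Assumes the openssl command line tool and GNU or BSD stat are available.

# The public key inside the certificate must equal the one derived from the
# private key.  Comparing public keys (instead of the RSA modulus) also works
# for EC keys.  Returns 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# The private key must not be readable by group or others.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# cert_report CERT KEY [DAYS] [CHAIN]
# Runs every check, prints one line per result and returns 0 only if all pass.
# CHAIN is the file you would put in SSLCertificateChainFile; for a self-signed
# certificate it is the certificate itself.
cert_report() {
    cert="$1"; key="$2"; days="${3:-30}"; chain="$4"; rc=0
    if cert_key_match "$cert" "$key"; then echo "OK:   private key matches certificate"
    else echo "FAIL: private key does not match certificate"; rc=1; fi
    if cert_valid_for_days "$cert" "$days"; then echo "OK:   valid for more than $days days"
    else echo "FAIL: certificate expires within $days days"; rc=1; fi
    if key_perms_ok "$key"; then echo "OK:   key file permissions"
    else echo "FAIL: key is readable by group/others (chmod 600 $key)"; rc=1; fi
    if [ -n "$chain" ]; then
        if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
            echo "OK:   certificate verifies against chain"
        else echo "FAIL: certificate does not verify against $chain"; rc=1; fi
    fi
    openssl x509 -in "$cert" -noout -subject -dates
    return "$rc"
}

# Leaf certificate of a remote server, as in the "Extra" section but with SNI
# (-servername), so a server with several HTTPS names returns the right one.
# Needs network access; not exercised by the demo below.
fetch_remote_cert() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509
}

# Throwaway self-signed pair for the demo: make_selfsigned DIR NAME DAYS
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# Stand-alone demo: a matching pair passes, a foreign key fails.
demo=$(mktemp -d)
make_selfsigned "$demo" myserver 365
make_selfsigned "$demo" other 365
echo "== matching pair"
cert_report "$demo/myserver.crt" "$demo/myserver.key" 30 "$demo/myserver.crt"
echo "== wrong key"
cert_report "$demo/myserver.crt" "$demo/other.key" 30 || echo "=> report: FAIL (expected)"
rm -rf "$demo"
```

For a real installation, call `cert_report /path/to/myserver.crt /path/to/myserver.key 30 /path/to/myCA.crt` before `service apache2 reload`; for a remote host, `fetch_remote_cert server.com | openssl x509 -noout -dates` gives the same output as the s_client pipeline above, but with SNI set.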