Secure https development on OS X

=0D=0D

=0D= =0D

Secure https development on OS X

=0D

Search google for a topic = like this will show you that there are many ways to skin a cat! Even reading the mod_ss= l instructions on Apple's website will not lead to a working solution because there are one or two errors and omissions. I followed these = instructions that I found which I was able to solve with a little troubleshooting. Specifically, at one point the need to cd into a directory was omitted = and the need to tell Apache via the httpd.conf file to listen on port 443 (the = https port) was not included. Read on for the summarized instructions here = which are based on the Apple article.

=0D

# Check what version of Apache you have
% httpd -v
Server version: = Apache/1.3.29 (Darwin)
Server built: Feb = 4 2004 10:31:58

# Although Mac OS X has = mod_ssl already compiled and installed, we need to download the source to get a = utility shell script named "sign.sh" that we need for this process.

# Go to = http://www.modssl.org/ and download the version of mod_ssl corresponding to your Apache = version. Continue working here and we will get to the download later.

# Make a working = directory in your home folder
% mkdir ~/KeyGen

# Move into the directory
% cd ~/KeyGen/

# Create the = =E2=80=9CSSLCertificateKeyFile=E2=80=9D, as it is called in the Apache httpd.conf =E2=80=94 a 1024 bit RSA key = encrypted with Triple-DES in PEM format. You=E2=80=99ll be plugging this into the configuration file for Apache soon. Make = note of the corresponding password!
% openssl = genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........................................................= .++++++
...++++++
e is 65537 (0x10001)
Enter = pass phrase for server.key:
Verifying - = Enter pass phrase for server.key:

# We = now have created the file "server.key" (private key file for generating an SSL certificate)

# Create a = CSR (Certificate Signing Request), which is what you would normally send to = a CA for signing. You=E2=80=99re going to sign it yourself. See my answers below. = Use your own. IMPORTANT, the Common name is the server host name, which for local = dev on your own machine is 127.0.0.1. Leave the 'extra' attributes blank (just = press return key)
% openssl req -new = -key server.key -out server.csr
Enter pass phrase for server.key:
You = are about to be asked to enter information that will be incorporated
into your = certificate request.
What you are about = to enter is what is called a Distinguished Name or a DN.
There are quite a few = fields but you can leave some blank
For = some fields there will be a default value,
If you enter '.', the = field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality = Name (eg, city) []:Palm Harbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebDevelopers, Inc.
Organizational Unit = Name (eg, section) []:Engineering
Common= Name (eg, YOUR name) []:127.0.0.1
Email Address []:webobjects@webdevinc.com

Please enter the following 'extra' attributes
to be sent with = your certificate request
A = challenge password []:
An optional = company name []:

# We have just created = the file server.csr (Certificate Signing Request)
# Next we must make the CA (Certification Authority) files so that we can sign = our own certificate key
# First create a CA = key. It=E2=80=99s just like your = server.key - a Triple-DES encrypted, 1024 bit RSA key. MAKE NOTE of the password!
% openssl genrsa -des3 = -out ca.key 1024
Generating RSA = private key, 1024 bit long modulus
...............++++++
...................................................++++++=
e is 65537 (0x10001)
Enter = pass phrase for ca.key:
Verifying - = Enter pass phrase for ca.key:

# Now create a self-signed CA Certificate = using the RSA key you just made.
% openssl = req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be = asked to enter information that will be incorporated
into your = certificate request.
What you are about = to enter is what is called a Distinguished Name or a DN.
There are quite a few = fields but you can leave some blank
For = some fields there will be a default value,
If you enter '.', the = field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality = Name (eg, city) []:Palm Harbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bogus CA
Organizational Unit Name = (eg, section) []:Bogus CA for Development
Common Name (eg, = YOUR name) []:Joe Somebody
Email = Address []:joesomebody@bogus.ca.com

#= Now remember that mod_ssl download that you did? Well expand the tar.gz = fownload=20 and get the file sign.sh inside the folder pkg.contrib and copy it to = your KeyGen folder. Afterward, your KeyGen folder contents should look like this:
% ls -al
total 40
drwxr-xr-x 7 kieran = staff 238=20 8 Sep 14:42 .
drwx--x--x 57 = kieran=20 staff 1938 8 Sep 13:05 ..
-rw-r--r-- 1 kieran staff 1383 8 Sep 13:55 ca.crt
-rw-r--r-- 1 kieran = staff =20 963 8 Sep 13:51 ca.key
-rw-r--r-- 1 kieran staff 733 8 Sep 13:48 server.csr
-rw-r--r-- 1 = kieran=20 staff 963 8 Sep 13:35 server.key
-rwxr-xr-x 1 = kieran=20 staff 1784 1 Jan 2001 sign.sh

# Now use the sign.sh script to sign your own certificate with your = certification authority keys
% ./sign.sh server.csr
CA signing: = server.csr -> server.crt:
Using = configuration from ca.config
Enter pass = phrase for ./ca.key:
Check that the = request matches the signature
Signature ok
The Subject's = Distinguished Name is as follows
countryName = =20 :PRINTABLE:'US'
stateOrProvinceName =20 :PRINTABLE:'Florida'
localityName =20 :PRINTABLE:'Palm Harbor'
organizationName =20= :PRINTABLE:'SmartleadsUSA LLC'
organizationalUnitName:PRINTABLE:'Engineering' commonName :PRINTABLE:'127.0.0.1' emailAddress =20 :IA5STRING:'kieran@smartleadsusa.net' Certificate is to be certified until Sep 8 18:43:20 2005 GMT (365 days) Sign the certificate? [y/n]:y 1 out of = 1 certificate requests certified, commit? [y/n]y Write out database = with 1 new entries Data Base Updated CA verifying: = server.crt <-> CA cert server.crt: OK # We now have another = file server.crt (the actual SSL Certificate) which is a signed version of server.csr # We are almost = there. Next make the ssl.key folder for the Apache server % sudo mkdir /etc/httpd/ssl.key # Copy = all the key files in there % sudo cp -r * /etc/httpd/ssl.key/ # = Navigate into the ssl.key folder % cd /etc/httpd/ssl.key # Remove = the encryption on the server.key to prevent "hang" on bootup due to Apache = request for a passphrase. % sudo cp = server.key server.key.original % sudo = openssl rsa -in server.key.original -out server.key # Stop Apache = running using command line or the Sharing system preference pane % sudo apachectl stop # Make backup of the = http.conf file % cd /etc/httpd/ % sudo cp = httpd.conf httpd.conf.backup # Using = your favorite editor (like Pico), un comment these 2 lines in httpd.conf LoadModule ssl_module = =20 libexec/httpd/libssl.so AddModule mod_ssl.c # Then find the = section for Listen and add the following lines to get it to listen on the ports we need. Listen 80 Listen 443 # Add the following = text between the dashed lines to the END of the httpd.conf. IMPORTANT, the underlined = items must correspond to the keys you have generated! #--------------------------------------------------= <IfModule mod_ssl.c> # Some = MIME-types for downloading Certificates and CRLs =20 AddType application/x-x509-ca-cert .crt AddType = application/x-pkcs7-crl .crl # inintial = Directives for SSL SSLProtocol all -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache dbm:/var/run/ssl_scache =20 SSLSessionCacheTimeout 300 = SSLMutex file:/var/run/ssl_mutex =20 SSLRandomSeed startup builtin = SSLLog /var/log/httpd/ssl_engine_log =20 SSLLogLevel info ## ## SSL Virtual Host Context ## <VirtualHost 127.0.0.1:80> #Just to = keep things sane... = DocumentRoot "/Library/WebServer/Documents" =20 ServerName 127.0.0.1 = =20 ServerAdmin webobjects@webdevinc.com =20 SSLEngine off </VirtualHost> <VirtualHost 127.0.0.1:443> # = General setup for the virtual host = DocumentRoot "/Library/WebServer/Documents" =20 #ServerName has to match the server you entered into the CSR ServerName 127.0.0.1 = ServerAdmin webobjects@webdevinc.com =20 ErrorLog /var/log/httpd/error_log =20 TransferLog /var/log/httpd/access_log # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on SSLProtocol all -SSLv3 SSLCipherSuite = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL # Path to your certificates and private key =20 SSLCertificateFile /etc/httpd/ssl.key/server.crt =20 SSLCertificateKeyFile /etc/httpd/ssl.key/server.key =20 <Files ~ "\.(cgi|shtml|phtml|php3?)$"> =20 SSLOptions +StdEnvVars =20 </Files> = <Directory "/Library/WebServer/CGI-Executables"> SSLOptions +StdEnvVars =20 </Directory> # = correction for browsers that don't always handle SSL connections well SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ =20 downgrade-1.0 force-response-1.0 # Per-Server Logging: # The = home of a custom SSL log file. Use this when you want a # compact non-error SSL = logfile on a virtual host basis. = CustomLog /var/log/httpd/ssl_request_log \ =20 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> </IfModule> #--------------------------------------------------= # save the modified httpd.conf file Restart apache from the command line or the Sharing preference pane % sudo apachectl restart Test our setup by = opening your browser and pointing to https://127.0.0.1

=0D=0DPosted: Thu - September 9, 2004 at 04:17 PM = =0D= =0D

=0D

getBlogName(); > getCategoryName("C755751163"); >

Secure https development on OS X

> >