Problems with Secure Sockets Layer (SSL)
Basic How-To Info
Generating a Key
To generate a key you must use OpenSSL and the system file /dev/urandom to generate a random key. Here's how:
cd /etc/httpd/conf/
make genkey
You will see the following output:
/usr/sbin/openssl genrsa -des3 -rand /dev/urandom 1024 > ssl.key/server.key
unable to load 'random state'
Note: the error shown above only occurred once (the first time) and I ran this command several times. Everytime after the 1st time it ran just fine. As the key was generated in all cases I think this error may be ignored.
1048664 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................................e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
chmod go-rwx ssl.key/server.key
If, for some reason you don't have "make" installed on your system you may use the following less "user-friendly" command instead of make genkey:
/usr/sbin/openssl gensra -rand /dev/urandom 1024 > ssl.key/server.key
-and-
chmod go-rwx ssl.key/server.key
The server.key file should be owned by the root user on your system and should not be accessible to any other user. You should make a backup copy of this file and keep it under lock and key. A good idea is to copy it to a floppy and then store this in a very, very safe place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request (CSR), your certificate will no longer work and the Certificate Authority will not be able to help you. Your only option would be to request a new certificate and pay for it all over again.
Generating a Certificate Request
To generate a Certificate Request (CSR) type in the following command:
make certreq
If, for some reason you don't have "make" installed on your system you may use the following less "user-friendly" command instead of make certreq:
You will see the following output:
[root@ntbox conf]# make certreq
/usr/sbin/openssl req -new -key ssl.key/server.key > ssl.csr/server.csr
Using configuration from /usr/lib/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name []:NC
City (Locality) Name []:Cary
Company (Organization) Name []:My New Outfit, Inc.
Department Name []:Sales
Server Host Name []:ntbox.somewhere.com
Server Administrators Email Address []:me@somewhere.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxxxx
An optional company name []:
After executing this task check in /etc/httpd/conf/ssl.csr/ to ensure that the CSR was created:
[root@ntbox ssl.csr]# pwd
/etc/httpd/conf/ssl.csr
[root@ntbox ssl.csr]# ls
server.csr
Here's what it looks like:
-----BEGIN CERTIFICATE REQUEST-----
MIIB+jCCAWMCAQAwgaAxCzAJBgNVBAYTATVTMQswCQYDVQQIEwJOQzENMAsGA1UE
BxMEQ2FyeTEjMCEGA1UEChMaTW9vbkdyb3VwIENvbnN1bHRpbmcsIEluYy4xDjAM
BgNVBAsTBVNhbGVzMRwwGgYDVQQDExNudGJveC5tb29uZ3JvdXAub3JnMSIwIAYJ
KoZIhvcNAQkBFhNjaHVja0Btb29uZ3JvdXXuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDI3WgxyhyrdHwhqN5xIiXsSN1UNLW4vq2Wz1aton2fgdViOvHC
A02Nc6PLrPj015UNP54sj1/TQJEJeSHEi/YKOyzHQj0sw1sXaFguR0IeJEEdWbpX
DCZjLkZVcuUeYWxuwnOt4GjtcKlDc2m1w59kVNYSEfMQOELoVIIj9yAmAwIDAQAB
oBkwFwYJKoZIhvcNAQkHMQoTCGphbWVzb24AMA0GCSqGSIb3DQEBBAUAA4GBAGOd
wCO4DDggCe3idSDpIbuvENCucVFoaogZn1Tsn7EC81nvI0FthTUAtVZas9Tv0VhS
WSGS2llOdjr3sISi+7Xm+AV0K+KDvAW56zddCsmJ5WlzVZ2gRulmfjG7Zz5dXcA+
1Z8DAy5lp4lzacb/vO8sUXQlHWDHLRtNvXvudoiH
-----END CERTIFICATE REQUEST-----
This is what gets sent to your Certificate Authority (CA).
Making a Test Certificate Yourself
Once again we will execute this operation in /etc/httpd/conf/. The command to use is:
make testcert
You will see the following output:
[root@ntbox conf]# make testcert
/usr/sbin/openssl x509 -days 365 -signkey ssl.key/server.key -in ssl.csr/server.csr -req -out ssl.crt/server.crt
Signature ok
subject=/C=US/ST=NC/L=Cary/O=My New Outfit, Inc./OU=Sales/CN=ntbox.somewhere.com/Email=me@somewhere.com
Getting Private key
Enter PEM pass phrase:xxxxxxxx
At this point you are ready to restart your server. Issue the following command:
[root@ntbox conf]# /etc/rc.d/init.d/httpsd restart
You will see the following output:
Shutting down httpsd: [ OK ]
Starting httpsd: Red Hat Secure/3.0 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server ntbox.moongroup.org:443
Enter pass phrase:xxxxxxxx
Ok: Pass Phrase Dialog successful.
[ OK ]
Now you are ready to test your server with a browser.
When you get to your web site with your browser you will have to tell the browser to accept the certificate you just created because it's not a "real" certificate. Only after you get the genuine cert from your Certificate Authority will the browser not ask you to accept or deny the cert.
What you should use for a URL is not:
http://ntbox.somewhere.com:443/
-but-
https://ntbox.somewhere.com/
Note the "s" in the protocol field!
What you will see looks like this:
ntbox.somewhere.com is a site that uses encryption to protect transmitted
information. However, Netscape does not recognize the authority who signed
its Certificate.
Although Netscape does not recognize the signer of this Certificate, you may
decide to accept it anyway so that you can connect to and exchange
information with this site.
This assistant will help you decide whether or not you wish to accept this
Certificate and to what extent.
Just accept the defaults all the way through the series of dialogues which follow and you'll be fine... it's just a test, after-all!
1. Can I use my Stronghold Certificate with SWS?
Yes you can. You should be able to use your certificate from Stronghold with Secure Server without any modifications. Simply rename your key(s) and certificate(s) to the names specified in the manual, fire up the server, and you should be all set. Just remember that certificates are issued for an ip/domain name pair and cannot be moved to a different ip address or domain.
The correct paths and file names are:
/etc/httpd/conf/ssl.key/server.key
-and-
/etc/httpd/conf/ssl.csr/server.csr
Note that after you receive your key from your chosen authority it will be here:
/etc/httpd/conf/ssl.crt/server.crt
2. Can I run multiple SSL-enabled vhosts with SWS?
Yes you can but each virtual host will need it's own ip address. You just put the certificate related configuration for each domain between the <VirtualHost> directives.
3. How can I get httpd to startup without prompting for the password on the console after reboot?
We DO NOT recommend this procedure as it is very insecure but here's how you can automate it:
Use this command:
/usr/sbin/ssleay genrsa -rand /dev/urandom 1024 > httpsd.key
to create your key and you will not need to use a password to start your SWS.
4. Can we simply go get Apache-SSL 1.3.x and use that under the license we have from the Redhat version?
You are not licensed to use Apache-SSL if you get the Red Hat Secure Web Server. This is per our agreement with RSA Data Security, Inc., who holds the patent licenses on the encryption technology.
5. I have several users complaining that they can't connect to our site with older browsers (Netscape 3x). I tried Netscape 3.0 with and I get a message-box from Netscape saying "The security library has experienced a database error. You probably will not be able to connect to this site securely." What do I do now?
These old browsers have an old Thawte root certificate in them. You probably have a newish Thawte certificate. There are instructions on the Thawte website for upgrading these old browsers to work with the new Thawte root certificate.
See SSL Certificate Overview: 3.x Root Rollover.
6. I am having a problem with some browsers not recognizing my certificate but they aren't that old. Is there some place I can check for browser compatibility?
Yes. Have a look at SSL Certificate Overview: Browser Compatibility for Thawte and for Verisign check here.
7. When I access my secure site, the wrong certificate is displayed!
SSL does not support name based virtual hosting. This means you need to assign an IP to each of your secure hosts, and edit your config file accordingly. See the answer to Question #1 above for more information.
Problems with basic configuration and config file issues.
8. I've been starting the httpsd daemon and it dies on start-up. Now I dont yet have a certificate, but I should be able to get to the default spash page on port 80 right?
You'll at least need a test certificate before the server will start properly.
The problem with the startup scripts claiming that the processes are still running is the fact that they did start OK, but httpsd exited immediately when it didn't find a certificate.
If you really need to run without a certificate, comment out all the SSL stuff in /etc/httpd/conf/httpd.conf and restart or -HUP the httpd daemon.
9. Where can I find additional documentation on SSL?
Usually raw link lists are bad but in this case it would probably be useful!
SSL Documentation
http://www.openssl.org/
http://developer.netscape.com/tech/security/ssl/howitworks.html
http://developer.netscape.com/docs/manuals/security/sslin/index.htm
http://home.netscape.com/eng/ssl3/ssl-toc.html
Additional SSL Applications
ftp://ftp.uni-mainz.de/pub/internet/security/ssl/
ftp://ftp.replay.com/pub/replay/linux/
http://mike.daewoo.com.pl/computer/stunnel/
http://violet.ibs.com.au/slush/
Thawte Certificate Issues
10. I have multiple ip based domains and I need to enable more than one certificate. How do I do that?
The configuration information generally resides in a file in your Apache
directory structure - probably "httpd.conf". Update that configuration file as
follows:
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
You can have the key and the cert in a single file if you want by appending the one after the other in the file. However, we recommend separating them for clarity. Sometimes you might have the wrong key in a cert file, which creates errors that are very hard to debug, so please stick to separate key and cert files.
11. I need to renew my Thawte cert. How do I do that?
Thawte has made this very easy. Check the following URL:
http://www.thawte.com/certs/server/renew.html
12. How do I know which certs match which key?
The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers.
To view the cert:
[root@ntbox conf]# openssl x509 -noout -text -in ssl.crt/server.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=NC, L=Cary, O=My New Outfit, Inc., OU=Sales, CN=ntbox.somewhere.com/Email=me@somewhere.com
Validity
Not Before: Oct 7 04:19:24 1999 GMT
Not After : Oct 6 04:19:24 2000 GMT
Subject: C=US, ST=NC, L=Cary, O=My New Outfit, Inc., OU=Sales, CN=ntbox.somewhere.com/Email=me@somewhere.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c9:dd:68:31:ca:1c:ab:74:7c:21:a8:de:71:22:
25:ec:48:dd:54:34:b5:b8:be:ad:96:cf:56:ad:a2:
7d:9f:81:d5:62:3a:f1:c2:03:4d:8d:73:a3:cb:ac:
f8:f4:d7:95:0d:3f:9e:2c:8f:5f:d3:40:91:09:79:
21:c4:8b:f6:0a:3b:2c:c7:42:3d:2c:c3:5b:17:68:
58:2e:47:42:1e:24:41:1d:59:ba:57:0c:26:63:2e:
46:55:72:e5:1e:61:6c:6e:c2:73:ad:e0:68:ed:70:
a9:43:73:69:b5:c3:9f:64:54:d6:12:11:f3:10:38:
42:e8:54:82:23:f7:20:26:03
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
4f:27:7b:c5:f1:52:33:bc:f8:50:19:b9:98:e6:3b:08:9b:4b:
7b:24:f8:80:10:18:a4:25:6a:39:b1:75:35:05:64:54:ec:5e:
e4:c1:88:fb:7f:72:d1:32:f4:8c:0d:08:28:7e:7e:a5:5f:61:
9c:cc:b4:5c:13:f0:71:a8:d0:56:58:11:e6:b8:35:0a:01:b7:
72:7f:e8:a7:b6:82:aa:52:5d:05:29:d8:48:ba:26:8e:ed:41:
38:86:b8:62:2e:9a:f1:be:99:3c:20:76:57:0f:70:4b:a6:18:
82:aa:90:0c:1f:18:05:c3:98:b8:20:9e:e5:64:02:0d:01:4e:
c4:4e
To view the key:
[root@ntbox conf]# openssl rsa -noout -text -in ssl.key/server.key
read RSA private key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
00:c9:dd:68:31:ca:1c:ab:74:7c:21:a8:de:71:22:
25:ec:48:dd:54:34:b5:b8:be:ad:96:cf:56:ad:a2:
7d:9f:81:d5:62:3a:f1:c2:03:4d:8d:73:a3:cb:ac:
f8:f4:d7:95:0d:3f:9e:2c:8f:5f:d3:40:91:09:79:
21:c4:8b:f6:0a:3b:2c:c7:42:3d:2c:c3:5b:17:68:
58:2e:47:42:1e:24:41:1d:59:ba:57:0c:26:63:2e:
33:55:72:e5:1e:61:6c:6e:c2:73:ad:e0:68:ed:70:
a9:43:73:69:b5:c3:9f:64:54:d6:12:11:f3:10:38:
42:e8:54:82:23:f7:20:26:03
publicExponent: 65537 (0x10001)
privateExponent:
76:a6:12:3e:16:dd:08:8a:2e:28:d3:cf:51:94:92:
42:18:68:64:ad:1e:0a:9a:d7:7f:15:ca:65:96:6e:
0e:22:6b:21:33:20:4b:32:18:45:4d:e1:9b:15:f9:
98:e7:1f:2c:4c:3f:ea:a2:66:40:2b:0b:81:45:04:
25:4d:67:6f:67:cf:4a:1a:52:2c:48:09:8a:54:77:
9e:20:5c:d9:a6:d5:fe:a6:ac:16:99:d9:34:de:fd:
d6:7a:56:8b:9f:dc:9d:9b:4b:84:b5:35:65:94:df:
6b:2f:dd:72:ef:f7:ec:b2:73:20:77:a3:b1:99:b3:
b8:8e:09:6e:00:80:60:c1
prime1:
00:e3:10:d3:94:3d:6f:77:eb:e2:99:7d:39:88:20:
9b:80:c1:df:e9:2f:c9:dc:dc:b5:fa:c3:50:e0:d0:
c9:7e:41:91:55:9d:4c:19:4b:98:96:e6:e3:15:93:
12:3b:6f:05:99:7e:8f:38:65:57:f0:07:63:a3:2a:
ea:53:d3:9c:8f
prime2:
00:e2:75:e0:0a:b5:e5:38:e1:32:99:68:ee:8e:99:
45:3f:09:1f:84:ad:e8:b8:ad:ef:e9:45:30:be:6e:
a6:bd:57:00:d1:73:d2:9d:ba:e9:99:a8:fb:7b:fd:
3d:64:75:cd:2d:b8:69:39:ea:8e:aa:11:9a:95:49:
eb:6f:0a:81:4d
exponent1:
5e:7a:90:de:bc:95:55:fb:a3:64:a4:33:3d:0d:fc:
46:1d:e5:51:fc:9d:6c:b5:b5:4e:aa:d8:4b:42:f4:
a4:01:1a:3c:da:5f:60:a3:10:d1:b1:2e:49:ba:d1:
3a:43:9e:bb:d8:6a:35:58:0d:b8:05:0b:13:48:77:
09:fc:21:c7
exponent2:
50:d0:f8:2f:5a:52:7f:45:fe:a4:b8:c9:c9:a1:f1:
10:59:d5:21:a8:5e:90:e9:a1:e0:81:8c:af:a9:15:
60:24:98:6a:27:07:56:ba:c9:7a:c8:cf:56:a4:3d:
30:88:c9:bc:33:3f:7a:27:b6:da:02:86:44:18:a9:
28:6b:7b:51
coefficient:
31:bb:e2:73:89:b7:7c:25:94:b8:80:37:39:49:b6:
cf:37:0b:df:bf:42:aa:d4:a3:6e:c1:94:6c:a5:88:
99:d4:b6:fe:5f:6d:52:3f:9d:fe:61:38:a9:96:73:
91:25:2f:d7:91:26:31:48:0b:52:50:98:47:5b:4e:
3d:61:66:e1
The "modulus" and the "public exponent" portions in the key and the certificate must match.
13. I get an error that looks like this: "no start line:pem_lib.c" or "no end line:pem_lib.c". What does it mean?
Apache-SSL uses a toolkit called SSLeay, by Eric Young, for its security routines. SSLeay is very fussy about the format of certificate requests and certificates. In particular it wants BEGIN and END lines that look like this for certificates:
-----BEGIN CERTIFICATE-----
blah blah blah
this is actually your
certificate BASE64 encoded
to make it easy to transport
by mail
-----END CERTIFICATE-----
If your cert has trailing spaces after the BEGIN or END lines it will bomb with the error you see. Usually, the problem is that your browser created trailing spaces when you cut and pasted the cert from the browser window into a text editor to create the certificate text file. Just remove the trailing spaces (on UNIX you may also need to get rid of CTRL-M characters) and all will be well. :-)
StrongHold Certificate Issues
14. Internet Explorer Error: IE cannot open the Internet site www.foo.com. An error occurred in the secure channel support.
IE users will get this message if you have installed a certificate that is over 1024 bits. See below for details.
15. Netscape Navigator Error: "The server has encountered bad data from the client".
Netscape users get this error if the cert used on the server is greater than 1024 bits. See below for details.
16. Large key sizes (larger than 1024 bits).
Most newer versions of Stronghold warn you that making a key greater than 1024 bits will result in browser errors. However, there are some that don't and it is possible to create a 4096 bit key and CSR (and thus certificate). 4096 bits is very secure, but it is slow and most browsers don't handle them particularly well. You'll have to ask your representative about the $50 re-issue so you can regenerate your key (to 1024 bits this time) and submit a new CSR for signing.
Verisign Certificate Issues
17. I purchased a Verisign cert. How do I install it?
Verisign provides instructions on their site but these will only work for the
StrongHold product. See
http://digitalid.verisign.com/server/help/insSSLeayInstall.htm for more
information on the Verisign method for StrongHold.
To install a Verisign cert for SWS is actually quite simple. Here's how it works:
The only thing you should do is to save the cert into a file and give the name and path to that file to the SSLCertificateFile directive. Remember that you need to add the key file in as well (SSLCertificateKeyFile directive).
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
General SSL Issues
18. Isn't there a mailing list with archives for Apache-SSL?
Yes there is:
http://www.lists.aldigital.co.uk/apache-ssl/threads.html
19. I am getting an error message in Netscape that says that "the certificate that the site 'my.domain.com/' has presented does not contain the correct site name. It is possible, though unlikely, that someone may be trying to intercept your communication with this site. If you suspect the certificate shown below does not belong to the site you are connecting with, please cancel the connection and notify the site administrator. What does this mean?
When you generated the certificate, it is the 'Server Host Name' question (which is actually the Common Name field of the cert). Make sure you put the exact server name as it will show in the URL or you will get this error.
Also once you've sorted out this problem, you'll start to see the message 'my.domain.com/' is a site that uses encryption to protect transmitted information. However, Netscape does not recognize the authority who signed its certificate."... To fix this, you'll need to get a 'trusted' cert from someone like Thawte or Verisign.
20. I've got everything up and working, at least the httpd daemon started with no errors. I don't have a graphical browser available to me so how do I confirm that the daemon is actually running on port 443?
netstat -an | grep LISTEN
21. I've tried everything I know and I just can't get SSL working. Any other thoughts on how to see if this is working ok and how to get a response from port 443 and the SSL?
If you have everything set up and working then the following tests should help:
Telnet to the SSL port (make sure you telnet to the actual IP address that you expect your server to be runing on, not 'localhost'), and type anything followed by <CR>. You should immediately get disconnected with no visible response from the server.
In your error log you should see something like:
[error] SSL_accept failed
[error] error:140760F8:SSL routines:SSL23GETCLIENT_HELLO:unknown
protocol
If you get a response from the server, like:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that
this server could not understand.<P>
Invalid URI in request hello server<P>
</BODY></HTML>
Connection closed by foreign host.
Then you're connected to a non-SSL port and this should tell you that the SSL setup is still incorrect.