Wednesday, November 27, 2013

How to set up apache2 with SSL/TLS support and client auth on Debian 7.2

I think SSL/TLS should be part of security hardening process. Only fools would not use cryptography technology in post-prism era. I think what Mr Snowden did, that was proved one thing: Richard Stallman and Phrack guys( I prefer use the term "philosophical anarchist") never lie to us;-) Well, I don't wanna bullshit anything about this controversial topic here...let's see how we can set up a HTTPS server with client auth.

Generate CA certificates:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp /usr/lib/ssl/misc/CA.sh .
root@d6-test:/opt/ssl# ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
.............................................
.............................................
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:81:0e:bc:52:d0:19:5a
        Validity
            Not Before: Nov 19 02:08:14 2013 GMT
            Not After : Nov 18 02:08:14 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MOT
            organizationalUnitName    = MOT
            commonName                = hardened-shit
            emailAddress              = info@hardened-shit.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
            X509v3 Authority Key Identifier:
                keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------

Copy intermediate key and certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp demoCA/private/cakey.pem ca.key
root@d6-test:/opt/ssl#
root@d6-test:/opt/ssl# cp demoCA/cacert.pem ca.crt
--------------------------------------------------------------------------------

Generate server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
--------------------------------------------------------------------------------

Generate server CSR(Certificate Signing Request) with server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key server.key -out server.csr
...........................................
........................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
--------------------------------------------------------------------------------

Genrate server certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key
--------------------------------------------------------------------------------

You can check out the cert or verify it:
openssl x509 -noout -text -in server.crt
openssl verify -CAfile ca.crt server.crt


Generate client's key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
--------------------------------------------------------------------------------

Client's CSR:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key client.key -out client.csr
.......................................................
..............................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-info.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generate client's certificate with CA certificate's signature:
root@d6-test:/opt/ssl# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:81:0e:bc:52:d0:19:5c
        Validity
            Not Before: Nov 19 02:28:13 2013 GMT
            Not After : Nov 19 02:28:13 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MOT
            organizationalUnitName    = MOT
            commonName                = hardened-shit
            emailAddress              = info@hardened-info.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66
            X509v3 Authority Key Identifier:
                keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63

Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------


Convert to pkcs12 format, which can be identified by firefox:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------

Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit

root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled

edit /etc/apache2/sites-enabled/default-ssl:
        SSLCertificateFile    /etc/ssl/hardened-shit/server.crt
        SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key

        SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt

        SSLCACertificatePath /etc/ssl/hardened-shit/
        SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt

        SSLVerifyClient require
        SSLVerifyDepth  10










Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------

Done....it should works.

btw: I highly recommend you to read these two articles if you want to know further: Hardening Your Web Server's SSL Ciphers, and TLS Perfect Forward Secrecy support with Apache

I only enable the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1

4 comments:

Unknown said...

Hi Shawn, just dropping by to say Hi! Nice blog btw!

Unknown said...
This comment has been removed by the author.
Unknown said...

Thanks Harry!

Unknown said...

how to unblock youtube videos on google
I came to your site and got a lot of information. I will wait for further post in