HTTPS Setup using mod_ssl on CentOS 5.8. Jeong Chul. tland12.wordpress.com. Computer Science ITC and RUPP in Cambodia

Transcription

1 HTTPS Setup using mod_ssl on CentOS 5.8 Jeong Chul tland12.wordpress.com Computer Science ITC and RUPP in Cambodia

2 HTTPS Setup using mod_ssl on CentOS 5.8 Part 1 Basic concepts on SSL Step 1 Secure Socket Layer Step 2 SSL Record Protocol Operation Step 3 SSL Handshake Protocol Step 4 Digital Certificates Step 5 X.509 Certificates Step 6 HTTPS Part 2 HTTPS Configuration Step 7 Installation and startup Step 8 Https configuration Step 9 Packet Capture using Wireshark

3 Https Server Testing Environment 1.sever.chul.com: HTTPS server 2.client.chul.com: Linux web client Testing on Firefox

4 Step 1 Secure Socket Layer (SSL) SSL Record Protocol Service 1.Confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption 2. Message integrity using a MAC (Message Authentication Code) with shared secret key similar to HMAC but with different padding

5 Step 2 SSL Record Protocol Operation

6 Step 3 SSL Handshake Protocol (1) 1.allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used 2.comprises a series of messages in phases 1 Establish Security Capabilities 2 Server Authentication and Key Exchange 3 Client Authentication and Key Exchange 4 Finish

7 Step 3 SSL Handshake Protocol (2)

8 Step 4 Digital Certificates 1.Digital Signatures 1.1 Private key to encrypt, public key to decrypt Any holder of the public key can decrypt the message, but only a holder of the private key could have encrypted it 1.2 For speed and improved security, hash the plaintext and sign that, then encrypt 1.3 Algorithms: RSA, ElGamal, DSA DSA is intended for digital signatures only 2. Digital Certificates 2.1 Trusted third party digitally signs public key Certificate Authority (CA) has a public key that is known by everyone involved 2.2 The resulting digital certificate contains Server's public key and expiration date Information about the owner of the key Information about the CA and the CA's signature Information on how the certificate may be used Package installation

9 Step 5 X.509 Certificates

10 Step 6 HTTPS 1. HTTPS (HTTP over SSL) combination of HTTP & SSL/TLS to secure communications between browser & server documented in RFC2818 no fundamental change using either SSL or TLS 2. Use URL rather than and port 443 rather than Encrypts URL, document contents, form data, cookies, HTTP headers

11 Step 7 Installation and startup 1.Package installation # rpm qa grep httpd # rpm qa grep mod_ssl # rpm qa grep openssl # yum install httpd httpd-manual httpd-devel # yum install mod_ssl openssl 2. Service startup and main directory # service httpd start # ls l /etc/httpd/conf /var/www/html /etc/pki/ca 3. Service startup checking # ps ef grep httpd # netstat nat grep Runlevel registration # chkconfig httpd on # chkconfig list httpd 5. Testing on browser

12 Step 8 HTTPS Configuration (1) 1.SSL Configuration for making a private Certificate Authority vim /etc/pki/tls/openssl.cnf dir = /etc/pki/ca certificate = $dir/linux-ca.crt crl = $dir/linux-ca.crl private_key = $dir/private/linux-ca.key 2. Default setting for CA # mkdir /etc/pki/ca/{certs,crl,newcerts} # touch /etc/pki/ca/index.txt //database to contain all certificates # echo 01 > /etc/pki/ca/serial //next certificate serial number issued 3. Generating RSA private key # openssl genrsa out private/linux-ca.key des # openssl rsa noout text in linux-ca.key 4. Generating Certificate # openssl req new x509 key private/linux-ca.key days 365 > linux-ca.crt

13 Step 8 Https Configuration (2) 5. Generating a Certificate Signing Request (CSR) # openssl req new key linux-ca.key out linux-ca.csr 6. Creating a CA-signed Certificate # openssl ca in linux-ca.csr out linux-ca.crt # cp linux-ca.key /etc/httpd/conf # cp linux-ca.crt /etc/httpd/conf/ # cp linux-ca.crt /var/www/html/certs/ // download certificate for users 7. SSL configuration # vim /etc/httpd/conf.d/ssl.conf SSL Engine on SSL CertificateFile /etc/httpd/conf/linux-ca.crt SSL CertificatKeyFile /etc/httpd/conf/linux-ca.key 8. SSL log file # tail f /var/log/httpd/ssl_access ssl_error 9.Testing on the browser # service httpd restart Examine Certificate on the browser

14 Step 9 Packet Capture using Wireshark 1.Start Wireshark on Server system # rpm qa grep wireshark # yum install wireshark wireshark-gnome # wireshark 2.Packet capture for http packet on Wireshark # service httpd restart # elinks 3. Packet capture for https packet on Wireshark # service httpd restart # elinks 4. Packet analysis using Wireshark

15 HTTPS Setup using mod_ssl on CentOS 5.8 Thank you!! See you again on Kerberos, next video tland12.wordpress.com