SSL/TLS with Apache 2.2 on Debian/Ubuntu Linux

This article provides basic knowledge and exemplary configurations to use SSL/TLS with Apache.

It is assumed that you got a working Apache HTTP server and you can access the computer's terminal with root privileges (e.g. via SSH).

1. Why can't I use SSL with name-based/non-IP-based virtual hosts? But there is some light at the end of the tunnel: VhostTaskForce
2. If done right, TLS is not computationally expensive any more. Many years ago it might have been true, but it's just not the case any more. If you want to know more about, have a look at the article Overclocking SSL.
3. TLS makes the communication with your website more secure, but it does not protect against all kind of attacks and tracking. E.g. If an attacker is ablte to track your traffic, it should be still possible to know which pages you visisted (based on size of submitted data).

• The module mod_ssl has to be installed (should be the case by default) and active. If it is not, use the following to activate it:

  sudo a2enmod ssl

• Your Apache should listen on the SSL/TLS default Port 443 (→ Listen 443)
• OpenSSL has to be installed.
• Using and maintaining Apache 2.2 on Debian/Ubuntu Linux (some basic principles)

This is a good starting point. Create a weak and self-signed certificate to test and configure everything and switch over to a better certificate signed by a trusted third party afterwards.

• Create the TLS/SSL directory if it is not existing:

  sudo mkdir -p -v -m 0700 /etc/apache2/ssl/

• Create the certificate (replace server with your domain name or your server's IP, e.g. *.example.com, www.example.com in all following commands):

  sudo openssl req -new -x509 -nodes -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

• Set the correct permissions:

  sudo chown -R root /etc/apache2/ssl/
  sudo chmod -R 400 /etc/apache2/ssl/

• Create the TLS/SSL directory if it is not existing:

  sudo mkdir -p -v -m 0700 /etc/apache2/ssl/

  You can use

  sudo openssl ciphers -v

  to check which encryption algorithms are available on your system. If available, I would recommend AES256-SHA or AES128-SHA. The genrsa OpenSSL documentation is also helpful.

• Create the certificate (replace server with your domain name or your server's IP, e.g. *.example.com, www.example.com in all following commands):
  • 1st variant (without password, useful for common servers):
    

    sudo openssl genrsa -out /etc/apache2/ssl/server.key 1024

  • 2nd variant (including password - you have to type this whenever Apache starts):

    sudo openssl genrsa -aes256 -out /etc/apache2/ssl/server.key 1024

• Create a Certificate Signing Request (CSR):

  sudo openssl req -new -key /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.csr

  When you are asked for the “CommonName”, use your server's FQDN (“Fully Qualified Domain Name”, e.g. www.example.com). Wildcards like *.example.com are working, but you may have to escape the * with a backslash.

• Check everything:

  openssl req -noout -text -in /etc/apache2/ssl/server.csr

• Take the CSR file and send it to a Root-CA to sign it. You will get back a signed certificate (normally as plain text: —–BEGIN CERTIFICATE—– […] —–END CERTIFICATE—–). Store this certificate <wrap important> without any white-space begind —–END CERTIFICATE—– into /etc/apache2/ssl/server.crt.
• Set the correct permissions:

  sudo chown -R root /etc/apache2/ssl/
  sudo chmod -R 400 /etc/apache2/ssl/

The basic configuration is done. Now you can add all needed configuration directives to make it fit your needs. Simply couch your needs in terms, google it and have a look at the Apache documentation to find the needed directives.

Some additional hints:

• Listen 443
• Directives to use within a vHost or global config:

  #SSL/TLS
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl/example.key

• Using and maintaining Apache 2.2 on Debian/Ubuntu Linux (some basic principles)
• Apache HTTP Server

Apache TLS/SSL

• Apache documentation: Apache SSL/TLS Encryption
• Apache documentation: Why can't I use SSL with name-based/non-IP-based virtual hosts?
• Debian-Administration.org: Setting up an SSL server with Apache2
• Debian/Apache HOWTO – this page provides good information about TLS/SSL, beside much basic knowledge.
• Sascha Kersken, Apache 2: mod_ssl
• VhostTaskForce

TLS/SSL in general

• Transport Layer Security (TLS)
• Overclocking SSL (Google) – “SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more.”
• EFF to Verizon: Etisalat Certificate Authority Threatens Web Security
• Defcon 18 (2010) - An Observatory for the SSLiverse (PDF)