
Bug#267477: Apache2 and SSL Quick Hints



Here is a rough outline of how to get Apache2 SSL working. I agree that
the package could be more SSL friendly out of the box. I came here to file
a bug myself ;-).


Steps:

1. Have Apache working without SSL!


2. Generate your SSLCertificateFile and SSLCertificateKeyFile files. I
used the newcert-ca.sh script at http://www.openssl.org/contrib/ . If you
go this route be sure to read the script before you start running it so
that you understand what you are doing. You will run it one time to create
a CA and a second time calling that CA to create the files for your
server.

3. Copy the .key and .cert over to the /etc/apache2/ssl/ directory so that
they are easy to get to.

4. Copy your sites-available/default file and call it default-ssl.

***Including this file already set up is something that the APACHE2 .deb
could be doing at install time.***

5. Edit your new default-ssl as follows. For the first two lines you will
just edit what is there. The stuff inside the # SSL STUFF + bars will be
inserted after the <VirtualHost *:443> line:
NameVirtualHost *:443
<VirtualHost *:443>

# SSL STUFF (START) ++++++++++++++++++++++++++++++++++++++++++++++++++++

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server_cert_name_httpsd.cert
SSLCertificateKeyFile /etc/apache2/ssl/server_key_name_httpsd.key

# see http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html for the meaning
# of the two directives below.
# "all" is every protocol mod_ssl knows (SSLv2, SSLv3 and TLSv1 in 2.0);
# HIGH:MEDIUM enables the high- and medium-strength cipher suites, which the
# howto describes as the seven strongest ciphers.
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM


# SSL STUFF (END) +++++++++++++++++++++++++++++++++++++++++++++++++++++++


6. Run "a2enmod" and make sure that ssl is enabled.

7. Make sure the ports.conf line contains both a "Listen 80" and a "Listen
443" line.

8. Test your setup by running "apache2 -D SSL -S". The results should look
something like these below:

littleguy:/etc/apache2/sites-enabled# apache2 -D SSL -S
apache2: Could not determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/default-ssl:2)
         port 443 namevhost 127.0.0.1
(/etc/apache2/sites-enabled/default-ssl:2)
*:80                   is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/default:2)
         port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/default:2)
Syntax OK


9. "/etc/init.d/apache2 restart" and then go test your SSL (and non-SSL)
pages.

Debian Apache Maintainers -- Could y'all include at least a sample
default-ssl file and some terse documentation in the README?

Thanks,
Sam
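The steps above done as a script, as an added example that is not part of the bug report or of the Debian package. It assumes the Debian paths from the outline (/etc/apache2/ssl, sites-available/default, ports.conf), replaces the newcert-ca.sh run in step 2 with a single self-signed key/cert pair from openssl (no CA), and differs from the posted default-ssl in two deliberate places: SSLv2 is switched off and anonymous DH suites are excluded from HIGH:MEDIUM. The demo works on constructed copies of the files in a scratch directory so it runs unprivileged; the real "apache2 -D SSL -S" check in step 8 is still the final test.

```shell
#!/bin/sh
# Added example, not part of the bug report: automate steps 2, 4, 5 and 7 from
# the outline and sanity-check the result before running "apache2 -D SSL -S".
# Assumptions: Debian-style paths under /etc/apache2, and a self-signed
# certificate generated directly with openssl instead of newcert-ca.sh.
set -eu

SSL_DIR=/etc/apache2/ssl                               # assumed location (step 3)
CERT="$SSL_DIR/server_cert_name_httpsd.cert"
KEY="$SSL_DIR/server_key_name_httpsd.key"

# Step 2 substitute: one self-signed key/cert pair, no CA. The key is written
# mode 0600 via umask. Returns 1 if openssl is not installed so callers can skip.
gen_selfsigned() {   # gen_selfsigned <dir> <hostname>
    command -v openssl >/dev/null 2>&1 || return 1
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$2" \
          -keyout "$1/server_key_name_httpsd.key" \
          -out "$1/server_cert_name_httpsd.cert" >/dev/null 2>&1 )
}

# Steps 4 and 5: derive default-ssl from the plain-HTTP site file. Bare "*" or
# "*:80" vhost lines become "*:443" and the SSL directives go straight after
# <VirtualHost *:443>. Departures from the outline: SSLv2 off, no anonymous DH.
make_ssl_site() {   # make_ssl_site <src> <dst> <certfile> <keyfile>
    awk -v cert="$3" -v key="$4" '
        /^NameVirtualHost \*(:80)?[ \t]*$/ { print "NameVirtualHost *:443"; next }
        /^<VirtualHost \*(:80)?>[ \t]*$/ {
            print "<VirtualHost *:443>"
            print ""
            print "# SSL STUFF (START) +++++++++++++++++++++++++++++++++++++"
            print "SSLEngine on"
            print "SSLCertificateFile " cert
            print "SSLCertificateKeyFile " key
            print "# all minus SSLv2; high/medium strength, no anonymous DH"
            print "SSLProtocol all -SSLv2"
            print "SSLCipherSuite HIGH:MEDIUM:!aNULL"
            print "# SSL STUFF (END) +++++++++++++++++++++++++++++++++++++++"
            print ""
            next
        }
        { print }
    ' "$1" > "$2"
}

# Step 7: add "Listen <port>" to ports.conf unless it is already there (idempotent).
ensure_listen() {   # ensure_listen <ports.conf> <port>
    grep -q "^Listen $2\$" "$1" || printf 'Listen %s\n' "$2" >> "$1"
}

# Sanity checks (exit status 0 = OK): every required directive present and no
# leftover plain-HTTP vhost line, the things a half-edited default-ssl gets wrong.
check_ssl_site() {   # check_ssl_site <default-ssl>
    grep -q '^NameVirtualHost \*:443$' "$1" &&
    grep -q '^<VirtualHost \*:443>$' "$1" &&
    grep -q '^SSLEngine on$' "$1" &&
    grep -q '^SSLCertificateFile ' "$1" &&
    grep -q '^SSLCertificateKeyFile ' "$1" &&
    grep -q '^SSLProtocol all -SSLv2$' "$1" &&
    ! grep -q '^<VirtualHost \*\(:80\)\{0,1\}>' "$1"
}

check_ports() {   # check_ports <ports.conf>
    grep -q '^Listen 80$' "$1" && grep -q '^Listen 443$' "$1"
}

# Demo on constructed stand-ins for the Debian files in a scratch directory;
# point the paths at /etc/apache2 (as root) to do it for real.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/default" <<'EOF'
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
</VirtualHost>
EOF
    printf 'Listen 80\n' > "$tmp/ports.conf"

    make_ssl_site "$tmp/default" "$tmp/default-ssl" "$CERT" "$KEY"
    ensure_listen "$tmp/ports.conf" 443
    gen_selfsigned "$tmp" localhost && echo "self-signed key/cert written to $tmp" || true
    if check_ssl_site "$tmp/default-ssl" && check_ports "$tmp/ports.conf"; then
        echo "default-ssl and ports.conf look complete; now run: apache2 -D SSL -S"
    fi
    cat "$tmp/default-ssl"
    rm -rf "$tmp"
}

demo
```

The checks only catch structural mistakes (a vhost still on *:80, a missing Listen 443, a missing SSLEngine line); they do not verify that the certificate and key files exist or match, which is what "apache2 -D SSL -S" and the restart in step 9 will tell you.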