| Apache based WebDAV with LDAP and SSL HOWTO | ||
|---|---|---|
| Prev | ||
Security of the data stored on a file server is very important these days. Compromised data can cost thousands of dollars to company. In the last section, we compiled LDAP authentication module into the Apache build to provide a Authentication mechanism. However HTTP traffic is very insecure, and all data is transferred in clear text - meaning, the LDAP authentication (userid/passwd) will be transmitted as clear text as well. This create a problem. Anyone can sniff these userid/passwd and gain access to DAV store. To prevent this we have to encrypt HTTP traffic, essentially HTTP + SSL or HTTPS. Anything transferred over HTTPS is encrypted, so the LDAP userid/passwd can not be sniffed. HTTPS runs on port 443. The resulting build from the last section's compilation process will have Apache to listen to both port 80 (normal HTTP) and 443 (HTTPS). If you are just going to use this server for DAV, then I will highly suggest that you close port 80. In this section of the HOWTO I will provide some information regarding SSL and maintaining SSL on a WebDAV server. However this is a not limited to a DAV server, it can be used on any web server.
There are many administration tasks related with implementing and maintaining SSL encryption for a Web Site. You can either use commercial certicates, or generate your own. In the following sections we will briefly go over a few simple things that are required to get the SSL website up and running, and maintain it. This tutorial is by no means a full in-depth overview of the SSL.
SSL (Secure Socket Layer) is a protocol layer that exists between the Network Layer and Application layer. As the name suggest SSL provides a mechanism for encrypting all kinds of traffic - LDAP, POP, IMAP and most importantly HTTP.
This HOWTO discusses about the HTTP over SSL or simply HTTPS. For more information about POP/IMAP/LDAP over SSL, please visit http://www.stunnel.org. Or if you are looking for a commerical products look into IPlanet for LDAP and Netscape for IMAP and POP.
There are 2 kinds of encryption algorithms used in SSL.
Public-Private Key Crytography - Initiating SSL connection: This algorithm is used for initiating the SSL session. In this algorithm, the encryption must be performed using the Public Key, and the decryption can only be performed using the Private Key. The Web-server holds the private Key, and sends the Public key to the client. The public key is sent to the client in a certificate.
The client request content from the Web Server using HTTPS.
The web server responds with a Certificate which includes the server's public key.
The client check to see if the certificate has expired.
Then the client checks if the Certificate Authority that signed the certificate, is a trusted authority listed in the browser. This explains why we need to get a certificate from a a trusted CA.
The client then checks to see if the Domain Name of the web server matches the Comman Name (CN) on the certificate?
If everything is successful the SSL connection is initiated.
Symmetric Cryptography - Actuall transmission of data: After the SSL connection has been established, Symmetric cryptography is used to encrypting data. Public-Private Key cryptography is CPU cycle intensive, so Symmetric cryptography is used. In symmetric cryptography the data can be encrypted and decrypted using the same key. The Key for symmetric cryptography was exchange in the initiation process.
The certicate that we created while installing Apache, is what I call a Homegrown Certificate. We used the makefile provided by mod_ssl to create this custom Certificate. We used the command:
# make certificate TYPE=custom |
These homegrown Certificates are usually used for testing purposes - to check if the Apache with mod_ssl installation worked.
CA or Certificate Authorities are certificate vendors, who are listed as a Trusted CA in user's browser client. As mentioned in the Encryption Algorithms section, if the CA is not listed as a trusted authority, your user will get a warning message when trying to connect to a secure location.
Similarly the certificates that you created yourself will cause a warning message to appear on the user's browser.
If you are implementing a commercial website, I would highly recommend using a Certification Authority for getting your certificates signed. The warning message usually make the customers go away.
If you are on a "intranet", you can also implement your own CA, but it is a complicated task, and requires a lot of day-to-day management.
CSR or Certificate Signing Request must be sent to the trusted CA for signing. This section discusses howto create a CSR, and send it to the CA of your choice. add text here......
RSA Private Key stored on the webserver is usually encrypted, and you need a passphrase to parse the file. That is why you are prompted for a passphrase when start Apache with modssl:
# apachectl startssl Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server your.server.dom:443 (RSA) Enter pass phrase: |
Encrypting the RSA Private Key is very important. If somebody gets hold of the you "Unencrypted RSA Private Key" he/she can easily impersonate your webserver. If the Key is encrypted, the hacker can not do anything without the passphrase.
However encrypting the Key can sometimes be nuisance, since you will be prompted for a passphrase everytime you start the web-server. Specially if you are using rc scripts to start the webserver at boot time, the prompt for passphrase creates problems.
You can get rid of the passphrase prompt easily by decrypting the Key. However make sure that no one can hold of this Key. I would recommend Hardening and Securing guidelines be followed before decrypting the Key on the webserver.
To decrypt the Key:
First make a copy of the encrypted key
# cp server.key server.key.cryp |
Then re-write the key with encryption. You will be prompted for the original encrypted Key passphrase
# /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key read RSA key Enter PEM pass phrase: writing RSA key |
One way to secure the decrypted Private Key is to make readable only by the root:
# chmod 400 server.key |
The following is list of Certificate Authorities that are trusted by the various browsers: