Setting up SSL connections on Apache 2
Safe Service
Roll the Dice
The algorithms used by TLS rely on a pseudo-random number generator, and a generator is only as good as its seed. By default (the builtin source), mod_ssl seeds it from the current time, the process ID, and a randomly chosen 1KB chunk of the internal scoreboard memory, which Apache uses for inter-process communication. None of these values is hard for an attacker to guess, so the result is not strong randomness; the SSLRandomSeed directive lets you select another source and thus improve security. In the simplest case, you read the seed from a file, such as /dev/random on Linux:
SSLRandomSeed connect file:/dev/random
connect indicates that Apache re-seeds the generator each time a new SSL connection is established. The alternative, startup, seeds it only once, when the web server starts; you can configure both stages, and several SSLRandomSeed directives may be given for each. Be aware that /dev/random blocks until the kernel has gathered enough entropy, which on a busy server can stall connection setup: either request a fixed number of bytes (file:/dev/random 512) or use /dev/urandom, which never blocks. SSLRandomSeed must be placed in the global server context (i.e., outside any <VirtualHost> container). In addition to a file, a program can deliver the data. The program must write the random bytes to standard output:
SSLRandomSeed startup exec:/bin/myprg
Finally, on Unix systems, you can read the seed from an Entropy Gathering Daemon (EGD) over a Unix domain socket:
SSLRandomSeed startup egd:/path/to/socket
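A small checker for the rules above, added here as an example and not taken from the article or from the Apache project. It scans an httpd.conf fragment, tracks container nesting, and reports every SSLRandomSeed directive together with the two mistakes a reviewer looks for: a directive placed inside a container such as <VirtualHost> (httpd rejects it there at startup) and a file:/dev/random source without a byte count, which may block. The configuration fragment it runs over is constructed for this example; the hostname and paths in it are illustrative.

```python
"""Lint SSLRandomSeed directives in an Apache httpd.conf fragment.

Added example, not part of the article or of mod_ssl itself. It walks a
config, tracks open containers (<VirtualHost>, <Directory>, ...) and
records a Finding per SSLRandomSeed directive with any problems found.
"""
import re
from dataclasses import dataclass, field
from typing import List

# <VirtualHost *:443>, <Directory "/var/www">, ... and their closing tags
OPEN_RE = re.compile(r"^<(\w+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
# SSLRandomSeed <startup|connect> <source> [bytes]; directive names are case-insensitive
SEED_RE = re.compile(r"^SSLRandomSeed\s+(startup|connect)\s+(\S+)(?:\s+(\d+))?$", re.I)
KNOWN_SOURCES = ("builtin", "file", "exec", "egd")


@dataclass
class Finding:
    line: int
    stage: str
    source: str
    problems: List[str] = field(default_factory=list)


def lint_random_seed(conf: str) -> List[Finding]:
    """Return one Finding per SSLRandomSeed directive, in file order."""
    findings: List[Finding] = []
    stack: List[str] = []  # names of the containers currently open
    for number, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if m := OPEN_RE.match(line):
            stack.append(m.group(1))
            continue
        if m := CLOSE_RE.match(line):
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            continue
        m = SEED_RE.match(line)
        if not m:
            continue
        stage, source, nbytes = m.group(1).lower(), m.group(2), m.group(3)
        finding = Finding(number, stage, source)
        if stack:
            finding.problems.append(
                f"inside <{stack[-1]}>: SSLRandomSeed belongs in the global server context")
        kind, _, path = source.partition(":")
        if kind.lower() not in KNOWN_SOURCES:
            finding.problems.append(f"unknown source type '{kind}'")
        elif kind.lower() == "file" and path == "/dev/random" and nbytes is None:
            finding.problems.append(
                "file:/dev/random without a byte count may block on a busy server; "
                "use 'file:/dev/random 512' or file:/dev/urandom")
        findings.append(finding)
    return findings


def has_startup_seed(findings: List[Finding]) -> bool:
    """True if at least one correctly placed, non-blocking startup seed exists."""
    return any(f.stage == "startup" and not f.problems for f in findings)


# Constructed httpd.conf fragment: two good seeds, one that may block,
# and one misplaced inside a <VirtualHost> container (hostname is made up).
SAMPLE_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
SSLRandomSeed startup file:/dev/random
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLRandomSeed connect file:/dev/urandom 512   # wrong place
</VirtualHost>
"""

if __name__ == "__main__":
    for f in lint_random_seed(SAMPLE_CONF):
        status = "WARN" if f.problems else "OK  "
        print(f"{status} line {f.line}: SSLRandomSeed {f.stage} {f.source}")
        for p in f.problems:
            print(f"       {p}")
```

Run against the sample, the checker accepts the urandom and builtin seeds and warns about line 2 (blocking source) and line 8 (inside <VirtualHost>). The container tracking is deliberately simple and assumes one directive per line, which is how httpd.conf is normally written.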
A reference to all mod_ssl-provided directives is available for Apache 2.2 [6] and Apache 2.4 [7].
Once you have created a certificate, setting up mod_ssl is no problem. But SSL/TLS only protects data in transit: it encrypts the traffic, guards it against tampering, and lets the client authenticate the server, but it says nothing about what happens to the data once it has arrived. Thus, it is not enough simply to enable the SSL module. The web application must also handle the received data confidentially and, where required, encrypt it before storing it in a database. TLS is thus only one small component in a comprehensive security strategy.
Infos
- Wikipedia entry on the Diffie-Hellman algorithm: http://www.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- Wikipedia entry on the X.509 standard: http://en.wikipedia.org/wiki/X509
- OpenSSL: http://www.openssl.org
- Apache download: http://httpd.apache.org/download.cgi
- Verisign: http://www.verisign.com
- Documentation of Mod SSL for Apache 2.2: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
- Documentation of Mod SSL for Apache 2.4: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html