Setting up SSL connections on Apache 2

Safe Service

Roll the Dice

The algorithms used by TLS rely on a random number generator. By default, mod_ssl seeds it from its built-in source, which combines the current time, the process ID, and a randomly chosen 1KB chunk of the internal scoreboard memory that Apache uses for inter-process communication. The result is not a true random seed, so you can use SSLRandomSeed to select another source and thus improve security. In the simplest case, the random values come from a file, such as /dev/random on Linux:

SSLRandomSeed connect file:/dev/random

connect indicates that Apache seeds the generator each time a new SSL connection is established. The alternative, startup, seeds it only once when the web server starts. SSLRandomSeed must also be placed in the global server context (i.e., outside any <VirtualHost> container). Besides a file, a program can deliver the data; the program must write the random values to standard output:

SSLRandomSeed startup exec:/bin/myprg

Finally, on Unix systems, you can read the data from the Unix domain socket of an Entropy Gathering Daemon (EGD):

SSLRandomSeed startup egd:/path/to/socket

A reference to all mod_ssl-provided directives is available for Apache 2.2 [6] and Apache 2.4 [7].
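The following shell script is an added example; it is not part of the article and not code from the Apache project. It writes two constructed httpd configuration fragments to temporary files (hostnames and certificate paths are placeholders): one with SSLRandomSeed in the global server context, as the directive requires, and one with the directive misplaced inside a <VirtualHost> container. A small awk-based check then flags any SSLRandomSeed found inside a <VirtualHost> block, so a misplaced directive is caught before a reload rather than by httpd refusing to start. The "512" after the file source caps the number of bytes read, which keeps a blocking /dev/random from stalling startup.

```shell
#!/bin/sh
# Added example (not from the article or the Apache project). Hostnames,
# certificate paths and file names below are assumptions for illustration.

# Constructed config 1: SSLRandomSeed in the global server context (correct).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# Global server context: seed once at startup and again per connection.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
EOF

# Constructed config 2: the same directive, wrongly placed inside <VirtualHost>.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLRandomSeed connect file:/dev/urandom 512
</VirtualHost>
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# check_randomseed_scope FILE
# Prints every SSLRandomSeed line that sits between <VirtualHost> and
# </VirtualHost> and returns 1 if any was found, 0 otherwise. Directive
# names are matched case-insensitively, as httpd itself does.
check_randomseed_scope() {
    awk '
        BEGIN { depth = 0; bad = 0 }
        # strip leading whitespace so anchored matches work on indented lines
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        tolower(line) ~ /^<virtualhost[[:space:]>]/ { depth++ }
        tolower(line) ~ /^<\/virtualhost>/          { if (depth > 0) depth-- }
        tolower(line) ~ /^sslrandomseed[[:space:]]/ && depth > 0 {
            printf("%s:%d: SSLRandomSeed inside <VirtualHost>: %s\n", FILENAME, NR, line)
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# has_randomseed FILE
# Returns 0 if the file contains at least one SSLRandomSeed directive; a
# configuration without any relies on the built-in source alone.
has_randomseed() {
    grep -iq '^[[:space:]]*SSLRandomSeed[[:space:]]' "$1"
}

if check_randomseed_scope "$GOOD_CONF"; then echo "good config: ok"; fi
if ! check_randomseed_scope "$BAD_CONF"; then echo "bad config: rejected"; fi
```

Run it with `sh` on any Linux host; the check reads only the configuration text and does not need Apache installed. On a live server, `apachectl configtest` remains the authoritative check, since httpd itself rejects directives that are not allowed in a given context.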

Once you have created a certificate, setting up mod_ssl is no problem, but SSL/TLS only protects data in transit, and so only offers confidentiality against sniffers on the network. Enabling the SSL module alone is therefore not enough: the web application must also handle the received data confidentially and encrypt it before storing it in a database. TLS is thus only one small component of a comprehensive security strategy.

Infos

  1. Wikipedia entry on the Diffie-Hellman algorithm: http://www.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  2. Wikipedia entry on the X.509 standard: http://en.wikipedia.org/wiki/X509
  3. OpenSSL: http://www.openssl.org
  4. Apache download: http://httpd.apache.org/download.cgi
  5. Verisign: http://www.verisign.com
  6. Documentation of Mod SSL for Apache 2.2: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
  7. Documentation of Mod SSL for Apache 2.4: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

The Author

Tim Schürmann is a freelance computer scientist and author. Besides books, Tim has published various articles in magazines and on websites.
