Is it possible to 'add' SSL capability to working Apache?

Is it possible to 'add' SSL capability to working Apache?

ohaya
Hi,

I got Apache 2.0.52 compiled, installed, and working on a Solaris 9
system awhile ago, but now I need to enable that server for SSL with
client authentication.

I know that I have to at least compile/install OpenSSL on the Solaris
system, but all of the information that I've been able to find indicates
that I need to also completely re-configure, re-compile, and re-install
Apache from the original 2.0.52 source.

Is there any way to avoid this, and just compile the mod_ssl.so module
after I do the compile/install of OpenSSL?


Also, I have a test Apache installation running on a separate Windows
system, and that test system already has SSL working including the
server and CA certs installed.  

Once I get done with the OpenSSL installation and either the Apache
re-compile to get the SSL capability on the Solaris system, can I just
move:

 - the CA cert and server cert files
 - the .key file
 - the ..\conf\ssl.conf file

over from my test Windows system to the Solaris system?

For reference, here's what the ssl.conf file on the test Windows system
looks like now:

=====================================================================
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  exec:e:\apache\conf\passphrase.bat

SSLSessionCache         dbm:logs\ssl_scache
SSLSessionCacheTimeout  300

SSLMutex default

<VirtualHost _default_:443>

DocumentRoot "e:\apache\htdocs"
ServerName www.example.com:443
ServerAdmin [hidden email]
ErrorLog logs\error_log
TransferLog logs\access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile ssl\server-certificate.crt
SSLCertificateKeyFile ssl\server-certificate.key
SSLCertificateChainFile ssl\server-certificate.crt
SSLCACertificateFile ssl\ca-certificate.crt
SSLVerifyClient require
SSLVerifyDepth  5
<Files ~ "\.(class|jsp|cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "e:\apache\cgi-bin">
    SSLOptions +StdEnvVars +ExportCertData
</Directory>
.
.
<snip>
.
.
<Directory "E:\Tomcat\jakarta-tomcat-5.0.27\work\Catalina\localhost\jsp-examples\org\apache\jsp">
    SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs\ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                  
#</IfDefine>
=====================================================================

Obviously, I'm going to have to edit the ssl.conf file to eliminate the
drive letters and replace "\" with "/", but other than that, should this
work?

Thanks in advance,
Jim

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]
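
The ssl.conf port described in the message above, as an added example that is not part of either post: a blind replacement of "\" with "/" would also rewrite the regex in the Files block, the escaped quotes in the CustomLog format and the line continuations, so this sketch converts only the path argument of path-taking directives and lists the lines that still need a decision. The Unix root /usr/local/apache2, the directive subset and the sample (an excerpt of the posted file with one path shortened) are assumptions.

```python
import re

# Directives whose first argument is a filesystem path (subset seen in the posted file).
PATH_DIRECTIVES = ("DocumentRoot|ErrorLog|TransferLog|CustomLog|SSLSessionCache|"
                   "SSLPassPhraseDialog|SSLCertificateFile|SSLCertificateKeyFile|"
                   "SSLCertificateChainFile|SSLCACertificateFile|Directory")
LINE_RE = re.compile(r"^(\s*<?(?:%s)\s+)(\S+)(.*)$" % PATH_DIRECTIVES, re.I)
WEAK = {"LOW", "EXP", "SSLv2", "eNULL"}  # OpenSSL cipher classes worth a second look

# Constructed sample: excerpt of the posted ssl.conf, Tomcat path shortened.
SAMPLE = r"""SSLPassPhraseDialog  exec:e:\apache\conf\passphrase.bat
SSLSessionCache         dbm:logs\ssl_scache
DocumentRoot "e:\apache\htdocs"
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile ssl\server-certificate.key
<Files ~ "\.(class|jsp|cgi|shtml|phtml|php3?)$">
<Directory "E:\Tomcat\jakarta-tomcat-5.0.27\work">
CustomLog logs\ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" """

def port_path(arg, roots):
    """Map Windows roots to Unix roots, then flip separators in this one argument."""
    for win, unix in roots.items():
        arg = re.sub(re.escape(win), lambda m: unix, arg, flags=re.I)
    return arg.replace("\\", "/")

def port_conf(text, roots):
    """Return (ported_text, notes); notes are (line_no, reason) pairs for manual review."""
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:  # rewrite only the path argument; regexes and continuations stay intact
            line = m.group(1) + port_path(m.group(2), roots) + m.group(3)
            if re.search(r"\b[A-Za-z]:/", line):
                notes.append((n, "drive letter left: no Unix root mapped"))
            if re.search(r"\.(bat|cmd|exe)\b", line, re.I):
                notes.append((n, "Windows helper program: needs a Unix replacement"))
        elif line.strip().startswith("SSLCipherSuite"):
            named = {t.lstrip("+") for t in line.split(None, 1)[-1].split(":")}
            if named & WEAK:
                notes.append((n, "cipher string names weak classes: "
                              + ", ".join(sorted(named & WEAK))))
        out.append(line)
    return "\n".join(out), notes

if __name__ == "__main__":
    ported, notes = port_conf(SAMPLE, {"e:\\apache": "/usr/local/apache2"})
    print(ported)
    for n, why in notes:
        print("line %d: %s" % (n, why))
```

The certificate and key files are plain PEM text and copy across unchanged; the key file on the Solaris side should be readable only by the account that starts Apache.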


Re: Is it possible to 'add' SSL capability to working Apache?

Joshua Slive
On 4/25/05, ohaya <[hidden email]> wrote:

> I got Apache 2.0.52 compiled, installed, and working on a Solaris 9
> system awhile ago, but now I need to enable that server for SSL with
> client authentication.
>
> I know that I have to at least compile/install OpenSSL on the Solaris
> system, but all of the information that I've been able to find indicates
> that I need to also completely re-configure, re-compile, and re-install
> Apache from the original 2.0.52 source.
>
> Is there any way to avoid this, and just compile the mod_ssl.so module
> after I do the compile/install of OpenSSL?

If you have mod_so compiled into the server, it may be possible to use
apxs to compile mod_ssl without needing to recompile the entire
server.

But on the other hand, recompiling the entire server is usually quite
a simple thing to do.  Just find the "config.nice" file (should be in
your build/ directory), edit it to add the ssl options, put it in the
source directory and run it.  Then "make install".

Joshua.
