Security and Cryptography
  #1  
Old September 14th, 2001, 06:15 PM
DH123
Setting up SSL on Apache Questions

I'm trying to do something very simple: set up secure https so I can take credit card numbers for a store I'm setting up. I'm not processing the orders in real time, I'm just taking the numbers securely so I can process them through my own merchant terminal. I also only want the SSL to be for the credit card number input page, not the whole site.

I have a web server running BSDi ISS 4 and Apache ver. 1.3.9. I have Webmin 0.71 on this same box.

I know that I need to use Secure Socket Layer (SSL) Encryption. I know I can set this up with various bits of software which I can install. I'm just not sure which ones I need.

There's OpenSSL and SSLeay, both of which I've installed on a development server running the latest version of FreeBSD. This is not a production server but just one I'm messing around with. Sticking with this development server for a moment, I also have Webmin 0.87 on it and I used its interface to enable SSL support (because I installed the SSLeay Perl module). Webmin also has a Certificate Authority module that allows you to generate certificates but I'm really not fully sure how it works . . . I managed to generate a certificate and an RSA private key but I'm not sure what to do with them.

So here I am sort of stuck with an older production server that'll need Apache upgraded to 1.3.20 and no SSL whatsoever, and a development server that appears to be running https but the certificates aren't trusted. I know I have to go to Verisign or Thawte and buy a contract but I'm still not crystal clear on that aspect of things either.

Okay, so that's the background. Here's my problem:

I've just learned about Apache-SSL and mod_ssl. Are these different? If so, do I need both of them? I ask because my devel server seems to be running https just fine without either of these with the exception that the certificates aren't trusted.

Also, I'm now finding that I may or may not need both OpenSSL and SSLeay. Do I need both or just OpenSSL?

Finally, can anyone recommend a practical book or online tutorial that shows semi-competent individuals like me (who know just enough to be dangerous) about what you need to get SSL up and running from start to finish? I know I can read the docs for every one of these things, but that's a lot of docs and I'm trying to get this done in less than a year (I'm a slow reader). Actually, I did read Verisign's "Securing Your Apache Server for Business with VeriSign Secure Server IDs" and it was pretty good, but I wouldn't mind another source to compare it to.

Any assistance will be greatly appreciated

  #2  
Old September 14th, 2001, 07:09 PM
freebsd
>> I've just learned about Apache-SSL and mod_ssl. Are these different?

Start here -> http://forums.devshed.com/showthrea...1645&forumid=15

>> do I need both of them?

No.

>> with the exception that the certificates aren't trusted

Why aren't they trusted? Your server will trust the connecting clients. It's up to the clients whether they GRANT your self-signed cert. You can always start out with a self-signed cert and pay around $120 for a commercial CA cert.

>> Do I need both or just OpenSSL?

Just OpenSSL. You'd use SSLeay when you need to develop an SSL-aware application, like writing a script that connects to Authorize.net on the server side.

>> can anyone recommend a practical book or online tutorial

I would start by searching google.com

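The self-signed versus commercial-CA point in freebsd's reply, as an added example that is not part of the thread: a POSIX shell script that generates the RSA key and self-signed certificate with the OpenSSL command line (the same two files Webmin's CA module produced), writes the CSR a commercial CA would sign, and shows with openssl verify that "trusted" is decided by whoever verifies the certificate, not by the server. The hostname shop.example.test, the working directory ./sslwork and the function names are assumptions; run it as sh mkcert.sh demo.

```shell
#!/bin/sh
# Added example, not from the thread: make a key and self-signed certificate
# with the OpenSSL command line, produce the CSR a commercial CA signs, and
# show that "trusted" is decided by whoever verifies the certificate.
# HOST, DIR and the function names are assumptions for illustration.
set -eu

HOST="${HOST:-shop.example.test}"
DIR="${DIR:-./sslwork}"

make_self_signed() {
    mkdir -p "$DIR"
    # Unencrypted key so Apache can start unattended; guard it with 0600 instead.
    openssl genrsa -out "$DIR/server.key" 2048 2>/dev/null
    chmod 600 "$DIR/server.key"
    # -x509 makes a self-signed certificate: subject and issuer are the same name.
    openssl req -new -x509 -key "$DIR/server.key" -out "$DIR/server.crt" \
        -days 365 -subj "/CN=$HOST" 2>/dev/null
}

# The CSR carries the public key and the subject name; the private key stays
# on the server. This file is what goes to VeriSign/Thawte, never the key.
make_csr() {
    openssl req -new -key "$DIR/server.key" -out "$DIR/server.csr" \
        -subj "/CN=$HOST" 2>/dev/null
}

# Returns 0 when issuer == subject, i.e. nobody but the server vouches for it.
is_self_signed() {
    subj=$(openssl x509 -in "$DIR/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$DIR/server.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Same certificate, two verifiers: the system CA store (what a browser ships
# with) rejects it; a verifier told to trust this very cert (what clicking
# "accept" in the browser does) succeeds. Nothing on the server changed.
verify_against_system_store() {
    openssl verify "$DIR/server.crt" >/dev/null 2>&1
}
verify_against_itself() {
    openssl verify -CAfile "$DIR/server.crt" "$DIR/server.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    make_self_signed && make_csr
    is_self_signed && echo "server.crt is self-signed"
    verify_against_system_store || echo "system CA store: NOT trusted (expected)"
    verify_against_itself && echo "cert as its own trust anchor: trusted"
    echo "send $DIR/server.csr to the CA; keep $DIR/server.key private"
fi
```

What to do with the two files: server.key and server.crt are what Apache's SSLCertificateKeyFile and SSLCertificateFile point at; keep the key owned by root with mode 0600 and never copy it off the box. When you buy the commercial certificate, you send server.csr, and the file the CA returns simply replaces server.crt for the same key. For a page that collects card numbers, do that before going live: a self-signed certificate teaches customers to click through the browser's warning, which is exactly the habit an attacker with a forged certificate relies on.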
  #3  
Old September 14th, 2001, 11:01 PM
DH123
freebsd,

Thanks for the insights. Previous to my above post, I had read your post regarding Apache-SSL and mod_ssl, but I have to admit that it still left me scratching my head a tiny bit (give me time, It'll sink in eventually!).

Just to be sure I understood your response about Apache-SSL and mod_ssl, let me re-phrase my question: do I need either of them? That is, can I do without Apache-SSL and mod_ssl and just use good ol' regular Apache v.1.3.20 and OpenSSL, too (which is what I did with my FreeBSD server)?

Once again, your assistance is greatly appreciated!

Oh, and I will indeed continue to search Google.com for more info.

  #4  
Old September 15th, 2001, 12:01 AM
DH123
Took freebsd's advice and did a few more Google.com searches and found some great resources to start with:

Xmission have four good introductory tips.

Apache with SSL from FreeBSDDiary.org

Frederick J. Hirsch

Two different flavours of SSL for Apache

  #5  
Old September 15th, 2001, 12:40 AM
freebsd
>> do I need either of them?

Yes.

>> can I do without Apache-SSL and mod_ssl and just use good ol' regular Apache v.1.3.20 and OpenSSL

No. Your http daemon needs to be SSL-aware. In another protocol like SMTP, you probably should have heard of STARTSSL. Without the built-in support for such a STARTSSL SMTP command, when you are establishing a telnet session to the remote SMTP server and entering such a command, the remote SMTP server just can't understand it. For those MTAs that support STARTSSL, they need to build (recompile) it and enable it explicitly.

Similarly, in Apache, you can build Apache-SSL, but you are given another alternative -- mod_ssl, that is, to load SSL support dynamically. In either case, you need to install OpenSSL.

Port 443 itself is NOT SSL-aware. You need to build Apache with SSL support and listen on whatever port (default 443).

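To make freebsd's point concrete (an SSL-aware daemon bound to 443, with OpenSSL underneath, and the port number itself meaning nothing), and to cover the original "only the credit-card page over SSL" requirement, here is an added example that is not from the thread: a POSIX shell script that writes an Apache 1.3 + mod_ssl httpd.conf fragment with a plain-http vhost on 80, an SSLEngine on vhost on 443 and a redirect that forces the checkout page onto https, checks the fragment, and includes a small openssl s_client probe that tells a listener that completes a TLS handshake from one that does not. The hostname, the DocumentRoot and certificate paths, the /checkout/ URL and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: write an Apache 1.3 + mod_ssl fragment
# that keeps the store on http and forces only the card-entry page onto https,
# check it, and probe whether a port actually speaks TLS.
# HOST, OUT, the DocumentRoot, the certificate paths and /checkout/ are
# assumptions for illustration.
set -eu

HOST="${HOST:-shop.example.test}"
OUT="${OUT:-./ssl.conf}"

write_ssl_conf() {
cat > "$OUT" <<EOF
# Include this from httpd.conf. Apache must have mod_ssl compiled in or loaded
# as a DSO; a plain build refuses to start on the SSL* directives below.
<IfModule mod_ssl.c>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLSessionCache none
</IfModule>

Listen 80
# Wrapped in IfDefine SSL so "apachectl startssl" enables https while a plain
# "apachectl start" still works until the certificate is sorted out.
<IfDefine SSL>
Listen 443
</IfDefine>

<VirtualHost _default_:80>
    ServerName $HOST
    DocumentRoot /usr/local/www/data
    # The form page itself must arrive over https, not only its POST target;
    # otherwise the page the customer types into can be altered in transit.
    Redirect permanent /checkout/ https://$HOST/checkout/
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
    ServerName $HOST
    DocumentRoot /usr/local/www/data
    SSLEngine on
    # Private key readable by root only (chmod 600); the certificate is public.
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
    # Add the CA's intermediate chain once a commercial certificate is in:
    # SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/chain.crt
    # SSLv2 is broken; refuse it, and refuse export and anonymous ciphers.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!ADH:!EXP:!SSLv2
</VirtualHost>
</IfDefine>
EOF
}

# Sanity-check the fragment before handing it to apachectl configtest: the
# https vhost must listen, turn the engine on and name both key and cert.
check_ssl_conf() {
    grep -q '^Listen 443'                     "$OUT" &&
    grep -q '^<VirtualHost _default_:443>'    "$OUT" &&
    grep -q 'SSLEngine on'                    "$OUT" &&
    grep -q 'SSLCertificateFile'              "$OUT" &&
    grep -q 'SSLCertificateKeyFile'           "$OUT" &&
    grep -q 'Redirect permanent /checkout/ https://' "$OUT"
}

# Port numbers are not "SSL-aware": a plain http daemon bound to 443 answers a
# TLS ClientHello with an HTTP error (or silence) and the handshake fails.
# Returns 0 when the listener at $1:$2 completed a TLS handshake.
port_speaks_tls() {
    echo | openssl s_client -connect "$1:$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    write_ssl_conf && check_ssl_conf && echo "wrote $OUT"
    port_speaks_tls "$HOST" 443 && echo "$HOST:443 speaks TLS" \
        || echo "$HOST:443 does not speak TLS"
fi
```

Add Include conf/ssl.conf to httpd.conf, run apachectl configtest, then apachectl startssl. Two caveats a practitioner would raise: serving only the checkout page over https was a CPU-cost compromise of the era, and anything the checkout shares with the http pages (a session or basket cookie, for instance) stays exposed on port 80, so moving the whole checkout flow to https is the safer choice. And the probe explains the Webmin confusion from the first post: port_speaks_tls against Webmin's port succeeds because Webmin's own miniserv has SSL built in, while the same probe against Apache's 443 fails until Apache itself is built with mod_ssl or Apache-SSL.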
  #6  
Old September 15th, 2001, 09:39 AM
DH123
freebsd,

Alrighty, then . . . I need to make my http daemon (Apache) SSL-aware by patching it with Apache-SSL or recompiling it with mod_ssl.

Why then, does my development server running the FreeBSD OS with Apache 1.3.20 with OpenSSL and SSLeay installed and SSL enabled using Webmin's SSL Encryption and Certificate Authority modules appear to be running https when I log into Webmin no problem?

Did Webmin do something that I'm not aware of? Is it running https for Webmin only . . . ah!

I think I may have just answered my own question . . . Webmin has nothing to do with the Apache http daemon . . . it runs independently on top of everything else . . . (see, I know just enough to be dangerous ). This is why I've been getting confused: because Webmin appears to be just another set of web pages on the server, I unconsciously connected it with the behaviour of my existing Apache server install. D'uh!

Okay, all is slowly becoming clear. Thanks again for the help.

  #7  
Old September 16th, 2001, 03:57 AM
freebsd
>> I think I may have just answered my own question

Yes you did.

BTW, if you are a BSD user, don't use Webmin as it's for Linux newbies who don't know how to administer their system. Webmin users might say "Hey, I know how to do things manually without Webmin and Webmin just makes my life easier." If you really know how, stop lying to yourself and write your own script. Further, if you really wanted to learn the OS, just quit using Webmin. If you can't live without a GUI, BSD is not for you; go back to Windows.

Correction: I just read my last post and found I posted the wrong SMTP command, it should be STARTTLS instead of STARTSSL.

  #8  
Old September 16th, 2001, 12:47 PM
DH123
freebsd,

Stop using Webmin? Ha!

There's no doubt your skills are so sharp because you hone them every day by doing things at the command line level; but Webmin is an excellent tool and I don't rely on it as a crutch so much as I rely on it as an expeditious way to get things done while I'm learning about how these things work at the command line level. There simply aren't enough hours in the day to do everything that must be done and learn from scratch at the same time.

Furthermore, I've still never written a shell script in my life so it'll be some time before I can learn how to write my own scripts to do what Webmin does.

But I do appreciate your admonition . . . I'm taking it as inspiration to keep learning this stuff from the inside out and not to rely on GUIs. If it helps to raise my credit at all, I didn't even install X-Windows in my FreeBSD install [Has anyone seen my hair shirt?]

  #9  
Old September 21st, 2001, 09:45 AM
carpediem-it
Hi

One thing to point out: mod_ssl can and does cause problems with some IE browsers (esp. Mac users).

Apache-SSL does not cause any problems.

Regards
Darren
© 2003-2009 by Developer Shed. All rights reserved. DS Cluster 1 hosted by Hostway