Web Developer's Virtual Library: Encyclopedia of Web Design Tutorials, Articles and Discussions



6.3 OpenSSL and Apache - Page 3

June 28, 2002

So now that we know we want OpenSSL, how do we get Apache to use it?

I casually mentioned earlier that a server has to be built to use SSL instead of the usual sockets layer (as do browsers). This is not a trivial change, and can't be implemented solely through an add-on interface to Apache, such as mod_perl is. The guts of the server have to change to handle SSL.

There are commercial Apache SSL products that provide the necessary changes,[2] as well as a pair of Open Source solutions. The first on the scene was Apache-SSL, created by Ben Laurie; later Ralf Engelschall split off the Apache-SSL code to build mod_ssl on an expanded architecture. Both products use OpenSSL, actively track Apache versions (which is not surprising since the developers are part of the Apache Group), use the same license, and accomplish the same goal.

In terms of the buyer's guide, it is hard to tell the two products apart. Their mailing lists are active and helpful. The development pedigree of each product is impeccable and there is no reason to think that one is going to have more ongoing cost than the other. Both products are trivially easy to build and install. The few reports I've read comparing the two implementations comment as much on the developers as the code, so the choice seems to be a matter of personality for those who are active in the development community. I'll put forth a few technical issues and go on with my own choice, mod_ssl. If you choose Apache-SSL instead, the only changes you'll need to make to my examples are in the configuration files.

Both products assume that OpenSSL has been configured and built already. There is some convenience to having all of Apache, OpenSSL, mod_perl, and mod_ssl in one directory tree but it's not a requirement.

6.3.1 Apache-SSL

Apache-SSL provides a set of patches to a given Apache version, plus additional source files. Starting with a freshly unpacked Apache, unpack Apache-SSL into the same directory and apply the patches as instructed. Then configure and build Apache as you have previously, making sure you enable the apache_ssl module as well as mod_perl and any others you use. There isn't much more to it.

There also isn't much more to the documentation. Apache-SSL adds a page to the online manual explaining its directives, and has a configuration example, but doesn't go any further. That's fine for someone who knows about SSL and has a good grasp of Apache configuration, but personally I wanted more.

6.3.2 mod_ssl

One could argue that the main thing mod_ssl adds to Apache-SSL is polish. The product has an extensive web site which looks better than that of most commercial products. The site has pages for downloading the source, reading the documentation or mailing list archives, getting news about mod_ssl, and checking the latest surveys to track the number of installed servers.

The documentation is quite good, and explains the workings of SSL's suite of cryptographic tools and how a web browser and server decide what to use. The installation instructions that ship with the source are better than the shortened online version, and include instructions on how to build OpenSSL, Apache, mod_ssl, and mod_perl all together. The process isn't that hard to figure out, but having the commands laid out in one file will help the first-time web builder.

Those Apache developers who don't like mod_ssl complain that it adds too much to the server. mod_ssl patches Apache to include an extended API, then implements SSL through that API. It also optionally uses the developer's shared memory library to speed up some operations between servers. The result, though, is that mod_ssl acts in many ways like a standard Apache module, and I like the architecture almost as much as I like the generous documentation.

6.3.3 Installing mod_ssl

mod_ssl versions are tied to Apache versions, so if you are downloading newer software, make sure you get the distribution that matches your Apache source.

As mentioned, mod_ssl assumes the current release of OpenSSL is already in place. If you are going to use the MM shared memory library you'll need to set that up as well. This example builds the server using OpenSSL 0.9.5a, Apache 1.3.12, mod_ssl 2.6.4, mod_perl 1.24, and MM 1.1.2, all unpacked in /usr/local, following the build process as described in the OpenSSL and mod_ssl installation documentation.
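The version pairing can be checked before any configure step is run. The following is an added example, not part of the original text: it assumes the source trees keep the unpacked names used in this section (mod_ssl-<mod_ssl version>-<Apache version> and apache_<version>), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-build check that a mod_ssl distribution matches the
# Apache source tree. Assumes the directory names used in this section.

# Print the Apache version a mod_ssl directory targets
# (the part after the last '-' in mod_ssl-<modssl>-<apache>).
modssl_target() {
    name=$(basename "$1")
    case "$name" in
        mod_ssl-*-?*) printf '%s\n' "${name##*-}" ;;
        *) return 1 ;;
    esac
}

# Print the version of an Apache source directory (apache_<version>).
apache_version() {
    name=$(basename "$1")
    case "$name" in
        apache_?*) printf '%s\n' "${name#apache_}" ;;
        *) return 1 ;;
    esac
}

# Return 0 when the two trees pair up, 1 on a version mismatch,
# 2 when either directory name is not in the expected form.
check_pairing() {
    want=$(modssl_target "$1") || {
        echo "unrecognized mod_ssl directory name: $1" >&2; return 2; }
    have=$(apache_version "$2") || {
        echo "unrecognized Apache directory name: $2" >&2; return 2; }
    if [ "$want" != "$have" ]; then
        echo "mismatch: $1 targets Apache $want, source tree is $have" >&2
        return 1
    fi
    echo "ok: mod_ssl distribution and Apache source are both $have"
}

# The pairing used in this section's build.
check_pairing ../mod_ssl-2.6.4-1.3.12 ../apache_1.3.12
```
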

$ cd /usr/local/openssl-0.9.5a 
$ sh config 
$ make 
$ make test 

OpenSSL is built with all the defaults, which is fine for the U.S. I moved on to MM, the shared memory module:

$ cd ../mm-1.1.2 
$ ./configure --disable-shared
$ make 

The --disable-shared directive here disables shared libraries, not shared memory. Since Apache is the only application we're likely to build with MM, there isn't any benefit to having the MM code in a shared library. Then we'll go to mod_ssl, telling it where to find OpenSSL and MM:

$ cd ../mod_ssl-2.6.4-1.3.12
$ ./configure --with-apache=../apache_1.3.12 \
	--with-ssl=../openssl-0.9.5a \
	--with-mm=../mm-1.1.2

And on to mod_perl. Here we skip testing mod_perl before going on, but if you've built mod_perl previously that's fine.

$ cd ../mod_perl-1.24
$ perl Makefile.PL EVERYTHING=1 APACHE_SRC=../apache_1.3.12/src \
	USE_APACI=1 PREP_HTTPD=1 DO_HTTPD=1
$ make
$ make install

Finally, we build Apache. Note the configuration directives for mod_ssl and mod_perl:

$ cd ../apache_1.3.12
$ SSL_BASE=../openssl-0.9.5a ./configure --enable-module=ssl \
	--activate-module=src/modules/perl/libperl.a \
	--enable-module=perl
$ make
$ make certificate
$ make install

Note the step to create the server's certificate, which we discuss in the next section.

If you have already installed Apache, I recommend shutting down your current server and moving its installation aside, letting make install start fresh. Among other things, it will put in a new blank configuration file which has examples of all the SSL directives and an IfModule section where you can put SSL-specifics. Compare the newly created httpd.conf to your previous one and reinstate your changes (port numbers, aliases, mod_perl configuration, etc.).


[2] SSL products from RedHat, Raven, and Stronghold also provided licenses to the patented RSA algorithms for U.S. customers, but that restriction has expired.

Web Development with Apache and Perl

