PHP

Installing Apache to Use SSL

This section describes how to install a secure version of the Apache web server. There are three major differences encountered when installing Apache to use SSL versus installing Apache normally:

Secure Sockets Layer software is required.

There are several sources of Secure Sockets Layer software. OpenSSL is probably the one most commonly used with Apache.

SSL patches must be applied to the Apache code before it is configured and compiled.

Unlike installing other Apache modules, SSL installation requires that the core Apache source code be modified or patched. Normal Apache modules, such as the PHP module, interact with Apache using a defined application programming interface, or API. The Apache API provides functions that hide the details of dealing with HTTP from Apache module developers.

However, the code that implements SSL needs to encrypt and decrypt HTTP requests and responses. The Apache API is aimed at the wrong level for this, so SSL patches need to be applied to the Apache source code instead. Several open source and commercial SSL extensions and patches for Apache are available. ApacheSSL (http://www.apache-ssl.org) and mod_ssl (http://www.modssl.org) are both open source and easy to install. We describe the installation of ApacheSSL in this section.

A site certificate needs to be obtained and configured.

A self-signed certificate can be created, but it needs to be replaced with a purchased certificate from a Certification Authority when an application goes live. There are dozens of organizations that can provide authoritative certificates, including companies such as Verisign and Thawte.

Installing OpenSSL

  1. Get the latest version of OpenSSL from http://www.openssl.org/source/. Download the Unix tar-ed and gzip-ed file under the heading "Tarball." For example, download the file openssl-0.9.6a.tar.gz.

  2. Put the distribution file in a directory that can be used to build the OpenSSL libraries. In our installation instructions, we use /usr/local/. The default installation process installs OpenSSL in /usr/local/ssl. To use /usr/local/, log in as the root user of the Linux installation; in any case, root access is required in Step 5 to install in the default location.

  3. Uncompress and un-tar the distribution file in the new installation directory using gzip and tar. If the version downloaded was 0.9.6a, the commands are:

    % gzip -d openssl-0.9.6a.tar.gz
    % tar xvf openssl-0.9.6a.tar
    

    The distribution files are listed as they are extracted from the tar file.

  4. Change the directory to the openssl source directory, run the config script, and then make the installation. Assuming the version downloaded is 0.9.6a, the commands are:

    % cd openssl-0.9.6a
    % ./config
    % make
    % make test
    

    To install OpenSSL in a directory other than /usr/local/ssl, run config with the --openssldir=<directory-path> option.

  5. Build the install binaries of SSL. To do this, log in as the root user, and then run the make install script:

    % make install
    

    This creates an installation of SSL in the directory /usr/local/ssl.
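
Because Steps 2 through 5 unpack and install a downloaded archive with root access, it is worth checking the download from Step 1 before Step 3 extracts it. The following is an added example, not part of the original instructions: the function names, the use of sha256sum, and the idea that you have obtained an expected digest from a source you trust are all assumptions.

```shell
#!/bin/sh
# Added example: checks to run on the Step 1 download before Step 3.
# Assumptions: sha256sum (GNU coreutils) is available, and the expected
# digest comes from a source you trust, not from beside the download.

# verify_digest FILE EXPECTED -> 0 only if FILE's SHA-256 equals EXPECTED.
verify_digest() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# members_confined TOPDIR -> reads member names (tar tf output) on stdin.
# 0 only if every name is TOPDIR or below it, with no ".." component.
members_confined() {
    top=$1
    seen=0
    while IFS= read -r name; do
        seen=1
        case $name in
            /*|..|../*|*/..|*/../*) return 1 ;;  # absolute path or traversal
        esac
        case $name in
            "$top"|"$top"/*) ;;                   # inside the expected tree
            *) return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ]                             # an empty listing fails
}

# check_tarball FILE EXPECTED -> both checks; FILE is named <topdir>.tar.gz.
check_tarball() {
    verify_digest "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    dir=$(basename "$1" .tar.gz)
    listing=$(gzip -dc "$1" | tar tf -) ||
        { echo "unreadable archive: $1" >&2; return 1; }
    printf '%s\n' "$listing" | members_confined "$dir" ||
        { echo "member outside $dir/: $1" >&2; return 1; }
}

# Usage, with EXPECTED_SHA256 set to the published digest (placeholder):
#   check_tarball openssl-0.9.6a.tar.gz "$EXPECTED_SHA256" &&
#       gzip -d openssl-0.9.6a.tar.gz && tar xvf openssl-0.9.6a.tar
```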