Networking

Web Development: Use SSL to secure your Apache-based e-commerce transactions

Electronic commerce has become commonplace for many enterprise Web sites. Secure Sockets Layer technology ensures that transactions are encrypted and safe from outside influences. Get the basics of setting up SSL on Apache in this overview.

We've all bought enough books and CDs from Web sites at this point to set aside any lingering fears about doing financial transactions on the Web. A decade ago, most people were scared to death of the prospect. Today, we don't think twice.

The Secure Sockets Layer (SSL) is largely responsible for our feelings of security, and it can be the tool that moves your company's Web site into that secure land of online transactions where you can do business on the Web without fear.

SSL is the brainchild of Netscape. It's a security protocol specifically created to protect Web-based e-commerce transactions, and it has been wildly successful. It sits between the application protocol (usually HTTP) and TCP/IP, and secures applications including mail, directory services, and even the most customized financial transactions.

What does SSL do for you? For starters, it thwarts sniffers intent on intercepting your data by encrypting network sessions, hashing them into secure unreadability. It provides public key encryption to prevent an interloper from slipping into the session with a fake ID; and it can, if you like, authenticate your clients.

So successful is SSL that the Internet masses clamored for it to be an open protocol. And it became so, under the new name Transport Layer Security (TLS). TLS solved a port problem in SSL, by setting aside port 80 for HTTP and reserving port 443 for SSL traffic, keeping the default port open for clear-channel traffic. (Both types of traffic can be accessed on the same port under TLS, in which case client and server can, in theory, duke it out. SSL will always have a home on the Web, however, since most clients can't handle this level of interaction.)

As a side note, TLS running over HTTP is referenced by the prefix https: in the URL, which we've all seen many times.

Keeping out imposters
SSL encryption uses a public key, delivered to the client by the server. Inbound information is encrypted according to this key, but it is decrypted by a private key known only to the server. In addition, the client generates a unique key specific to itself, created with the public key. With this system in place, an intruder situated between server and client has no way to successfully pretend to be either.

Step by step, the connection comes together like this: A "cipher suite," or SSL cryptography kit, is agreed upon between server and client (SSL allows for 31 of these) to be used for encryption; a session key is created, as described above. If desired, mutual authentication occurs between the server and client.

There's another benefit to this key system: If a third party is to be included in an interaction, the key can authenticate the server to that third party (known as a Certificate Authority).

SSL for Apache servers (UNIX platform assumed)
The module that enables SSL for Apache is called mod_ssl. This module and the OpenSSL library do the job—although there are alternatives, which we'll discuss later.

If you're running Apache 2.0, then mod_ssl is already built for you. If you're running 1.3.x, however, patches are required. The module itself can be downloaded from http://www.modssl.org/. The patches can be obtained from http://www.apache.org/dist/httpd.

Untar the patches into the root directory and then run configure, as shown in Listing A.

In this configure command, with-apache is the location of the Apache source tree; with-mm is where the memory module source distribution is found (more on this below); and with-ssl is the location of OpenSSL (more on this below). You use prefix to tell UNIX where Apache is to be installed; enable-shared=ssl will cause Apache to enable SSL once it's built.

The memory module is used for shared memory caching, which will give you better performance. You can download the module from http://www.ossp.org/pkg/lib/mm. Once it's downloaded, configure it as follows:
?./configure —disable-shared

Then make, and make install.

Now build and install Apache in the directory given above. Then copy the server.key file to $APACHE_HOME/conf/ssl.key, and copy server.crt to $APACHE_HOME/conf/ssl.crt. Do a restart, and you're ready to go.

For Apache 2.0 and higher
If you're running 2.0.x, you don't need to go to this much trouble, because mod_ssl is ready to configure. Just enable the module in httpd.conf. After Apache is installed, set the ServerName parameters in httpd.conf and ssl.conf. You must have directories for ssl.key and ssl.crt under the Apache conf directory. Copy server.key into ssl.key and then copy server.crt into ssl.crt. Finally, restart Apache again.

Libraries for code-breaking
The hard part is over, but you're also going to need OpenSSL's libraries for SSL's encryption algorithms. Note: You need Perl to manually install these libraries!

The source distribution for OpenSSL is found at http://www.openssl.org/. Download it and unpack it, then configure it as follows:
$ ./configure –prefix=/{library directory, usually /usr/local}

Next, run make and make install to complete the build. Then type # openssl; the system should respond by reporting to you OpenSSL's version number.

First steps
These are the first steps in putting SSL to work in protecting your e-commerce transactions. Now you're ready to confront performance issues, to consider hardware acceleration, and to configure your system to generate certificates and perform client authentication.

About

Scott Robinson is a 20-year IT veteran with extensive experience in business intelligence and systems integration. An enterprise architect with a background in social psychology, he frequently consults and lectures on analytics, business intelligence...

Editor's Picks