
2010 International Conference on E-Business and E-Government, Guangzhou, China, 7-9 May 2010
URL: http://doi.ieeecomputersociety.org/10.1109/ICEE.2010.334

Abstract: With the growth of e-business, the security of Web services is receiving more attention. This article therefore explores a method of establishing a secure Web site with Apache and OpenSSL. The traffic is captured with the EtherPeek program, and the captures taken with the security module disabled and enabled are compared to show that the latter achieves confidential communication.
Index Terms: Web, Apache, SSL, OpenSSL, https
Citation: Li Gui-hong, Zheng Hua, Li Gui-zhi, "Building a Secure Web Server Based on OpenSSL and Apache," ICEE, pp. 1307-1310, 2010 International Conference on E-Business and E-Government, 2010


Building A Secure Web Server Based on OpenSSL and Apache

LI Guihong
Academic Administration, Shijiazhuang Railway Institute, Shijiazhuang, China, sirtzhh@vip.sohu.com

ZHENG Hua
Department of Information Engineering, Shijiazhuang Institute of Railway Technology, Shijiazhuang, China, ligh@sjzri.edu.cn

LI Guizhi
Department of Foreign Languages, Shijiazhuang Railway Institute, Shijiazhuang, China

Keywords: Web, Apache, SSL, OpenSSL, https

I. INTRODUCTION
In the current Web server market, IIS and Apache are the two leading products, together accounting for over 90% of the whole. Microsoft's IIS has a complete GUI and is easy to learn, but it depends on the Windows operating system and has only average security and throughput. Apache's advantages are that it is open source, free, cross-platform, open to remote administration and flexible to configure, which eases customization; its disadvantage is that configuration is complicated and requires specialist knowledge. Large Web sites therefore usually use Apache as their Web server, as shown in TABLE I.

TABLE I. WEB SERVERS OF DOMESTIC RENOWNED WEBSITES
Website    Operating System    Web Server
Alibaba    Linux               Apache/1.3.29
Sina       FreeBSD             Apache/2.0.54
Baidu      Linux               Apache/1.3.27
Sohu       UNIX                Apache/1.3.33
Netease    Linux               Apache/2.0.5x

HTTP is a plain-text protocol, so if the HTTP packets of a given IP address are monitored with a packet-capture tool, user data can easily be intercepted and leaked. The common practice for improving Web security is SSL (Secure Socket Layer). For IIS, the usual approach is to issue the Web server certificate with the certificate service of Windows 2000/2003 and configure a secure site in IIS; for Apache on Linux, OpenSSL is used to issue the Web server certificate for Apache and build the secure site. Is it then possible to combine the usability of the Windows operating system with the open-source, free Apache server to build a secure Web site? This article presents a practical method and demonstrates it with EtherPeek packet captures.

II. BRIEF INTRODUCTION TO SSL

A. Demand for Secure Web Communication
Data on Web pages is transmitted by the HTTP protocol, which has no security mechanism: all communication between server and client is in plain text. For private information such as account numbers and passwords, HTTP therefore has an inherent weakness, shown in the following simple example. Figure 1 is a simple Web page; when the client captures and analyzes the HTTP packets with EtherPeek, everything on the page can be read by a third party in the clear, as shown in Figure 2. Obviously, a client's private information cannot be transmitted directly over HTTP. The packet capture of the same page after enabling SSL is given at the end of the article.
978-0-7695-3997-3/10 $26.00 © 2010 IEEE. DOI 10.1109/ICEE.2010.334

Figure 1. A simple Web page.

To solve the problem of secure Web communication, Netscape put forward the SSL (Secure Socket Layer) protocol in 1994, which ensures secure and confidential transmission of information over the Internet. HTTP carried over SSL is called HTTPS, and it is widely used on the Web. The protocol was later standardized by the IETF under another name, TLS (Transport Layer Security).

Figure 2. Analyzing the HTTP packet with EtherPeek.

B. Development of the SSL Protocol
Netscape put forward the SSL (Secure Socket Layer) protocol in 1994 and released SSL 2.0 in 1995. In the same year it released SSL 3.0, which fixed several weaknesses of SSL 2.0. In 1996 the IETF took up the work and standardized the technique in 1999 as TLS 1.0, which improved on SSL 3.0. In 2006 the IETF issued TLS 1.1 (RFC 4346), which improved the TLS handshake and its security.
Note the following: although there is little difference between SSL 3.0 and TLS 1.0, the two do not interoperate; and although both Netscape and Microsoft browsers support TLS 1.0, both used SSL 2.0 or SSL 3.0 by default at the time of writing. Since then, SSL 2.0 and SSL 3.0 have been formally prohibited (RFC 6176 and RFC 7568), and TLS 1.2 (RFC 5246) has superseded TLS 1.1, so a current server should disable both SSL versions explicitly.

C. Principle of the SSL Protocol
SSL consists of two parts: the SSL handshake protocol, which negotiates how data is to be encrypted and decrypted, and the SSL record protocol, which defines the format of the transmitted data. Under SSL, data can be transmitted only after the handshake has finished; if the handshake fails, data transmission does not begin. This protects the user's data. The core of the handshake protocol, and of the security SSL provides, is how the two sides securely agree on the cipher suite and the keys. The SSL handshake can be summarized as follows:
- The user's browser sends the server its SSL version number, the symmetric encryption algorithms it supports (for example DES, 3DES), the key exchange algorithms (for example RSA, DH), the message digest algorithms (for example MD5, SHA), session data and other necessary information.
- The server sends the browser its SSL version number, the chosen cipher suite (for example the combination DES-RSA-SHA), session data, the Web server certificate and other necessary information.
- The browser checks the authenticity of the Web server certificate against the CA. If the check fails, the SSL connection fails; if it succeeds, the handshake continues.
- The browser generates a secret (the pre-master secret from which the session keys are derived), encrypts it with the public key in the Web server certificate, wraps it in a ClientKeyExchange message and sends it to the server.
- The server decrypts the ClientKeyExchange message with its private key to obtain the secret.
- The SSL handshake finishes.

The two key points of the procedure above are:
- The client verifies the server's Web certificate, which establishes the authenticity of the Web site. In some special cases the client may also be asked to present a digital certificate to prove its own identity.
- The two sides have agreed which data encryption algorithm to use and have securely established a shared secret key.

Once both sides have established each other's identity, which encryption algorithm to use and what the secret key is, they can transmit data securely with the SSL record protocol.

III. SPECIFIC CONFIGURATION
There are many versions of Apache, and they differ from one another. Versions from 2.0 on support SSL through three components: the Apache server itself, the module mod_ssl and the OpenSSL software. Apache provides the Web service, OpenSSL produces the private key and server certificate, and mod_ssl lets Apache call OpenSSL so that clients can connect to the Web server securely over SSL (that is, HTTPS). The models in this article use Smart Apache 1.3.2, whose installation package integrates the three components (Apache 2.2.4 for Win32, mod_ssl 2.2.4 and OpenSSL 0.9.8d) and so saves the downloading, compilation and installation. In the configuration procedure below, assume the Apache server has been installed in D:\Apache. The procedure is divided into four steps:
- Produce the Web server certificate with OpenSSL
- Enable the module mod_ssl in Apache
- Configure SSL to use the Web server certificate produced in step one
- Finish and test


A. Produce the Web Server Certificate with OpenSSL
The Web server certificate is the identity certificate of the Web server; it contains information such as the country, province, institution, the administrator's e-mail address and the public key. In OpenSSL this information is driven by a text configuration file (such as openssl.conf). The file is not packaged with Smart Apache, so the user must either write the configuration file or download one from the Internet (http://tud.at/programm/openssl.cnf or http://neilstuff.com/apache/openssl.cnf). Note when downloading that Windows treats the extension .cnf as a SpeedDial file, so rename the downloaded file (for example to openssl.conf). Copy the file into D:\Apache\Apache\bin, start openssl.exe and begin producing the certificate.

1) Submit a Certificate Request
Execute the command:
req -config openssl.conf -new -out mydomain.csr -keyout mydomain.pem

The file mydomain.csr is the certificate request, a plain-text file that begins with -----BEGIN CERTIFICATE REQUEST-----, ends with -----END CERTIFICATE REQUEST-----, and between them holds the Base64-encoded request. By convention the request file is named after the Web site's domain name.
The file mydomain.pem is the RSA private key, also a text file, Base64-encoded. It begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----, and in between is the RSA private key with a 128-byte (1024-bit) modulus. By convention the private key file is also named after the domain name. (1024 bits was the OpenSSL 0.9.8 default; a current deployment should request at least 2048 bits, for example with -newkey rsa:2048.)
During this procedure the system asks the user for the PEM pass phrase, the country code (such as CN), province, city or district, institution or company name, department name, the common name of the server and the administrator's e-mail address. The PEM pass phrase must be more than four characters. The common name is mandatory and must be exactly the full domain name or IP address (such as 127.0.0.1) of the Web site (for example www.domain.cn); otherwise the browser warns that the name in the security certificate is invalid or does not match the site name. The other fields should be filled in truthfully. After the command completes, two new files, mydomain.pem and mydomain.csr, appear in D:\Apache\Apache\bin.

2) Build an RSA Private Key File without a Password
Execute the command:
rsa -in mydomain.pem -out mydomain.key

The private key file mydomain.pem produced in step one is protected by the PEM pass phrase, which protects the key while it is stored or transferred. For the local Web server to load the key unattended at start-up, the pass phrase protection must be removed. In this step the only input is the PEM pass phrase; after the command completes, a private key file mydomain.key appears in D:\Apache\Apache\bin. The only difference between mydomain.key and mydomain.pem is that the former has no password protection, so it must be protected by file permissions and never left readable by other users of the machine.

3) Produce the Self-signed Web Server Certificate in X.509 Format
Execute the command:
x509 -in mydomain.csr -out mydomain.crt -req -signkey mydomain.key -days 365

X.509 is the digital certificate standard formulated by ITU-T. In principle, a certificate produced for one application can be used by any other application that follows X.509, for example IPsec, SSL, SET and S/MIME. A certificate contains the subject's public key, the subject's information, the certificate serial number, the CA identifier, the signature algorithm identifier, the issuer's name, the validity period and so on.
mydomain.crt is the Web server certificate file. It is a text file that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, with the Base64-encoded certificate in between. The certificate is now complete; keep mydomain.crt and mydomain.key, which are used shortly. Because the certificate is self-signed, browsers will warn that its issuer is not trusted until it is imported as a trusted root or replaced by one issued by a CA.

B. Enable the Module mod_ssl in Apache
In the default installation, Smart Apache does not load the module mod_ssl; configure it as follows. Open the file httpd.conf in D:\Apache\Apache\conf with Notepad. This is Apache's start-up configuration file, and it determines which modules are loaded at start-up. Find the line
#LoadModule ssl_module modules/mod_ssl.so
and remove the comment character (#) so that Apache loads mod_ssl at start-up. Find the line
#Include conf/extra/httpd-ssl.conf
and change it to
Include conf/ssl.conf
We then create and configure the file ssl.conf, which is the focal point of the whole configuration procedure.

C. Configure the File ssl.conf
In D:\Apache\Apache\conf create a text file, rename it ssl.conf and enter the following:

Listen 443
# Listen on port 443, the default port for SSL
<VirtualHost _default_:443>
DocumentRoot "d:/apache/apache/htdocs"
# Path of the Web page documents
ErrorLog "logs/error_log"
SSLEngine on
# Start the SSL engine
SSLCertificateFile "conf/ssl/mydomain.crt"
# Path of the certificate file created above; first copy it into D:\Apache\Apache\conf\ssl
SSLCertificateKeyFile "conf/ssl/mydomain.key"
# The certificate's private key file
</VirtualHost>

Note that this file sets neither SSLProtocol nor SSLCipherSuite, so mod_ssl's defaults apply; in Apache 2.2 the default SSLProtocol is "all", which is shorthand for SSLv2, SSLv3 and TLSv1. A current deployment should pin the protocol versions and the cipher list explicitly.

D. Finish
After the above configuration is done, restart Apache.

IV. TEST
A. Test Whether SSL Operates
Execute the command netstat -na on the server to list the locally bound sockets (as shown in Figure 3). If port 443 is listed, SSL is operating.
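The four steps above, as an added worked example that is not the paper's own code: a POSIX shell script that runs the paper's three OpenSSL commands non-interactively (req, rsa, x509), writes an ssl.conf in the shape of Section III.C, and then performs the checks a practitioner wants before restarting Apache: that the certificate's public key matches the key Apache will load, that the common name is the host name the browser will use, and that the configuration pins the protocol versions and the cipher list. Assumptions not taken from the paper: a current openssl command-line tool on the PATH instead of the bundled openssl.exe, a temporary directory instead of D:\Apache\Apache\bin, placeholder subject fields, an RSA-2048 key rather than the paper's 1024-bit default, and the SSLProtocol and SSLCipherSuite values, which are illustrative hardening rather than the paper's settings.

```sh
#!/bin/sh
# Added example, not code from the paper: Section III as a non-interactive
# script plus pre-restart checks. Assumptions (not from the paper): a modern
# `openssl` CLI on PATH, a temp dir instead of D:\Apache\Apache\bin, placeholder
# subject fields, RSA-2048 instead of the paper's 1024-bit default, and
# illustrative SSLProtocol/SSLCipherSuite values.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # stands in for D:\Apache\Apache\bin
DOMAIN="www.domain.cn"         # CN must equal the host name the browser uses
PASS="example-passphrase"      # PEM pass phrase protecting the key at rest

# Step 1 (paper's "req"): certificate request and pass-phrase-protected key.
# -subj supplies the fields the paper enters at the interactive prompts.
make_request() {
    openssl req -new -newkey rsa:2048 -passout "pass:$PASS" \
        -subj "/C=CN/ST=Hebei/L=Shijiazhuang/O=Example Institute/OU=IT/CN=$DOMAIN" \
        -keyout "$WORK/$DOMAIN.pem" -out "$WORK/$DOMAIN.csr" 2>/dev/null
}

# Step 2 (paper's "rsa"): unencrypted copy of the key so httpd starts unattended.
strip_passphrase() {
    openssl rsa -in "$WORK/$DOMAIN.pem" -passin "pass:$PASS" \
        -out "$WORK/$DOMAIN.key" 2>/dev/null
    chmod 600 "$WORK/$DOMAIN.key"   # only file permissions protect it now
}

# Step 3 (paper's "x509"): self-signed certificate valid for 365 days.
self_sign() {
    openssl x509 -req -in "$WORK/$DOMAIN.csr" -signkey "$WORK/$DOMAIN.key" \
        -days 365 -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Step 4: ssl.conf with the paper's directives plus an explicit protocol and
# cipher policy (the paper's file has none, so the server default applies).
write_ssl_conf() {
    cat > "$WORK/ssl.conf" <<EOF
Listen 443
<VirtualHost _default_:443>
DocumentRoot "d:/apache/apache/htdocs"
ErrorLog "logs/error_log"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
SSLCertificateFile "conf/ssl/$DOMAIN.crt"
SSLCertificateKeyFile "conf/ssl/$DOMAIN.key"
</VirtualHost>
EOF
}

# Check: the certificate's public key belongs to the key Apache will load.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/$DOMAIN.key")
    c=$(openssl x509 -noout -modulus -in "$WORK/$DOMAIN.crt")
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check: the CN the browser will compare against the URL's host name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$DOMAIN.crt" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check: audit an ssl.conf; one finding per line, exit status 1 if any.
audit_ssl_conf() {
    conf=$(sed 's/#.*//' "$1"); rc=0     # ignore commented-out directives
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*SSLEngine[[:space:]][[:space:]]*on' ||
        { echo "SSLEngine is not on"; rc=1; }
    proto=$(printf '%s\n' "$conf" | grep -i '^[[:space:]]*SSLProtocol' || true)
    if [ -z "$proto" ]; then
        echo "SSLProtocol missing: server default may offer SSLv2/SSLv3"; rc=1
    else
        for old in SSLv2 SSLv3; do
            case "$proto" in
                *-"$old"*) ;;                              # explicitly disabled
                *all*|*"$old"*) echo "SSLProtocol permits $old"; rc=1 ;;
            esac
        done
    fi
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*SSLCipherSuite' ||
        { echo "SSLCipherSuite missing: default cipher list accepted"; rc=1; }
    return $rc
}

build_all() { make_request && strip_passphrase && self_sign && write_ssl_conf; }
# Usage: build_all && key_matches_cert && cert_cn && audit_ssl_conf "$WORK/ssl.conf"
```

Run build_all to produce the files, then key_matches_cert, cert_cn and audit_ssl_conf "$WORK/ssl.conf". A mismatch from key_matches_cert is the usual cause of Apache refusing to start after a certificate is renewed against a different key. Run against the paper's original ssl.conf, audit_ssl_conf exits non-zero because that file sets neither SSLProtocol nor SSLCipherSuite.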

Figure 3. The locally bound socket list.

B. Test the SSL Encryption Effect
Open IE and enter https://127.0.0.1. Capture the traffic of the example from Section II.A with EtherPeek; the encrypted data has changed beyond recognition, as shown in Figure 4. Because the certificate is self-signed, the browser warns that the issuer is not trusted, and unless 127.0.0.1 was entered as the common name in step III.A.1 it also warns that the name does not match the site.

Figure 4. Analyzing the HTTPS packet with EtherPeek.

V. CONCLUSION
The article describes a method of building a secure Web site with Apache and OpenSSL. The method is economical, efficient and easy to manage: it combines the ease of use and management of the Windows operating system with the openness and efficiency of the open-source Apache server.

REFERENCES
[1] WANG Juan, QIU Hongmao, GAI Lei, WANG Haijun. SSL and certificates using OpenSSL. Microcomputer Development, 2004, 10, pp. 138-140.
[2] LI Guojun, SU Ruidan, ZHOU Lihua. The Design and Implementation of Web Security Access Control Based on the OpenSSL. Microelectronics & Computer, 2006, 11, vol. 23.
[3] CHEN Bing, SONG Weibin, LI Dongsheng. Investigation of SSL Classified Encryption Based on Apache. China Information Security, 2006, 9.
[4] Kocher P C. SSL 2.0 [EB/OL]. http://www.netscape.com/newsref/std/SSLold.html. 1997-08.
[5] Freier A, Karlton P. The SSL Protocol Version 3.0 [EB/OL]. http://wp.netscape.com/eng/ssl3/draft302.txt. 2000.
[6] Young E A, Hudson T J. OpenSSL [EB/OL]. http://www.OpenSSL.org/docs. 2003-10.
[7] GOC PKI X.509 Certificate and CRL Field and Extensions Profile [Z]. Draft version 2.0. 1999, 10: 45-50.
[8] RFC 2246, RFC 4346.
[9] LIAO Weiqiang. On the Application of SSL in Apache. Journal of Zhangzhou Technical Institute, 2004, 1, pp. 65-68.
[10] ZHANG Guoxiang. Application research of the web security technique based on apache. Journal of Wuhan University of Technology, 2004, 3.

