Friday, April 17, 2009

Encrypting passwords for web applications

Just heard about security concerns over usernames and passwords being sniffed off the network. This is a weakness of plain HTTP: credentials travel in clear text. One solution is to serve the site over HTTPS, using mod_ssl with OpenSSL.

With reference to http://www.centos.org/docs/5/html

Step 1: Install the SSL components
yum install mod_ssl openssl

Step 2: Create the certificates
# Generate the server's private key first (the CSR below cannot be made without it)
openssl genrsa -out ca.key 2048
# Create a certificate signing request from that key
openssl req -new -key ca.key -out ca.csr
# Self-sign the request to produce a certificate valid for one year
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
mv ca.crt /etc/pki/tls/certs
mv ca.key /etc/pki/tls/private/ca.key
mv ca.csr /etc/pki/tls/private/ca.csr
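As an added example (not from the post or the CentOS documentation it cites), here is the Step 2 flow as a script that also generates the private key the post's commands assume already exists, and that checks the certificate and key really belong together before they are moved under /etc/pki/tls. It assumes the openssl command-line tool is installed; the scratch directory, the CN servername.com and the 2048-bit key size are choices made here, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: generate key, CSR and
# self-signed certificate, then verify that certificate and key match.
# Assumes the openssl CLI is on PATH. Paths and the CN are placeholders.

# make_selfsigned_cert DIR CN
# Writes DIR/ca.key, DIR/ca.csr and DIR/ca.crt; non-zero status on failure.
make_selfsigned_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir" || return 1
    # 2048-bit RSA private key; the post's flow never shows this step
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    # Keep the key readable by its owner only
    chmod 600 "$dir/ca.key" || return 1
    # Signing request; -subj supplies the subject so nothing is prompted
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/CN=$cn" 2>/dev/null || return 1
    # Self-sign the request for one year, exactly as the post does
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -out "$dir/ca.crt" 2>/dev/null || return 1
}

# cert_matches_key CRT KEY
# Succeeds only when the public key inside CRT was derived from KEY.
# Apache refuses to start when SSLCertificateFile and
# SSLCertificateKeyFile disagree, so this is worth checking up front.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# cert_cn CRT
# Prints the CN from the certificate subject (works with both the old
# "subject= /CN=x" and the newer "subject=CN = x" output formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/.*CN *= *//'
}

# Demonstration run; skipped when openssl is not installed on this host.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    if make_selfsigned_cert "$work" servername.com &&
       cert_matches_key "$work/ca.crt" "$work/ca.key"; then
        echo "certificate and key match; CN=$(cert_cn "$work/ca.crt")"
    else
        echo "certificate generation or verification failed"
    fi
    rm -rf "$work"
fi
```

Run the modulus comparison again after the mv commands, against the files in /etc/pki/tls, so that a copy of the wrong key is caught before httpd is restarted.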

Step 3: Configure Apache to use the certificates
vi /etc/httpd/conf.d/ssl.conf

Search for the SSLCertificateFile and SSLCertificateKeyFile lines and point them at the files in the TLS directories above.

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/ca.crt
# nicholas

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Restart the Apache server

service httpd restart

Step 4: Give the HTTPS virtual host its own document root, so that plain HTTP on port 80 serves a different folder from HTTPS on port 443.
vi /etc/httpd/conf/httpd.conf

NameVirtualHost *:80

<VirtualHost *:80>
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/html
    ServerName servername.com
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/vhosts/servername/httpdocs>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/vhosts/servername/httpdocs
    ServerName servername.com
</VirtualHost>


Restart the Apache server. The virtual host configuration can be verified with the command

httpd -S
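The httpd -S check above only works once the configuration parses. As an added example (not from the post or the CentOS documentation), here is a small shell/awk check for the Step 4 layout that can run on any machine before "service httpd restart": it confirms every VirtualHost block is opened and closed with matching tags, that every Directory block names a path, and that the *:443 block carries SSLEngine on together with the SSLCertificateFile and SSLCertificateKeyFile directives. The two sample configurations it writes are constructed for the demonstration; the paths in them are the post's placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: static check of the
# VirtualHost layout from Step 4. Pure POSIX sh plus awk; no httpd needed.

# check_vhosts CONF
# Prints one status line per VirtualHost and any errors found.
# Exit status is 0 only when every check passes.
check_vhosts() {
    awk '
    BEGIN { bad = 0; inblock = 0 }
    {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        # Opening tag: remember the address so the 443 block gets extra checks
        if (line ~ /^<virtualhost[ \t]/) {
            if (inblock) { print "ERROR: <VirtualHost " name "> not closed before line " NR; bad = 1 }
            inblock = 1; name = $0
            sub(/^[ \t]*<[^ \t]+[ \t]+/, "", name); sub(/>.*$/, "", name)
            ssl = 0; crt = 0; key = 0
            next
        }
        # Closing tag (also catches a closing tag written where an opener belongs)
        if (line ~ /^<\/virtualhost[ \t>]/) {
            if (!inblock) { print "ERROR: stray </VirtualHost> at line " NR; bad = 1; next }
            status = "ok"
            if (name ~ /:443$/) {
                if (!ssl) { status = "missing SSLEngine on"; bad = 1 }
                else if (!crt || !key) { status = "missing certificate or key directive"; bad = 1 }
            }
            print "vhost " name ": " status
            inblock = 0
            next
        }
        # A <Directory> with no path is a syntax error in httpd
        if (line ~ /^<directory[ \t]*>/) {
            print "ERROR: <Directory> without a path at line " NR; bad = 1
        }
        if (inblock) {
            if (line ~ /^sslengine[ \t]+on/) ssl = 1
            if (line ~ /^sslcertificatefile[ \t]/) crt = 1
            if (line ~ /^sslcertificatekeyfile[ \t]/) key = 1
        }
    }
    END {
        if (inblock) { print "ERROR: <VirtualHost " name "> never closed"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the Step 4 layout as it should look
write_good_conf() {
    cat > "$1" <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/html
    ServerName servername.com
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/vhosts/servername/httpdocs>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/vhosts/servername/httpdocs
    ServerName servername.com
</VirtualHost>
EOF
}

# Constructed sample: the same layout with slips that creep in when typing
# (a closing tag where the opener belongs, a bare <Directory>, no SSLEngine)
write_broken_conf() {
    cat > "$1" <<'EOF'
NameVirtualHost *:80
</VirtualHost *:80>
    <Directory>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/html
    ServerName servername.com
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    DocumentRoot /var/www/vhosts/servername/httpdocs
    ServerName servername.com
</VirtualHost>
EOF
}

# Demonstration: check both samples
tmp=$(mktemp -d)
write_good_conf "$tmp/good.conf"
write_broken_conf "$tmp/broken.conf"
for f in good broken; do
    echo "== $f.conf"
    if check_vhosts "$tmp/$f.conf"; then echo "PASS"; else echo "FAIL"; fi
done
rm -rf "$tmp"
```

Running it against the real file is simply check_vhosts /etc/httpd/conf/httpd.conf; the script deliberately ignores directives it does not know about, so it complements rather than replaces httpd -t and httpd -S.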

Step 5: Test the HTTPS and HTTP
Use a web browser to access the site over HTTP and over HTTPS; the two should serve different directories.

Certain web browsers do not yet trust CAcert as a certificate authority. Adding it is easily done with the following steps.

Step 1. Download the Class 1 and Class 3 root certificates from www.cacert.org.
Step 2. Use Firefox to import these root certificates.
Choose Edit -> Preferences -> Advanced -> Encryption -> View Certificates
Choose Authorities -> Import
Choose both of the root certificates that were downloaded
Step 3. Restart the web browser.

2 comments:

msian_tux_lover said...

Nick, some time back I sent out an email detailing the dangers of using clear-text HTTP, obviously my recipients either did not care or understand what I was trying to say.

Here's hoping after reading your entry the proverbial apple will land on their crowns.

Tboxmy said...

To some it's still a safe world out there.