Gentoo Forums
Apache 2, SSL and subversion
Forum: Networking & Security
vpoinot
Apprentice
Joined: 10 Nov 2003
Posts: 155

PostPosted: Mon Nov 14, 2005 3:48 pm    Post subject: Apache 2, SSL and subversion

I've been reading a lot about Apache and SSL and the more I read, the more I get confused... So I would like to summarize what I understood and ask for comments.

First, I need to set up an Apache 2 server to access a remote subversion repository from linux and windows clients (right now, I focus on linux to linux connections, I'll have a look at Tortoise SVN later). What I did:
- installed an SSL enabled Apache server (-D DAV -D SVN -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST in /etc/conf.d/apache2)
- kept auto-generated /etc/apache2/server.{crt,key} files
- installed subversion, created repositories, etc.
- configured mod_dav_svn to use basic authentication (passwords stored in a file / Require valid-user)

I still need to configure my server to require SSL (https no http) to access my repositories (as explained in http://gentoo-wiki.com/HOWTO_Apache2_with_subversion_SVN_and_DAV)

I did not generate client certificates, keys or whatsoever.

Given this setup, my understanding is that:
- accessing my secured repositories, the server will prompt for login/password
- this information will be encrypted
- the connection itself will be encrypted, i.e. committed and checked out files, etc.

Am I right?

This should be enough right now for my needs: only valid users with valid passwords would be allowed to access my repositories. It is my understanding that client certificates are a replacement method for the login/password phase: more secure, especially if they are signed by third-party CA. Is that true? Is this their only purpose?

I should say that everything "works" here: I can commit, update, etc. but I do not know how secure my setup is. Are my files encrypted when they are transmitted via the net?

Thanks for your input...

Vincent.
Kruegi
Guru
Joined: 09 Feb 2005
Posts: 406
Location: Clausthal-Zellerfeld; DE

PostPosted: Mon Nov 14, 2005 9:40 pm

You can find out yourself with...
- ethereal
- a browser's security info
- Apache's SSL logs (increase the loglevel)
- ...

Thomas
vpoinot
Apprentice
Joined: 10 Nov 2003
Posts: 155

PostPosted: Wed Nov 16, 2005 9:51 am

This does not really answer my questions...

Here is another one: does anybody know why the wiki link I mentioned above recommends moving 47_mod_dav_svn.conf to XX_mod_ssl_default-vhost.conf to allow only SSL connections? I tried by simply adding SSLRequireSSL to 47_mod_dav_svn.conf, and as far as I can see, http connections to my repositories are rejected while https is accepted.
tuxmin
l33t
Joined: 24 Apr 2004
Posts: 838
Location: Heidelberg

PostPosted: Wed Nov 16, 2005 10:02 am

You really got to the point - congrats.
One thing: client certificates do provide better security. However, the drawback is that one needs to import the certificate into any browser. This is OK when sitting at a single machine but can be a nightmare when changing your workstation more often than your underwear ;P

Alex!!
_________________
ALT-F4
vpoinot
Apprentice
Joined: 10 Nov 2003
Posts: 155

PostPosted: Thu Nov 17, 2005 1:03 am

Thanks, this is just what I wanted to know. Now that this stuff is configured, I can step to something else.
In case somebody is interested, I'll post here what I did to set up my server and subversion with SSL: it took hours to gather all this information, I wish I could have found it in one single place like this...

To summarize:
- I have a Linux box with subversion and repositories in /var/svn
- I want to be able to access these repositories from the Linux box and from another Windows laptop, in a secure way
- Both machines are usually part of my local network, but the laptop is mobile and I use it from time to time from outside my local network, hence the need for SSL
- I have no static IP address...
- User authentication will be performed via login/password (no client certification, I do not need that right now)

I assume in the procedure below that Apache is properly installed, as well as subversion and that you can access the repositories via http. This procedure is only to add SSL on top of this setup: there might be better, easier methods, but this works and I am satisfied with it!
(I also assume that your Gentoo box is pretty much standard: configuration files are where they are supposed to be, default Apache setup, etc.)

1) Create a CA (certification authority) that will sign the server certificate (and possible future client certificates)

To do this, I created a custom openssl conf file, /etc/ssl/custom.cnf:

Code:
#
# OpenSSL custom configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't defined.
HOME       = /etc/ssl
RANDFILE   = $ENV::HOME/.rnd

[ ca ]
default_ca = your-ca-name               # The default ca section

####################################################################
[ your-ca-name ]

dir           = /etc/ssl/your-ca-name   # Where everything is kept
certs         = $dir/certs              # Where the issued certs are kept
crl_dir       = $dir/crl                # Where the issued crl are kept
database      = $dir/index.txt          # database index file.
new_certs_dir = $dir/newcerts           # default place for new certs.
certificate   = $dir/private/CAcert.pem # The CA certificate
serial        = $dir/serial             # The current serial number
crl           = $dir/crl.pem            # The current CRL
private_key   = $dir/private/CAkey.pem  # The private key
RANDFILE      = $dir/private/.rand      # private random number file

x509_extensions = sign                  # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default                   # Subject Name options
cert_opt = ca_default                   # Certificate field options

default_days     = 1825                 # how long to certify for
default_crl_days = 30                   # how long before next CRL
default_md       = md5                  # which md to use.
preserve         = no                   # keep passed DN ordering

policy = policy_match


####################################################################
# policies

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional


####################################################################

[ req ]
default_bits       = 1024
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes

# The extensions to add to the self signed cert
x509_extensions    = v3_ca

string_mask = nombstr

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = FR
countryName_min                = 2
countryName_max                = 2

stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Some-State

localityName                   = Locality Name (eg, city)

0.organizationName             = Organization Name (eg, company)
0.organizationName_default     = Internet Widgits Pty Ltd

organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default =

commonName                     = Common Name (eg, YOUR name)
commonName_max                 = 64

emailAddress                   = Email Address
emailAddress_max               = 64

[ req_attributes ]
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

####################################################################
# extensions

[ sign ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE

# nsCertType left undefined so that signed certificates can be used for
# anything except signing other objects.

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always


[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign

Of course, you should choose a proper name for your CA (your-ca-name).
I only grasped a small bit of it, basically:
- the default_ca will be used when signing the server certificate
- it will use extensions as defined in the "sign" group
- the "req" part is for the req command when creating a certificate request
- it will use the extensions as defined in the "v3_ca"
- the "req_distinguished_name" contains parameters to ask for certification creation, as well as their default values and types

Then prepare files and directories for your CA:
Code:
mkdir -p /etc/ssl/your-ca-name/{certs,crl,newcerts,private}
cd /etc/ssl/your-ca-name
echo "01" > serial      # custom.cnf expects "serial" and "index.txt" directly in $dir
touch index.txt
cd private              # CAkey.pem and CAcert.pem are created here in the next step

2) Create a protected private key and a self-signed certificate for the CA (this is the root certificate: it is necessarily self-signed):
Code:
openssl req -new -x509 -keyout CAkey.pem -out CAcert.pem -days 3650 -config /etc/ssl/custom.cnf
chmod 400 CAkey.pem && chmod 644 CAcert.pem

Choose a good passphrase and remember it (keep it in a safe place). You will then be prompted for a set of parameters: these define your CA.
The certificate will be valid for 10 years (-days 3650). It is accessed by OpenSSL via a hash symlink that has to be created:
Code:
openssl x509 -noout -hash -in CAcert.pem
ln -s CAcert.pem <value>.0

The <value> above is returned by the previous openssl command.

3) Create a certificate request for the server
Code:
cd /etc/apache2/ssl
openssl req -new -keyout server.key -out server.csr -days 1825 -config /etc/ssl/custom.cnf

The passphrase is not as important as the previous one: we will remove it later anyway.
The parameters you are prompted for here will identify your server. In particular, the CN (common name) is very important: it should be the domain name that will be used in the URL to access the server.
In my case, this is my server name (I will access my server from my local network using its name, and from the internet via its dynamic IP address).

4) The CA can now sign the certificate request
Code:
cat server.csr server.key > request.pem
openssl ca -policy policy_anything -out server.crt -config /etc/ssl/custom.cnf -infiles request.pem
chmod 400 server.{crt,key}
rm server.csr request.pem

The server certificate is now ready to be used.

5) Configure Apache to use these certificates: edit the file /etc/apache2/modules.d/41_mod_ssl_default-vhost.conf so that the ServerName directive contains the name of... your server, in my case the name used as the CN above. Plus:
Code:
SSLCACertificatePath /etc/ssl/your-ca-name/private
SSLCACertificateFile /etc/ssl/your-ca-name/private/CAcert.pem

SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key

6) Starting Apache
Edit the file /etc/conf.d/apache2 to modify APACHE2_OPTS so that it reads:
Code:
APACHE2_OPTS="-D DAV -D SVN -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST"

At this point, if you start Apache, it will prompt you for the passphrase used to create the certificate request. This is not very convenient, especially if you start Apache at boot time. Let's remove the passphrase from the server private key:
Code:
cd /etc/apache2/ssl
cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key

You can also edit server.crt in order to only keep the encoded BEGIN CERTIFICATE - END CERTIFICATE part.

7) Configure the subversion client so that it trusts your CA: edit /etc/subversion/servers (create it if needed) or ~/.subversion/servers:
Code:
[groups]
own = your-server-name
[own]
ssl-authority-files = /etc/ssl/your-ca-name/private/CAcert.pem
[global]

As before, "your-server-name" should be your CN.

8) Users are identified by login/password, so you should have this in your file 47_mod_dav_svn.conf:
Code:
<Location /svn>
   DAV svn
   SVNParentPath /var/svn
   AuthType Basic
   AuthUserFile /var/svn/conf/svnusers
   Require valid-user

   SSLRequireSSL
</Location>

<Location /svn/a-repository>
   AuthName "Repository name"
</Location>

The SVNParentPath points to the parent directory where your repositories are.
The SSLRequireSSL is for restricting access to the repositories via https only.
I also took out the AuthName directive so that I can set a different realm for each repository.

We need to create the password file, i.e. /var/svn/conf/svnusers:
Code:
htpasswd2 -cm /var/svn/conf/svnusers first-user
htpasswd2 -m /var/svn/conf/svnusers second-user
etc.

The -c option is only required the first time: it actually creates the password file.

This works fine for me, it might work for you too. Feel free to report errors.

Useful links:
http://www.openssl.org/docs/HOWTO/
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
http://www.pseudonym.org/ssl/ssl_cook.html
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html
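The CA and server-certificate build from steps 1 to 4 of the post above, as an added example script that is not the poster's own code: it runs the same openssl req / openssl ca sequence non-interactively in a scratch directory instead of /etc/ssl, keeps the post's file layout (index.txt and serial in the CA directory, CAkey.pem and CAcert.pem in private/), and finishes with the check a client makes when it trusts CAcert.pem, namely that server.crt chains to it. The CA name example-ca, the server name svn.example.internal and the passphrase are constructed placeholders. Where it deviates from the 2005 post it does so on purpose: 2048-bit keys instead of 1024, sha256 instead of md5, and keyUsage/extendedKeyUsage extensions on the server certificate.

```shell
#!/bin/sh
# Added example, not the forum post's code: builds a private CA and a CA-signed
# server certificate as steps 1-4 above do, but non-interactively and in a scratch
# directory instead of /etc/ssl. "example-ca", "svn.example.internal" and the
# passphrase are constructed placeholders. Deliberate differences from the post:
# 2048-bit keys (not 1024), sha256 (not md5), serverAuth/keyUsage on the server cert.
set -eu

# Step 1: layout plus a trimmed custom.cnf. As in the post's config, index.txt
# and serial live in $dir, the CA key and certificate in $dir/private.
make_ca_layout() {
    ca_dir="$1"
    mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    echo "01" > "$ca_dir/serial"
    : > "$ca_dir/index.txt"
    cat > "$ca_dir/custom.cnf" <<EOF
[ ca ]
default_ca = example-ca
[ example-ca ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/private/CAcert.pem
serial          = \$dir/serial
private_key     = \$dir/private/CAkey.pem
x509_extensions = sign
default_days    = 1825
default_md      = sha256
policy          = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ sign ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true
keyUsage               = cRLSign, keyCertSign
EOF
}

# Step 2: passphrase-protected CA key (passphrase read from the environment, not
# the command line) and a 10-year self-signed root, plus the hash symlink that
# SSLCACertificatePath relies on.
make_root_ca() {
    ca_dir="$1"
    openssl req -new -x509 -days 3650 -config "$ca_dir/custom.cnf" \
        -subj "/CN=Example Private CA" -passout env:CA_PASSPHRASE \
        -keyout "$ca_dir/private/CAkey.pem" -out "$ca_dir/private/CAcert.pem" 2>/dev/null
    chmod 400 "$ca_dir/private/CAkey.pem"
    h=$(openssl x509 -noout -hash -in "$ca_dir/private/CAcert.pem")
    ln -sf CAcert.pem "$ca_dir/private/$h.0"
}

# Steps 3 and 4: server key and request, then the CA signs it. -nodes writes the
# server key without a passphrase (the post strips it afterwards with "openssl rsa"),
# -batch skips the "Sign the certificate?" prompt, -notext omits the readable dump
# the post suggests removing from server.crt by hand.
make_server_cert() {
    ca_dir="$1"; out_dir="$2"; server_name="$3"
    mkdir -p "$out_dir"
    openssl req -new -nodes -config "$ca_dir/custom.cnf" -subj "/CN=$server_name" \
        -keyout "$out_dir/server.key" -out "$out_dir/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ca_dir/custom.cnf" -policy policy_anything \
        -passin env:CA_PASSPHRASE -in "$out_dir/server.csr" -out "$out_dir/server.crt" 2>/dev/null
    chmod 400 "$out_dir/server.key"
    rm "$out_dir/server.csr"
}

# The check an svn client (ssl-authority-files) or a browser performs: does
# server.crt chain to CAcert.pem? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$1/private/CAcert.pem" "$2/server.crt" >/dev/null 2>&1
}
# Subject CN of a certificate; handles both "CN = x" and "/CN=x" output styles.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/example-ca"; SRV_DIR="$WORK/apache-ssl"
CA_PASSPHRASE="constructed-demo-passphrase"; export CA_PASSPHRASE   # placeholder only
make_ca_layout "$CA_DIR"
make_root_ca "$CA_DIR"
make_server_cert "$CA_DIR" "$SRV_DIR" "svn.example.internal"
verify_chain "$CA_DIR" "$SRV_DIR" && echo "server.crt chains to CAcert.pem"
echo "server CN: $(cert_cn "$SRV_DIR/server.crt")"
```

To use the result the way steps 5 and 7 describe, point SSLCACertificatePath at the private/ directory (the hash symlink is what makes that lookup work), SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key, and the svn client's ssl-authority-files at CAcert.pem; the CN passed to make_server_cert has to be the host name clients put in the URL, otherwise verify_chain succeeds but the client still rejects the name mismatch.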