SSL support is provided by mod_ssl, an Apache module. This module requires the OpenSSL library, an open-source implementation of the SSL/TLS protocols and a variety of other cryptographic algorithms. OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson.
Because of the restrictions on the distribution of strong cryptography and patented intellectual property worldwide, the ease of installing SSL-related tools varies from platform to platform. The following sections provide an overview of obtaining and installing SSL-related tools.
All files and instructions necessary for installing OpenSSL can be found at http://www.openssl.org/. Users of UNIX/Linux (and their variants) will find the installation of the OpenSSL software to be similar to installing other system tools. However, the casual Windows user will discover that there are currently no freely distributed precompiled binaries. As such, Windows users must compile the OpenSSL tools on their own.
After you have installed the OpenSSL toolkit, you will have all the necessary elements for creating and manipulating certificates and keys, as well as interfacing with the mod_ssl Apache module.
Installation for Windows Users
Windows users familiar with the process of building their own binaries may do so with the OpenSSL source code provided at the OpenSSL website. The instructions for compiling OpenSSL on Windows are in the INSTALL.W32 file found in the source distribution. Restating these instructions is beyond the scope of this book; however, you will find they are comprehensive and well written. The required tools are ActiveState Perl for Windows and one of the following C compilers:
Be sure to follow the instructions appropriate to your compiler of choice because they are different for each. You can also find tips from Apache for compiling OpenSSL at http://httpd.apache.org/docs/2.0/platform/win_compiling.html.
Installation for UNIX/Linux Users
If you are running a recent Linux or FreeBSD distribution, OpenSSL might already be installed in your system. Should you need to install OpenSSL, you can download the source from the OpenSSL website. After you have downloaded the file, uncompress it and cd into the created directory (replace -version in the following commands with your particular, current version of OpenSSL):
# gunzip < openssl-version.tar.gz | tar xvf -
# cd openssl-version
Complete installation instructions are found in the INSTALL file, but in short, the config script will help you build the software, which is followed by the make and make install processes.
The mod_ssl Apache Module
In the past, SSL extensions for Apache had to be distributed separately because of export restrictions. Currently, mod_ssl is bundled with Apache 2.0, but only as part of the source distributions. Although this is not an issue for UNIX/Linux users, Windows users will find they must build Apache from source to build the mod_ssl module; mod_ssl is not distributed in the precompiled and distributed binaries. The mod_ssl module depends on the OpenSSL library, so a valid OpenSSL installation is required.
For Windows Users
For Windows users to use mod_ssl, you must build your Apache installation from scratch. In other words, if you followed the installation instructions in Chapter 3, "Installing and Configuring Apache," throw those out and follow the Apache documentation found at http://httpd.apache.org/docs/2.0/platform/win_compiling.html. Again, restating these instructions is beyond the scope of this book, but they will provide you with all the information you need. The core requirements are as follows:
For UNIX/Linux Users
The source distribution used in Chapter 3 should already include the files necessary to use mod_ssl. As such, for UNIX/Linux users to use mod_ssl, you only need to follow the configure and make/make install process again, with the following addition as part of the configure command:
This assumes that you installed OpenSSL in the listed location; if it resides in another directory on your server, simply substitute the location in the preceding command.
If you compiled mod_ssl statically into Apache, you can check whether it is present by issuing the following command, which provides a list of compiled-in modules:
# /usr/local/apache2/bin/httpd -l
By the Way
The preceding command assumes that you installed Apache in the /usr/local/apache2 directory.
If mod_ssl was compiled as a dynamic loadable module, the following line must be added to or uncommented in the Apache configuration file (httpd.conf):
LoadModule ssl_module modules/libmodssl.so
When you have finished making changes to the httpd.conf file, restart Apache so that your changes take effect. If you look in your error_log after restarting, mod_ssl will be part of your server signature, such as the following:
Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7i PHP/5.1.2
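The three checks described above (the httpd -l module list, the LoadModule line in httpd.conf, and the server signature in error_log) can be combined into one script. The following is an added example, not code from the book or from the Apache project; the function names mod_ssl_status and signature_version are hypothetical, and the httpd -l output and httpd.conf fragment are constructed samples (the signature line is the one shown above).

```shell
#!/bin/sh
# Added example: classify how mod_ssl is (or is not) enabled, from text only.
# Function names are hypothetical; sample data is constructed for illustration.

# Constructed sample of `httpd -l` output for a build without static mod_ssl.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c'

# Constructed httpd.conf fragment: one commented and one active directive.
SAMPLE_CONF='#LoadModule ssl_module modules/libmodssl.so
LoadModule ssl_module modules/libmodssl.so'

# Server signature line as shown on this page.
SAMPLE_SIG='Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7i PHP/5.1.2'

# mod_ssl_status HTTPD_L_OUTPUT CONF_TEXT
# Prints one of: static | dynamic | commented-out | absent
mod_ssl_status() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mod_ssl\.c[[:space:]]*$'; then
        echo static            # compiled in: listed by httpd -l
    elif printf '%s\n' "$2" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]'; then
        echo dynamic           # active LoadModule directive
    elif printf '%s\n' "$2" | grep -Eq '^[[:space:]]*#+[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]'; then
        echo commented-out     # directive exists but still needs uncommenting
    else
        echo absent
    fi
}

# signature_version SIGNATURE COMPONENT
# Prints the version token that follows "COMPONENT/" (empty if not present).
signature_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s|^$2/||p" | head -n 1
}

echo "mod_ssl status:  $(mod_ssl_status "$SAMPLE_HTTPD_L" "$SAMPLE_CONF")"
echo "mod_ssl version: $(signature_version "$SAMPLE_SIG" mod_ssl)"
echo "OpenSSL version: $(signature_version "$SAMPLE_SIG" OpenSSL)"
```

On a live server, pass the real output of /usr/local/apache2/bin/httpd -l and the contents of your httpd.conf in place of the samples. The OpenSSL version reported in the signature is the value to compare against OpenSSL security advisories when deciding whether the library needs updating.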