Come abilitare più siti HTTPS per un IP su Debian Etch usando TLS Estensioni
Questo how-to è specifico di Debian ma potrebbe essere trasferito su altre distribuzioni poiché il concetto è lo stesso. Per utilizzare le estensioni TLS dobbiamo applicare patch e ricompilare apache2 e ricompilare OpenSSL con la direttiva enable-tlsext. Poiché le estensioni TLS sono relativamente nuove , alcuni browser Internet non funzioneranno, quindi il server apache2 fornirà solo il sito predefinito come fa http 1.0 su un server http 1.1.
Questo how-to presuppone che tu abbia seguito il perfect_setup_debian_etch fino al completamento.
1. Preparazione di pbuilder
Installa pbuilder.
apt-get update
apt-get install pbuilder fakeroot sudo devscripts apt-utils
Prossima modifica /etc/pbuilder/pbuilderrc sulla riga 11 per riflettere un sito più vicino a te. Questo è il sito che apt utilizzerà per risolvere le dipendenze.
MIRRORSITE=http://http.us.debian.org/debian
Nello stesso file vai alla riga 20 e imposta DISTRIBUTION=etch
Infine crea la tua immagine di pbuilder.
pbuilder create --distribution etch
2. Applicazione di patch e ricompilazione di apache2.
Per prima cosa dobbiamo creare una directory in cui archiviare i sorgenti e scaricarli.
mkdir /usr/src/apache2
cd /usr/src/apache2
apt-get source apache2
Copia e salva questa patch in /usr/src/apache2/apache2-2.2.3/httpd-2.2.3-sni.patch
cat > /usr/src/apache2/apache2-2.2.3/httpd-2.2.3-sni.patch
httpd-2.2.3-sni.patch - server name indication support for Apache 2.2
(see RFC 4366, "Transport Layer Security (TLS) Extensions")
based on a patch from the EdelKey project
(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
Needs openssl-SNAP-20060330 / openssl-0.9.8-stable-SNAP-20070813 or later
to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 branch
must be configured explicitly for TLS extension support at compile time
("./config enable-tlsext").
Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 423224)
+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
@@ -156,6 +156,87 @@
return OK;
}
+#ifndef OPENSSL_NO_TLSEXT
+static int set_ssl_vhost(void *servername, conn_rec *c, server_rec *s)
+{
+ SSLSrvConfigRec *sc;
+ SSL *ssl;
+ BOOL found = FALSE;
+ apr_array_header_t *names;
+ int i;
+
+ /* check ServerName */
+ if (!strcasecmp(servername, s->server_hostname))
+ found = TRUE;
+
+ /* if not matched yet, check ServerAlias entries */
+ if (!found) {
+ names = s->names;
+ if (names) {
+ char **name = (char **) names->elts;
+ for (i = 0; i < names->nelts; ++i) {
+ if(!name[i]) continue;
+ if (!strcasecmp(servername, name[i])) {
+ found = TRUE;
+ break;
+ }
+ }
+ }
+ }
+
+ /* if still no match, check ServerAlias entries with wildcards */
+ if (!found) {
+ names = s->wild_names;
+ if (names) {
+ char **name = (char **) names->elts;
+ for (i = 0; i < names->nelts; ++i) {
+ if(!name[i]) continue;
+ if (!ap_strcasecmp_match(servername, name[i])) {
+ found = TRUE;
+ break;
+ }
+ }
+ }
+ }
+
+ /* set SSL_CTX (if matched) */
+ if (found) {
+ if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
+ return 0;
+ if (!(sc = mySrvConfig(s)))
+ return 0;
+ SSL_set_SSL_CTX(ssl,sc->server->ssl_ctx);
+ return 1;
+ }
+ return 0;
+}
+
+int ssl_set_vhost_ctx(SSL *ssl, const char *servername)
+{
+ conn_rec *c;
+
+ if (servername == NULL) /* should not occur. */
+ return 0;
+
+ SSL_set_SSL_CTX(ssl,NULL);
+
+ if (!(c = (conn_rec *)SSL_get_app_data(ssl)))
+ return 0;
+
+ return ap_vhost_iterate_given_conn(c,set_ssl_vhost,servername);
+}
+
+int ssl_servername_cb(SSL *s, int *al, modssl_ctx_t *mctx)
+{
+ const char *servername = SSL_get_servername(s,TLSEXT_NAMETYPE_host_name);
+
+ if (servername) {
+ return ssl_set_vhost_ctx(s,servername)?SSL_TLSEXT_ERR_OK:SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ return SSL_TLSEXT_ERR_NOACK;
+}
+#endif
+
/*
* Per-module initialization
*/
@@ -376,6 +457,29 @@
}
}
+static void ssl_init_server_extensions(server_rec *s,
+ apr_pool_t *p,
+ apr_pool_t *ptemp,
+ modssl_ctx_t *mctx)
+{
+ /*
+ * Configure TLS extensions support
+ */
+
+#ifndef OPENSSL_NO_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Configuring TLS extensions facility");
+
+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, ssl_servername_cb) ||
+ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize servername callback, bad openssl version.");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_die();
+ }
+#endif
+}
+
static void ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -709,6 +810,8 @@
/* XXX: proxy support? */
ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
}
+
+ ssl_init_server_extensions(s, p, ptemp, mctx);
}
static int ssl_server_import_cert(server_rec *s,
@@ -1035,6 +1138,7 @@
}
}
+#ifdef OPENSSL_NO_TLSEXT
/*
* Give out warnings when more than one SSL-aware virtual server uses the
* same IP:port. This doesn't work because mod_ssl then will always use
@@ -1079,6 +1183,7 @@
"Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!");
}
+#endif
}
#ifdef SSLC_VERSION_NUMBER
Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 423224)
+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
@@ -231,7 +231,20 @@
* the currently active one.
*/
+#ifndef OPENSSL_NO_TLSEXT
/*
+ * We will switch to another virtualhost and to its ssl_ctx
+ * if changed, we will force a renegotiation.
+ */
+ if (r->hostname && !SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) {
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ if (ssl_set_vhost_ctx(ssl,(char *)r->hostname) &&
+ ctx != SSL_get_SSL_CTX(ssl))
+ renegotiate = TRUE;
+ }
+#endif
+
+ /*
* Override of SSLCipherSuite
*
* We provide two options here:
@@ -997,6 +1010,9 @@
SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *env = r->subprocess_env;
char *var, *val = "";
+#ifndef OPENSSL_NO_TLSEXT
+ const char* servername;
+#endif
STACK_OF(X509) *peer_certs;
SSL *ssl;
int i;
@@ -1018,6 +1034,12 @@
/* the always present HTTPS (=HTTP over SSL) flag! */
apr_table_setn(env, "HTTPS", "on");
+#ifndef OPENSSL_NO_TLSEXT
+ /* add content of SNI TLS extension (if supplied with ClientHello) */
+ if (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))
+ apr_table_set(env, "TLS_SNI", servername);
+#endif
+
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 423224)
+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy)
@@ -258,6 +258,12 @@
#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
#endif
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#define OPENSSL_NO_TLSEXT
+#endif
+#endif
+
#endif /* SSL_TOOLKIT_COMPAT_H */
/** @} */ |
Usa ctrl+d per uscire
cd apache2-2.2.3/
Cambia la versione.
cd debian/
E modifica le righe 1-5 in modo che appaia così:
Ricompila il pacchetto sorgente.
cd ../..
Compila apache2 con pbuilder.
Modifica /etc/apt/sources.list con il tuo editor preferito e aggiungi una nuova riga usando sid per la distribuzione
apt-get update
Modifica il file /usr/src/openssl/openssl-0.9.8g/debian/rules e aggiungi enable-tlsext alla riga 22 in modo che assomigli a questo:
cd openssl-0.9.8g/debian/
Cambia la versione alle righe 1-5 in modo che assomigli a questa:
Ricompila il pacchetto sorgente.
cd ../..
Compila OpenSSL con pbuilder.
Installazione dei pacchetti di nuova creazione.
cd /var/cache/pbuilder/result
Esegui questo comando per correggere eventuali dipendenze.
Modifica /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_web.lib.php e cerca quanto segue:
Commentalo in modo che assomigli a questo:
Cerca di nuovo nello stesso file e commentalo.
Crea un sito protetto predefinito che gli utenti vedranno se utilizzano un browser non conforme a RFC 4366.
mkdir /var/www/sharedip/ssl
Assicurati di inserire la tua password.
Modifica /etc/apache2/apache2.conf e posizionalo sopra Include /etc/apache2/vhosts/Vhosts_ispconfig.conf
Verifica la creazione di più siti con SSL abilitato.
http://edseek.com/~jasonb/articles/pbuilder_backports/index.html
patch –p1
dch –iapache2 (2.2.3-4a+etch) stable; urgency=low
* Enabled TLS Extensions
-- John Doe <[email protected]> Tue, 5 Nov 2007 06:29:54 -0600
dpkg-source –b apache2-2.2.3/ apache2_2.2.3.orig.tar.gzpbuilder build apache2_2.2.3-4a+etch.dsc
3. Compilazione di OpenSSL-0.9.8g
deb-src http://ftp.debian.org/debian/ sid main
mkdir /usr/src/openssl
cd /usr/src/openssl/
apt-get source opensslCONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib enable-tlsext
dch -iopenssl (0.9.8g-1) unstable; urgency=low
* Enabled TLS Extensions
-- John Doe <[email protected]> Mon, 5 Nov 2007 22:40:05 -0600
dpkg-source –b openssl-0.9.8g/ openssl_0.9.8g.orig.tar.gzpbuilder build openssl_0.9.8g-1.dsc
dpkg –i apache2_2.2.3-4a+etch_all.deb
dpkg –i apache2.2-common_2.2.3-4a+etch_i386.deb
dpkg –i apache2-mpm-prefork_2.2.3-4a+etch_i386.deb
dpkg –i libssl0.9.8_0.9.8g-1_i386.deb
dpkg –i openssl_0.9.8g-1_i386.debapt-get install –f
4. Configura ISPConfig per consentire più siti Web sicuri su un indirizzo IP
//////////////////////////////////////////////////////
// Check ob bereits ein SSL Cert auf der IP Existiert
//////////////////////////////////////////////////////
$ssl_count = $go_api->db->queryOneRecord("SELECT count(doc_id) as ssl_co
if($ssl_count["ssl_count"] > 1) {
// Es existiert bereits ein SSL Web mit dieser IP
$status = "NOTIFY";
$errorMessage .= $go_api->lng("error_web_ssl_exist");
$go_api->db->query("UPDATE isp_isp_web set web_ssl = 0 where doc_id =
} //////////////////////////////////////////////////////
// Check ob bereits ein SSL Cert auf der IP Existiert
//////////////////////////////////////////////////////
// $ssl_count = $go_api->db->queryOneRecord("SELECT count(doc_id) as ssl_co
// if($ssl_count["ssl_count"] > 1) {
// // Es existiert bereits ein SSL Web mit dieser IP
// $status = "NOTIFY";
// $errorMessage .= $go_api->lng("error_web_ssl_exist");
// $go_api->db->query("UPDATE isp_isp_web set web_ssl = 0 where doc_id =
// }
cd /var/www/sharedip/ssl
openssl genrsa -des3 -passout pass:yourpassword -out 192.168.1.2.key2 1024
openssl req - new -passin pass:yourpassword -passout pass:yourpassword -key 192.168.1.2.key2 -out 192.168.1.2.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key 192.168. 1.2.key2 -in 192.168.1.2.csr -out 192.168.1.2.crt -days 365
openssl rsa -passin pass:yourpassword -in 192.168.1.2.key2 -out 192.168.1.2.key
chmod 400 192.168.1.2.chiave
Inoltre, userei un asterisco "*" per il nome comune.NameVirtualHost 192.168.1.2:443
<VirtualHost 192.168.1.2:443>
ServerName localhost
ServerAdmin [email protected]
DocumentRoot /var/www/sharedip
SSLEngine on
SSLCertificateFile /var/www/sharedip/ssl/192.168.1.2.crt
SSLCertificateKeyFile /var/www/sharedip/ssl/192.168.1.2.key
</VirtualHost>
Devi disporre di un browser conforme a RFC 4366 per poter visualizzare correttamente i siti.
Per testare il tuo browser vai su https://dave.sni.velox.ch /e controlla se il tuo browser funziona.Link:
https://dave.sni.velox.ch/
http://www.edelweb.fr/EdelKey/