Come abilitare più siti HTTPS per un IP su Debian Etch usando TLS Estensioni
Questo how-to è specifico di Debian ma potrebbe essere trasferito su altre distribuzioni poiché il concetto è lo stesso. Per utilizzare le estensioni TLS dobbiamo applicare patch e ricompilare apache2 e ricompilare OpenSSL con la direttiva enable-tlsext. Poiché le estensioni TLS sono relativamente nuove , alcuni browser Internet non funzioneranno, quindi il server apache2 fornirà solo il sito predefinito come fa http 1.0 su un server http 1.1.
Questo how-to presuppone che tu abbia seguito il perfect_setup_debian_etch fino al completamento.
1. Preparazione di pbuilder
Installa pbuilder.
apt-get update
apt-get install pbuilder fakeroot sudo devscripts apt-utils
Prossima modifica /etc/pbuilder/pbuilderrc sulla riga 11 per riflettere un sito più vicino a te. Questo è il sito che apt utilizzerà per risolvere le dipendenze.
MIRRORSITE=http://http.us.debian.org/debian
Nello stesso file vai alla riga 20 e imposta DISTRIBUTION=etch
Infine crea la tua immagine di pbuilder.
pbuilder create --distribution etch
2. Applicazione di patch e ricompilazione di apache2.
Per prima cosa dobbiamo creare una directory in cui archiviare i sorgenti e scaricarli.
mkdir /usr/src/apache2
cd /usr/src/apache2
apt-get source apache2
Copia e salva questa patch in /usr/src/apache2/apache2-2.2.3/httpd-2.2.3-sni.patch
cat > /usr/src/apache2/apache2-2.2.3/httpd-2.2.3-sni.patch
httpd-2.2.3-sni.patch - server name indication support for Apache 2.2 (see RFC 4366, "Transport Layer Security (TLS) Extensions") based on a patch from the EdelKey project (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) Needs openssl-SNAP-20060330 / openssl-0.9.8-stable-SNAP-20070813 or later to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 branch must be configured explicitly for TLS extension support at compile time ("./config enable-tlsext"). Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c =================================================================== --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 423224) +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) @@ -156,6 +156,87 @@ return OK; } +#ifndef OPENSSL_NO_TLSEXT +static int set_ssl_vhost(void *servername, conn_rec *c, server_rec *s) +{ + SSLSrvConfigRec *sc; + SSL *ssl; + BOOL found = FALSE; + apr_array_header_t *names; + int i; + + /* check ServerName */ + if (!strcasecmp(servername, s->server_hostname)) + found = TRUE; + + /* if not matched yet, check ServerAlias entries */ + if (!found) { + names = s->names; + if (names) { + char **name = (char **) names->elts; + for (i = 0; i < names->nelts; ++i) { + if(!name[i]) continue; + if (!strcasecmp(servername, name[i])) { + found = TRUE; + break; + } + } + } + } + + /* if still no match, check ServerAlias entries with wildcards */ + if (!found) { + names = s->wild_names; + if (names) { + char **name = (char **) names->elts; + for (i = 0; i < names->nelts; ++i) { + if(!name[i]) continue; + if (!ap_strcasecmp_match(servername, name[i])) { + found = TRUE; + break; + } + } + } + } + + /* set SSL_CTX (if matched) */ + if (found) { + if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL) + return 0; + if (!(sc = mySrvConfig(s))) + return 0; + SSL_set_SSL_CTX(ssl,sc->server->ssl_ctx); + return 1; + } + return 0; +} + +int ssl_set_vhost_ctx(SSL *ssl, const char *servername) +{ + conn_rec *c; + + if (servername == NULL) /* should not occur. */ + return 0; + + SSL_set_SSL_CTX(ssl,NULL); + + if (!(c = (conn_rec *)SSL_get_app_data(ssl))) + return 0; + + return ap_vhost_iterate_given_conn(c,set_ssl_vhost,servername); +} + +int ssl_servername_cb(SSL *s, int *al, modssl_ctx_t *mctx) +{ + const char *servername = SSL_get_servername(s,TLSEXT_NAMETYPE_host_name); + + if (servername) { + return ssl_set_vhost_ctx(s,servername)?SSL_TLSEXT_ERR_OK:SSL_TLSEXT_ERR_ALERT_FATAL; + } + return SSL_TLSEXT_ERR_NOACK; +} +#endif + /* * Per-module initialization */ @@ -376,6 +457,29 @@ } } +static void ssl_init_server_extensions(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, + modssl_ctx_t *mctx) +{ + /* + * Configure TLS extensions support + */ + +#ifndef OPENSSL_NO_TLSEXT + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Configuring TLS extensions facility"); + + if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, ssl_servername_cb) || + !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to initialize servername callback, bad openssl version."); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); + ssl_die(); + } +#endif +} + static void ssl_init_ctx_protocol(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -709,6 +810,8 @@ /* XXX: proxy support? */ ssl_init_ctx_cert_chain(s, p, ptemp, mctx); } + + ssl_init_server_extensions(s, p, ptemp, mctx); } static int ssl_server_import_cert(server_rec *s, @@ -1035,6 +1138,7 @@ } } +#ifdef OPENSSL_NO_TLSEXT /* * Give out warnings when more than one SSL-aware virtual server uses the * same IP:port. This doesn't work because mod_ssl then will always use @@ -1079,6 +1183,7 @@ "Init: You should not use name-based " "virtual hosts in conjunction with SSL!!"); } +#endif } #ifdef SSLC_VERSION_NUMBER Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c =================================================================== --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 423224) +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) @@ -231,7 +231,20 @@ * the currently active one. */ +#ifndef OPENSSL_NO_TLSEXT /* + * We will switch to another virtualhost and to its ssl_ctx + * if changed, we will force a renegotiation. + */ + if (r->hostname && !SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) { + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + if (ssl_set_vhost_ctx(ssl,(char *)r->hostname) && + ctx != SSL_get_SSL_CTX(ssl)) + renegotiate = TRUE; + } +#endif + + /* * Override of SSLCipherSuite * * We provide two options here: @@ -997,6 +1010,9 @@ SSLDirConfigRec *dc = myDirConfig(r); apr_table_t *env = r->subprocess_env; char *var, *val = ""; +#ifndef OPENSSL_NO_TLSEXT + const char* servername; +#endif STACK_OF(X509) *peer_certs; SSL *ssl; int i; @@ -1018,6 +1034,12 @@ /* the always present HTTPS (=HTTP over SSL) flag! */ apr_table_setn(env, "HTTPS", "on"); +#ifndef OPENSSL_NO_TLSEXT + /* add content of SNI TLS extension (if supplied with ClientHello) */ + if (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) + apr_table_set(env, "TLS_SNI", servername); +#endif + /* standard SSL environment variables */ if (dc->nOptions & SSL_OPT_STDENVVARS) { for (i = 0; ssl_hook_Fixup_vars[i]; i++) { Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h =================================================================== --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 423224) +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) @@ -258,6 +258,12 @@ #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP #endif +#ifndef OPENSSL_NO_TLSEXT +#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME +#define OPENSSL_NO_TLSEXT +#endif +#endif + #endif /* SSL_TOOLKIT_COMPAT_H */ /** @} */ |
Usa ctrl+d per uscire
cd apache2-2.2.3/
Cambia la versione.
cd debian/
E modifica le righe 1-5 in modo che appaia così:
Ricompila il pacchetto sorgente.
cd ../..
Compila apache2 con pbuilder.
Modifica /etc/apt/sources.list con il tuo editor preferito e aggiungi una nuova riga usando sid per la distribuzione
apt-get update
Modifica il file /usr/src/openssl/openssl-0.9.8g/debian/rules e aggiungi enable-tlsext alla riga 22 in modo che assomigli a questo:
cd openssl-0.9.8g/debian/
Cambia la versione alle righe 1-5 in modo che assomigli a questa:
Ricompila il pacchetto sorgente.
cd ../..
Compila OpenSSL con pbuilder.
Installazione dei pacchetti di nuova creazione.
cd /var/cache/pbuilder/result
Esegui questo comando per correggere eventuali dipendenze.
Modifica /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_web.lib.php e cerca quanto segue:
Commentalo in modo che assomigli a questo:
Cerca di nuovo nello stesso file e commentalo.
Crea un sito protetto predefinito che gli utenti vedranno se utilizzano un browser non conforme a RFC 4366.
mkdir /var/www/sharedip/ssl
Assicurati di inserire la tua password.
Modifica /etc/apache2/apache2.conf e posizionalo sopra Include /etc/apache2/vhosts/Vhosts_ispconfig.conf
Verifica la creazione di più siti con SSL abilitato.
http://edseek.com/~jasonb/articles/pbuilder_backports/index.html
patch –p1
dch –iapache2 (2.2.3-4a+etch) stable; urgency=low
* Enabled TLS Extensions
-- John Doe <[email protected]> Tue, 5 Nov 2007 06:29:54 -0600
dpkg-source –b apache2-2.2.3/ apache2_2.2.3.orig.tar.gzpbuilder build apache2_2.2.3-4a+etch.dsc
3. Compilazione di OpenSSL-0.9.8g
deb-src http://ftp.debian.org/debian/ sid main
mkdir /usr/src/openssl
cd /usr/src/openssl/
apt-get source opensslCONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib enable-tlsext
dch -iopenssl (0.9.8g-1) unstable; urgency=low
* Enabled TLS Extensions
-- John Doe <[email protected]> Mon, 5 Nov 2007 22:40:05 -0600
dpkg-source –b openssl-0.9.8g/ openssl_0.9.8g.orig.tar.gzpbuilder build openssl_0.9.8g-1.dsc
dpkg –i apache2_2.2.3-4a+etch_all.deb
dpkg –i apache2.2-common_2.2.3-4a+etch_i386.deb
dpkg –i apache2-mpm-prefork_2.2.3-4a+etch_i386.deb
dpkg –i libssl0.9.8_0.9.8g-1_i386.deb
dpkg –i openssl_0.9.8g-1_i386.debapt-get install –f
4. Configura ISPConfig per consentire più siti Web sicuri su un indirizzo IP
//////////////////////////////////////////////////////
// Check ob bereits ein SSL Cert auf der IP Existiert
//////////////////////////////////////////////////////
$ssl_count = $go_api->db->queryOneRecord("SELECT count(doc_id) as ssl_co
if($ssl_count["ssl_count"] > 1) {
// Es existiert bereits ein SSL Web mit dieser IP
$status = "NOTIFY";
$errorMessage .= $go_api->lng("error_web_ssl_exist");
$go_api->db->query("UPDATE isp_isp_web set web_ssl = 0 where doc_id =
}
//////////////////////////////////////////////////////
// Check ob bereits ein SSL Cert auf der IP Existiert
//////////////////////////////////////////////////////
// $ssl_count = $go_api->db->queryOneRecord("SELECT count(doc_id) as ssl_co
// if($ssl_count["ssl_count"] > 1) {
// // Es existiert bereits ein SSL Web mit dieser IP
// $status = "NOTIFY";
// $errorMessage .= $go_api->lng("error_web_ssl_exist");
// $go_api->db->query("UPDATE isp_isp_web set web_ssl = 0 where doc_id =
// }
cd /var/www/sharedip/ssl
openssl genrsa -des3 -passout pass:yourpassword -out 192.168.1.2.key2 1024
openssl req - new -passin pass:yourpassword -passout pass:yourpassword -key 192.168.1.2.key2 -out 192.168.1.2.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key 192.168. 1.2.key2 -in 192.168.1.2.csr -out 192.168.1.2.crt -days 365
openssl rsa -passin pass:yourpassword -in 192.168.1.2.key2 -out 192.168.1.2.key
chmod 400 192.168.1.2.chiave
Inoltre, userei un asterisco "*" per il nome comune.NameVirtualHost 192.168.1.2:443
<VirtualHost 192.168.1.2:443>
ServerName localhost
ServerAdmin [email protected]
DocumentRoot /var/www/sharedip
SSLEngine on
SSLCertificateFile /var/www/sharedip/ssl/192.168.1.2.crt
SSLCertificateKeyFile /var/www/sharedip/ssl/192.168.1.2.key
</VirtualHost>
Devi disporre di un browser conforme a RFC 4366 per poter visualizzare correttamente i siti.
Per testare il tuo browser vai su https://dave.sni.velox.ch /e controlla se il tuo browser funziona.Link:
https://dave.sni.velox.ch/
http://www.edelweb.fr/EdelKey/