| 1 | ------------------------------------------------------------------------------- |
|---|
| 2 | $Id$ |
|---|
| 3 | ------------------------------------------------------------------------------- |
|---|
| 4 | [Table of Contents]: |
|---|
| 5 | ...1: Implementation details |
|---|
| 6 | ...2: Getting SSL support working |
|---|
| 7 | ...3: Generating a self-signed certificate |
|---|
| 8 | ...4: FAQs |
|---|
| 9 | ------------------------------------------------------------------------------- |
|---|
| 10 | [1: Implementation details]: |
|---|
| 11 | |
|---|
| 12 | Currently ithildin uses OpenSSL for its SSL library. It supports both |
|---|
| 13 | OpenSSL 0.9.6 and OpenSSL 0.9.7, and should support future versions as well. |
|---|
| 14 | |
|---|
| 15 | That said, it does not make completely full use of OpenSSL's capabilities. |
|---|
| 16 | In particular it does have support for CRLs (Certificate Revocation Lists) |
|---|
| 17 | and does not allow for end-user configuration of some specific parameters |
|---|
| 18 | (such as the available cipher list). |
|---|
| 19 | |
|---|
| 20 | However, most basic SSL functionality is supported. The socket API can |
|---|
| 21 | function as both an SSL client and an SSL server with the caveat that as an |
|---|
| 22 | SSL client it still requires a key, though the SSL specification makes no |
|---|
| 23 | such demands. |
|---|
| 24 | |
|---|
| 25 | ------------------------------------------------------------------------------- |
|---|
| 26 | [2: Getting SSL support working]: |
|---|
| 27 | |
|---|
| 28 | Getting SSL supporting working can be relatively painless depending on your |
|---|
| 29 | system of choice. For most all free Unixes it is as simple as |
|---|
| 30 | adding/uncommenting the 'ssl' section to your main configuration file |
|---|
| 31 | (usually ithildin.conf) and setting up the necessary private/public key |
|---|
| 32 | pair. If, however, you use a system without a random number generating |
|---|
| 33 | device (/dev/random) you will have to go through the extra steps of setting |
|---|
| 34 | up EGD. That is not covered here, and instead you should refer to OpenSSL's |
|---|
| 35 | documentation on this. |
|---|
| 36 | |
|---|
| 37 | You can also, at your option, use your own specific CA (certificate |
|---|
| 38 | authority) file with the public keys of CAs which you wish to trust. This |
|---|
| 39 | may be necessary for certain modules, because the SSL code requires that |
|---|
| 40 | when a key is presented to it that it be signed by a recognized certificate |
|---|
| 41 | authority. |
|---|
| 42 | |
|---|
| 43 | ------------------------------------------------------------------------------- |
|---|
| 44 | [3: Generating a self-signed certificate]: |
|---|
| 45 | |
|---|
| 46 | Sometimes it is desirable to create a self-signed SSL certificate. If you |
|---|
| 47 | are testing, or are using SSL in a closed environment, or otherwise do not |
|---|
| 48 | need the security added by a trusted third-party signing your SSL |
|---|
| 49 | certificate, this is the way to go. Generating a self-signed SSL |
|---|
| 50 | certificate with OpenSSL is actually fairly trivial, just follow the steps |
|---|
| 51 | below: |
|---|
| 52 | |
|---|
| 53 | #1: Decide where you want to put your certificates. I recommend placing |
|---|
| 54 | them in the directory containing the main server config files under an 'ssl' |
|---|
| 55 | subdirectory. So, if you have installed ithildin in /usr/local, and |
|---|
| 56 | /usr/local/etc/ithildin is where your config files live, you would do the |
|---|
| 57 | following: |
|---|
| 58 | $ cd /usr/local/etc/ithildin |
|---|
| 59 | $ mkdir ssl |
|---|
| 60 | |
|---|
| 61 | #2: Generate your certificate and private key. This is done via the |
|---|
| 62 | 'openssl' command line utility in the following manner: |
|---|
| 63 | $ openssl req -x509 -newkey rsa:1024 -keyout ssl/key.pem -out ssl/cert.pem |
|---|
| 64 | This will ask you various questions about your locality for the purposes of |
|---|
| 65 | the key. Most of these are straightforward, HOWEVER, the "Common name" |
|---|
| 66 | field should not be filled with your personal name, but rather the hostname |
|---|
| 67 | that your server will be calling itself. You can, at your discretion, |
|---|
| 68 | create your rsa key using more than 1024 bits (and this is recommended. |
|---|
| 69 | 2048 is a good value, and even 4096 is not unreasonable on faster hardware). |
|---|
| 70 | |
|---|
| 71 | Also, don't forget to make sure your private key is made as private as |
|---|
| 72 | possible. At least remember to change the access modes on it so that it can |
|---|
| 73 | only be accessed by the user the server will be running as. Doing something |
|---|
| 74 | like the following should achieve this: |
|---|
| 75 | $ chmod u=rw,go= ssl/key.pem |
|---|
| 76 | $ chown <whoever> ssl/key.pem |
|---|
| 77 | |
|---|
| 78 | #3: This step is optional, and is actually provided simply because a lot of |
|---|
| 79 | people want to know. By default, OpenSSL requires that you encrypt your |
|---|
| 80 | private key with a passphrase. It will then prompt you for that passphrase |
|---|
| 81 | every time you start the server. You can decrypt the RSA key (removing the |
|---|
| 82 | need for passphrase entry on startup). I don't recommend that you do this, |
|---|
| 83 | but you may find it necessary/useful. If so, do the following: |
|---|
| 84 | $ openssl rsa -in ssl/key.pem -out ssl/key2.pem |
|---|
| 85 | [enter passphrase] |
|---|
| 86 | $ mv ssl/key2.pem ssl/key.pem |
|---|
| 87 | And you'll be all set. |
|---|
| 88 | |
|---|
| 89 | ------------------------------------------------------------------------------- |
|---|
| 90 | [4: FAQs]: |
|---|
| 91 | |
|---|
| 92 | <left blank> |
|---|
| 93 | |
|---|
