Obtaining and Installing SSL Tools
SSL support is provided by mod_ssl, an Apache module. This module requires the OpenSSL library, an open-source implementation of the SSL/TLS protocols and a variety of other cryptographic algorithms. OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson.
Due to the restrictions on the distribution of strong cryptography and patented intellectual property worldwide, the installation of SSL-related tools varies in its ease from platform to platform. The following sections provide an overview for obtaining and installing SSL-related tools.
All files and instructions necessary for installing OpenSSL can be found at http://www.openssl.org/. Users of Linux/Unix (and their variants) will find the installation of the OpenSSL software to be similar to installing other system tools. However, the casual Windows user will discover that there are currently no freely distributed precompiled binaries. As such, Windows users must compile the OpenSSL tools on their own.
Installation for Windows Users
Windows users who are familiar with the process of building their own binaries may do so with the OpenSSL source code provided at the OpenSSL Web site. The instructions for compiling OpenSSL on Windows are in the INSTALL.W32 file found in the source distribution. Restating these instructions is beyond the scope of this book; however, you will find they are comprehensive and well written. The required tools are ActiveState Perl for Windows, and one of the following C compilers:
Be sure to follow the instructions appropriate to your compiler of choice, as they are quite different for each. You can also find tips from Apache for compiling OpenSSL, at http://httpd.apache.org/docs-2.0/platform/win_compiling.html.
Installation for Linux/Unix Users
If you are running a recent Linux or FreeBSD distribution, OpenSSL might already be installed in your system. Should you need to install OpenSSL, you can download the source from the OpenSSL Web site. Once downloaded, uncompress it and cd into the created directory (replace -version in the following commands with your particular, current version of OpenSSL):
# gunzip < openssl-version.tar.gz | tar xvf -
# cd openssl-version
The mod_ssl Apache Module
In the past, SSL extensions for Apache had to be distributed separately because of export restrictions. Currently, mod_ssl is bundled with Apache 2.0, but only as part of the source distributions. While not an issue for Linux/Unix users, Windows users will find they must build Apache from source in order to build the mod_ssl module; mod_ssl is not distributed in the precompiled and distributed binaries. The mod_ssl module depends on the OpenSSL library, so a valid OpenSSL installation is required.
For Windows Users
In order to use mod_ssl, you must build your Apache installation from scratch. In other words, if you followed the installation instructions in Chapter 3, "Installing and Configuring Apache," throw those out and follow the Apache documentation found at http://httpd.apache.org/docs-2.0/platform/win_compiling.html. Again, restating these instructions is beyond the scope of this book, but they will provide you with all the information you need. The core requirements are
For Linux/UNIX Users
The source distribution used in Chapter 3 should already include the files necessary to use mod_ssl. As such, in order to use mod_ssl, you only need to follow the configure and make/make install process again, with the following addition as part of the configure command:
This assumes that you installed OpenSSL in the listed location; if it resides in another directory on your server, simply substitute the location in the preceding command.
If you compiled mod_ssl statically into Apache, you can check whether it is present by issuing the following command, which provides a list of compiled-in modules:
# /usr/local/apache2/bin/httpd -l
By the Way
The above command assumes that you installed Apache in the /usr/local/apache2 directory.
LoadModule ssl_module modules/libmodssl.so
When you have finished making changes to the httpd.conf file, restart Apache so your changes take effect. If you look in your error_log after restarting, mod_ssl will be part of your server signature, such as
Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d PHP/5.0.2
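The checks described above (the httpd -l listing for a static build, the LoadModule ssl_module line in httpd.conf, and the mod_ssl and OpenSSL tokens in the server signature) can be scripted as follows. This is an added example, not code from the book; the function names ssl_mode and sig_versions are hypothetical, the sample module listing is constructed, and the httpd.conf path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the book). Function names are hypothetical.

# ssl_mode LISTING CONF
#   LISTING: text printed by "httpd -l" (compiled-in modules)
#   CONF:    path to httpd.conf
# Prints static, dynamic or absent; returns 1 only for absent.
ssl_mode() {
    # A statically linked module is listed by its source file name.
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mod_ssl\.c[[:space:]]*$'; then
        echo static
        return 0
    fi
    # Otherwise require an active LoadModule line; a commented-out one
    # (leading "#") does not load the module and must not match.
    if [ -r "$2" ] &&
       grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$2"; then
        echo dynamic
        return 0
    fi
    echo absent
    return 1
}

# sig_versions BANNER
#   Prints the mod_ssl/... and OpenSSL/... tokens of a server signature,
#   one per line, so the versions can be compared with what you built.
sig_versions() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^(mod_ssl|OpenSSL)/'
}

# Constructed listing (not captured from a real server); the signature
# is the one quoted in the text.
sample_listing='Compiled in modules:
  core.c
  mod_ssl.c
  http_core.c'
sample_sig='Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d PHP/5.0.2'

ssl_mode "$sample_listing" /dev/null    # static
sig_versions "$sample_sig"

# On a real server (the conf path is an assumption about your layout):
#   ssl_mode "$(/usr/local/apache2/bin/httpd -l)" /usr/local/apache2/conf/httpd.conf
```

A result of absent after a rebuild means the server is running without mod_ssl, whatever httpd.conf was meant to contain.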