[AWS] SSL questions
Pascal Obry
p.obry@wanadoo.fr
Tue, 6 Jan 2004 19:11:18 +0100
Jessica et Vincent Tourvieille writes:
> Greetings !
>
> I am trying to set up an AWS-based secure server and here are
> the following problems (and associated questions) I have:
>
> 1) When installing AWS in the /usr/local/... directly,
> libz.a did not end up being copied
> to the lib directory, I had to copy it manually.
> Would that be a makefile bug, or is this file
> simply not needed?
This was a makefile bug if my memory is right, fixed for some time now.
> 2) When building AWS, the secure part of the
> runme demo does behave as expected.
> However after installing AWS (in the usr/local/Ada/AWS... directory).
> It was quite a challenge to find the appropriate command line,
> (it would be helpful to display the command line being used to compile the
> demos,
> even DEBUG=1 does not display it)
To build an SSL program you just need to compile it with -lssl and -lcrypto
(as described in the documentation). Note that (not directly related) the next
AWS version will have a script to help setup the build environment.
> 3) Attempt to generate a self signed certificate:
> Using the successful command line above and the AWS provided
> certificate, I can run successfully the secure server.
> However, when I try to generate my own self signed certificate
> (my ultimate goal is to have a CA approved one) following the methods
> described in http://www.openssl.org/docs/HOWTO/
> I get the "No Common Encryption Algorithm" error from my Mozilla browser
> (the opera browser simply does not say nor load anything, while internet
> explorer
> gives "page not found")
>
> (I tried key generated with and without a password, same result).
>
> Did you generate your self signed certificate differently than what is
> described in
> the URL above, or do you have any hint for me ?
We have generated this ourselves. I have added a note in the documentation
some time ago about this issue; here is the procedure:
<<
@node Creating a test certificate
@subsection Creating a test certificate
@cindex certificate
@noindent
The goal here is not to replace the @code{OpenSSL} documentation but
just to present one way to create a certificate for an @code{HTTPS}
test server.
@table @b
@item The RSA key
@smallexample
@cartouche
@group
$ openssl genrsa -rand <filename> -out ca-key.pem
@end group
@end cartouche
@end smallexample
@noindent
Filename must point to any file; this is used to initialize the
random seed.
@item The Certificate
@smallexample
@cartouche
@group
$ openssl req -new -x509 -days 730 -key ca-key.pem -out ca-cert.pem
@end group
@end cartouche
@end smallexample
@item Create a single self contained file
@smallexample
@cartouche
@group
$ cat ca-key.pem ca-cert.pem > aws.pem
@end group
@end cartouche
@end smallexample
@end table
@noindent
At this point you can use @file{aws.pem} with your server.
>>
>
> 4) Would AWS support a certificate protected by a password ?
> (in the apache case, I think you get prompted for the
> password when starting the server)
I don't think so :)
> 5) Would AWS support chained certificate ?
> ( I just read that those are harder to setup so I am
> just asking, I didn't do much research)
No.
> 6) I am using Mandrake 9.2, with a security level of "higher"
> (the one advised for using the machine as a server).
> To run a server at ports 80 or 443, the program has to be started as root.
> (the question is not really AWS specific) Isn't running a server as root
> a security problem rather than a good thing ?
> How can I do to be allowed to start my process on port 80
> or 443 as a normal user ?
I can't answer this one sorry.
I wish all AWS's mailing-list readers a Happy New Year !
Pascal.
--
--|------------------------------------------------------
--| Pascal Obry Team-Ada Member
--| 45, rue Gabriel Peri - 78114 Magny Les Hameaux FRANCE
--|------------------------------------------------------
--| http://perso.wanadoo.fr/pascal.obry
--| "The best way to travel is by means of imagination"
--|
--| gpg --keyserver wwwkeys.pgp.net --recv-key C1082595
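The certificate procedure quoted in the reply above, as an added example script that is not part of the original mail or of the AWS documentation: it runs the three documented openssl steps non-interactively and then checks that the key and the certificate combined into aws.pem actually belong together, a useful sanity check before pointing a server at the file. The 2048-bit key size, the seed file and the -subj value are my assumptions, not values from the mail.

```shell
#!/bin/sh
# Added example: build a self-signed test certificate the way the quoted
# AWS documentation describes, then verify the resulting aws.pem.
set -eu

# make_test_cert DIR [DAYS] - writes ca-key.pem, ca-cert.pem and aws.pem into DIR
make_test_cert() {
    dir=$1
    days=${2:-730}
    mkdir -p "$dir"
    # Seed file for -rand (the <filename> of the procedure); any readable
    # file will do, this one is constructed from /dev/urandom.
    head -c 1024 /dev/urandom > "$dir/seed.bin"
    # 1) The RSA key. Modern openssl wants a key size; 2048 is an assumption.
    openssl genrsa -rand "$dir/seed.bin" -out "$dir/ca-key.pem" 2048 2>/dev/null
    # 2) The certificate; -subj replaces the interactive prompts (assumed CN).
    openssl req -new -x509 -days "$days" -key "$dir/ca-key.pem" \
        -out "$dir/ca-cert.pem" -subj "/CN=aws-test.example"
    # 3) One self-contained file with key and certificate, as the server expects.
    cat "$dir/ca-key.pem" "$dir/ca-cert.pem" > "$dir/aws.pem"
}

# check_test_cert FILE - returns 0 when FILE holds exactly one private key and
# one certificate whose public keys match, 1 otherwise.
check_test_cert() {
    pem=$1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] || return 1
    # Derive the public key from each half; openssl skips PEM blocks of the
    # wrong type, so both commands can read the combined file directly.
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    certpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}
```

A key that does not match its certificate is rejected by check_test_cert, which is exactly the kind of broken aws.pem a server would otherwise load without complaint.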