ASF Bugzilla – Attachment 18658 Details for Bug 40132: Expose ECC cipher suites (IETF RFC 4492) in OpenSSL to Apache
Description: Instructions for building and testing an ECC enabled version of Apache
Filename: README.html
MIME Type: text/html
Creator: Vipul Gupta
Created: 2006-07-27 23:59:29 UTC
Size: 9.63 KB
<html>
<head>
<title>ECC enabled Apache</title>
</head>
<body>
<h1>Apache with Elliptic Curve Cryptography</h1>

This document describes how to build an Apache 2.2.2 web server
with support for Elliptic Curve Cryptography cipher suites
(<a href="http://www.ietf.org/rfc/rfc4492.txt">RFC 4492</a>)
using OpenSSL 0.9.9-dev.

<h2>Step 1: Building ECC-enabled OpenSSL</h2>
<ol>
  <li>
  Create an installation root directory and set an environment variable
  $MY_INSTALL_ROOT to point to it. The declaration of $MY_INSTALL_ROOT
  varies among shells. This example works for bash shells:<br />
  <pre>
% export MY_INSTALL_ROOT=absolute_path_to_installation_directory
% mkdir $MY_INSTALL_ROOT
  </pre>
  </li>

  <li>
  Download openssl-SNAP-20060724.tar.gz (or similar) from
  the <a href="ftp://ftp.openssl.org/snapshot/">OpenSSL
  snapshot page</a>. Save it to $MY_INSTALL_ROOT and set
  an environment variable to point to the OpenSSL directory.<br />
  <pre>
% cd $MY_INSTALL_ROOT
% gunzip openssl-SNAP-20060724.tar.gz
% tar xvf openssl-SNAP-20060724.tar
% export MY_OPENSSL=$MY_INSTALL_ROOT/openssl-SNAP-20060724
  </pre>
  </li>

  <li>
  Configure and compile OpenSSL and verify the compilation by executing
  the tests.<br />
  <pre>
% cd $MY_OPENSSL
% ./config
% make
% make test
  </pre>
  </li>
</ol>

<h2>Step 2: Building Apache 2.2.2 with OpenSSL</h2>
<ol>
  <li>
  Download Apache httpd-2.2.2.tar.gz from the
  <a href="http://httpd.apache.org/download.cgi">Apache
  Software Foundation</a> and save it to $MY_INSTALL_ROOT.
  Also create an installation directory for Apache (e.g.,
  Apache-Install) under $MY_INSTALL_ROOT.<br />
  <pre>
% cd $MY_INSTALL_ROOT
% gunzip httpd-2.2.2.tar.gz
% tar xvf httpd-2.2.2.tar
% mkdir $MY_INSTALL_ROOT/Apache-Install
  </pre>
  </li>

  <li>
  Apache is linked to OpenSSL through the mod_ssl module. This
  module is included in httpd-2.2.2 but needs to be patched to
  expose the elliptic curve cryptography capabilities in OpenSSL.
  This <a href="enable-ecc-in-modssl-20060725171010.patch">patch</a>
  can be applied with the
  <a href="http://www.gnu.org/software/patch/patch.html">GNU patch tool</a>:
  <pre>
% cd $MY_INSTALL_ROOT/httpd-2.2.2
% patch -p 0 -i enable-ecc-in-modssl-20060725171010.patch
  </pre>
  </li>

  <li>
  Configure, compile and install Apache.
  <pre>
% ./configure --prefix=$MY_INSTALL_ROOT/Apache-Install/ --enable-ssl --enable-so --with-ssl=$MY_OPENSSL
% make
% make install
  </pre>
  </li>
</ol>

<h2>Step 3: Generate suitable certificates</h2>

To test the Apache web server with ECC and RSA cipher suites, RSA and
ECC certificates are needed.
<ol>
  <li>
  An RSA certificate can be generated with OpenSSL and installed
  into the Apache installation directory as follows:
  <pre>
% cd $MY_OPENSSL/demos/ssltest-ecc
% ./RSAcertgen.sh
% cp Certs/rsa1024TestServer.cert.pem $MY_INSTALL_ROOT/Apache-Install/conf/server-rsa.crt
% cp Certs/rsa1024TestServer.key.pem $MY_INSTALL_ROOT/Apache-Install/conf/server-rsa.key
  </pre>
  </li>

  <li>
  Likewise, ECC certificates can be generated and installed.
  To change the elliptic curves used in the certificate from the
  default "secp160r1" and "secp160r2", open the file
  $MY_OPENSSL/demos/ssltest-ecc/ECCcertgen.sh in an editor and
  replace "secp160r1" and "secp160r2" with the desired curves.
  We highly recommend using secp256r1, since that curve is also
  supported in the version of Internet Explorer that will be
  included in Windows Vista. You should also edit the "distinguished
  name" field in the certificate appropriately, e.g., insert the
  server's hostname in the CN component.
  <pre>
% ./ECCcertgen.sh    # Produces ECDSA-signed ECC certs
% cp Certs/secp160r2TestServer.cert.pem $MY_INSTALL_ROOT/Apache-Install/conf/server-ecc.crt
% cp Certs/secp160r2TestServer.key.pem $MY_INSTALL_ROOT/Apache-Install/conf/server-ecc.key
  </pre>

  This creates an ECDSA-signed ECC certificate which can be used
  for ECDH-ECDSA ciphers. Alternatively, if you need an RSA-signed
  ECC certificate for use in ECDH-RSA ciphers, do the following:
  <pre>
% ./ECC-RSAcertgen.sh    # Produces RSA-signed ECC certs
% cp Certs/sect163r1-rsaTestServer.cert.pem $MY_INSTALL_ROOT/Apache-Install/conf/server-ecc.crt
% cp Certs/sect163r1-rsaTestServer.key.pem $MY_INSTALL_ROOT/Apache-Install/conf/server-ecc.key
  </pre>

  <b>NOTE</b>: OpenSSL does not currently allow a server to be
  configured with multiple ECC certs simultaneously.
  </li>
</ol>

<h2>Step 4: Edit Apache config files</h2>
<ol>
  <li>
  Apache can either be run on the regular HTTP port 80, which requires
  superuser rights, or it can be run by any user on a higher port
  number, e.g., 8080. The following lines in
  <tt>$MY_INSTALL_ROOT/Apache-Install/conf/httpd.conf</tt> may have to be
  modified (replace 80 with 8080 and www.example.com with the
  server's name):<br />
  <pre>
Listen 80
ServerName www.example.com:80
  </pre>

  Finally, uncomment the following line in httpd.conf:
  <pre>
#Include conf/extra/httpd-ssl.conf
  </pre>
  </li>

  <li>
  Likewise, Apache can accept secure connections on the regular HTTPS
  port 443, which requires superuser rights, or it can use an
  unprivileged port, e.g., 8443. The following lines in
  <tt>$MY_INSTALL_ROOT/Apache-Install/conf/extra/httpd-ssl.conf</tt>
  may have to be modified (replace 443 with 8443, and _default_ and
  www.example.com with the server's name):<br />
  <pre>
Listen 443
&lt;VirtualHost _default_:443&gt;
ServerName www.example.com:443
  </pre>

  Edit the line beginning with SSLCipherSuite to contain the
  cipher suites you wish to enable.
  <pre>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  </pre>

  <b>NOTE:</b> In recent development versions of OpenSSL, ECC cipher
  suites are part of "ALL" and "ECCdraft" is no longer a valid cipher
  suite descriptor.
  </li>

  <li>
  To enable the generated ECC and RSA certificates, the following lines in
  $MY_INSTALL_ROOT/Apache-Install/conf/extra/httpd-ssl.conf
  have to be added or uncommented:
  <pre>
SSLCertificateFile $MY_INSTALL_ROOT/Apache-Install/conf/server-ecc.crt
SSLCertificateKeyFile $MY_INSTALL_ROOT/Apache-Install/conf/server-ecc.key
  </pre>
  </li>
</ol>

<h2>Step 5: Testing Apache</h2>
<ol>
  <li>
  Start up the Apache web server:
  <pre>
% $MY_INSTALL_ROOT/Apache-Install/bin/apachectl start
  </pre>
  </li>

  <li>
  Connect to it via the OpenSSL <tt>s_client</tt> application:
  <pre>
% $MY_OPENSSL/apps/openssl s_client -connect [server_name]:8443 -cipher ECDH-ECDSA-AES128-SHA
  </pre>
  </li>

  <li>
  Upon successful installation, this command should show output similar to the following:
  <pre>
CONNECTED(00000004)
depth=0 /C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)
   i:/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICCDCCAcgCAQMwCQYHKoZIzj0EATCBqDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MR8wHQYDVQQKExZTdW4gTWljcm9z
eXN0ZW1zLCBJbmMuMSYwJAYDVQQLEx1TdW4gTWljcm9zeXN0ZW1zIExhYm9yYXRv
cmllczErMCkGA1UEAxMiVGVzdCBDQSAoRWxsaXB0aWMgY3VydmUgc2VjcDE2MHIx
KTAeFw0wMzA0MjgyMTEwMTJaFw0wNzA2MDYyMTEwMTJaMIGsMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHzAdBgNVBAoT
FlN1biBNaWNyb3N5c3RlbXMsIEluYy4xJjAkBgNVBAsTHVN1biBNaWNyb3N5c3Rl
bXMgTGFib3JhdG9yaWVzMS8wLQYDVQQDEyZUZXN0IFNlcnZlciAoRWxsaXB0aWMg
Y3VydmUgc2VjcDE2MHIyKTA+MBAGByqGSM49AgEGBSuBBAAeAyoABIA2acNvLS/r
ttA4Yi815YJk/tpjRJ2jH9NOEPK4L6S6kPFk/EEDqi8wCQYHKoZIzj0EAQMvADAs
AhQ1FpYNGvLCK/u6KIKp9e1Cu/2g3wIUdi3Ko8fSl8VdpkeV9wnpm7+r8Xk=
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)
issuer=/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)
---
No client certificate CA names sent
---
SSL handshake has read 686 bytes and written 156 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES128-SHA
Server public key is 161 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDH-ECDSA-AES128-SHA
    Session-ID: 9D975718F660A2DC90A55141CE4904AE93BD4EBF32DC67AAE797DEA7CB4A3310
    Session-ID-ctx:
    Master-Key: 76F7775835F6094D552AF13E37DADF0911151C0C7481D4C3E033138BAABCACB9E9D61FEBE893691B86476B258A157814
    Key-Arg   : None
    Start Time: 1051566707
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
  </pre>

  In addition, a test page can be retrieved by typing
  <pre>
GET / HTTP/1.0 [ENTER] [ENTER]
  </pre>
  </li>
</ol>

</body>
</html>
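The README recommends replacing the 160-bit default curves with secp256r1 before the certificate goes near a real server. As an added check that is not part of the README, the mod_ssl patch or the ssltest-ecc scripts, the script below walks the DER structure of an EC server certificate with a minimal stdlib-only parser, reads the namedCurve OID out of the SubjectPublicKeyInfo, and reports whether the curve meets that recommendation; it is run here against the secp160r2 test-server certificate printed in the s_client output above. The OID table and the 256-bit threshold are the author's assumptions, taken from the curves the README mentions.

```python
import base64
import re
# Named-curve OIDs (SEC 2 / RFC 4492) for the curves the README mentions, with field size in bits.
NAMED_CURVES = {
    "1.3.132.0.8": ("secp160r1", 160), "1.3.132.0.30": ("secp160r2", 160),
    "1.3.132.0.2": ("sect163r1", 163), "1.2.840.10045.3.1.7": ("secp256r1", 256),
}
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"
MIN_BITS = 256  # assumed threshold: the README recommends secp256r1 over the 160-bit defaults

# The secp160r2 test-server certificate shown in the README's s_client output.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICCDCCAcgCAQMwCQYHKoZIzj0EATCBqDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MR8wHQYDVQQKExZTdW4gTWljcm9z
eXN0ZW1zLCBJbmMuMSYwJAYDVQQLEx1TdW4gTWljcm9zeXN0ZW1zIExhYm9yYXRv
cmllczErMCkGA1UEAxMiVGVzdCBDQSAoRWxsaXB0aWMgY3VydmUgc2VjcDE2MHIx
KTAeFw0wMzA0MjgyMTEwMTJaFw0wNzA2MDYyMTEwMTJaMIGsMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHzAdBgNVBAoT
FlN1biBNaWNyb3N5c3RlbXMsIEluYy4xJjAkBgNVBAsTHVN1biBNaWNyb3N5c3Rl
bXMgTGFib3JhdG9yaWVzMS8wLQYDVQQDEyZUZXN0IFNlcnZlciAoRWxsaXB0aWMg
Y3VydmUgc2VjcDE2MHIyKTA+MBAGByqGSM49AgEGBSuBBAAeAyoABIA2acNvLS/r
ttA4Yi815YJk/tpjRJ2jH9NOEPK4L6S6kPFk/EEDqi8wCQYHKoZIzj0EAQMvADAs
AhQ1FpYNGvLCK/u6KIKp9e1Cu/2g3wIUdi3Ko8fSl8VdpkeV9wnpm7+r8Xk=
-----END CERTIFICATE-----"""

def read_tlv(buf, pos):
    """Decode one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def certificate_curve(pem):
    """Return (curve_name, field_bits, meets_recommendation) for an EC certificate."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate ::= SEQUENCE
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0  # skip optional [0] version (v3 certs)
    for _ in range(5):                      # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, spki, _ = read_tlv(tbs, pos)         # SubjectPublicKeyInfo ::= SEQUENCE
    _, algid, _ = read_tlv(spki, 0)         # AlgorithmIdentifier ::= SEQUENCE
    _, key_oid, pos = read_tlv(algid, 0)
    if decode_oid(key_oid) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an EC public key")
    _, curve_oid, _ = read_tlv(algid, pos)  # ECParameters ::= namedCurve OBJECT IDENTIFIER
    name, bits = NAMED_CURVES.get(decode_oid(curve_oid), ("unknown", 0))
    return name, bits, bits >= MIN_BITS
```

Running `certificate_curve(PAGE_CERT_PEM)` on the README's test certificate reports secp160r2 at 160 bits, i.e. below the recommended curve; point it at server-ecc.crt after editing ECCcertgen.sh to confirm the change took effect.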