From d6e9d47f574f0ea087073ddadcf8394305c38d20 Mon Sep 17 00:00:00 2001 From: gferg <> Date: Fri, 17 Oct 2003 20:58:48 +0000 Subject: [PATCH] updated --- .../docbook/Apache-WebDAV-LDAP-HOWTO.xml | 187 ++++++++++++++++-- LDP/howto/docbook/HOWTO-INDEX/appsSect.sgml | 2 +- LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml | 2 +- 3 files changed, 169 insertions(+), 22 deletions(-) diff --git a/LDP/howto/docbook/Apache-WebDAV-LDAP-HOWTO.xml b/LDP/howto/docbook/Apache-WebDAV-LDAP-HOWTO.xml index ead0f36c..d89064ae 100644 --- a/LDP/howto/docbook/Apache-WebDAV-LDAP-HOWTO.xml +++ b/LDP/howto/docbook/Apache-WebDAV-LDAP-HOWTO.xml @@ -23,6 +23,17 @@ + + v4.1.2 + 2003-10-17 + sa + + Added the SSL performance tuning section. + + + + + v4.1.1 2003-09-29 @@ -79,6 +90,7 @@ Introduction + The Objective of this document in to Setup a Apache + mySQL + PHP + WebDAV based Web Application Server, that uses LDAP for Authentication. The documentation will also provide details on the encrypting LDAP transactions. Note:If you encounter any problems installing Apache or any of the modules please feel free to contact me @ saqib@seagate.com @@ -493,7 +505,7 @@ fully compatible, the client side WebDAV applications will not function properly To test the complaince we will use a tool called Litmus. Litmus is a WebDAV server protocol compliance test suite, which aims to test whether a server is compliant with the WebDAV protocol as specified in RFC2518. -Please download the Litmus source code from http://www.webdav.org/neon/litmus/ and place it in the /tmp/downloads directory. +Please download the Litmus source code from http://www.webdav.org/neon/litmus/ and place it in the /tmp/downloads directory. Then use gzip and tar to extract the files: @@ -644,7 +656,7 @@ The following is a over-simplified structure of the layers involved in SSL. Encryption algorithms used in SSL - There are three kinds of cryptographic techniques used in SSL: Public-Private Key, Symmetric Key, and Message Digest. + There are three kinds of cryptographic techniques used in SSL: Public-Private Key, Symmetric Key, and Digital Signature. Public-Private Key Crytography - Initiating SSL connection: In this algorithm, encryption and decryption is performed using a pair of private and public keys. The Web-server holds the private Key, and sends the Public key to the client in the Certificate. @@ -675,7 +687,7 @@ The following is a over-simplified structure of the layers involved in SSL. Symmetric Cryptography - Actual transmission of data: After the SSL connection has been established, Symmetric cryptography is used for encrypting data as it uses less CPU cycles. In symmetric cryptography the data can be encrypted and decrypted using the same key. The Key for symmetric cryptography is exchanged during the initiation process, using Public Key Cryptography. -Message Digest The server uses message digest algoritm such as HMAC, SHA, MD5 to verify the integrity of the transferred data. +Message Digest The server uses message digest algoritm such as HMAC, SHA-1, MD5 to verify the integrity of the transferred data. Ensuring Authenticity and Integrity Encryption Process @@ -777,7 +789,8 @@ mod_ssl to create this custom Certificate. We used the command: Similarly the test certificates will also cause a warning message to appear on the user's browser. - + + How to generate a CSR @@ -821,6 +834,7 @@ An optional company name []: # /usr/local/ssl/bin/openssl req -rand some_file.ext -new -nodes -keyout private.key -out public.csr Replace some_file.ext with the name of a existing file on your file system. Any file can be specified. Openssl will use that file to generate the seed +Solaris 9 comes with /dev/random. However on Solaris you might have to install the 112438 patch to get the /dev/random At this point you will be asked several questions about your server to generate the Certificate Singning Request @@ -839,7 +853,7 @@ Note: Your Common Name (CN) is the Fully Qualified DNS (FQDN) name of your webse -Installing Server Private Key, and Server Certificate +Installing Server Private Key, and Server Certificate Once the Certification Authority processes your request, they will send an encoded certificate (Digital Certificate) back to you. The Digital Certificate is in the format defined by X.509 v3. The following shows the structure of a typical X509 v3 Digital Certificate @@ -847,12 +861,12 @@ Note: Your Common Name (CN) is the Fully Qualified DNS (FQDN) name of your webse VersionSerial NumberAlgorithm IDIssuer Validity - Not BeforeNot After + Not BeforeNot After Subject Subject Public Key Info - Public Key AlgorithmRSA Public Key + Public Key AlgorithmRSA Public Key Extensions @@ -868,7 +882,7 @@ server.crt: OK Where server.crt is the name of the file that contains the Digital Certificate -Viewing the contents of a Digital Certificate +Viewing the contents of a Digital Certificate The contents of a Digital Certificate can be viewed by using the # openssl x509 command as follows: # openssl x509 -text -in server.crt Certificate: @@ -893,8 +907,8 @@ Certificate: ............ - - + + Modifying the httpd.conf to Install the Certificates You will need to place this certificate on the server, and tell Apache where to find it. For this example, the Private Key is placed in the /usr/local/apache2/conf/ssl.key/ directory, and the Sever Certificate is placed in the /usr/local/apache2/conf/ssl.crt/. Copy the file received from the Certification to a file called server.crt in the /usr/local/apache2/conf/ssl.crt/. @@ -965,7 +979,88 @@ One way to secure the decrypted Private Key is to make readable only by the root -Trusted Certificate Authorities +SSL Performance Tuning + Inter Process SSL Session Cache + Apache uses a multi-process model, in which all the request are NOT handled by the same process. This causes the SSL Session Information to be lost when a Client makes multiple requests. Multiple SSL HandShakes causes lot of overhead on the webserver and the client. To avoid this, SSL Session Information must be stored in a inter-process Session Cache, allowing all the processes to have access to to handshake information. SSLSessionCache Directive the in /usr/local/apache2/conf/ssl.conf file can be used to specify the location of the SSL Session Cache: + +SSLSessionCache shmht:logs/ssl_scache(512000) +#SSLSessionCache shmcb:logs/ssl_scache(512000) +#SSLSessionCache dbm:logs/ssl_scache +SSLSessionCacheTimeout 300 + + +Using dbm:logs/ssl_scache creates the Cache as DBM hashfile on the local disk. +Using shmht:logs/ssl_scache(512000) creates the Cache in Shared Memory Segment + +shmht vs shmcb + shmht: uses a Hash Table to Cache the SSL HandShake Information in the Shared Memory + shmht: uses a Cyclic Buffer to Cache the SSL HandShake Informationin the Shared Memory + + +Note: + Not all platforms/OS support creation of Hash table in the Shared Memory. So dbm:logs/ssl_scache must be used instead + + + +Verifying SSLSession Cache +To verify if the SSLSessionCache is working properly, you can use the openssl utility with the -reconnect as follows: + +# openssl s_client -connect your.server.dom:443 -state -reconnect + +CONNECTED(00000003) +....... +....... +Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA +SSL-Session: +..... +Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA +SSL-Session: +..... +Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA +SSL-Session: +..... +Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA +SSL-Session: +..... +Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA +SSL-Session: +..... + +-reconnect forces the s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts of Reusing the same Session-ID as shown above. + + + + + +HTTP/HTTPS Benchmarking tools + The following is a list of some of the OpenSource BenchMarking tools for WebServers + + + SSLswamp - For stress-testing/benchmarking connction to a SSL enable server + + + HTTPERF - A Tool for Measuring Web Server Performance + + + ab - Apache HTTP server benchmarking tool + + + + +Hardware based SSL encryption solutions + The following is a Hardware Based SSL encryption solution available: + + + CHIL (Cryptographic Hardware Interface Library) by nCipher + + + ab - Apache HTTP server benchmarking tool + + + + + +Certificate Authorities The following is list of Certificate Authorities that are trusted by the various browsers: @@ -974,17 +1069,18 @@ One way to secure the decrypted Private Key is to make readable only by the root Entrust - + + GeoTrust + Thawte - Verisign + TrustCenter + - - Glossary of PKI Terms @@ -992,7 +1088,7 @@ One way to secure the decrypted Private Key is to make readable only by the root Asymmetric Cryptography - In this Cryptography a Key Pair - Private and Public Key is used. Private Key is kept secret and the Public Key is Widely distrbuted. + In this Cryptography a Key Pair - Private and Public Key is used. Private Key is kept secret and the Public Key is Widely distributed. @@ -1000,6 +1096,14 @@ One way to secure the decrypted Private Key is to make readable only by the root C +Certificate + + A Data Record that contains the information as defined in the X.509 Format. + + + + + Certificate Authority (CA) CA @@ -1026,16 +1130,16 @@ One way to secure the decrypted Private Key is to make readable only by the root D - Digital Certificate + Digital Certificate - Public Key of the End-Entity + the identifying information of the End-Entity (owner of the Public Key). It certifies the Identity of the owner (End-Entity). It is signed by Issuing CA. + A certificate that binds a Public Key to a Subject (end-entity). This certificate also contains other indentifying information about the subject as defined in the X.509 Format. It is signed by Issuing CA, using CA's pivate key. e.g. of a digital certificate -Digital Signature +Digital Signature - A Digital Signature is created by signing the Message Digest using the Private Key. It ensures the Identity of the Sender, and the Integrity of the Data. + A Digital Signature is created by signing the Message Digest (Message Hash) using the Private Key. It ensures the Identity of the Sender, and the Integrity of the Data. @@ -1048,6 +1152,41 @@ One way to secure the decrypted Private Key is to make readable only by the root +H +Hash + + A hash is Hexadecimal number generated from a string of text such that, no two different strings can produce the same hash. + + + +HMAC: Keyed Hashing for Message Authentication + HMAC + + HMAC is an implementation of Message Authentication Code Algorithm. + + + + + + +M + Message Authentication Code + MAC + + Similar to a Message Digest (Hash/Fingerprint), except the Shared Secret Key is used in the process of calculating the Hash. Since a shared secret key is used, an attacker can not change the Message Digest. However the shared secret key has to be first communicated to the participating entities, unlike Digital Signature where Message Digest is signed using the Private Key. HMAC is an example of a Message Authentication Code Algorithm. + + + +Message Digest 5 - MD5 + MD5 + + Message Digest 5 (MD5) is a 128-bit one-way hash function + + + + + + P @@ -1072,6 +1211,14 @@ One way to secure the decrypted Private Key is to make readable only by the root S + +SHA-1: Secure Hash Algorithm + MD5 + + Secure Hash Algorithm (SHA-1) is a 160-bit one-way hash function. Maximum message is 2^64 bits. + + + Secure Socket Layer (SSL) SSL diff --git a/LDP/howto/docbook/HOWTO-INDEX/appsSect.sgml b/LDP/howto/docbook/HOWTO-INDEX/appsSect.sgml index 7cd6fceb..7f3ad4b1 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/appsSect.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/appsSect.sgml @@ -910,7 +910,7 @@ M$Frontpage Server Extensions. Apache-WebDAV-LDAP-HOWTO, Apache based WebDAV Server with LDAP and SSL HOWTO -Updated: Sep 2003. +Updated: Oct 2003. A HOWTO on implementing WebDAV services using Apache - with LDAP for authentication and SSL for ensuring security of the DAV stores. diff --git a/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml b/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml index f549f0de..8e5ae75d 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml @@ -262,7 +262,7 @@ MS Frontpage Server Extensions. Apache-WebDAV-LDAP-HOWTO, Apache based WebDAV Server with LDAP and SSL HOWTO -Updated: Sep 2003. +Updated: Oct 2003. A HOWTO on implementing WebDAV services using Apache - with LDAP for authentication and SSL for ensuring security of the DAV stores.