SSL with Web and E-mail
This section covers creating or obtaining an SSL certificate and installing (i.e., using) it with Apache and/or Courier-IMAP.
You may also wish to refer to the page Handy OpenSSL commands.
Why use SSL?
The basic function of an SSL certificate is to encrypt communication between two computers. SSL uses two “keys” – a public and a private “key” – which are nothing more than simple text files with a sequence of letters and numbers. In the case of a web or e-mail server, the server uses the private key to encrypt and decrypt messages, while the public key is shared with the remote client so that it may in turn exchange encrypted messages with the server.
In terms of the security of the communication, whether a certificate is purchased from a Certificate Authority or created yourself makes no difference; either way the communication is encrypted and only the people on each end can decipher it. The value that a CA provides is in being a third party that verifies the identity of the server. If a person made a self-signed certificate and placed a laptop on a corporate network to intercept e-commerce traffic, the only thing that would let people know of the deception is that the certificate is not verified by a third party.
Self-signed SSL certificate
A self-signed SSL key is perfect for testing SSL functionality on non-production servers (i.e., before they go into production use). Another good use for a self-signed key is in a case where you need only a modest assurance of protection, such as on a public wiki or blog site where the only secret information is each person's password.
There is one case that comes to my mind in which a self-signed key is just as good as (even better than, actually) a key from a CA: If you create a self-signed key for a server that is physically near you (on your local network), so that you know for sure that you are actually talking to that server the first time you do so, then your laptop can store a copy of that server's self-signed certificate locally, thereafter guaranteeing you the identity of that server when accessed remotely.
How to do it
CA-signed SSL Certificate
You can get a free or low-cost SSL certificate from http://startssl.org/. Unless your company demands a name-brand, you should probably just use StartCom (a.k.a., StartSSL) to save money and get the job done quickly.
An SSL certificate's primary function is to provide a common key between the user and the server so that communications can be encrypted and decrypted. Using a CA provides a second function: the ability to assure the end-user that the server with which they are communicating actually belongs to the company they think it does.
How to do it
Using SSL with Apache
Operating Apache over a secure socket layer (SSL) connection means that all data exchanged will be encrypted using a combination of a shared public key and a secret private key for the server. You can either generate the private and public keys yourself, or you can obtain a binary “fingerprint” from a Certificate Authority (CA) such as StartCom.
To use SSL, you need to have the "ssl" USE flag set, although it should be set by default. When you run emerge -va apache you should see it among the first USE flags shown.
SSL key files are stored in /etc/ssl/apache2 in Gentoo, although you can use any location you prefer as long as it resides outside your document tree (i.e., nobody can possibly view the files by pointing a web browser to them).
Configuring Apache to use an SSL certificate
Edit /etc/conf.d/apache2 to contain the options you need. For example, one of my servers looks like this:
APACHE2_OPTS="-D INFO -D LANGUAGE -D SSL -D PHP5"
Edit a file in /etc/apache2/vhosts.d/. You might edit the 00_default_ssl_vhost.conf file, or you may insert the SSL lines into your own configuration file. I like to move the original configuration files into a directory called “orig” for reference and instead insert the needed lines into one of my own “.conf” files. If you also do this, remove the “-D SSL_DEFAULT_VHOST” option from /etc/conf.d/apache2.
The Apache mod_ssl documentation describes all of these options.
I usually find a quick way to explain something is by illustration, so here is a sample SSL section:
<IfDefine SSL>
<IfModule ssl_module>
    Listen 443
    <VirtualHost _default_:443>
        ServerName server.domain-name.com
        DocumentRoot /var/www/localhost/htdocs/web-site-root-dir
        <IfModule log_config_module>
            TransferLog /var/log/apache2/ssl_access_log
        </IfModule>
        SSLEngine on
        SSLProtocol all -SSLv2
        # SSLCipherSuite controls which ciphers are available for negotiation.
        SSLCipherSuite RSA:!EXP:!NULL:!SSLv2:+HIGH:!MEDIUM:!LOW
        SSLCertificateFile /etc/ssl/apache2/domain-name.crt
        SSLCertificateKeyFile /etc/ssl/apache2/domain-name.key
        SSLCertificateChainFile /etc/ssl/apache2/sub.class1.server.ca.pem
        SSLCACertificateFile /etc/ssl/apache2/ca.crt
        # SSLVerifyClient causes the browser to request user authentication unless set to "none"
        SSLVerifyClient optional
        SSLVerifyDepth 10
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/domain-name.com/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        <IfModule setenvif_module>
            BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        </IfModule>
        <IfModule log_config_module>
            CustomLog /var/log/apache2/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
    </VirtualHost>
</IfModule>
</IfDefine>
Using SSL with Courier-IMAP
Within /etc/courier-imap you will find configuration files for the IMAP and POP SSL certificates:
- imapd.cnf is a configuration file for making a self-signed IMAP certificate
- pop3d.cnf is a configuration file for making a self-signed POP certificate
To make self-signed certificates, just edit one or both of the files (whichever you want to use), then run mkimapdcert to make an IMAP SSL certificate or mkpop3dcert to make a POP3 SSL certificate.
To install a certificate from a CA, such as StartSSL as described above, just concatenate your “.crt” and “.key” files into a single “.pem” file. For example:
cd /etc/courier-imap
cat /etc/apache2/ssl/mydomain.crt /etc/apache2/ssl/mydomain.key > imapd.pem
Once you have the certificate in-place, just start whichever secure service you want to use (or both):
/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d-ssl start
Also be sure to put one or both in your server start-up:
rc-update add courier-imapd-ssl default
rc-update add courier-pop3d-ssl default
If you look at netstat -lnp you should see port 993, which is used for secure IMAP.
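The two procedures above (making a self-signed key pair, then assembling the single .pem file Courier reads) are easy to get subtly wrong: a key that does not belong to the certificate, or a combined file that is world-readable. The following script is an added example, not taken from the original page or from Courier or Apache; it assumes the openssl command-line tool is installed, and the host name, file names and scratch directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: create and sanity-check the
# certificate material before installing it under /etc/ssl/apache2 or
# /etc/courier-imap. Assumes the openssl CLI; paths and host names are placeholders.
set -eu

# Self-signed key and certificate, as the page suggests for test servers and
# low-assurance sites. -nodes leaves the key unencrypted so the daemon can start
# unattended, which is why the file's permissions matter (owner-only).
make_self_signed() {  # key_out cert_out common_name days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -days "$4" -subj "/CN=$3" >/dev/null 2>&1
    chmod 600 "$1"
}

# Apache and Courier both refuse to start when the key does not belong to the
# certificate. Compare the public key embedded in the certificate with the
# public key derived from the private key.
key_matches_cert() {  # key cert
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Courier wants certificate and key in one PEM file (imapd.pem / pop3d.pem).
# Refuse to build it from a mismatched pair, and create it owner-only since it
# now carries the private key.
build_courier_pem() {  # cert key pem_out
    key_matches_cert "$2" "$1" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077; cat "$1" "$2" > "$3" )
}

# True only if the file is readable and writable by its owner and nobody else.
private_perms_ok() {  # file
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Walk through the whole procedure in a scratch directory.
demo() {
    dir=$(mktemp -d)
    make_self_signed "$dir/mydomain.key" "$dir/mydomain.crt" server.domain-name.com 365
    key_matches_cert "$dir/mydomain.key" "$dir/mydomain.crt" && echo "key and certificate match"
    build_courier_pem "$dir/mydomain.crt" "$dir/mydomain.key" "$dir/imapd.pem"
    private_perms_ok "$dir/imapd.pem" && echo "imapd.pem is owner-only"
    openssl x509 -in "$dir/mydomain.crt" -noout -subject -dates   # what clients will see
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh ssl-check.sh demo` to exercise the steps in a temporary directory; the functions can then be pointed at the real files before starting courier-imapd-ssl.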
Secure Connection versus Secure Authentication
There are two distinct areas of security for e-mail communication: Authentication and transmission. The steps outlined above provide secure message transmission. I have never looked into “secure authentication” to know its technical merits or uses, but I do know that if you enable “secure authentication” your e-mail client will hang for about a minute and then tell you it could not establish a connection.
If you are using courier-authlib for your authentication, then securing the transmission means you are wrapping your log-in in an SSL layer, so your authentication is actually “secure” but this is not the same as “secure authentication”. Confusing? Sure… just leave the “secure authentication” option turned off in your e-mail client (such as Thunderbird) and only set the SSL option.
When you check the “SSL” box in Thunderbird you will see the port change to “993”. If you are using KMail, there is no SSL option – you just set the port to 993 to indicate SSL should be used.