DEV Community

Waji
SSL/TLS Configuration

Introduction

👉 SSL and TLS are cryptographic protocols that establish a secure channel between a web server and a browser, protecting the data exchanged from eavesdropping and tampering. They provide privacy and integrity over the internet and are used for online transactions such as e-commerce and online banking.

👉 When a web browser connects to a website over SSL/TLS, the following happens:

  1. The browser requests a secure connection from the web server
  2. The web server responds with a digital certificate containing its public key
  3. The browser verifies the certificate and uses the public key to establish a shared session key
  4. The browser and server use the session key to encrypt and decrypt the data they exchange


Applying SSL/TLS certificate

From the Apache web server



vi /etc/httpd/conf/httpd.conf


Enter fullscreen mode Exit fullscreen mode

Right under the DocumentRoot line, add:

<VirtualHost *:80>
        # the trailing slash keeps the request path intact after the redirect
        Redirect "/" "https://<Your Domain Name>/"
</VirtualHost>

👉 This redirects all HTTP traffic to HTTPS.

Installing mod_ssl



yum -y install mod_ssl

rpm -qa | grep mod_ssl
mod_ssl-2.4.6-98.el7.centos.6.x86_64


Enter fullscreen mode Exit fullscreen mode

💡 I will be creating my own SSL certificate for this hands-on, as I won't actually be hosting this test website on the internet

Confirming that OpenSSL is installed



rpm -qa | grep openssl
openssl-libs-1.0.2k-25.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-1.0.2k-25.el7_9.x86_64


Enter fullscreen mode Exit fullscreen mode

Creating the private key



openssl genrsa -out /etc/pki/tls/private/waji.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...............................+++
e is 65537 (0x10001)


Enter fullscreen mode Exit fullscreen mode

Creating a CSR (certificate signing request) for the key we just created



openssl req -new -key /etc/pki/tls/private/waji.key -out /etc/pki/tls/private/waji.csr


Enter fullscreen mode Exit fullscreen mode

πŸ‘‰ This will ask for some information that will be related to the certificate

Now if we check,



ls -l /etc/pki/tls/private/
합계 12
-rw------- 1 root root 1675  2μ›” 22 09:27 localhost.key
-rw-r--r-- 1 root root 1029  2μ›” 22 09:32 waji.csr
-rw-r--r-- 1 root root 1675  2μ›” 22 09:30 waji.key


Enter fullscreen mode Exit fullscreen mode

💡 We won't be creating a key or a CSR ourselves when we use an actual SSL/TLS certificate for our real website

Creating the self-signed certificate (.crt) file



openssl x509 -req -days 365 -in /etc/pki/tls/private/waji.csr -signkey /etc/pki/tls/private/waji.key -out /etc/pki/tls/certs/waji.crt
Signature ok
subject=/C=KR/ST=Seoul/L=Gangnam/O=Waji/OU=Cloud/CN=waji/emailAddress=waji@test.com
Getting Private key


Enter fullscreen mode Exit fullscreen mode

👉 After this step we should have the .crt file under /etc/pki/tls/certs
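The key, CSR and certificate steps above, scripted non-interactively and followed by the checks a practitioner runs before pointing httpd at the files: that the certificate's modulus matches the key, that the certificate is self-signed, and that the key file is not world-readable (in the listing above waji.key came out 0644 while the distribution's localhost.key is 0600). This is an added example, not the post's own commands; the output directory, file name and subject are assumptions, and the paths are a scratch directory rather than /etc/pki/tls. One caveat the post glosses over: with a CA-issued certificate you still generate the key and CSR locally exactly like this; only the final self-signing step is replaced by the CA's signature.

```shell
#!/bin/sh
# Added example (not the post's own commands): generate the key, CSR and
# self-signed certificate non-interactively, then verify the three files
# agree with each other. The output directory, file name and subject are
# assumptions; the post writes to /etc/pki/tls/private and /etc/pki/tls/certs.

# make_selfsigned DIR NAME CN
#   DIR  directory to write into (assumption: a scratch directory)
#   NAME base file name, e.g. "waji" -> waji.key, waji.csr, waji.crt
#   CN   Common Name to put in the certificate subject
make_selfsigned() {
    dir=$1; name=$2; cn=$3
    mkdir -p "$dir"
    # 2048-bit RSA key as in the post. umask 077 makes the key 0600 at
    # creation; in the post's listing waji.key came out 0644 (world-readable)
    # while the distribution's own localhost.key is 0600.
    (umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    # The CSR: -subj supplies what the post types at the interactive prompts.
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=KR/ST=Seoul/L=Gangnam/O=Waji/OU=Cloud/CN=$cn" 2>/dev/null
    # Self-signed certificate, valid for 365 days, signed with our own key.
    # With a CA-issued certificate this is the only step the CA replaces.
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: the RSA modulus must be identical in both files;
# otherwise httpd refuses to start with a key/certificate mismatch.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed CRT: issuer DN equals subject DN.
is_self_signed() {
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//')
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# cert_cn CRT: print the Common Name from the subject; handles both the
# "/CN=x" style of OpenSSL 1.0 and the "CN = x" style of newer releases.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_is_private KEY: mode must be 0600, owner read/write only.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo: run `sh selfsigned.sh demo` to exercise the checks in a temp directory.
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d" waji waji.example
    key_matches_cert "$d/waji.key" "$d/waji.crt" && echo "key and cert match"
    is_self_signed "$d/waji.crt" && echo "certificate is self-signed"
    echo "CN: $(cert_cn "$d/waji.crt")"
    key_is_private "$d/waji.key" && echo "key mode is 0600"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

The modulus comparison is the quickest way to diagnose the "key values mismatch" error httpd reports when the SSLCertificateFile and SSLCertificateKeyFile directives point at files that do not belong together.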

Entering the certificate paths in the SSL config file

vi /etc/httpd/conf.d/ssl.conf

The relevant directives are spread through the file; set them to the following values:

DocumentRoot "/apache/www"
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
SSLCertificateFile /etc/pki/tls/certs/waji.crt
SSLCertificateKeyFile /etc/pki/tls/private/waji.key

👉 The main Apache configuration includes every config file under /etc/httpd/conf.d, so ssl.conf is part of the main configuration as well
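An SSLCipherSuite string is handed to OpenSSL as-is, and OpenSSL silently drops any name it does not recognise from the list; only a list that matches nothing at all is an error. The cipher list in the original post contains ECDHERSA-AES128-SHA (a missing hyphen), which would have been dropped without any warning from configtest. The added example below, which is not part of the post, checks each entry of such a string against the local OpenSSL and also lists the entries that still use a SHA-1 MAC (the CBC suites; the GCM suites report Mac=AEAD), so you can see what a hardening policy would retire. The sample string is constructed from the post's list with the typo left in. Note also that `SSLProtocol -ALL +TLSv1.2` is the right setting on this host's OpenSSL 1.0.2k, which has no TLS 1.3; on a newer build you would add +TLSv1.3.

```shell
#!/bin/sh
# Added example (not from the post): check an Apache SSLCipherSuite value
# against the local OpenSSL so that an entry it cannot resolve is reported
# instead of being silently dropped, and list the entries whose MAC is SHA-1.
# SAMPLE_SUITE is constructed: the post's list with its missing-hyphen typo.
SAMPLE_SUITE='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHERSA-AES128-SHA:ECDHE-RSA-AES256-SHA'

# split_suite STRING: one entry per line.
split_suite() { printf '%s\n' "$1" | tr ':' '\n'; }

# unknown_ciphers STRING: print every entry OpenSSL cannot resolve, one per
# line; returns 1 if any were found, 0 if the whole list is valid.
unknown_ciphers() {
    rc=0
    for c in $(split_suite "$1"); do
        # "openssl ciphers NAME" exits non-zero when NAME matches no cipher.
        if ! openssl ciphers "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
            rc=1
        fi
    done
    return $rc
}

# sha1_mac_ciphers STRING: print the entries whose MAC is SHA-1 (CBC suites).
# "openssl ciphers -v" on OpenSSL 1.1.1+ also lists the TLS 1.3 suites for
# any query, so match the first column against the entry being checked.
sha1_mac_ciphers() {
    for c in $(split_suite "$1"); do
        openssl ciphers -v "$c" 2>/dev/null |
            awk -v n="$c" '$1 == n && $NF == "Mac=SHA1" { print n }'
    done
}

# Usage: sh ciphercheck.sh 'CIPHER:LIST' (defaults to the constructed sample)
if [ "${1:-}" != "" ] || [ "${CIPHERCHECK_DEMO:-0}" = "1" ]; then
    list=${1:-$SAMPLE_SUITE}
    echo "unknown entries:"; unknown_ciphers "$list"
    echo "SHA-1 MAC entries:"; sha1_mac_ciphers "$list"
fi
```

Run it with the string copied out of ssl.conf; an empty "unknown entries" section means every name in the directive is one OpenSSL will actually offer.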

Now we test the configuration:

apachectl configtest
Syntax OK

Restarting and checking the network status



systemctl restart httpd

netstat -antp | grep httpd
tcp6       0      0 :::443                  :::*                    LISTEN      1457/httpd          
tcp6       0      0 :::80                   :::*                    LISTEN      1457/httpd  


Enter fullscreen mode Exit fullscreen mode

πŸ‘‰ We are able to see 443 port and 80 port open for LISTEN

Setting up the firewall to accept HTTPS

firewall-cmd --permanent --add-service=https
success
firewall-cmd --reload
success

If we open the server in a browser:

(Screenshot: HTTPS)

👉 The browser flags the site as not secure because we aren't using a certificate issued by a trusted certificate authority, but we can confirm that it redirects to HTTPS as intended