
Recipe 7.1 Installing SSL

Problem

You want to install SSL on your Apache server.

Solution

The solutions to this problem fall into several categories, depending on how you installed Apache in the first place (or whether you are willing to rebuild Apache to get SSL).

If you installed a binary distribution of Apache, your best bet is to return to the place from which you acquired that binary distribution, and try to find the necessary files for adding SSL to it.

If you built Apache yourself from source, then the solution will depend on whether you are running Apache 1.3 or Apache 2.0.

In Apache 1.3, SSL is an add-on module, which you must acquire and install from a different location than the one from which you obtained Apache. There are two main choices available: mod_ssl (http://www.modssl.org/) and Apache-SSL (http://www.apache-ssl.org/); the installation procedure will vary somewhat depending on which one of these you choose.

If you are building Apache 2.0 from source, the situation is somewhat simpler; just add --enable-ssl to the ./configure arguments when you build Apache to include SSL as one of the built-in modules.

Consult Chapter 1 and Chapter 2 for more information on installing third-party modules, particularly if you have installed a binary distribution of Apache rather than building it yourself from the source code.

If you are attempting to install SSL on Apache for Windows, there is a discussion of this in the Compiling on Windows document, which you can find at http://httpd.apache.org/docs-2.0/platform/win_compiling.html for Apache 2.0. Or, if you are using Apache 1.3 on Windows and wish to install SSL, you should consult the file INSTALL.Win32, which comes with the SSL distribution, or look at the HowTo at http://tud.at/programm/apache-ssl-win32-howto.php3.

Finally, note that the Apache SSL modules are an interface between Apache and the OpenSSL libraries, which you must install before any of this can work. You can obtain the OpenSSL libraries from http://www.openssl.org/. Although you may already have these libraries installed on your server, it is recommended that you obtain the latest version of the libraries to have the most recent security patches and to protect yourself from exploits.
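
The following script is an added illustration, not part of the original recipe: it runs the Apache 2.0 source build with SSL enabled and then checks the output of httpd -l to confirm that mod_ssl actually ended up in the server. The install paths, function names, and sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build Apache 2.0 with SSL and verify the result.
# OPENSSL_DIR and PREFIX are assumed install locations; adjust to your system.
OPENSSL_DIR="${OPENSSL_DIR:-/usr/local/ssl}"
PREFIX="${PREFIX:-/usr/local/apache2}"

# Classify an `httpd -l` listing read from stdin.
# `httpd -l` shows only compiled-in modules, so a server built with
# shared modules lists mod_so.c and needs a LoadModule line for mod_ssl.
ssl_status() {
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -q '^[[:space:]]*mod_ssl\.c'; then
        echo builtin
    elif printf '%s\n' "$listing" | grep -q '^[[:space:]]*mod_so\.c'; then
        echo check-loadmodule
    else
        echo missing
    fi
}

# Run from the top of the unpacked Apache 2.0 source tree.
# --with-ssl points configure at the OpenSSL installation to link against.
build_apache_ssl() {
    ./configure --prefix="$PREFIX" --enable-ssl --with-ssl="$OPENSSL_DIR" &&
    make &&
    make install &&
    "$PREFIX/bin/httpd" -l | ssl_status
}

# Constructed sample of `httpd -l` output from a static SSL build.
SAMPLE_LISTING='Compiled in modules:
  core.c
  mod_ssl.c
  prefork.c
  http_core.c'

sample_check() {
    printf '%s\n' "$SAMPLE_LISTING" | ssl_status
}

# Only build when explicitly asked: sh build-ssl.sh build
if [ "${1:-}" = build ]; then
    build_apache_ssl
fi
```

A result of missing means the server has neither mod_ssl nor DSO support compiled in, so it cannot serve HTTPS until it is rebuilt.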

Discussion

So, why is this so complicated? Well, there are a variety of reasons, most of which revolve around the legality of encryption. For a long time, encryption has been a restricted technology in the U.S. Since Apache is primarily based out of the U.S., there is a great deal of caution regarding distributing encryption technology with the package. Even though major changes have been made in the laws, permitting SSL to be shipped with Apache 2.0, there are still some gray areas that make it problematic to ship compiled binary distributions of Apache with SSL enabled.

This makes the situation particularly unpleasant on Microsoft Windows, where most people do not have a compiler readily available to them, and so must attempt to acquire binary builds from third parties to enable SSL on their Apache server on Windows. The URL given previously for compiling Apache 2.0 with SSL on Windows assumes that you do have a compiler, and the document telling you how to build Apache 1.3 with SSL takes great pains to encourage you not to use Apache 1.3 on Windows, where it does not have comparable performance to Apache on Unixish operating systems.

See Also
