Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
790 views
in Technique[技术] by (71.8m points)

ssl - How to install: OpenSSL + WAMP

Does anyone here have clear and detailed steps on how to get SSL on my local development machine? I've installed the latest version of WAMP (2.2c) on c:wamp. The instructions I find on the net seem to be outdated in most cases and lacking the details I need to get things done right.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Guide: Openssl in WampServer 2.5

Prerequisite: There is normally no need to install openssl (it comes bundled with Wamp). Apache 2.4.9 includes 1.0.1g for instance.

System-Variable:

  • Open the Windows System panel ("WIN+Q" Search: system) > Advanced System Settings > Advanced > Environment variables
  • Add a new entry in system variables with name OPENSSL_CONF and its value being the path to openssl.cnf (usually somethings like C:wampinapacheapache2.4.9confopenssl.cnf)

openssl folder structure:

  • In C:wampinapacheapache#.#.#conf create the following folder structure:

    ..
    demoCA
    |-----certs
    |-----crl
    |-----newcerts
    |-----private
    

Configuring openssl.cnf:

  • I've followed Neil C. Obremski advice and cleared the following defaults:
    • countryName_default (was "AU")
    • stateOrProvinceName_default (was "Some-State")
    • 0.organizationName_default (was "Internet Widgits Pty Ltd")
    • organizationalUnitName_default (was already empty)

Creating the certificate:

  • From command line browse to C:wampinapacheapache#.#.#in and call "openssl req -new -out cacert.csr -keyout cacert.pem". If prompted enter a password and after that the DN informations like below.

    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .......................++++++
    ....++++++
    writing new private key to 'cacert.pem'
    Enter PEM pass phrase: my_secret_pass
    Verifying - Enter PEM pass phrase: my_secret_pass
    `-----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    `-----
    Country Name (2 letter code) []:
    State or Province Name (full name) []:
    Locality Name (eg, city) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:local
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    C:wampinapacheapache2.4.9in>
    
  • In the same console window now use "openssl rsa -in cacert.pem -out cacert.key" and if asked enter the password previously entered.

    Enter pass phrase for cacert.pem: my_secret_pass
    writing RSA key
    
  • Remove the ".rnd" file in C:wampinapacheapache2.4.9in

  • Still in the same window call "openssl x509 -in cacert.csr -out cacert.cert -req -signkey cacert.key -days 365". If you experience the following error "unable to write 'random state'". This is a known bug! To workaround this call "set RANDFILE=.rnd" and retry the previous command.

Congrats you are now the owner of a self signed certificate!

I've placed the built files (they are currently in bin folder) according this Site:

  • cacert.pem, cacert.key in C:wampinapacheapache#.#.#confdemoCAprivate
  • cacert.cert, cacert.csr in C:wampinapacheapache#.#.#confdemoCAcerts

In httpd.conf enable SLL (search for "#Include conf/extra/httpd-ssl.conf") + alter the following entries in httpd-ssl.conf:

SSLSessionCache        "shmcb:C:/wamp/logs/ssl_scache(512000)"
DocumentRoot "C:/wamp/www"
#ErrorLog
#TransferLog
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/certs/cacert.cert"
SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/private/cacert.key"
CustomLog "C:/wamp/logs/ssl_request.log" 

Now test your Apache installation by calling httpd -t. If you get the following error "SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)." enable the following entry "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" in httpd.conf

Wamp is now configured with https support :-)

I've also enabled "LoadModule status_module modules/mod_status.so" using the following configuration in httpd.conf:

<IfModule status_module>

ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>

</IfModule>

You can check now your server status here

https://localhost/server-status/

Apache/2.4.9 (Win64) OpenSSL/1.0.1g PHP/5.5.12 Server at localhost Port 443

Notes:

  • I've made this tute while trying to get it working on my machine (this was my first attempt in using OpenSSL on windows/wamp).
  • This guide is not meant for production systems!
  • You might have to change a few things like names depending on your openssl.cnf
  • My intention was not to make the best tutorial around but instead to simply note all required changes to get SSL working in WAMP.
  • Make sure to set the right -days amount for your x509 certificate
  • I finally know why NSA can easily break into servers with such a complex process :D
  • Since Wamp bundles apache together with OpenSSL it might be better to separately install it??

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...