Date: Sun, 15 Aug 1999 01:30:59 -0700
From: Ludwig Pummer
To: big-sky@altavista.net
Cc: Freebsd-Questions
Subject: Re: SSL and Apache question

Mark Einreinhof wrote:
> Installed Apache. Then installed PHP. Compiled Apache both times. Now I've
> downloaded and compiled OpenSSL-0.9.4. I'm at a loss as to what to do next.
> Do I need to recompile Apache at this point? If I do recompile Apache, do I
> lose the PHP that was compiled? Next, all I require is a 128bit encrypted
> connection to the server, it will only be myself and some others using it so
> I don't desire to pay for a certificate. How do I create my own certificate?
> I saw mention of openssl, but docs are real sketchy.
>
> My ultimate goal is to run IMP via SSL, so I can read my email securely from
> anywhere.

I remember doing that exact same stuff just a few months ago. I feel I should point out that the Apache13+PHP3 port gives you the option of installing mod_ssl/OpenSSL support, as well as MySQL support (used for IMP address book and preferences; more on this later).

Let me tell you the story of the long, difficult way:

I downloaded the source distributions for Apache, PHP, MySQL, UW-IMAP, mod_ssl, and OpenSSL. I first installed the UW-IMAP server and MySQL by themselves, since building PHP later depends on them being already installed. I then got Apache working by itself (using the APACI method). I did 'make install' using the base apache configuration. Then I compiled in PHP support (Apache keeps a copy of the last-used ./configure line in config.status, so adding PHP while keeping everything else the same was as simple as "./config.status --activate-module=src/modules/php3/libphp3.a"). I just copied the new httpd binary in the apache/src directory over the old one in /usr/local/apache/bin. I also copied the php3.ini file to /usr/local/lib.

Then I attempted to add mod_ssl support, according to their documentation. I tried to install OpenSSL by hand. I got hung up because the "make test" or something like that would fail. I later found out that was because the RSAREF library was missing something. There's now a patch for that, and it's installed by the port for you! So I installed OpenSSL via the port and then installed mod_ssl according to the mod_ssl documentation (and used config.status to keep the PHP module that I had previously added). Mod_ssl makes some big changes to Apache's makefile, for building the certificates and such. After mod_ssl was built in and compiled, I did 'make certificate TYPE=test'. I did another 'make install'. I ended up with duplicate configuration files (one set of configs before mod_ssl and one after mod_ssl) which I had to then merge by hand. But I ended up with a working Apache + PHP3 + IMAP + mod_ssl/OpenSSL + MySQL binary which I could then use to run IMP.

When I tried to go to https://myserver, the web browser complained that the certificate wasn't signed by a valid CA, but I was able to tell the web browsers to accept the certificate anyway, and so I got a secure connection without paying a CA (note that earlier web browsers may not let you accept a certificate with an invalid CA. I've found that I need at least a version 4.x browser).

That said, let me also say that I have never gotten IMP to work properly with MySQL, using a MySQL database for preferences and such. I also haven't been tracking IMP (just to be fair, in case that's been fixed by now). I found that IMP had too many quirks for my taste and went to TWIG (http://twig.screwdriver.net/) instead. It doesn't look as flashy, but it's a lot smaller and cleaner and doesn't require as much time to set up. I disabled the MySQL support in TWIG because I didn't want to set up another table and permissions (not after trying and failing with IMP).

So... I suggest you try the Apache+PHP port first, as it must be less painful than what I did.

--Ludwig Pummer
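
An added example, not part of the original message: creating a self-signed certificate with the current openssl command line (not the mod_ssl 'make certificate TYPE=test' step described above), confirming that no CA vouches for it, and printing the fingerprint to compare against what the browser shows before accepting it. The host name myserver.example and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message. "myserver.example" and the
# file names server.key / server.crt are placeholders.

# make_self_signed DIR HOST: write DIR/server.key and DIR/server.crt.
make_self_signed() {
    dir=$1; host=$2
    ( umask 077   # keep the private key unreadable to other users
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$host" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# is_self_signed CERT: true when issuer and subject are the same name.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# trusted_by_default CERT: true only if a CA in the system store vouches
# for it. A self-signed certificate fails here, which is the browser warning.
trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: true when the key's public half is the
# public key embedded in the certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# fingerprint CERT: SHA-256 fingerprint, to compare with what the browser
# shows before telling it to accept the certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo run in a scratch directory.
d=$(mktemp -d) && make_self_signed "$d" myserver.example &&
    is_self_signed "$d/server.crt" && ! trusted_by_default "$d/server.crt" &&
    key_matches_cert "$d/server.key" "$d/server.crt" &&
    echo "files in $d; fingerprint $(fingerprint "$d/server.crt")"
```

Accepting the browser warning protects the connection only if the fingerprint shown in the warning dialog equals the one printed on the server.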