Installing mod_ssl

on 07.10.2002 01:30:46 by Dan Sabo

Hi Folks,

mod_ssl newbie here. I'm running RH Linux 7.3 and apache 1.3.23. I have
been reading the archives and Kabir's book - "Red Hat Linux 7 Server", and
from what I understand, correct me if I'm wrong, is that in order to install
mod_ssl on my machine, I will have to start from scratch and re install and
compile a fresh copy of apache. Is this true? Or can I install mod_ssl on
an existing apache machine that has already been configured and set up with
e-commerce sites?

If I can install mod_ssl on my machine without re compiling apache, can
anyone direct me to any step by step documentation as to how to install and
configure mod_ssl and secure sites/Thawte certificates on a Linux 7.x box
already set up with apache?

Lastly, if it is possible to install mod_ssl on a server already configured
with apache with e-commerce sites already set up, are there any security
risks in installing mod_ssl on an already configured server? Is it
"better", to install mod_ssl on an empty server? Also I read somewhere that
this mod_ssl worm is a big problem. Is that true? Should I upgrade my
apache software to prevent such an attack, and if I do, will upgrading
apache cause any problems with my current set up of my sites?

Thanks much

Dan Sabo

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Installing mod_ssl

on 07.10.2002 04:23:02 by Phil Ellett

My advice would be to install a completely new server from scratch and
install it in a different directory to your current Redhat installed one.

All you need do once the new install is complete is kill the old server and
restart the new one. Once happy with the new install you can edit your
startup configuration so the new server is started on a reboot or restart.

You can then either copy or symbolically link back to the content from your
original setup.

This way if it all goes wrong you can immediately switch back to the
previous server.

As for instructions the INSTALL documents included with the Apache and
Mod_SSL distros have a pretty good walk through procedure.

You will ideally need to install (from source or RPM) the latest version of
OpenSSL (at least 0.9.6e) before you start and then download the latest
version of Apache and Mod_SSL from the main sites (http://httpd.apache.org/
and http://www.modssl.org/)

Download the .... blaaaahh.tar.gz files ..

Then issue the following command (in a suitable directory) to unpack them.

gzip -d -c blaaaahh.tar.gz | tar xvf -

This will then unpack the files into directories. Inside these you will find
the instructions (start with README and INSTALL).

Depending on how familiar you are with scripting you can set up an install
script to run the various configure and make commands used to build the
server from source. I use this to maintain the 6 Apache servers I run and
can rebuild each one from source in about 8 minutes flat.

To update servers at a later date simply do the following .... Download and
rebuild new server issuing every command except the final "make install".
Stop the current server. Rename current install directory (/usr/local/apache
for example) to /usr/local/apache.bak ... then go back to the directory
where you made the new server and issue the "make install" command. If
your web content exists outside of the /usr/local/apache directory (which
ideally it should), then all you need do now is copy the "httpd.conf" file
into the new /usr/local/apache directory and restart the server. In case of
any problems stop the server, rename the directory back, restart and you are
back to where you started ... (easy once you've done it a few times !!!).


Regards,


Phil,

Sheffield,
England,
UK.
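
The update-and-roll-back procedure Phil describes above, sketched as a shell script; this is an added example, not code posted to the list. The `bin/apachectl` and `conf/httpd.conf` paths assume the stock Apache 1.3 source layout under the install directory, the `configtest` step before restart is an addition, and `APACHECTL` and `INSTALL_CMD` are hypothetical override variables used here for dry runs.

```shell
#!/bin/sh
# Added example: swap-in upgrade of a source-built Apache with rollback.
# Assumes the stock layout under PREFIX: bin/apachectl and conf/httpd.conf.
PREFIX=${PREFIX:-/usr/local/apache}

# ctl ACTION: run apachectl; APACHECTL is a hypothetical override for dry runs.
ctl() {
    "${APACHECTL:-$PREFIX/bin/apachectl}" "$1"
}

# rollback: set a failed install aside, rename the old tree back, restart it.
rollback() {
    ctl stop || true
    rm -rf "$PREFIX.failed"
    if [ -d "$PREFIX" ]; then mv "$PREFIX" "$PREFIX.failed"; fi
    mv "$PREFIX.bak" "$PREFIX" && ctl start
}

# upgrade BUILD_DIR: BUILD_DIR is a tree where every step except the final
# "make install" has already been run. INSTALL_CMD is a hypothetical override.
upgrade() {
    build_dir=$1
    if [ -e "$PREFIX.bak" ]; then
        echo "refusing: $PREFIX.bak already exists" >&2
        return 1
    fi
    ctl stop || return 1
    # If the rename fails nothing has changed, so bring the old server back up.
    mv "$PREFIX" "$PREFIX.bak" || { ctl start; return 1; }
    # Install, carry the live httpd.conf across, syntax-check it, then start.
    if (cd "$build_dir" && ${INSTALL_CMD:-make install}) &&
       cp -p "$PREFIX.bak/conf/httpd.conf" "$PREFIX/conf/httpd.conf" &&
       ctl configtest && ctl start; then
        return 0
    fi
    echo "upgrade failed, restoring $PREFIX.bak" >&2
    rollback
    return 1
}
```

The previous tree stays in `$PREFIX.bak` after a successful upgrade, so `rollback` can still be called by hand; remove the backup before the next upgrade.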

RE: Installing mod_ssl

on 07.10.2002 04:44:51 by Dan Sabo

>My advice would be to install a completely new server from scratch and
>install it in a different directory to your current Redhat installed one.

Thanks for the info Phil! Do I understand correctly, that I could keep my
existing e-commerce stores on line and just install a new apache server
independent of the existing apache setup on the same Linux machine?

>All you need do once the new install is complete is kill the old server and
>restart the new one. Once happy with the new install you can edit your
>startup configuration so the new server is started on a reboot or restart.

If this is possible, would it be difficult to switch my stores that are
already set up over to the new apache server associated with mod_ssl?

>You can then either copy or symbolically link back to the content from your
>original setup.

Sounds a bit scary to me, would this be something I could hire out to an
expert? I don't want to screw up live stores now that they are on line and
functional.

Could I have two independent apache servers on my Linux server running and
switch from one to the other? And then just copy over my existing store
settings from httpd.conf into the new server once mod_ssl is set up? Would
I have to delete my existing e-commerce sites and all associated files? Or
leave them on my Linux machine and just move the httpd.conf file over the
newer apache server with the associated mod_ssl? Would this be a
complicated process if I already have five e-commerce sites set up on the
machine?

Thanks,

Dan






RE: Installing mod_ssl

on 07.10.2002 05:02:07 by Dan Sabo

In other words, you are saying it's not possible or recommended to just
install mod_ssl into an existing apache/Linux setup? It won't work or could
cause server errors or security risks? Is that why you recommend a fresh
apache install?

Dan



RE: Installing mod_ssl

on 07.10.2002 12:08:00 by John.Airey

You actually have several options:

1. Use the mod_ssl, mm and apache packages that come with the Red Hat Linux
7.3 system. These are out of date, but you can get the latest by registering
with https://rhn.redhat.com. Some people don't like the fact that these are
not the latest versions, merely "backported" to the latest fix. It doesn't
bother me though. The latest openssl update from Red Hat prevents the "linux
slapper" worm from infecting your systems.

2. Remove the apache, mm and mod_ssl rpm packages and recompile them.

In the second case, you have two options:

1. Compile against the openssl that comes with 7.3. In this case you'll need
to install the openssl-devel rpm package.
2. Compile against the latest openssl files. In that case I believe you'd
need to install the openssl binary into a directory other than /usr/bin (see
http://www.openssl.org/support/faq.cgi#BUILD8). If I'm wrong on this
hopefully someone will correct me, but I've always believed that you need
the same version of openssl installed somewhere that you used to compile
mod_ssl.

There is always the option of creating RPMs from either of the above
options.

Don't remove the openssl package that comes with 7.3 though. You'll break
several packages that come with 7.3 such as ssh, sendmail and nearly all the
email programs.

I used to compile apache and mod_ssl, but now I prefer to wait for the
packages from Red Hat.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Theories of evolution are like buses - there'll be another one along in a
minute



RE: Installing mod_ssl

on 07.10.2002 15:36:53 by camccuk

>1. Use the mod_ssl, mm and apache package that come with the Red Hat Linux
>7.3 system. These are out of date, but you can get the latest by registering
>with https://rhn.redhat.com. Some people don't like the fact that these are
>not the latest versions, merely "backported" to the latest fix. It doesn't
>bother me though. The latest openssl update from Red Hat prevents the "linux
>slapper" worm from infecting your systems.

I've been doing this to keep my 6.2 packages up to date. I always find it a little bit disconcerting that openssl version returns a really old rev (0.9.5a in the backported rpm that I installed last week). Anyone know why RH insist on this confusing system? Why not just rebuild them in full for 6.2 and the other supported releases?

cam
-----------------------------------------
camccuk@netscape.net
