Adding SSL on-the-fly programmatically

on 24.08.2007 03:45:29 by ssmith3988

I'm looking to do something, but I'm not sure it's even possible. Maybe someone can steer me in the right direction.

Let's say that I have a copy of apache running on my server. I also have a brand new SSL certificate that was signed by a CA. I'd like to write some code to programmatically enable SSL on the server by means of mod_ssl. When I think about the steps necessary, I need to:

1. Copy the mod_ssl files to the proper place.
2. Update the mod_ssl config files to point to my SSL certificate.
3. Update the apache config files to recognize and run mod_ssl
4. Cause apache to suddenly start to use mod_ssl

Now steps 1,2, and 3 seem pretty straight forward. Step 4 is a huge handwave, and I'm hoping someone can give me some insight. Is it even possible? Does it require apache to be restarted? Is there some programmatic way to get apache to restart?

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Adding SSL on-the-fly programmatically

on 24.08.2007 04:19:41 by Dave Paris

This seems about 180deg from normal. Install Apache with mod_ssl.
Start it without invoking SSL .. if you get a certificate, you'll want
to hand-walk it into the right place, chown it to root, and make it
perm'd to 0400 anyway .. then a quick graceful stop and startssl ..
*poof*, Bob's yer uncle.

Best~
-d

SANDER SMITH wrote:
> I'm looking to do something, but I'm not sure it's even possible. Maybe someone can steer me in the right direction.
>
> Let's say that I have a copy of apache running on my server. I also have a brand new SSL certificate that was signed by a CA. I'd like to write some code to programmatically enable SSL on the server by means of mod_ssl. When I think about the steps necessary, I need to:
>
> 1. Copy the mod_ssl files to the proper place.
> 2. Update the mod_ssl config files to point to my SSL certificate.
> 3. Update the apache config files to recognize and run mod_ssl
> 4. Cause apache to suddenly start to use mod_ssl
>
> Now steps 1,2, and 3 seem pretty straight forward. Step 4 is a huge handwave, and I'm hoping someone can give me some insight. Is it even possible? Does it require apache to be restarted? Is there some programmatic way to get apache to restart?
>
>
>

Re: Adding SSL on-the-fly programmatically

on 24.08.2007 13:50:42 by ssmith3988

You're right, what I'm asking for is not normal and I understand it. However, your suggestions make some assumptions about the "normalcy" of the environment that we're dealing with which just isn't the reality of my situation.

The project I'm working on is not to simply secure an e-commerce site running on some big server hardware. I'm looking at apache running on some embedded platform. Users will not be people who understand what chown is, but will be content by just pushing buttons on the front panel of the device. Because of how the device is being deployed, I can even assume that everything can be run under root to simplify things.

So given that this is not a normal case, any ideas on how to proceed?

Dave Paris wrote:
> This seems about 180deg from normal. Install Apache with mod_ssl.
> Start it without invoking SSL .. if you get a certificate, you'll want
> to hand-walk it into the right place, chown it to root, and make it
> perm'd to 0400 anyway .. then a quick graceful stop and startssl ..
> *poof*, Bob's yer uncle.
>
> Best~
> -d
>
> SANDER SMITH wrote:
>> I'm looking to do something, but I'm not sure it's even possible. Maybe someone can steer me in the right direction.
>>
>> Let's say that I have a copy of apache running on my server. I also have a brand new SSL certificate that was signed by a CA. I'd like to write some code to programmatically enable SSL on the server by means of mod_ssl. When I think about the steps necessary, I need to:
>>
>> 1. Copy the mod_ssl files to the proper place.
>> 2. Update the mod_ssl config files to point to my SSL certificate.
>> 3. Update the apache config files to recognize and run mod_ssl
>> 4. Cause apache to suddenly start to use mod_ssl
>>
>> Now steps 1,2, and 3 seem pretty straight forward. Step 4 is a huge handwave, and I'm hoping someone can give me some insight. Is it even possible? Does it require apache to be restarted? Is there some programmatic way to get apache to restart?

Re: Adding SSL on-the-fly programmatically

on 24.08.2007 15:00:58 by Dave Paris

Ok, so script the chown'ing and permissioning on import. It's still
easier on an embedded system to install apache as SSL-capable and only
enable when desired, rather than jumping through flaming hoops and
loading up the mod_ssl module when needed.

Embedded devices are designed around the KISS principle. The more
complex you make it, the surer you are to be getting loads of support calls.

Best~
-dsp

SANDER SMITH wrote:
> You're right, what I'm asking for is not normal and I understand it. However, your suggestions make some assumptions about the "normalcy" of the environment that we're dealing with which just isn't the reality of my situation.
>
> The project I'm working on is not to simply secure an e-commerce site running on some big server hardware. I'm looking at apache running on some embedded platform. Users will not be people who understand what chown is, but will be content by just pushing buttons on the front panel of the device. Because of how the device is being deployed, I can even assume that everything can be run under root to simplify things.
>
> So given that this is not a normal case, any ideas on how to proceed?
>
>
> Dave Paris wrote:
> This seems about 180deg from normal. Install Apache with mod_ssl.
> Start it without invoking SSL .. if you get a certificate, you'll want
> to hand-walk it into the right place, chown it to root, and make it
> perm'd to 0400 anyway .. then a quick graceful stop and startssl ..
> *poof*, Bob's yer uncle.
>
> Best~
> -d
>
> SANDER SMITH wrote:
>> I'm looking to do something, but I'm not sure it's even possible. Maybe someone can steer me in the right direction.
>>
>> Let's say that I have a copy of apache running on my server. I also have a brand new SSL certificate that was signed by a CA. I'd like to write some code to programmatically enable SSL on the server by means of mod_ssl. When I think about the steps necessary, I need to:
>>
>> 1. Copy the mod_ssl files to the proper place.
>> 2. Update the mod_ssl config files to point to my SSL certificate.
>> 3. Update the apache config files to recognize and run mod_ssl
>> 4. Cause apache to suddenly start to use mod_ssl
>>
>> Now steps 1,2, and 3 seem pretty straight forward. Step 4 is a huge handwave, and I'm hoping someone can give me some insight. Is it even possible? Does it require apache to be restarted? Is there some programmatic way to get apache to restart?
>>
>>
>>

RE: Adding SSL on-the-fly programmatically

on 24.08.2007 15:56:49 by Bill Colvin

You may want to look at the command "apachectl graceful" for step 4. It
gets the httpd threads to restart after they finish what they are doing.
So it is not too disruptive to existing activity.

________________________________

From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org] On Behalf Of SANDER SMITH
Sent: August 23, 2007 9:45 PM
To: modssl-users@modssl.org
Subject: Adding SSL on-the-fly programmatically

I'm looking to do something, but I'm not sure it's even possible. Maybe someone can steer me in the right direction.

Let's say that I have a copy of apache running on my server. I also have a brand new SSL certificate that was signed by a CA. I'd like to write some code to programmatically enable SSL on the server by means of mod_ssl. When I think about the steps necessary, I need to:

1. Copy the mod_ssl files to the proper place.
2. Update the mod_ssl config files to point to my SSL certificate.
3. Update the apache config files to recognize and run mod_ssl
4. Cause apache to suddenly start to use mod_ssl

Now steps 1,2, and 3 seem pretty straight forward. Step 4 is a huge handwave, and I'm hoping someone can give me some insight. Is it even possible? Does it require apache to be restarted? Is there some programmatic way to get apache to restart?


Re: Adding SSL on-the-fly programmatically

on 24.08.2007 17:03:01 by ssmith3988

You're right, some of this stuff can be set up earlier.

So what I'm really doing is receiving an SSL cert as a part of an HTTP request. Behind the scenes I've got an apache module or PHP running that will service it. It takes the cert, copies it to the right place, updates the config files to enable SSL, and then, ... what?

I don't want to restart the device, because there are other things going on. I really only want to make apache aware of this config change, but I'm thinking there's no way to do that, is there? Alternatively, I guess I could restart apache, but how can I do that since I'm in the middle of servicing a request?

Dave Paris wrote:
> Ok, so script the chown'ing and permissioning on import. It's still
> easier on an embedded system to install apache as SSL-capable and only
> enable when desired, rather than jumping through flaming hoops and
> loading up the mod_ssl module when needed.
>
> Embedded devices are designed around the KISS principle. The more
> complex you make it, the surer you are to be getting loads of support calls.
>
> Best~
> -dsp

