Date:      Sun, 15 Aug 1999 01:30:59 -0700
From:      Ludwig Pummer <ludwigp@bigfoot.com>
To:        big-sky@altavista.net
Cc:        Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: SSL and Apache question
Message-ID:  <37B67AC2.35C519A0@bigfoot.com>
References:  <000001bee6e7$e7fffde0$0201010a@cmr.net>

Mark Einreinhof wrote:
> Installed Apache. Then installed PHP. Compiled Apache both times. Now I've
> downloaded and compiled OpenSSL-0.9.4. I'm at a loss as to what to do next.
> Do I need to recompile Apache at this point? If I do recompile Apache, do I
> lose the PHP that was compiled? Next, all I require is a 128bit encrypted
> connection to the server, it will only be myself and some others using it so
> I don't desire to pay for a certificate. How do I create my own certificate?
> I saw mention of openssl, but docs are real sketchy.
> 
> My ultimate goal is to run IMP via SSL, so I can read my email securely from
> anywhere.

I remember doing that exact same stuff just a few months ago. I feel I
should point out that the Apache13+PHP3 port gives you the option of
installing mod_ssl/OpenSSL support, as well as MySQL support (used for
IMP address book and preferences. More on this later).

Let me tell you the story of the long, difficult way:
I downloaded the source distributions for Apache, PHP, MySQL, UW-IMAP,
mod_ssl, and OpenSSL.
I first installed the UW-IMAP server and MySQL by themselves, since
building PHP later depends on them being already installed.
I then got Apache working by itself (using the APACI method). I did
'make install' using the base apache configuration. Then I compiled in
PHP support (Apache keeps a copy of the last-used ./configure line in
config.status, so adding PHP while keeping everything else the same was
as simple as "./config.status
--activate-module=src/modules/php3/libphp3.a"). I just copied the new
httpd binary in the apache/src directory over the old one in
/usr/local/apache/bin. I also copied the php3.ini file to
/usr/local/lib. Then I attempted to add mod_ssl support, according to
their documentation. I tried to install OpenSSL by hand. I got hung up
because the "make test" or something like that would fail. I later found
out that was because the RSAREF library was missing something. There's
now a patch for that, and it's installed by the port for you!
So I installed OpenSSL via the port and then installed mod_ssl according
to the mod_ssl documentation (and used config.status to keep the PHP
module that I had previously added). Mod_ssl makes some big changes to
Apache's makefile, for building the certificates and such. After mod_ssl
was built in and compiled, I did 'make certificate TYPE=test'. I did
another 'make install'. I ended up with duplicate configuration files
(one set of configs before mod_ssl and one after mod_ssl) which I had to
then merge by hand.

But I ended up with a working Apache + PHP3 + IMAP + mod_ssl/OpenSSL +
MySQL binary which I could then use to run IMP.

When I tried to go to https://myserver, the web browser complained that
the certificate wasn't signed by a valid CA, but I was able to tell the
web browsers to accept the certificate anyway, and so I got a secure
connection without paying a CA (note that earlier web browsers may not
let you accept a certificate with an invalid CA. I've found that I need
at least a version 4.x browser).

That said, let me also say that I have never gotten IMP to work properly
with MySQL, using a MySQL database for preferences and such. I also
haven't been tracking IMP (just to be fair, in case that's been fixed by
now). I found that IMP had too many quirks for my taste and went to TWIG
(http://twig.screwdriver.net/) instead. It doesn't look as flashy, but
it's a lot smaller and cleaner and doesn't require as much time to set
up. I disabled the MySQL support in TWIG because I didn't want to set up
another table and permissions (not after trying and failing with IMP).

So... I suggest you try the Apache+PHP port first, as it must be
less painful than what I did.

--Ludwig Pummer <ludwigp@bigfoot.com>
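
Added example, not part of the message above and not the mod_ssl makefile's own procedure: one way to create a self-signed certificate directly with the openssl command line and read its SHA-256 fingerprint, so each user can compare it with what the browser displays before accepting the "not signed by a valid CA" warning. The host name, file names, key size and lifetime are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: self-signed certificate for a small private HTTPS server.
# Host name, file names, key size and lifetime below are assumptions.

# make_selfsigned <hostname> <key-file> <cert-file>
make_selfsigned() {
    (
        umask 077   # the unencrypted private key must not be readable by others
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
            -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
            -keyout "$2" -out "$3" 2>/dev/null
    )
}

# cert_fingerprint <cert-file>: prints the SHA-256 fingerprint (AA:BB:...)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# is_self_signed <cert-file>: true when subject and issuer names are identical
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# key_matches_cert <key-file> <cert-file>: true when both hold the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demonstration in a scratch directory with a constructed host name.
demo_dir=$(mktemp -d)
if make_selfsigned mail.example.test "$demo_dir/server.key" "$demo_dir/server.crt" &&
   is_self_signed "$demo_dir/server.crt" &&
   key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt"
then
    echo "Give this fingerprint to your users over a separate channel:"
    cert_fingerprint "$demo_dir/server.crt"
fi
rm -rf "$demo_dir"
```

A fingerprint that differs from the one shown in the browser's certificate dialog means the browser is not talking to this server's certificate, and the warning should not be accepted.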

