Version 1.6 (changelog: view source)
Spanish translation maintained by Sergio Artigas
French translation maintained by Jean-Francois Moreau
This page describes the installation of the Win32 version of Apache with the
mod_ssl extension. The newest version should always be available from http://tud.at/programm/apache-ssl-win32-howto.php3.
This process worked for many people on Windows NT, 98, ME, 2000 and XP;
please mail me your suggestions and bug
reports.
You can even install Apache with SSL in addition to the Microsoft
Internet Information Server if you need to.
Apache with mod_ssl seems to be the only free (as in speech, not in beer) solution for Win32. Please note that Apache on Win32 is considered beta quality as it doesn't reach the stability and performance of Apache on Un*x platforms.
Get the Win32 version of the Apache web server from one of the mirrors. It is called something like
apache_x_y_z_win32.exe
. This is a self-extracting archive that
contains the Apache base system and sample configuration files.
Install Apache as described in http://www.apache.org/docs/windows.html.
Note: You can skip this step and get a full Apache+SSL distribution from mod_ssl.org, as described below. There will be no fancy installation program but you won't need to overwrite the stock Apache files. This is the better way if you are experienced and don't fear editing configuration files (which you will need to do anyway).
Change at least the following parameters in
Apache-dir/conf/httpd.conf
:
[Replace all occurences of
www.my-server.dom
with the real domain name!]
Port 80
to # Port 80
(Comment it out;
Port
is not necessary, Listen
overrides it later.)
Listen 80
Listen 443
(So your server listens on the standard SSL port)
ServerName
www.my-server.dom
DocumentRoot
and the corresponding
<Directory
some-dir>
to your
Inetpub\wwwroot
Install the Apache service (NT only) and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.
Try http://www.my-server.dom:443/. It won't be encrypted yet but if this works then the port configuration (port 443) is right.
Go to http://www.modssl.org/contrib/ and
find a file called like
Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip
. Download and unzip
it to a new directory.
If you need the newest version, you will have to
compile it yourself if it is not there. Don't ask me about it; I don't have it,
I don't compile the versions on modssl.org, and I don't have access to
development tools on Win32.
Copy the files ssleay32.dll
and libeay32.dll
from
the Apache directory to WINNT\System32
. This is important! About
70 % of the e-mails I receive is because people forget to do this.
You'll need a config file for OpenSSL.exe
. Here is one (right-click on it and
"Save as..."). (There is an openssl.cnf in the distribution but with different
questions, but it should do it, too.) Copy it to the directory
openssl.exe
is in.
(This is a normal text file. It is really
called so; however, some Windows versions insist on hiding the extension from
you. You can edit it with Windows notepad or a good editor, but it shouldn't be
necessary.)
The following instructions are from http://www.apache-ssl.org/#FAQ.
openssl req -config openssl.cnf -new -out my-server.csr
This
creates a certificate signing request and a private key. When asked for
"Common Name (eg, your websites domain name)"
, give the exact
domain name of your web server (e.g. www.my-server.dom). The certificate
belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out my-server.key
This removes
the passphrase from the private key. You MUST understand what this means;
my-server.key
should be only readable by the apache server and the
administrator.
You should delete the .rnd
file because it
contains the entropy information for creating the key and could be used for
cryptographic attacks against your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey
my-server.key -days 365
This creates a self-signed certificate that
you can use until you get a "real" one from a certificate authority. (Which is
optional; if you know your users, you can tell them to install the certificate
into their browsers.) Note that this certificate expires after one year, you can
increase -days 365
if you don't want this.
If you have users with MS Internet Explorer 4.x and want them to be able to
install the certificate into their certificate storage (by downloading and
opening it), you need to create a DER-encoded version of the
certificate:openssl x509 -in my-server.cert -out my-server.der.crt
-outform DER
Create an Apache/conf/ssl
directory and move
my-server.key
and my-server.cert
into it.
Copy the executable files (*.exe, *.dll, *.so) from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first!).
Find the LoadModule directives in your httpd.conf
file and add
this after the existing ones, according to the file you have found in the
distribution:
LoadModule ssl_module modules/ApacheModuleSSL.dll
orLoadModule ssl_module modules/ApacheModuleSSL.so
orLoadModule ssl_module modules/mod_ssl.so
in newer
versions.
In newer versions of the distribution, it could also be necessary to
addAddModule mod_ssl.c
after the LoadModule line.
Add the following to the end of httpd.conf
:
# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK
<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
Don't forget to call apache with -D SSL
if the
IfDefine
directive is active in the config file!
You might need to use regedit
to change the key
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z
to the
correct number if the apache.exe
from
modssl.org/contrib
is not the same version as the previously
installed one. (This seems not to be necessary with recent versions.)
Start the server, this time from the command prompt (not as a service) in
order to see the error messages that prevent Apache from starting. If everything
is OK, (optionally) press CTRL+C to stop the server and start it as a service if
you prefer.
If it doesn't work, Apache should write meaningful messages to
the screen and/or into the error.log and SSL.log files in the Apache/logs
directory.
If something doesn't work, set all LogLevel
s to the
maximum and look into the logfiles. They are very helpful.
DON'T e-mail me or the other contributors without having plain Apache
installed (Step 1). We will ignore your request; we are not the Free Apache
Helpdesk and there is enough good documentation on configuring Apache; if that
is not enough for you, you shouldn't run a secure server anyway. Also, DON'T
e-mail without having looked into the error.log and SSL.log with
LogLevel
set to Debug.
Problems connecting to the server with a browser can have many reasons, many of them on the client (proxy, DNS, general IE dumbness).
So, if you encounter problems connecting with SSL, try another browser and/or look into the settings. If even this doesn't work, you can use OpenSSL to debug the problem.
bb@www$ openssl s_client -connect no-such-machine:443
gethostbyname failure # Error resolving this DNS name. Connect with the IP address.
connect:errno=2
bb@www$ openssl s_client -connect www1.tud.at:443
connect: Connection refused
connect:errno=111
# No SSL server on this port. Double-check the Listen and Port directives.
bb@www$ openssl s_client -connect apcenter.apcinteractive.net:443
# everything OK. OpenSSL shows the information it obtained from the server.
CONNECTED(00000003)
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
verify return:1
---
Certificate chain
0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
[...]
9ucXUnk=
-----END CERTIFICATE-----
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
---
No client certificate CA names sent
---
SSL handshake has read 1281 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
Session-ID-ctx:
Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
Key-Arg : None
Start Time: 980696025
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[Enter:
GET / HTTP/1.0
and press RETURN twice]
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2001 15:34:58 GMT
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: 0
Pragma: no-cache
X-Powered-By: PHP/4.0.4
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
# the server shows its main document
Q: I see the following when starting Apache:
Syntax error on line [some number] of ...httpd.conf Cannot load apache/modules/mod_ssl.so into server (126) The module could not be found:
Q: I see the following when starting Apache:
Syntax error on line [some number] of apache/conf/httpd.conf: Cannot load apache/modules/apachemodulessl.dll into server: (127) The specified procedure could not be found:or:
Syntax error on line [some number] of apache/conf/httpd.conf: Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not included in the server configuration
Q: SSL doesn't work in the browser and I see the following in some logfile:
[Fri Nov 16 15:46:30 2001] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]A: How much clearer can an error message get? Your VirtualHost or Listen configuration is wrong.
Don't ask us about installing servlet extensions, recompiling mod_ssl or
Apache with EAPI, recompiled versions etc. We have no idea and won't be able
help you. We are just users and not programmers.
If your needs are so
special, you are better off with a Debian
GNU/Linux or OpenBSD server. It will
save you lots of trouble. Really.
Apache Web Server: http://www.apache.org/
mod_ssl: http://www.modssl.org/
mod_ssl
configuration: http://www.modssl.org/docs/2.4/ssl_reference.html
OpenSSL:
http://www.openssl.org/
PHP Hypertext
preprocessor: http://www.php.net/
Author of this document: Balázs Bárány (http://tud.at/)
(mail me your questions, but only
after having looked into the error logs with LogLevel debug
. You
can mail me in English, German and Hungarian.)
Contributor: Horst Bräuner
(OpenSSL configuration on NT)
Contributor: Christoph Zich (Windows
98)
Contributor: Torsten
Stanienda (Test with 1.3.12, IfDefine directive)
Contributor: Peter Holm (Listen and Port directives)
Last change: 2001-12-28
This document can be redistributed under the GNU Free Documentation License. © Balázs Bárány 1999-2001