The N0b0d13s

aj1_nc1@yahoo.com

Installing HTTPS

This HTTPS installation uses the following system specification:

1. Linux Slackware 12
2. openssl 0.8.9
3. httpd 2.2.4

Building an HTTPS service requires a digital certificate, so the first thing to do is create one.

Creating the certificate with openssl

The first thing to do is create a CA, because this time we will use our own CA. Installing openssl is not covered here, since we will only use the openssl application that already ships with Slackware. Creating the CA starts with the following steps:

root@darkstar:/etc/ssl# cd /etc/ssl/
root@darkstar:/etc/ssl# mkdir demoCA
root@darkstar:/etc/ssl# mkdir crl
root@darkstar:/etc/ssl# cd demoCA/
root@darkstar:/etc/ssl/demoCA# mkdir newcerts
root@darkstar:/etc/ssl/demoCA# mkdir private
root@darkstar:/etc/ssl/demoCA# chmod 700 private/
root@darkstar:/etc/ssl/demoCA# echo "01" > serial
root@darkstar:/etc/ssl/demoCA# touch index.txt

As you can see, we are creating the directories and files needed to build a root CA. Next we generate the key for the root CA together with its certificate.

root@darkstar:/etc/ssl# openssl req -x509 -newkey rsa:4096 -out cacert.pem -outform PEM -keyout demoCA/private/cakey.pem
Generating a 4096 bit RSA private key
...........................................................................++
...........................................................................++
writing new private key to 'demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:JKT
Locality Name (eg, city) []:DKI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:STSN
Organizational Unit Name (eg, section) []:Mahasiswa
Common Name (eg, YOUR name) []:Agung Setiaji
Email Address []:aj1@thenobodies.com

The next step is to generate the key and the certificate signing request for the web server on which HTTPS will be installed.

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2048 -keyout webkey.key -out web.req
Generating a 2048 bit RSA private key
.................................+++
..........+++
writing new private key to 'webkey.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI
Locality Name (eg, city) []:KALISARI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:nobodies
Organizational Unit Name (eg, section) []:web serveer
Common Name (eg, YOUR name) []:web
Email Address []:web@thenobodies.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234

With the key and certificate request generated, we continue by having the Server CA sign the certificate.

root@darkstar:/etc/ssl# openssl ca -in web.req -extensions v3_ca -out web.crt
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 7 (0x7)
        Validity
            Not Before: Jul  3 00:42:15 2008 GMT
            Not After : Jul  3 00:42:15 2009 GMT
        Subject:
            countryName               = ID
            stateOrProvinceName       = DKI
            organizationName          = nobodies
            organizationalUnitName    = web serveer
            commonName                = web
            emailAddress              = web@thenobodies.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E0:9C:3C:8B:47:95:30:1C:BD:5A:14:10:A9:AF:A1:EB:D1:3D:2E:0C
            X509v3 Authority Key Identifier:
                keyid:B5:26:50:23:83:54:E7:4C:53:4A:44:B6:EF:F3:81:94:98:D4:50:1E
                DirName:/C=ID/ST=DKI/L=JKT/O=nobodies/OU=manager/CN=aj1/emailAddress=aj1@thenobodies.com
                serial:D7:10:93:63:37:58:F0:BF
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul  3 00:42:15 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next we place the key and certificate into the web server. The web server used is Apache, which by default keeps the SSL key and certificate under "/etc/httpd/". To keep them apart, first create the directories ssl.key and ssl.crt under "/etc/httpd", then copy the web key and certificate into them:

root@blackbox:/etc/ssl# cp webkey.key /etc/httpd/ssl.key/
root@blackbox:/etc/ssl# cp web.crt /etc/httpd/ssl.crt/

With that, the handling of the key and certificate configuration is complete.

Configuring Apache

Installing Apache is likewise not described here, because we only use the Apache that already ships with Slackware 12. All we have to do is configure it so that it runs with SSL support. Before configuring Apache, however, we add a simple name resolution entry to the hosts file at "/etc/hosts" to give the web server a domain name, if needed, by adding our IP address followed by a host name (the name that will be used to open the site), as below.

# End of hosts. (my computer's IP address)
192.169.1.19 thenobodies.com darkstar

Once that is done, configure Apache in httpd.conf at "/etc/httpd/httpd.conf" by uncommenting the lines below.

Include /etc/httpd/extra/httpd_ssl.conf
LoadModule ssl_module lib/httpd/modules/mod_ssl.so

And disable port 80:

#Listen 80

We also set the server name that will be used:

ServerAdmin aji@thenobodies.com
ServerName www.thenobodies.com:443

The next configuration is in the file httpd_ssl.conf ("/etc/httpd/extra/httpd_ssl.conf").

NameVirtualHost 192.169.1.19:443

<VirtualHost 192.169.1.19:443>
    DocumentRoot "/var/www/htdocs"
    ServerName www.thenobodies.com:443
    ServerAdmin aj1@thenobodies.com
    ErrorLog /var/log/apache/error_ssl_log
    TransferLog /var/log/apache/access_ssl_log

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/ssl.crt/web.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/webkey.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog /var/log/apache/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

</IfDefine>

That completes the SSL configuration for Apache. Next we try to start the Apache web server.

First we change the permissions of the httpd init script:

root@darkstar:~# chmod 755 /etc/rc.d/rc.httpd

After that we start the Apache server:

root@darkstar:~# /etc/rc.d/rc.httpd start
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server thenobodies:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Enter the passphrase for your web server's SSL key. HTTPS should now be running and can be tested in your web browser. Opening the site with http:// will not work, because port 80 has been closed, so open it with https://. When you open the HTTPS site you will be presented with a certificate; approve it and your HTTPS site will work.

You just choose the kind of certificate you want to use, and when the second pop-up appears you can inspect the certificate contents by pressing the View Certificate button. You will see that the web address you opened now uses the https protocol, and in the bottom right corner a closed padlock icon shows that the SSL connection succeeded.

July 5, 2008 | research & project

My Morning Tennis…..

after tennis

You know what? I'm feeling better this morning, thanks God......

Got a lot to do this day and I start it with playing tennis with my friend, even though a high temperature of lovely sun is shining on us this morning, but it's okay and it's not a problemo at all....

In this session of practice I'm just planning to train my backhand shot, because I feel terrible when doing that; my shots were going far, far away from the back line mostly, you know....

Actually I've been doing the same thing last night but I still feel that my skill is so... so... so.... worse..... that is why I want to practice it again this day, but you know what? I still failed to fix my shot this morning...fuuhhhhh........

And I think I should stop this game and learn the theory more and more, huh??

July 2, 2008 | sport

Creating simple Public Key Infrastructure with OpenSSL

What a hard time for me because, as you can read in the Indonesian page category (for those of you who understand it, of course), I've been attacked by some strange disease since the day before and have been feeling so weak until now, but however I just can't stop playing with my SlackWorld. And now I'll give my report after trying to create a simple PKI using the OpenSSL installed in my Slackware. I assume that you have basic knowledge of PKI; if you don't, you can read a cool book called "Network Security with OpenSSL", and the book looks like this:

Before I begin to give you my exploration I'll give the scenario that I'm trying to do. For better understanding I'll give it with a visualization. OK, let's see the picture below:

ha3 the left side is supposed to be client 1, I'm sorry.....

As you can see there will be a Root CA with one CA server below it, and there will be 2 clients, where one of them will be signed by the Server CA and the other will be directly signed by the Root CA. I'm sure you're not having a problem understanding the concept, are you? Good....

Okay, we'll do this step by step..

STEP 1: Preparing the files and directories needed by openssl for creating a CA
root@darkstar:/etc/ssl# mkdir demoCA -----> Root CA directory
root@darkstar:/etc/ssl# cd demoCA/
root@darkstar:/etc/ssl/demoCA# mkdir newcerts -----> stores the issued certificates
root@darkstar:/etc/ssl/demoCA# mkdir private -----> stores the root CA key
root@darkstar:/etc/ssl/demoCA# chmod 700 private/
root@darkstar:/etc/ssl/demoCA# echo "01" > serial -----> certificate serial number
root@darkstar:/etc/ssl/demoCA# touch index.txt -----> index of the issued certificates

No more explanation, I think, because I've written it down on the right side of each step; for more explanation just read the recommended book, okay....

STEP 2 : Generating key and certificate for Root CA

And now we are going to make a new key and certificate for the root CA:
root@darkstar:/etc/ssl# openssl req -x509 -newkey rsa:4096 -out cacert.pem -outform PEM -keyout demoCA/private/cakey.pem

STEP 3 : Generating key and certificate request for client 1

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2408 -keyout key1.pem -out req.pem

STEP 4 : Signing the client 1 certificate by the Root CA

root@darkstar:/etc/ssl# openssl ca -in req.pem

STEP 5 : Generating key and certificate request for Server CA

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2408 -keyout serverCA.pem -out serverCAreq.pem

STEP 6 : Signing the Server CA certificate by the Root CA
root@darkstar:/etc/ssl# openssl ca -in serverCAreq.pem -extensions v3_ca -out serverCAcert.pem

STEP 7 : Generating key and certificate request for client 2

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2408 -keyout key2.pem -out req2.pem

STEP 8 : Signing the client 2 certificate by the Server CA

root@darkstar:/etc/ssl# openssl ca -in req2.pem -keyfile serverCA.pem -cert serverCAcert.pem

And it's finished, and the question is "what was all this stuff created for?" The answer is in the next post, where we'll continue this by making a simple HTTPS connection, okay...
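An added example, not the blog's own commands, that builds the chain from this post and from the HTTPS post above (root CA, Server CA, and an end-entity "web" certificate) unattended with a minimal openssl.cnf, then checks each certificate's Basic Constraints and verifies the chain. It assumes passphrase-less keys (-nodes) so that no prompt is needed; the HTTPS post signed its web certificate with -extensions v3_ca, which is why that output shows CA:TRUE, so here the leaf is signed with a usr_cert section that sets CA:FALSE.

```shell
# Added example, not the blog's own commands: root CA -> Server CA -> "web" chain,
# built unattended with a minimal openssl.cnf. -nodes (unencrypted keys) is an
# assumption made so no passphrase prompt is needed; on a real CA keep the key encrypted.
set -e

build_pki() {
  WORK=$(mktemp -d) && cd "$WORK"
  mkdir -p demoCA/newcerts demoCA/private && chmod 700 demoCA/private   # STEP 1 layout
  echo "01" > demoCA/serial && : > demoCA/index.txt
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = critical, CA:FALSE
EOF
  # Root CA, self-signed with the CA extensions (STEP 2)
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca -subj "/CN=Demo Root CA" -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
  # Server CA signed by the root with v3_ca (STEPS 5-6): CA:TRUE is correct for a sub-CA
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo Server CA" -keyout serverCAkey.pem -out serverCAreq.pem 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions v3_ca -in serverCAreq.pem -out serverCAcert.pem 2>/dev/null
  # Web cert signed by the Server CA with usr_cert (STEPS 7-8): an end-entity certificate
  # must be CA:FALSE; signing it with -extensions v3_ca, as the HTTPS post did, makes it a CA
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=web" -keyout webkey.key -out web.req 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions usr_cert -keyfile serverCAkey.pem -cert serverCAcert.pem -in web.req -out web.crt 2>/dev/null
}
# Prints CA:TRUE or CA:FALSE for a certificate file
basic_constraints() { openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' | head -n 1; }
# root, intermediate, leaf -> prints OK when the leaf chains to the root, FAIL otherwise
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo OK || echo FAIL; }

build_pki
basic_constraints serverCAcert.pem   # CA:TRUE
basic_constraints web.crt            # CA:FALSE
verify_chain demoCA/cacert.pem serverCAcert.pem web.crt   # OK
```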

July 1, 2008 | research & project
