RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache – Part 8
If you are a system administrator who is in charge of maintaining and securing a web server, you can’t afford to not devote your very best efforts to ensure that data served by or going through your server is protected at all times.
In order to provide more secure communications between web clients and servers, the HTTPS protocol was born as a combination of HTTP and SSL (Secure Sockets Layer) or more recently, TLS (Transport Layer Security).
Due to some serious security breaches, SSL has been deprecated in favor of the more robust TLS. For that reason, in this article we will explain how to secure connections between your web server and clients using TLS.
This tutorial assumes that you have already installed and configured your Apache web server. If not, please refer to following article in this site before proceeding further.
Installation of OpenSSL and Utilities
First off, make sure that Apache is running and that both http and https are allowed through the firewall:
# systemctl start http # systemctl enable http # firewall-cmd --permanent –-add-service=http # firewall-cmd --permanent –-add-service=https
Then install the necessary packages:
# yum update && yum install openssl mod_nss crypto-utils
Important: Please note that you can replace mod_nss with mod_ssl in the command above if you want to use OpenSSL libraries instead of NSS (Network Security Service) to implement TLS (which one to use is left entirely up to you, but we will use NSS in this article as it is more robust; for example, it supports recent cryptography standards such as PKCS #11).
Finally, uninstall mod_ssl if you chose to use mod_nss, or viceversa.
# yum remove mod_ssl
Configuring NSS (Network Security Service)
After mod_nss is installed, its default configuration file is created as /etc/httpd/conf.d/nss.conf. You should then make sure that all of the Listen and VirtualHost directives point to port 443 (default port for HTTPS):
Listen 443 VirtualHost _default_:443
Then restart Apache and check whether the mod_nss module has been loaded:
# apachectl restart # httpd -M | grep nss
Next, the following edits should be made in
/etc/httpd/conf.d/nss.conf configuration file:
1. Indicate NSS database directory. You can use the default directory or create a new one. In this tutorial we will use the default:
2. Avoid manual passphrase entry on each system start by saving the password to the database directory in /etc/httpd/nss-db-password.conf:
Where /etc/httpd/nss-db-password.conf contains ONLY the following line and mypassword is the password that you will set later for the NSS database:
In addition, its permissions and ownership should be set to 0640 and root:apache, respectively:
# chmod 640 /etc/httpd/nss-db-password.conf # chgrp apache /etc/httpd/nss-db-password.conf
3. Red Hat recommends disabling SSL and all versions of TLS previous to TLSv1.0 due to the POODLE SSLv3 vulnerability (more information here).
Make sure that every instance of the NSSProtocol directive reads as follows (you are likely to find only one if you are not hosting other virtual hosts):
4. Apache will refuse to restart as this is a self-signed certificate and will not recognize the issuer as valid. For this reason, in this particular case you will have to add:
5. Though not strictly required, it is important to set a password for the NSS database:
# certutil -W -d /etc/httpd/alias