Apache

mod_ssl_ct (link to Apache documentation) supports serving Signed Certificate Timestamps (SCTs) to clients as part of the TLS handshake on HTTPS connections.  At time of writing (2015-05-14) the module exists only in httpd trunk; it is not part of any released httpd version.

Disclaimer: the following is not intended to show best (or even good) practice for configuring OpenSSL or Apache; it documents a reproducible set of steps that demonstrate the module returning SCTs during the TLS handshake.  In particular it leaves TLS protocol and cipher settings at their defaults and runs a freshly built trunk httpd, so do not treat it as a deployable configuration.

For the purposes of this example, we started with a new virtual machine created in Google Compute Engine with the "ubuntu-1504-vivid-v20150422" image.

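# Install dependencies.  Refresh the package index first: the image ships a
# snapshot of the index that may no longer match the archive, and apt-get
# install then fails to resolve package versions on a fresh VM.
sudo apt-get update
sudo apt-get install make gcc libapr1-dev libaprutil1-dev libpcre3-dev subversion \
                     libtool libtool-bin autoconf golang-go unzip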

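# Build and install OpenSSL 1.0.2 (the httpd build below is pointed at this
# install).  NOTE: the 1.0.2 series is end-of-life; 1.0.2a is pinned here only
# so the demonstration is reproducible, not because it is fit for production.
wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz.sha256

# Verify the tarball before compiling and installing it as root.  The
# published .sha256 file holds only the hex digest, so build the
# "<digest>  <file>" line that sha256sum -c expects.  A digest fetched from
# the same origin only detects a corrupted or substituted download, not a
# compromised origin; for that, check the detached .asc signature against the
# OpenSSL release keys instead.
echo "$(cat openssl-1.0.2a.tar.gz.sha256)  openssl-1.0.2a.tar.gz" | sha256sum -c -

tar zxf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a/
# "shared" builds libssl/libcrypto as shared objects; the default prefix is
# /usr/local/ssl, which is what --with-ssl below expects.
./config shared
make
make test
sudo make install
cd ..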

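# Build and install trunk httpd.
# Both exports use HTTPS.  The APR export was originally over plain HTTP,
# which lets anyone on the network path substitute source that is compiled
# and then run as root.  Trunk is a moving target: add "-r <revision>" to
# both exports if the build needs to be reproducible later.
svn export https://svn.apache.org/repos/asf/httpd/httpd/trunk/ httpd
cd httpd/
svn export https://svn.apache.org/repos/asf/apr/apr/trunk srclib/apr
./buildconf

# Ensure we point to the OpenSSL 1.0.2 install made above, not the system one.
./configure --with-ssl=/usr/local/ssl --with-included-apr
make
sudo make install

# mod_ssl_ct is built separately with apxs, against the same OpenSSL headers
# httpd was configured with, and installed into the new httpd's modules/.
cd modules/ssl/
sudo /usr/local/apache2/bin/apxs -ci -I/usr/local/ssl/include mod_ssl_ct.c ssl_ct_util.c \
     ssl_ct_sct.c ssl_ct_log_config.c
# Back to the directory that contains httpd/.
cd ../../..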

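# Create standard SSL configuration
sudo mkdir -p /usr/local/apache2/conf/ssl

# The PEM material is fed through a quoted here-document on stdin rather than
# passed as an echo argument: anything on a command line is visible to every
# local user via ps while it runs.  (Pasting into an interactive shell still
# records the key in shell history; copying the file in with scp and
# "sudo install -m 0600" avoids that entirely.)
# umask 077 makes the key 0600.  With the default umask of 022 the redirection
# would create a world-readable private key under a root-owned directory.
sudo sh -c 'umask 077; cat >/usr/local/apache2/conf/ssl/server.key' <<'EOF'
-----BEGIN PRIVATE KEY-----
... your private key ...
-----END PRIVATE KEY-----
EOF

# Intermediate certificates, in chain order (public material; 0644 is fine).
sudo sh -c 'cat >/usr/local/apache2/conf/ssl/intermediates.crt' <<'EOF'
-----BEGIN CERTIFICATE-----
... append zero or more intermediate certs in order ...
-----END CERTIFICATE-----
EOF

# The server (leaf) certificate itself -- not the intermediates again.
sudo sh -c 'cat >/usr/local/apache2/conf/ssl/server.crt' <<'EOF'
-----BEGIN CERTIFICATE-----
... your server (leaf) certificate ...
-----END CERTIFICATE-----
EOF

# Create directory to hold the static SCTs referenced by CTStaticSCTs
sudo mkdir -p /usr/local/apache2/conf/ssl/scts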

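# Grab a tool to submit certificates to log servers.
# This downloads and builds an unreviewed tree from a moving branch.  Prefer
# the archive of a specific tag or commit over master.zip, and look at what
# was fetched before building it.
wget -O ct-submit.zip https://github.com/grahamedgecombe/ct-submit/archive/master.zip
unzip ct-submit.zip
cd ct-submit-master/
go build

# The tool needs the whole chain in a single file: leaf first, then the
# intermediates.
cat /usr/local/apache2/conf/ssl/server.crt \
    /usr/local/apache2/conf/ssl/intermediates.crt >server.crt-bundle

# Submit your cert chain to logs as appropriate, and write out SCTs.
# The freshly built tool runs as the ordinary user and writes into a local
# directory; root is used only to copy the finished SCTs into place.  (The
# original wrapped every submission in "sudo sh -c" purely to be able to
# redirect into the root-owned conf directory, running unreviewed code as
# root for no gain.)
# The logs listed here are the ones that were accepting submissions when this
# was written (2015).  Logs are retired and added over time, so check a
# current CT log list before relying on any of them.
mkdir -p scts
./ct-submit-master ct.googleapis.com/aviator   <server.crt-bundle >scts/aviator.sct
./ct-submit-master ct.googleapis.com/pilot     <server.crt-bundle >scts/pilot.sct
./ct-submit-master ct.googleapis.com/rocketeer <server.crt-bundle >scts/rocketeer.sct
./ct-submit-master ct1.digicert-ct.com/log     <server.crt-bundle >scts/digicert.sct
./ct-submit-master ct.izenpe.com               <server.crt-bundle >scts/izenpe.sct
./ct-submit-master log.certly.io               <server.crt-bundle >scts/certly.sct

# A failed submission leaves an empty .sct behind; this lists any such file.
# Remove them rather than installing them.
find scts -name '*.sct' -empty

sudo install -m 0644 scts/*.sct /usr/local/apache2/conf/ssl/scts/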

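# Configure Apache to serve SSL and the static SCTs.
# A quoted here-document through "sudo tee" replaces the nested
# sh -c """echo '''...'''""" construct.  That form only worked because the
# config contained no "$" or backquote, and the outer shell silently stripped
# the double quotes around the DocumentRoot value before it reached the file.
#
# CTSCTStorage gets a dedicated directory owned by the user httpd runs as
# (the "User" directive below) instead of /tmp.  /tmp is world-writable, so
# with the original setting any local user could plant or replace files in
# the location the module uses for its SCT state.
sudo mkdir -p /usr/local/apache2/ct-storage
sudo chown nobody /usr/local/apache2/ct-storage
sudo chmod 0700 /usr/local/apache2/ct-storage

sudo tee /usr/local/apache2/conf/httpd.conf >/dev/null <<'EOF'
LoadModule unixd_module  modules/mod_unixd.so
LoadModule ssl_module    modules/mod_ssl.so
LoadModule ssl_ct_module modules/mod_ssl_ct.so

# I needed the following due to an unrelated (non-SSL) misconfiguration of
# my test Apache; YMMV.
Mutex pthread

User         nobody
CTSCTStorage /usr/local/apache2/ct-storage
CTStaticSCTs /usr/local/apache2/conf/ssl/server.crt /usr/local/apache2/conf/ssl/scts
SSLEngine On
SSLCertificateFile /usr/local/apache2/conf/ssl/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl/server.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl/intermediates.crt
Listen  443
DocumentRoot "/usr/local/apache2/htdocs"
EOF

# Start the server and verify SCTs are returned using Chrome (or another
# CT-aware TLS client).  httpd is started as root so it can bind port 443 and
# read the 0600 key; it switches to the "User" above for its worker
# processes.  LD_LIBRARY_PATH points the loader at the OpenSSL 1.0.2 shared
# libraries installed earlier, which are not on the default library path.
sudo LD_LIBRARY_PATH=/usr/local/ssl/lib /usr/local/apache2/bin/httpd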
