
TLS v1.2 in Apache for the PKIoverheid

by Laurens van der Starre on September 13, 2011 · 0 comments

When working with the PKIoverheid in The Netherlands to communicate digitally with the Dutch government over the internet, one has to implement both WS-Security message signing and two-way SSL (client-authenticated TLS) transport encryption.

It is common practice that the back-end systems (such as an Oracle Service Bus, for example) are not directly connected to the internet. Often there is some gateway in front that acts as a reverse proxy, load balancer and/or SSL offloader. Within the “WebLogic world” the Apache HTTP server is often used together with the mod_wl plugin for load balancing. This is, naturally, also a good place to do the SSL offloading and to handle the two-way SSL transport.

Since August, the Dutch government requires SHA-256 certificates; the SHA-256 signature algorithms are part of the TLS v1.2 standard. This TLS version is unfortunately still not fully supported everywhere. When using Apache, for example, the de-facto standard for SSL is mod_ssl (based on OpenSSL). However, at the time of writing there is still no full support for TLS v1.2 in the latest stable release (v1.0.1) of OpenSSL.

A quick workaround is to switch to GnuTLS and the mod_gnutls Apache module. It works in a similar way to mod_ssl, and has full TLS v1.2 support.

(Update: I used gnutls 2.10.0 and mod_gnutls 0.5.10)

Now let us assume that the Apache server runs on an Oracle Enterprise Linux distribution (version 5.x or 6.1 for example). In this case the GnuTLS libraries are too old for use with the latest mod_gnutls implementation. The best way is to compile the latest GnuTLS and mod_gnutls versions yourself. (Alternatively, this blog describes an older mod_gnutls installation that works without the need for compiling the libraries yourself).

First get the tools needed for compilation:

yum groupinstall "Development Tools"

Install the dependencies:

yum install httpd-devel libgcrypt-devel

Download GnuTLS and mod_gnutls.

Compile and install GnuTLS (from the directory where the source is unpacked):

./configure --prefix=/usr
make
make install

Compile mod_gnutls (from the directory where the source is unpacked; the PKG_CONFIG_PATH export lets configure find the GnuTLS you just installed under /usr):

export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
./configure --prefix=/usr
make

The mod_gnutls.so module is now in the src/.libs directory (the libtool output directory). Copy this file to the /etc/httpd/modules directory.

Below is an example of an Apache VirtualHost configuration. This example would work as a PKIoverheid WUS “AfleverService” two-way SSL gateway: client certificates are verified against the PKIoverheid CA chain and are required (GnuTLSClientVerify require), and the decrypted traffic is passed on to the WebLogic cluster. The WebLogic cluster, and Oracle Web Services Manager 11g (OWSM) in particular, would then only be used for the WS-Security message signing.

LoadModule gnutls_module modules/mod_gnutls.so

<VirtualHost afleverservice.myserver.nl:443>

ServerName afleverservice.myserver.nl:443

GnuTLSEnable on
GnuTLSCertificateFile /etc/tls/servercert.cer
GnuTLSKeyFile /etc/tls/serverkey.key

GnuTLSClientCAFile /etc/tls/clientCAChain.cer

GnuTLSClientVerify require
GnuTLSPriorities SECURE:!SSLv2

<IfModule mod_weblogic.c>
  SetHandler weblogic-handler
  WebLogicCluster       ms1:8001,ms2:8001
  WLLogFile             /tmp/lb.log
  WLTempDir             /tmp
  KeepAliveEnabled      On
  KeepAliveSecs         15
</IfModule>

</VirtualHost>

The full mod_gnutls directive syntax is described in the mod_gnutls documentation.
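As an added example (not code from the original post or from the mod_gnutls project), the following Python script checks a VirtualHost block like the one above for the settings that make it a proper two-way SSL gateway: TLS enabled, a server certificate and key, a client CA chain, client verification set to require, and a priority string that starts at SECURE or stricter and does not re-enable legacy protocol versions. The directive names are the real mod_gnutls ones; the accepted priority bases, the "weak" variant of the configuration and the sample configs themselves are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample: the two-way SSL VirtualHost from the post, inlined.
GOOD_CONFIG = """
<VirtualHost afleverservice.myserver.nl:443>
ServerName afleverservice.myserver.nl:443
GnuTLSEnable on
GnuTLSCertificateFile /etc/tls/servercert.cer
GnuTLSKeyFile /etc/tls/serverkey.key
GnuTLSClientCAFile /etc/tls/clientCAChain.cer
GnuTLSClientVerify require
GnuTLSPriorities SECURE:!SSLv2
</VirtualHost>
"""

# Constructed weak variant for contrast: no client CA chain, client
# certificates merely requested, a lower priority base and SSL 3.0 re-enabled.
WEAK_CONFIG = """
<VirtualHost afleverservice.myserver.nl:443>
GnuTLSEnable on
GnuTLSCertificateFile /etc/tls/servercert.cer
GnuTLSKeyFile /etc/tls/serverkey.key
GnuTLSClientVerify request
GnuTLSPriorities NORMAL:+VERS-SSL3.0
</VirtualHost>
"""

# One mod_gnutls directive per line: name, whitespace, value.
DIRECTIVE_RE = re.compile(r"^\s*(GnuTLS\w+)\s+(\S.*?)\s*$", re.MULTILINE)

# Policy for this example (an assumption, not a mod_gnutls rule): the priority
# string must start at SECURE or stricter, as the post's configuration does.
ACCEPTED_BASES = {"SECURE", "SECURE128", "SECURE256", "PFS", "SUITEB128", "SUITEB192"}
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0"}


def parse_gnutls_directives(config: str) -> Dict[str, str]:
    """Collect GnuTLS* directives keyed by name; a repeated directive keeps
    its last value, which is how Apache itself resolves duplicates."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(config)}


def priority_tokens(priorities: str) -> List[str]:
    """Split a GnuTLS priority string on ':' into its keywords."""
    return [t.strip() for t in priorities.split(":") if t.strip()]


def check_gateway_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means the vhost meets the
    two-way SSL gateway expectations described above."""
    findings: List[str] = []
    d = parse_gnutls_directives(config)

    if d.get("GnuTLSEnable", "").lower() != "on":
        findings.append("GnuTLSEnable is not 'on': TLS is not active for this vhost")
    for name in ("GnuTLSCertificateFile", "GnuTLSKeyFile"):
        if name not in d:
            findings.append(f"{name} missing: the server has no certificate to present")

    # Two-way SSL: the gateway must know the client CA chain and must refuse
    # connections that do not present a valid client certificate.
    if "GnuTLSClientCAFile" not in d:
        findings.append("GnuTLSClientCAFile missing: client certificates cannot be validated")
    if d.get("GnuTLSClientVerify", "ignore").lower() != "require":
        findings.append("GnuTLSClientVerify is not 'require': clients without a certificate are accepted")

    tokens = priority_tokens(d.get("GnuTLSPriorities", ""))
    if not tokens or tokens[0].upper() not in ACCEPTED_BASES:
        findings.append("GnuTLSPriorities does not start at SECURE or stricter")
    for tok in tokens[1:]:
        # '+' re-enables a keyword; '!' and '-' both disable one.
        if tok[:1] == "+" and tok[1:].upper() in LEGACY_VERSIONS:
            findings.append(f"GnuTLSPriorities explicitly re-enables {tok[1:]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post config", GOOD_CONFIG), ("weak config", WEAK_CONFIG)):
        problems = check_gateway_config(cfg)
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  -", p)
```

Running the script reports no findings for the post's configuration and four for the weakened variant. The checker only reads what the directives say; it does not prove that the server actually negotiates TLS v1.2, so after the module is loaded it is still worth confirming the negotiated protocol version with a TLS client against the running vhost.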
