● The High-Tech How Not to be Seen, Part 5 - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: "Roy Guo" <roy@szu.edu.cn>, 信区: Linux
标  题: The High-Tech How Not to be Seen, Part 5
发信站: ShenZhen University (Sun Dec  5 19:37:19 1999)
转信站: ShenZhen-University!bbs.szu.edu.cn!not-for-mail
出  处: 210.39.3.71

The High-Tech How Not to be Seen, Part 5

                              by Marcel Gagn~{(&~} <mggagne@salmar.com>
                                           3-Dec-1999

Practical invisibility for the Web--SSL.

Welcome back, everyone, to yet another week of practical invisibility for
Linux users here at Sys Admin's Corner.

Ages back (last week, in fact), we looked at what happens inside your
browser; this whole notion of certificates and
certificate authorities, or CAs. The more astute among you (I know--that's
everyone!) pretty much figured out this meant an
article on implementing SSL and secure services for your web site.

SSL is a secure network protocol originally created by Netscape
Communications, and is one of several Transport Layer
Security protocols (SSH, which we talked about a few weeks ago, is another).
The chief application/drive for SSL was and
remains electronic commerce. For users to willingly send their credit card
information over the Web, they needed to be
convinced that no one could intercept and decode their information (despite
the fact that those same people will drop their
credit card on a restaurant table while an anonymous server walks by, picks
it up, and wanders off with it--but that's another
story). For e-commerce to flourish, we needed something like SSL, and
Netscape answered that call. The current version of
the SSL protocol is v3. If you're really curious, you can visit the Netscape
web site for the current SLL 3.0 specifications.

   http://www.netscape.com/eng/ssl3

Some time after SSL was created, the model was distributed to the World Wide
Web Consortium (often referred to as
simply http://www.w3.org). ) I mention W3C because it is an international
organization dedicated to taking protocols like SSL
and directing them towards some kind of global interoperability. The World
Wide Web Consortium is the place to go if you
want to explore web-related standards. But, I digress ...

Allow me a few "weasel words" before I continue with this. SSL technology
can be used freely just about anywhere. In the
United States (due largely to patent restrictions), you are still free (as I
understand it) to use this encryption technology for
non-profit and educational purposes. You can, when you build openssl, remove
offending encryption algorithms from the
package. RC4 and RC5, for instance, are patented by RSA. If you read the
license document in the openssl package (any
crypto software), you'll be warned that using and building this stuff is
entirely your responsibility. (end weasel words)

You can find the openssl package by surfing over to http://www.openssl.org
and downloading the latest version. At the time of
this writing, it was version 0.9.4.

After downloading the package, extract the files and build the distribution.

   # tar -xzvf openssl-0.9.4.tar.gz
   # cd openssl-0.9.4
   # ./config

You can, if you wish, change the configuration option to load openssl into a
different directory structure. The default is
/usr/local/ssl (which suited my purposes fine). Check the INSTALL file if
you want to go outside the defaults. The most
likely thing you would do is omit a particular cipher or change the default
install directory. For instance,

   # ./config --prefix=/usr/myspecialdir -no-rc4

would create a Makefile that would install openssl in /usr/myspecialdir/ssl
instead of /usr/local. It would also build
the software without the rc4 cryptographic algorithm.

Next, you need to do a make followed a few minutes later by a make test. The
make test will do all sorts of neat things, like
run through encryption and decryption tests on all the ciphers you have
built. Some of them will take awhile.

Now do a make install. When this build happens, two interesting libraries
get created. They are libcrypto.a and
libssl.a. Since you will be using these again when we create our Apache web
server with SSL next week (darn! I've given it
away), you need to know where they are. For the apache build to find them,
you need to set your LD_LIBRARY_PATH variable
to find them later.

   # LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/ssl/lib
   # export LD_LIBRARY_PATH

You might want to throw those two lines into your $HOME/.bash_profile. If
you are lazier than that (I am), why not simply
create a symbolic link to the files from /usr/lib where all package builds
will look anyhow?

   # ln -s /usr/local/ssl/lib/libcrypto.a /usr/lib/libcrypto.a
   # ln -s /usr/local/ssl/lib/libssl.a /usr/lib/libssl.a

Since I've already told you what we are eventually going to use this Secure
Sockets Layer package for (the Apache secure
server), you might want to know what else we can do with this monster, now
that we've built it. Glad you asked.

SSL is not so much a final product as the foundation for many others, like
the Apache server I mentioned at the beginning. A
good place to look for SSL applications is from the OpenSSL web site,
specifically at this URL:

    http://www.openssl.org/related/apps.html .

While I was hunting around for applications for SSL (I do check these things
out, you know), I found a cool little text-only
browser. Yes, I admit it; I often find myself using Lynx when I am on a
text-only telnet connection with a customer and I need
to look for something on the 'net. That's how I ran across W3M, a text-only
browser like lynx, only more so. Aside from its
ability to deal with SSL connections, it can also handle tables and frames
and color. You can even use your mouse (with gpm)
to click your way from URL to URL. All this for the low, low price of ...
nothing. The programmer has a sense of humour,
evident from his README file. Here it is in its entirety.

   If you can read English, see doc/*.
   If you can read Japanese, see doc-jp/*.
   If you can read both, read both and correct English. :-)

W3M is worth checking out. The appropriate address is
http://ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/eng/.

Another application for OpenSSL which you may not have immediately thought
of is SAMBA, your Windows-style file and
printer server. If secure communications between your PC clients and your
SAMBA server are desirable, you can compile
SAMBA from the source with SSL enabled. What's this? I just heard somebody
from the back asking why I would want to
run SSL-enabled SAMBA. If you go back to my article on port sniffers
(Thwarting the System Cracker, Part 6), you'll
remember that every keystroke you type on your network can be picked up by a
port sniffer. The same holds true for a
document you may have open on an SMB-shared drive. Think about this as you
edit that spreadsheet which details
executive salaries.

Your stock SAMBA server does not have these services built into the code. If
you want this feature, you can now add it with
the help of your brand-new SSL toolkit and libraries. When you run your
../configure script for the SAMBA build, just add
--with- ssl to the command (./configure --with-ssl). For the latest SAMBA
source, visit http://www.samba.org.

So there you have it. As mentioned, there are other applications that use
OpenSSL as the basis for secure communication.
Check out the OpenSSL link above and see for yourself. Next week, we'll
build Apache with the OpenSSL module,
mod_ssl.

Anyway, that's it for now. Until next week, run silent, run encrypted.

Copyright ? 1999 Specialized Systems Consultants, Inc.

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店