#1 yoshi, January 13th, 2002, 02:33 PM
Howto: Installing OpenSSL and the SSL perl module Net::SSLeay.pm

Here is the step by step process for installing a working version of OpenSSH on your MacOS X 10.1.2
Install. I have done this HowTo with 10.1.2 in mind and I will not guarantee that this will work on
10.0.x.

OpenSSH Install:

Notes about this install:
YOU MUST follow this exactly because scope and I were doing this on IRC for over
5 hours! We tried many ways and this is the only one that worked for us. If you deviate from the
path I will not answer your support question. I know this seems harsh but this is the way it has to
be since this was a complete pain! You also need this before SSH will work.

Step 1) Download OpenSSH 0.96c here: http://www.openssl.org/source/openssl-0.9.6c.tar.gz

Step 2) Uncompress the archive and rename the resulting folder "openssl"

Step 3) Open up the terminal and type cd /users/YOURUSERNAME/desktop/

Step 4) Type sudo mv openssh /usr/local/

Step 5) Type sudo cd /usr/local/openssl

Step 6) Type ./config

Step 7) Type make

Step 8) Type make install


Net::SSLeay.pm Install:

Notes about this install:
This install, like the other one, is very sensitive to the options you use and I recommend following
these instructions exactly. Like the above notes, scope and I were working on this for a long while
and I think we are benefiting everyone who needs SSL for OS X. Also, if you see an error message that
says "some error [ignored]" don't worry about it; we had 1 error also but it wasn't serious and
everything is working... Apple's cc compiler can be finicky sometimes.

Step 1) Download Net::SSLeay.pl here: http://www.bacus.pt/Net_SSLeay/Net_S...pm-1.12.tar.gz

Step 2) Uncompress the archive and rename the resulting folder "netssl"

Step 3) Open up the terminal and type cd /users/YOURUSERNAME/desktop/netssl

Step 4) Type perl Makefile.PL -t

Step 5) Type sudo make install


That should be it, you now have OpenSSL 0.96c installed and the perl module Net::SSLeay 1.12
installed and working. One way to test this is to install webmin, for which I also wrote a howto that
is very easy to do; I recommend you follow that one as well to test your installation here. As for
compiling notes, it varies from computer to computer: I myself did all the Net::SSLeay stuff in about
7 minutes, while scope has a G4 (I have a G3) and it took him about 10-12 minutes.

Good Luck and post any questions.

`Yoshi
__________________
12" PowerBook G4: 1.5Ghz, 768MB/RAM, 60GB HDD, Combo Drive, 64MB GeforceFX 2 Go, Airport Extreme + BT

Quicksilver G4: 1.53Ghz G4, 1GB/RAM, 160GB HDD, SuperDrive, Radeon 9800 Pro (128MB), Airport Card, AppleVision 850AV, Applevision 1710AV

PowerMac G3 Server: 400Mhz G3, 512MB/RAM, Dual 40GB RAID 0, Dual 80GB RAID 0, 40GB Boot Drive, DVD/CD Optical Drive, Ultra2 SCSI Card hooked to a DDS-4 Tape Drive, No Monitor

PowerMac 8500: Vintage

Last edited by yoshi; January 17th, 2002 at 02:58 PM.
#2 scope, January 13th, 2002, 03:14 PM
Yeah, I opened my G4 as I do for fun every now and then, and the whole MoBo was burning up, even the RAM chips. I got a fan or two and some cold beer from the fridge and helped cool it down. Of course, I put protection so as the MoBo wouldn't get wet. I think it was because I was compiling about 10 things at once along with running some apps.
__________________
scope
PowerMac G4 400MHz AGP, Radeon AGP, 54GB hard drive space, 512MB RAM, Mac OS X 10.1.5 and 10.2, Mac OS 9.2.2, ASD 17" Monitor, Altec Lansing APT5 Stereo System, APS Tech 8x4x32x CD-RW Drive. | PowerMac G3 233MHz with stuff. | PowerMac 8500/120 with other stuff.... | 6100/60 acting as network firewall. |
#3 mikasjoman, January 17th, 2002, 05:24 AM
Errors...

Some comments...

Well, the first thing you have to have installed is the cc compiler from Apple; if you don't have it, don't try it.

Then no. 5 was wrong, you can't type:
cd sudo /adirectory/
should be cd /thedirectory/

-Mika
__________________
--------------------------------
[ Shiva the destroyer ]
#4 mikasjoman, January 17th, 2002, 05:28 AM
Would it be possible to make an installer?

Hi...

Do you think that it would be possible to make an installer?

Or at least a .command file?

A .sh file?
#5 scope, January 17th, 2002, 07:06 AM
I'll see if I can turn it into a .pkg file.
#6 WhateverJoe, January 17th, 2002, 09:32 AM
I may be off here,

But I'm trying to learn asap, how to create a secure site on OS X using apache+php+mysql ... to my understanding the howto above is step one ?

But in conversation with a stepwise.com fellow, SSL and Apache on OS X is not quite a workable item at this time ??

I'm wondering if any one knows and if a howto is out on building a secure SSL site using OS X (Apache+php+mysql) ?

Thanks,
#7 mikasjoman, January 17th, 2002, 01:40 PM
Security...the small course.

If you start thinking of security, as we talk about web security, I think a good way of looking at it is as different layers.

I'll start at the wrong end: the computer that hosts the database server.

Try to have it as "out of the box" as possible, because when it comes to MacOS X that's as secure as you'll get.
Install what you have to, and don't mess around.

Get a good firewall that only allows visitors to get access via port 80.

Next, we come to the MySQL server.
The first thing you could do is to set the mysql.users table in mysql to only accept users from localhost.
And for the user you set up, please use something else than your wife's name as a password.

The next level, if you want it really secure, would be to encrypt at least the user data that is stored in the database.

Let's say that you make a login db with a table called user_info.
What I did yesterday with a nice web application that is in beta right now called LassoPro5 was this:


A websurfer decides to register on my homepage. He then fills out his form, which is really personal shit to him. But I tell him that everything, except his login name, will be encrypted. So now he feels safe and sends his form to my page called create_sec_user.lasso

Then what I do looks like this:

[var: 'encrypted_password' = (encrypt_md5: (form_param: 'the_password'))]
[var: 'user_data' = (encrypt_blowfish: (form_param: 'user_data'), -seed='myWebDevSecretPassword')]
Now I have his password in an encrypted form in a variable.

To put it in a table I do like this:

[inline: -database='user_db',
-table='user_info',
'username'=(form_param: 'his_username'),
'password'=(var: 'encrypted_password'),
'user_data'=(var: 'user_data'),
-username='A_username_configurated_to_allow_to_add_in_Lasso5',
-password='the_lasso_user_password_to_add',
-add]

This would now add a record to my LassoMySQL database with an encrypted password and a username with the form parameters he sent.
Of course I first had to check if someone is registered with that username, but I won't do that here.

The first thing I did was encrypting the password in something called MD5. What that is will be easiest explained in this login example.

// code to search for a username and now to test the password sent again.
[if: (encrypt_md5: (form_param: 'password')) == (field: 'password')]
You have the right to log in
[else]
Sorry try again, wrong password.
[/if]

Well, MD5 is a one way encryption, usually used for logins. What I first do is to find if there is a username in the system (not encrypted, and not in the code I wrote), and if there is one, I encrypt the password he tried to log in with and compare if the result is the same as the first time he encrypted his password (the time he registered).
So it's impossible for me as a webmaster to decrypt his password. Makes him happy, and me too, because I'm safe that if someone manages to steal my user database, he does not get hold of the password.

Then I used an encryption method called Blowfish.
I took the form params from the userdata and encrypted them with my (the web server manager's) password, called a seed.
What I could have done is to encrypt it with his password if the IF statement looks all right, instead of my personal seed.

So now you're finished... not quite!

The problem is that when the web user sends his form params, the form is sent unencrypted. I am satisfied with saving all the user data encrypted, but if you would like to go on from there, you would have to go on with SSL.

What you first have to do to install (from what I have heard) is to get a verified certificate from a company such as VeriSign.

Then you would follow the guide here on how to set up SSL.

The method I would use would be something like this:

On the index.html page I would make a link to a secure login page.

On the secure login page, I would then make the user send his form params to my server.

Then check the form params against the MD5 encrypted password as explained before.

Then set something called a Session cookie, and end the SSL connection.
A session cookie is a cookie that gets updated every time a person clicks on a page.
If the person has not been active, the cookie is terminated, and if the person does not have a cookie, I log him out of the system.

That's it, folks!

That is what I know about web security.

Hope that was a small introduction.

Kind regards

- Mika

Send me an email if you like, and correct my errors. I'm not a security expert: mika@fortress.no
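The register-then-compare login flow from the post above, as an added example that is not part of the original thread or its Lasso code: Python's standard library stands in for Lasso, and a salted PBKDF2 record is shown beside the post's unsalted MD5 digest. The function names, the record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumption: work factor picked for this example


def md5_record(password: str) -> str:
    """Unsalted MD5 digest, the value the post stores in user_info.password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        iters_s, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters_s))
    except ValueError:
        return False  # malformed record: treat as a failed login
    return hmac.compare_digest(dk, expected)


def compare_schemes(password: str) -> dict:
    """Register two users with the same password under each scheme."""
    a, b = pbkdf2_record(password), pbkdf2_record(password)
    return {
        # Same password always gives the same MD5 value, so equal rows in a
        # copied table reveal shared passwords and can be looked up in bulk.
        "md5_identical": md5_record(password) == md5_record(password),
        # Per-user random salts make the stored records differ.
        "pbkdf2_identical": a == b,
        "both_verify": pbkdf2_verify(password, a) and pbkdf2_verify(password, b),
    }


if __name__ == "__main__":
    print(compare_schemes("constructed-sample-password"))
```
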
#8 yoshi, January 17th, 2002, 02:06 PM
Re: Errors...

Quote:
Originally posted by mikasjoman
Some comments...

Well, the first thing you have to have installed is the cc compiler from Apple; if you don't have it, don't try it.

Then no. 5 was wrong, you can't type:
cd sudo /adirectory/
should be cd /thedirectory/

-Mika
Buddy, trust me, if you want to get this done right just do it the way I say to above. I have tested many ways of doing this and it is the way that is the fastest. If you want to start flying off from the Howto I will not try and help, because I spent several hours getting this right and if it worked for me it should work for you; if you don't know the admin password, that's fine, it won't work. Your way may work also, but usually only admins can access /usr/local, trust me, I know, although the cd sudo part was a screw-up; it's fixed now...

In response to having the Apple CC compiler, that is a "NO DUH!" comment. People who are getting into compiling should know to have the developer tools installed. But you have duly proven me wrong, so now any HowTos I do shall include a line in the disclaimer about having the Developer tools.

I also have a question for you: how much experience do you have in Linux/Unix? If you have had much, these comments weren't needed, as the way the howto is set up is for people who don't have much experience with this sort of thing. People who do usually don't need howtos.


I know all these comments sounded harsh but it's all good; I hope you don't take them the wrong way and go crazy on us.

Have a good one folks

`Yoshi
Last edited by yoshi; January 17th, 2002 at 02:57 PM.
All times are GMT -5.