[HOWTO] - Installing OpenSSL and the SSL perl module Net::SSLeay.pm

Discussion in 'HOWTO & FAQs' started by yoshi, Jan 13, 2002.

  1. yoshi

    Here is the step-by-step process for installing a working version of OpenSSH on your MacOS X 10.1.2
    install. I have done this HowTo with 10.1.2 in mind and I will not guarantee that this will work on
    10.0.x.

    OpenSSH Install:

    Notes about this install:
    YOU MUST follow this exactly because me and scope were doing this on IRC for over
    5 hours! We tried many ways and this is the only one that worked for us. If you deviate from the
    path I will not answer your support question. I know this seems harsh but this is the way it has to
    be since this was a complete pain! You also need this before SSH will work.

    Step 1) Download OpenSSH 0.96c here: http://www.openssl.org/source/openssl-0.9.6c.tar.gz

    Step 2) Uncompress the archive and rename the resulting folder "openssl"

    step 3) Open up the terminal and type cd /users/YOURUSERNAME/desktop/

    step 4) type sudo mv openssh /usr/local/

    step 5) type sudo cd /usr/local/openssl

    step 6) type ./config

    step 7) type make

    step 8) type make install


    Net::SSLeay.pm Install:

    Notes about this install:
    This install, like the other one, is very sensitive to the options you use and I recommend following
    these instructions exactly. Like the above notes, me and scope were working on this for a long while
    and I think we are benefiting everyone who needs SSL for OS X. Also, if you see an error message that
    says "some error [ignored]", don't worry about it; we had 1 error also but it wasn't serious and
    everything is working... Apple's cc compiler can be finicky sometimes.

    Step 1) Download Net::SSLeay.pl here: http://www.bacus.pt/Net_SSLeay/Net_SSLeay.pm-1.12.tar.gz

    step 2) Uncompress the archive and rename the resulting folder "netssl"

    step 3) Open up the terminal and type cd /users/YOURUSERNAME/desktop/netssl

    step 4) Type perl Makefile.PL -t

    step 5) type sudo make install


    That should be it, you now have OpenSSL 0.96c installed and the perl module Net::SSLeay 1.12
    installed and working. One way to test this is to install webmin, for which I also wrote a howto that
    is very easy to do; I recommend you follow that one as well to test your installation here. As for
    compiling notes, it varies from computer to computer: I myself did all the Net::SSLeay stuff in about
    7 minutes while scope has a G4 (I have a G3) and it took him about 10-12 minutes.

    Good Luck and post any questions.

    `Yoshi
     
  2. scope

    Yeah, I opened my G4 as I do for fun every now and then, and the whole MoBo was burning up, even the RAM chips. I got a fan or two and some cold beer from the fridge and helped cool it down. Of course, I put protection so as the MoBo wouldn't get wet. I think it was because I was compiling about 10 things at once along with running some apps.
     
  3. mikasjoman

    Some comments...

    Well the first thing you have to have installed is the cc compiler from Apple, if you don't have it, don't try it.

    Then no. 5 was wrong, you can't type:
    cd sudo /adirectory/
    should be cd /thedirectory/

    -Mika
     
  4. mikasjoman

    Hi...

    Do you think that it would be possible to make an installer?

    Or at least a .command file?

    A .sh file?
     
  5. scope

    I'll see if I can turn it into a .pkg file.
     
  6. WhateverJoe

    I may be off here,

    But I'm trying to learn asap how to create a secure site on OS X using apache+php+mysql ... to my understanding the howto above is step one?

    But in conversation with a stepwise.com fellow, SSL and Apache on OS X is not quite a workable item at this time??

    I'm wondering if anyone knows and if a howto is out on building a secure SSL site using OS X (Apache+php+mysql)?

    Thanks,
     
  7. mikasjoman

    If you start thinking of security, as we talk about web security, I think a good way of looking at it is as different layers.

    I'll start at the wrong end: the computer that hosts the database server.

    Try to have it as "out of the box" as possible, because when it comes to MacOS X that's as secure as you'll get.
    Install what you have to, and don't mess around.

    Get a good firewall that only allows visitors to get access via port 80.

    Next, we come to the MySQL server.
    The first thing you could do is to set the mysql.users table in mysql only to accept users from localhost.
    And the user you set up, please use something else than your wife's name as a password :)

    The next level, if you want it really secure, would be to encrypt at least the user data that is stored in the database.

    Let's say that you make a login db with a table called user_info.
    What I did yesterday with a nice web application that is in beta right now called LassoPro5 was this:


    A websurfer decides to register on my homepage. He then fills out his form, which is really personal shit to him. But I tell him that everything, except his login name, will be encrypted. So now he feels safe and sends his form to my page called create_sec_user.lasso

    Then what I do looks like this:

    [var: 'encrypted_password' = (encrypt_md5: (form_param: 'the_password'))]
    [var: 'user_data' = (encrypt_blowfish: (form_param: 'user_data'), -seed='myWebDevSecretPassword')]
    Now I have his password in an encrypted form in a variable.

    To put it in a table I do like this:

    [inline: -database='user_db',
    -table='user_info',
    'username'=(form_param: 'his_username'),
    'password'=(var: 'encrypted_password'),
    'user_data'=(var: 'user_data'),
    -username='A_username_configurated_to_allow_to_add_in_Lasso5',
    -password='the_lasso_user_password_to_add',
    -add]

    This would now add a record to my LassoMySQL database with an encrypted password and a username with the form parameters he sent.
    Of course I first had to check if someone is registered with that username, but I won't do that here.

    The first thing I did was encrypting the password in something called MD5. What that is will be easiest explained in this login example.

    // code to search for a username and now to test the password sent again.
    [if: (encrypt_md5: (form_param: 'password')) == (field: 'password')]
    You have the right to log in
    [else]
    Sorry try again, wrong password.
    [/if]

    Well, MD5 is a one way encryption, usually used for logins. What I first do is to find if there is a username in the system (not encrypted, and not in the code I wrote), and if there is one, I encrypt the password he tried to log in with and compare if the result is the same as the first time he encrypted his password (the time he registered).
    So it's impossible for me as a webmaster to decrypt his password. Makes him happy, and me, because I'm safe that if someone manages to steal my user database, he does not get hold of the password.

    Then I used an encryption method called Blowfish.
    I took the form params from the userdata and encrypted it with my (the web server manager's) password, called a seed.
    What I could have done is to encrypt it with his password if the IF statement looks alright, instead of my personal seed.

    So now you're finished... not quite!

    The problem is that when the web user sends his form params, the form is sent unencrypted. I am satisfied with saving all the user data encrypted, but if you would like to go on from there, you would have to go on with SSL.

    What you first have to do to install (from what I have heard) is to get a verified certificate from a company such as VeriSign.

    Then you would follow the guide here on how to set up SSL.

    The method I would use would be something like this:

    On the index.html page I would make a link to a secure login page.

    On the secure login page, I would then make the user send his form params to my server.

    Then check the form params against the MD5 encrypted password as explained before.

    Then set something called a Session cookie, and end the SSL connection.
    A session cookie is a cookie that gets updated every time a person clicks on a page.
    If the person has not been active, the cookie is terminated, and if the person does not have a cookie, I log him out of the system.

    That's it, folks!

    That is what I know about web security.

    Hope that was a small introduction.

    Kind regards

    - Mika

    Send me an email if you like, and correct my errors. I'm not a security expert: mika@fortress.no
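
The register/login comparison described in the post above, as an added Python example (not part of the original post and not Lasso code). `md5_digest` mirrors the post's `encrypt_md5` check; the salted PBKDF2 functions beside it go beyond the post and show the same flow with a per-user salt and a slow key-derivation function. All function names, the iteration count and the sample users are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def md5_digest(password: str) -> str:
    """Scheme from the post: store MD5(password), re-hash the attempt at login."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_login_ok(stored_digest: str, attempt: str) -> bool:
    return hmac.compare_digest(stored_digest, md5_digest(attempt))


def register(password: str) -> dict:
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": derived.hex(), "iterations": PBKDF2_ITERATIONS}


def login_ok(record: dict, attempt: str) -> bool:
    derived = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(derived.hex(), record["hash"])


def shared_digest_groups(table: dict) -> list:
    """Audit helper: groups of usernames whose stored digests are identical."""
    by_digest = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


def demo() -> tuple:
    # Constructed sample users; two of them picked the same password.
    sample = {"alice": "hunter2", "bob": "hunter2", "carol": "tr0ub4dor"}
    md5_table = {u: md5_digest(p) for u, p in sample.items()}
    kdf_table = {u: register(p)["hash"] for u, p in sample.items()}
    return shared_digest_groups(md5_table), shared_digest_groups(kdf_table)


if __name__ == "__main__":
    md5_groups, kdf_groups = demo()
    print("users sharing a digest, unsalted MD5:", md5_groups)
    print("users sharing a digest, salted PBKDF2:", kdf_groups)
```

With unsalted MD5 a copy of the user table shows which accounts share a password; with a per-user salt every stored value is distinct even for identical passwords.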
     
  8. yoshi

    Buddy, trust me, if you want to get this done right just do it the way I say to above. I have tested many ways of doing this and it is the way that is the fastest. If you want to start flying off from the Howto I will not try and help, because I spent several hours getting this right and if it worked for me it should work for you; if you don't know the admin password, that's fine, it won't work. Your way may work also, but usually only admins can access /usr/local, trust me I know, although the cd sudo part was a screw up, it's fixed now...

    In response to having the Apple CC compiler, that is a "NO DUH!" comment. People who are getting into compiling should know to have the developer tools installed. But you have duly proven me wrong, so now any HowTo's I do shall include a line in the disclaimer about having the Developer tools.

    I also have a question for you: how much experience do you have in Linux/Unix? If you have had much, these comments weren't needed, as the way the howto is set up is for people who don't have much experience with this sort of thing. People who do usually don't need howto's.


    I know all these comments sounded harsh but it's all good :) I hope you don't take them the wrong way and go crazy on us.

    Have a good one folks :)

    `Yoshi
     
  9. mikasjoman

    Well, my experience is ONLY darwin unix.
    About one and a half years playing and managing 10 different MacOSX servers.

    And no, I'm not a great UNIX geek, but I have more experience than most out there. Still, any person who does not have 3 years of unix experience is looked at as a beginner in the communities. So; I'm a beginner.

    Still, I think that my comment was right.

    Prove me wrong, but I have never managed to write:

    sudo cd somecatalog

    in any darwin OS. If I don't remember wrong, if you issue a sudo statement you are in sudo "mode" for five minutes, depends on how you configure your computer. So you don't actually have to write it, or??

    I don't take your comments as something bad, but something really good. No, I did not know that you had to have the developer tools, and I would love to have a 4 click install of it.
    I'm a mac person that had to learn UNIX, because it's a part of my damn work.
    So if any of you could make one of those really nice installers, :))))))
    Scope?

    Kind regards

    Mika
     
  10. scope

    Damned package maker is confusing, plus I'm sick. Give me a day or two, perhaps.
     
  11. mikasjoman

    Well, I found a site that says that SSL is built in MacOSX.

    And... I found out that it is!!

    In /System/Library/OpenSSL actually it is installed!!

    Any comments on this, and to set it up, is it possible to set it up?

    But according to the site, MacOSX Server does not have it... even though I found it at the same place...

    http://www.oic.de/index.htm

    and Scope, great!

    - Mika
     
  12. yoshi

    Actually it's broken; it is in fact installed but it doesn't have headers and it is really easier to reinstall. I am a *nix Geek in training so take my word for it :).

    As for my cd sudo deal, yeah, I didn't see that until after I typed my reply, so yeah I screwed up, but I edited the first post with a correction. I wrote this How-To half asleep and it was like 4AM when I did it, so I had some weird typing lol. All's good though.


    If you want more info on the SSL installed with OS X let me know. I will tell you it doesn't work out of the box, but what I think is that a lot of the technology that OS X Server uses is in OS X Client but the files are broken and we have to fix them to enable.

    Cheers

    ~Yoshi
     
  13. yoshi

    I will get the package made today if someone tells me where package maker is or where I can download it. I almost never use packages unless it's from Apple because I love the command line way of doing things.


    `Yoshi
     
  14. mikasjoman

    Well, since I have never ever used SSL, what do I do when I have set the SSL up?

    From what I understand, this guide you wrote is a how-to for installing SSL, but what about configuring it?

    I would love to see a guide about that!

    Maybe a "SSL Certificate, getting, configuring, and managing it" guide?

    That would be really cool!

    And please tell me when you're finished making the installer!

    Thanks for your great work!

    - Mika
     
  15. yoshi

    It's not really an application, there isn't much to config; things like netSSL will require it be installed. As for certificates, we will discuss those soon/later.


    `Yoshi :)
     
  16. scope

    It's in /Developer/Applications/Package Maker. That is, if you have the Dev Tools installed, which I can safely assume you do.
     
  17. MacMarshall

    Yoshi,

    I haven't bought an OS X Mac yet, but I have written Perl apps under UNIX. The way you're installing the SSL library is fine, but it does have a major limitation: Portability.

    Here's the problem you can have: Somebody develops a big Perl app, tests the daylights out of it, installs it on a different machine -- and it doesn't work. The cause is usually that a library such as SSL or XMLParser was installed in a system-wide directory on the development system, but not on the production machine.

    On UNIX boxes, I TAR up the installed version of the library, and move & un-tar it to a sub-directory of my Perl app (like "libs/"). Then, I add "libs/" to the push @INC line in the beginning of my Perl app. When I distribute my Perl app, I tar it up with its sub-directories. This way, my app can be installed on any system that has the baseline installation of Perl.

    If you're only writing stuff for personal use, it does not matter. But if the code is going to be used for production, such as a 24x7 web server, the method I describe can make life a lot easier. On the other hand, if the SSL library includes any compiled files (such as .so files), these files won't be cross-platform to other UNIX or Windows boxes - so you're better off writing clear instructions.
     
  18. travelfox

    I know this is an old thread, but I'm having trouble installing this zip file. Can someone please help me out with this? I'm trying to get this to work with the informer widget. My real trouble is where do you put the file once you change its name, and what is "your user name" (cd /users/YOURUSERNAME/desktop/), because I tried everything & nothing works. Can someone post a better example? - thanks - T/F
     
  19. PER3

    Judging from your post, you are trying to install SSL. You don't need to now—the already installed version works fine. You only need to install net_SSLeay.

    "Your user name" is just that—the name you use to log on.

    When I installed net_SSLeay, I followed the instructions for Unix in the read me (on an Intel Book).

    I didn't use

    perl Makefile.PL -t

    but rather


    ./Makefile.PL -t
    sudo make install

    What is your machine?
     
  20. PER3

    Oh, and it might not hurt to use the more recent Net_SSLeay.pm-1.30. Just Google it!
     
