[HOWTO] - Installing OpenSSL and the SSL perl module Net::SSLeay.pm

yoshi

Here is the step by step process for installing a working version of OpenSSH on your MacOS X 10.1.2
Install. I have done this HowTo with 10.1.2 in mind and I will not guarantee that this will work on
10.0.x.

OpenSSH Install:

Notes about this install:
YOU MUST follow this exactly because me and scope were doing this on IRC for over
5 hours! We tried many ways and this is the only one that worked for us. If you deviate from the
path I will not answer your support question. I know this seems harsh but this is the way it has to
be since this was a complete pain! You also need this before SSH will work.

Step 1) Download OpenSSH 0.96c here: http://www.openssl.org/source/openssl-0.9.6c.tar.gz

Step 2) Uncompress the archive and rename the resulting folder "openssl"

Step 3) Open up the terminal and type cd /users/YOURUSERNAME/desktop/

Step 4) type sudo mv openssl /usr/local/

Step 5) type sudo cd /usr/local/openssl

Step 6) type ./config

Step 7) type make

Step 8) type make install


Net::SSLeay.pm Install:

Notes about this install:
This install, like the other one, is very sensitive to the options you use and I recommend following
these instructions exactly. Like the above notes me and scope were working on this for a long while
and I think we are benefiting everyone who needs SSL for OS X. Also if you see an error message that
says "some error [ignored]" don't worry about it, we had 1 error also but it wasn't serious and
everything is working... Apple's cc compiler can be finicky sometimes.

Step 1) Download Net::SSLeay.pl here: http://www.bacus.pt/Net_SSLeay/Net_SSLeay.pm-1.12.tar.gz

Step 2) Uncompress the archive and rename the resulting folder "netssl"

Step 3) Open up the terminal and type cd /users/YOURUSERNAME/desktop/netssl

Step 4) Type perl Makefile.PL -t

Step 5) type sudo make install


That should be it, you now have OpenSSL 0.96c installed and the perl module Net::SSLeay 1.12
installed and working. One way to test this is to install webmin, for which I also wrote a howto that
is very easy to do; I recommend you follow that one as well to test your installation here. As for
compiling notes it varies from computer to computer. I myself did all the Net::SSLeay stuff in about
7 minutes while scope has a G4 (I have a G3) and it took him about 10-12 minutes.

Good Luck and post any questions.

`Yoshi
 
Yeah, I opened my G4 as I do for fun every now and then, and the whole MoBo was burning up, even the RAM chips. I got a fan or two and some cold beer from the fridge and helped cool it down. Of course, I put protection so as the MoBo wouldn't get wet. I think it was because I was compiling about 10 things at once along with running some apps.
 
Some comments...

Well the first thing you have to have installed is the cc compiler from Apple, if you don't have it, don't try it.

Then no: 5 was wrong, you can't type:
cd sudo /adirectory/
should be cd /thedirectory/

-Mika
 
I may be off here,

But I'm trying to learn asap, how to create a secure site on OS X using apache+php+mysql ... to my understanding the howto above is step one ?

But in conversation with a stepwise.com fellow, SSL and Apache on OS X is not quite a workable item at this time ??

I'm wondering if any one knows and if a howto is out on building a secure SSL site using OS X (Apache+php+mysql) ?

Thanks,
 
If you start thinking of security, as we talk about web security, I think a good way of looking at it is as different layers.

I'll start at the wrong end: the computer that hosts the database server.

Try to have it as "out of the box" as possible, because when it comes to MacOS X that's as secure as you'll get.
Install what you have to, and don't mess around.

Get a good firewall that only allows visitors to get access via port 80.

Next, we come to the MySQL server.
The first thing you could do is to set the mysql.users table in mysql only to accept users from localhost.
And the user you set up, please use something else than your wife's name as a password :)

The next level, if you want it really secure would be to encrypt at least the user data that is stored in database.

Let's say that you make a login db with a table called user_info.
What I did yesterday with a nice webapplication that is on beta right now called LassoPro5 was this:


A websurfer decides to register on my homepage. He then fills out his form, which is really personal shit to him. But I tell him that everything, except his login name will be encrypted. So now he feels safe and sends his form to my page called create_sec_user.lasso

Then what I do looks like this:

[var: 'encrypted_password' = (encrypt_md5: (form_param: 'the_password'))]
[var: 'user_data' = (encrypt_blowfish: (form_param: 'user_data'), -seed='myWebDevSecretPassword')]
Now I have his password in an encrypted form in a variable.

To put it in a table I do like this:

[inline: -database='user_db',
-table='user_info',
'username'=(form_param: 'his_username'),
'password'=(var: 'encrypted_password'),
'user_data'=(var: 'user_data'),
-username='A_username_configurated_to_allow_to_add_in_Lasso5',
-password='the_lasso_user_password_to_add',
-add]

This would now add a record to my LassoMySQL database with an encrypted password and a username with the form parameters he sent.
Of course I first had to check if someone is registered with that username, but I won't make that here.

The first thing I did was encrypting the password in something called MD5. What that is, will easiest be explained in this login example.

// code to search for a username and now to test the password sent again.
[if: (encrypt_md5: (form_param: 'password')) == (field: 'password')]
You have the right to log in
[else]
Sorry try again, wrong password.
[/if]

Well, MD5 is a one way encryption, usually used for logins. What I first do is to find if there is a username in the system (none encrypted, and not in the code I wrote), and if there is one, I encrypt the password he tried to log in with and compare if the results are the same as the first time he encrypted his password (the time he registered).
So it's impossible for me as a webmaster to decrypt his password. Makes him happy and me because I'm safe that if someone manages to steal my user database, he does not get hold of the password.

Then I used an encryption method called Blowfish.
I took the form params from the userdata and encrypted it with my (the web server manager's) password, called a seed.
What I could have done is to encrypt it with his password if the IF statement looks all right, instead of my personal seed.

So now you're finished... not quite!

The problem is that when the web user sends his form params, the form is sent unencrypted. I am satisfied with saving all the user data encrypted, but if you would like to go on from there, you would have to go on with SSL.

What you first have to do to install (what I have heard), is to get a verified certificate from a company such as Verisign.

Then you would follow the guide here on how to set up SSL.

The method I would do would be something like this:

On the index.html page I would make a link to a secure login page.

On the secure login page, I would then make the user send his form params to my server.

Then check the form params against the MD5 encrypted password as explained before.

Then set something called a Session cookie, and end the SSL connection.
A session cookie is a cookie that gets updated every time a person clicks on a page.
If the person has not been active, the cookie is terminated, and if the person does not have a cookie, I log him out of the system.

That's it, folks!

That is what I know about web security.

Hope that was a small introduction.

Kind regards

- Mika

Send me an email if you like, and correct my errors. I'm not a security expert: mika@fortress.no
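
The register-then-compare login flow from the post above, as an added Python example that is not part of the original post and is not LassoPro code: it stores the same constructed users once with unsalted MD5 and once with a per-user salt and PBKDF2, then reports which accounts end up with identical stored values. The user names, passwords and the round count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune it for your hardware


def md5_record(password):
    """Unsalted MD5, the scheme the post uses at registration."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_login_ok(stored, attempt):
    return hmac.compare_digest(stored, md5_record(attempt))


def kdf_record(password, salt=None):
    """Salted, deliberately slow hash: store salt, rounds and digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def kdf_login_ok(record, attempt):
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    record["salt"], record["rounds"])
    return hmac.compare_digest(record["digest"], candidate)  # constant time


def shared_digests(records):
    """Group usernames whose stored value is byte-for-byte identical."""
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample users; two of them picked the same password.
USERS = {"anna": "sommer2002", "bjorn": "sommer2002", "carl": "x9!Lk2#q"}


def demo():
    md5_table = {u: md5_record(p) for u, p in USERS.items()}
    kdf_table = {u: kdf_record(p) for u, p in USERS.items()}
    kdf_digests = {u: r["digest"] for u, r in kdf_table.items()}
    return {
        "md5_shared": shared_digests(md5_table),    # same password is visible
        "kdf_shared": shared_digests(kdf_digests),  # salts hide the reuse
        "login_ok": kdf_login_ok(kdf_table["anna"], "sommer2002"),
        "login_bad": kdf_login_ok(kdf_table["anna"], "sommer2003"),
    }
```

With unsalted MD5 a copied user table shows which accounts share a password and can be matched against precomputed digests; the salted records give no such grouping and each guess costs the full round count.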
 
Originally posted by mikasjoman
Some comments...

Well the first thing you have to have installed is the cc compiler from Apple, if you don't have it, don't try it.

Then no: 5 was wrong, you can't type:
cd sudo /adirectory/
should be cd /thedirectory/

-Mika

Buddy, trust me if you want to get this done right just do it the way I say to above. I have tested many ways of doing this and it is the way that is the fastest. If you want to start flying off from the Howto I will not try and help because I spent several hours getting this right and if it worked for me it should work for you, if you don't know the admin password that's fine it won't work. Your way may work also but usually only admins can access /usr/local trust me I know although the cd sudo part was a screw up it's fixed now...

In response to having the apple CC compiler that is a "NO DUH!" comment. People who are getting into compiling should know to have the developer tools installed. But you have duly proven me wrong so now any HowTo's I do shall include a line in the disclaimer about Having the Developer tools.

I also have a question for you: how much experience do you have in Linux/Unix? If you have had much these comments weren't needed as the way the howto is setup is for people who don't have much experience with this sort of thing. People who do usually don't need howto's.


I know all these comments sounded harsh but it's all good :) I hope you don't take them the wrong way and go crazy on us.

Have a good one folks :)

`Yoshi
 
Well, my experience is ONLY darwin unix.
About one and a half year playing and managing 10 different MacOSX servers.

And no, I'm not a great UNIX geek, but I have more experience than the most out there. Still, any person who does not have 3 years of unix experience, is looked as a beginner in the communities. So; I'm a beginner.

Still, I think that my comment was right.

Prove me wrong, but I have never managed to write:

sudo cd somecatalog

in any darwin OS. If I don't remember wrong, if you issue a sudo statement you are in sudo "mode" for five minutes, depends on how you configure your computer. So you don't actually have to write it, or??

I don't take your comments as something bad, but something really good. No, I did not know that you had to have the developer tools, and I would love to have a 4 click install of it.
I'm a mac person that had to learn UNIX, because it's a part of my damn work.
So if any of you could make one of those really nice installers, :))))))
Scope?

Kind regards

Mika
 
Well, I found a site that says that SSL is built in MacOSX.

And... I found out that it is!!

In /System/Library/OpenSSL actually it is installed!!

Any comments on this, and to set it up, is it possible to set it up?

But according to the site, MacOSX Server does not have it... even though I found it at the same place...

http://www.oic.de/index.htm

and Scope, great!

- Mika
 
Originally posted by mikasjoman
Well, I found a site that says that SSL is built in MacOSX.

And... I found out that it is!!

In /System/Library/OpenSSL actually it is installed!!

Any comments on this, and to set it up, is it possible to set it up?

But according to the site, MacOSX Server does not have it... even though I found it at the same place...

http://www.oic.de/index.htm

and Scope, great!

- Mika

Actually it's broken, it is in fact installed but it doesn't have headers and it is really easier to reinstall, I am a *nix Geek in training so take my word for it :).

As for my cd sudo deal yeah I didn't see that until after I typed my reply so yeah I screwed up but I edited the first post with a correction. I wrote this How-To half asleep and it was like 4AM when I did it so I had some weird typing lol. All's good though.


If you want more info on the SSL installed with OS X let me know. I will tell you it doesn't work out of the box but what I think is that a lot of the technology that OS X Server uses is in OS X Client but the files are broken and we have to fix them to enable.

Cheers

~Yoshi
 
Originally posted by scope
Damned package maker is confusing, plus I'm sick. Give me a day or two, perhaps.

I will get the package made today if someone tells me where package maker is or where I can download it, I almost never use packages unless it's from apple because I love the command line way of doing things.


`Yoshi
 
Well, since I have never ever used SSL, what do I do when I have set the SSL up?

Of what I understand about this guide you wrote, is a how to install SSL, but what about configuring it?

I would love to see a guide about that!

Maybe a "SSL Certificate, getting, configuring, and managing it" guide?

That would be really cool!

And please tell me when you're finished making the installer!

Thanks for your great work!

- Mika
 
It's not really an application, there isn't much to config, things like netSSL will require it be installed. As for certificates, we will discuss those soon/later.


`Yoshi :)
 
Originally posted by yoshi


I will get the package made today if someone tells me where package maker is or where I can download it, I almost never use packages unless it's from apple because I love the command line way of doing things.


`Yoshi

It's in /Developer/Applications/Package Maker. That is, if you have the Dev Tools installed, which I can safely assume you do.
 
Yoshi,

I haven't bought an OS X Mac yet, but I have written Perl apps under UNIX. The way you're installing the SSL library is fine, but it does have a major limitation: Portability.

Here's the problem you can have: Somebody develops a big Perl app, tests the daylights out of it, installs it on a different machine -- and it doesn't work. The cause is usually that a library such as SSL or XMLParser was installed in a system-wide directory on the development system, but not on the production machine.

On UNIX boxes, I TAR up the installed version of the library, and move & un-tar it to a sub-directory of my Perl app (like "libs/"). Then, I add "libs/" to the PUSH@INC line in the beginning of my Perl app. When I distribute my Perl app, I tar it up with its sub-directories. This way, my app can be installed on any system that has the baseline installation of Perl.

If you're only writing stuff for personal use, it does not matter. But if the code is going to be used for production, such as a 24x7 web server, the method I describe can make life a lot easier. On the other hand, if the SSL library includes any compiled files (such as .so files), these files won't be cross-platform to other UNIX or Windows boxes - so you're better off writing clear instructions.
 
I know this is an old thread, but I'm having trouble installing this zip file. Can someone please help me out with this. I'm trying to get this to work with the informer widget. My real trouble is where do u put the file once u change its name, and what is "your user name" (cd /users/YOURUSERNAME/desktop/) cause I tried everything & nothing works. Can someone post a better example - thanks - T/F
 
Judging from your post, you are trying to install SSL. You don't need to now—the already installed version works fine. You only need to install net_SSLeay.

"Your user name" is just that—the name you use to log on.

When I installed net_SSLeay, I followed the instructions for Unix in the read me (on an Intel Book).

I didn't use

perl Makefile.PL -t

but rather


./Makefile.PL -t
sudo make install

What is your machine?
 