
SSL on Mac OSX

A longer-term project is to get the web server www.matrix.ua.ac.be integrated in our home network as an external WebDAV server (similar to the .Mac service offered by Apple). But as this server holds all information about the master class on non-commutative geometry, connecting to it via HTTP to use WebDAV is too great a security risk, as all username/password combinations will be sent without encryption. Hence the natural question whether this server can be set up to run SSL (Secure Sockets Layer) so that one can connect via HTTPS and all exchanged information will be encrypted. As the server is an Apache, it comes down to getting mod_ssl running. A Google search on mod_ssl OS X gives the ADC document Using mod_ssl on Mac OS X, which seems to be just what I want. This page is very well documented, giving detailed instructions on using the openssl command. However, the end result is rather weak: it only gets the localhost running HTTPS, that is, one can connect to your own computer safely… which is pretty ridiculous (other computers in the same network cannot even connect safely).

So, back to the Google list, on which one link raises my interest: Configuring mod_ssl on Mac OS X, which looks like the previous link but has one essential difference: the page is written by Marc Liyanage. If you ever tried to get PHP and/or MySQL running under OS X you will have noticed that his pages are by far the most reliable on the subject, so maybe he also has something interesting to say on mod_ssl. However, the bottom line of the document is not very promising:

You should now be able to access the content with https://127.0.0.1 from the same machine.

which is again the localhost. So perhaps it is just impossible to run mod_ssl without having an OS X Server. Anyway, let us try out his procedure. Begin by issuing the following commands in the Terminal:

    sudo -s
    cd /etc/httpd
    mkdir ssl
    chmod 700 ssl
    cd ssl
    gzip -c --best /var/log/system.log > random.dat    # seed material for openssl
    openssl rand -rand file:random.dat 0               # feed the seed file into the openssl RNG state

Next, we need a server certificate. If you want to do it properly you need a certificate from a certification authority such as Thawte, but this costs at least $200 a year, which I am not willing to pay. The alternative is to use a self-signed certificate, which will force the browser to display an error message, but if the user dismisses it all traffic exchanged with the server will still be encrypted, which is just what I want. So, type the command

    openssl req -keyout privkey-2001.pem -newkey rsa:1024 -nodes -x509 -days 365 -out cert-2001.pem

(all on one line).
You will be asked a couple of questions (the only important one is Common Name (eg, YOUR name)). Here you should take care to enter the host name of your web server, exactly as it will be used later, in the common name field. In my test case, if I want to get my server used by other computers in the network this name will be imaclieven.local. (note the trailing dot). Now issue the following commands

    chmod 600 privkey-2001.pem
    chown root privkey-2001.pem
    apxs -e -a -n ssl /usr/libexec/httpd/libssl.so

which will activate the SSL module (if at a later stage you want to deactivate it, change -a to -A in the last command).
Then we have to change the /etc/httpd/httpd.conf file, so first save a backup version and then add the following lines at the end of the file:

    <IfModule mod_ssl.c>
        Listen 80
        Listen 443
        SSLCertificateFile /etc/httpd/ssl/cert-2001.pem
        SSLCertificateKeyFile /etc/httpd/ssl/privkey-2001.pem
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
        <VirtualHost _default_:443>
            SSLEngine on
        </VirtualHost>
    </IfModule>

Finally, we do

    apachectl stop
    apachectl start

and we are done! Going to another computer in the network and typing https://imaclieven.local./ in Safari will result in an error message about the self-signed certificate.

Just click Continue and you will have a secure connection to the server. Thanks Marc Liyanage!
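As an added check (not code from the post or from Marc Liyanage's page), this Python script parses an httpd.conf fragment like the one above and reports the mistakes that would silently leave the server without HTTPS, for instance a hyphenated module name such as mod-ssl.c, which Apache does not recognise, so the whole IfModule block is skipped. The sample configuration is constructed from the post's block; the function names are my own.

```python
# Constructed sample: the post's httpd.conf fragment with angle brackets restored and mod_ssl.c spelled as Apache expects.
GOOD_CONF = """
<IfModule mod_ssl.c>
    Listen 80
    Listen 443
    SSLCertificateFile /etc/httpd/ssl/cert-2001.pem
    SSLCertificateKeyFile /etc/httpd/ssl/privkey-2001.pem
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    <VirtualHost _default_:443>
        SSLEngine on
    </VirtualHost>
</IfModule>
"""

def parse_directives(conf):
    """Flatten a config fragment into (enclosing sections, directive, arguments) tuples."""
    stack, out = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # closing tag such as </VirtualHost>
            if not stack or stack[-1][0] != line[2:-1]:
                raise ValueError("unbalanced section: " + line)
            stack.pop()
        elif line.startswith("<"):           # opening tag such as <VirtualHost _default_:443>
            tag, _, arg = line[1:-1].partition(" ")
            stack.append((tag, arg.strip()))
        else:                                # plain directive, e.g. "Listen 443"
            name, _, args = line.partition(" ")
            out.append((tuple(stack), name, args.strip()))
    return out

def check_ssl_config(conf):
    # Returns the problems that would leave the server without a working HTTPS port.
    ds = parse_directives(conf)
    problems = []
    for tag, arg in {sec for ctx, _, _ in ds for sec in ctx}:
        if tag == "IfModule" and arg != "mod_ssl.c":
            problems.append(f"IfModule {arg}: the module is mod_ssl.c, so Apache skips this block")
    if ("Listen", "443") not in {(n, a) for _, n, a in ds}:
        problems.append("no 'Listen 443': port 443 is never opened")
    for req in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if req not in {n for _, n, _ in ds}:
            problems.append(f"missing {req}")
    if not any(n == "SSLEngine" and a.lower() == "on"
               and any(t == "VirtualHost" and v.endswith(":443") for t, v in ctx)
               for ctx, n, a in ds):
        problems.append("no VirtualHost on :443 with 'SSLEngine on'")
    return problems
```

Running check_ssl_config on the block as it was typed with round brackets replaced but the hyphen left in mod-ssl.c flags the skipped IfModule, which is exactly the case where Apache restarts cleanly yet never opens port 443.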

(Added January 11th) Whereas the above allows one to make an HTTPS connection, it is not enough for my intended purposes. In order to get a secure connection to a WebDAV server, this server must have the mod_auth_digest module running, which seems to be impossible for the standard Apache server of 10.3. You need an OS X Server to have this facility. So I think I have to scale down my ambitions a bit.


one week blogging

So far I found it rather easy to post one or more messages a day, as I was installing a lot of software or trying to get things working and was merely logging my progress for future reference. These notes are useful to me but probably not to the rest of the world. Another thing I noticed is that I’m using this blog sometimes as a replacement for my Bookmarks, merely listing interesting web pages without too many personal comments. I will continue to post both install-logs and bookmark-logs, but in addition I want to write (say weekly) a lengthier post on a specific topic with more background, more details (such as screenshots) and more personal comments. We will see how this works out in the coming weeks…

Another thing that slightly worried me is that people visiting my homepage and clicking on to my blog may expect entirely different things there. But this can’t be helped; I’m sitting on an OSX cloud at the moment, but no doubt this will change quickly. At the beginning of February I have to give a talk on Combinatorial Game Theory and soon afterwards the Non-commutative Geometry Master Class starts, in which I’m giving a couple of courses, so mathematics will become more dominant in this blog from next month on…

On a blog-tech matter: I found a quite good editor, pMpost, which is meant to write pMachine blogs offline and upload them with one click. It also synchronizes categories etc. on login. Further, it has a spelling checker, but the thing I really like about it is that you can save texts as a draft and continue at a later time (sadly, it remembers the date/hour when you start your post, so when you finally submit it, it will be posted at the starting rather than the posting day; still, there is nothing that copy/paste cannot solve). I hope to use this facility when (read: if) I’m going for a more in-depth post. Another matter that I will address as quickly as possible (probably over the weekend) is the layout of this site. The main annoying thing is that the text doesn’t resize when you increase/decrease the window width. So I will address this matter first and probably leave a personal layout and color scheme for later. Fortunately, I did find a good site containing a lot of CSS templates for pMachine weblogs. Another site I’ll have to investigate over the weekend is pMtemplates. But don’t expect too much from the layout side, I still have other projects to worry about: SSL, WebDAV, streaming iTunes, getting an Ethernet DVD player to work and so on.


WarChalking


What then is all this WarWalking, WarDriving, WarChalking and so on? In particular, why the aggressive War-word in them? From what I learned, the historical origin of these terms comes from the 1983 movie “War Games”, in which a kid sets up his modem to dial numbers until it finds a computer to hack, leading inevitably to the US army in total panic. This hobby created the phrase WarDialing. By analogy, a person driving around in a car with a laptop in search of wireless networks is said to be WarDriving; if (s)he is on foot it is clearly WarWalking. Because of the aggressive nature of the War-subword some people have re-engineered an explanation:

WAR = Wireless Access Reconnaissance

so let us hope this acronym will catch on. Now then, what is WarChalking? It was invented by Matt Jones and the idea is that a WarWalker should write a symbol in chalk on the wall nearest to the discovered Access Point describing its nature (see picture on the left): the first sign depicts an open node, the next a closed one and the last one is a node with WEP protection (btw. WEP = Wired Equivalent Privacy). A lot of people seem to take this fairly seriously; there is even a webpage, warchalking.org, devoted to it on which you can find a lot more information. And as warchalking was originally British, there had to be an American site as well, containing among other things a not that active forum. Further, the unofficial HOW-TO of WarDriving may be interesting. To me it all sounds like an excuse to buy a GPS receiver and a laptop.
