{"id":15,"date":"2008-06-27T02:40:12","date_gmt":"2008-06-27T02:40:12","guid":{"rendered":"http:\/\/www.apmuga.com\/wordpress\/?p=15"},"modified":"2015-06-13T09:41:57","modified_gmt":"2015-06-13T09:41:57","slug":"configuracao-de-um-servidor-apache-com-ssl-no-windows-2000xp","status":"publish","type":"post","link":"https:\/\/www.apmuga.com\/wordpress\/configuracao-de-um-servidor-apache-com-ssl-no-windows-2000xp\/","title":{"rendered":"Configura\u00e7\u00e3o de um servidor Apache com SSL no Windows 2000\/XP"},"content":{"rendered":"

<\/span><\/p>\n

<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n

\n\n\n
\n\n\n
Configura\u00e7\u00e3o do servidor Apache com SSL no sistema operativo Windows 2000\/XP<\/span><\/td>\nVers\u00e3o PDF<\/span><\/a><\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<\/h3>\n

1.\u00a0\u00a0\u00a0Introdu\u00e7\u00e3o \u00a0\u00a0<\/span><\/a>Introdu\u00e7\u00e3o\u00a0<\/span><\/h3>\n

\u00a0<\/span>Este documento foi escrito com intuito ajudar na instala\u00e7\u00e3o do servidor web<\/span> Apache no sistema operativo Microsoft Windows 2000 e XP. Trata-se apenas de um guia e n\u00e3o pretende substituir os manuais de utiliza\u00e7\u00e3o do Apache e do openssl<\/span>.<\/span><\/p>\n

\u00a0<\/span>Para facilitar na tarefa de cria\u00e7\u00e3o e gera\u00e7\u00e3o de certificados \u00e9 necess\u00e1rio configurar o ficheiro openssl.cnf<\/span>.<\/span><\/p>\n

<\/span><\/h3>\n

\n

Cria\u00e7\u00e3o chave do CA com 1024 bit<\/p>\n

openssl<\/span><\/span><\/span> genrsa<\/span> -out ssl.key<\/span>\/CA\/CA.KEY<\/span><\/p>\n

<\/span><\/p>\n

Cria\u00e7\u00e3o do pedido de certificado<\/p>\n

openssl<\/span><\/span><\/span> req<\/span> -new -key ssl.key<\/span>\/CA\/CA.KEY \\<\/span><\/p>\n

out<\/span> ssl.key<\/span>\/CA\/CA.CSR –config<\/span> openssl.cnf<\/span><\/span><\/p>\n

<\/span><\/p>\n

Certificado \u201cSelf-sign<\/span>\u201d<\/p>\n

openssl<\/span><\/span><\/span> x509 –req<\/span> -days 365 -in ssl.key<\/span>\/CA\/ CA.CSR \\<\/span><\/p>\n

out<\/span> ssl.key<\/span>\/CA\/ CA.CRT –signkey<\/span> ssl.key\/CA\/CA.key<\/span><\/span><\/p>\n

<\/span><\/p>\n

converter<\/span><\/span> para<\/span> pem<\/span><\/span><\/p>\n

openssl<\/span><\/span><\/span> x509 -in ssl.key<\/span>\/ca\/CA.CRT –outform<\/span> DER \\<\/span><\/p>\n

-out ssl.key\/ca\/CA.der<\/span><\/span><\/p>\n<\/h3>\n

<\/span><\/h3>\n

<\/a>2.1.2. <\/span><\/span><\/span>Gera\u00e7\u00e3o de certificados para o web-server<\/h3>\n

<\/span><\/h3>\n

\n

Cria\u00e7\u00e3o chave do CA com des3 como m\u00e9todo de encripta\u00e7\u00e3o<\/span><\/p>\n

openssl<\/span><\/span><\/span> genrsa<\/span> -des3 -out ssl.key\/server\/keys\/localhost.KEY<\/span><\/span><\/p>\n

<\/span><\/p>\n

Cria\u00e7\u00e3o do pedido de certificado<\/p>\n

openssl<\/span><\/span><\/span> req<\/span> -new -key ssl.key\/server\/keys\/localhost.KEY<\/span> \\<\/span><\/p>\n

-out ssl.key\/server\/requests\/localhost.CSR<\/span><\/span>\u00a0 <\/span>\\<\/span><\/span><\/p>\n

config<\/span> openssl.cnf<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

Assinar certificado com base no CA<\/p>\n

openssl<\/span><\/span><\/span> ca –config<\/span> openssl.cnf<\/span> \\<\/span><\/p>\n

-in ssl.key\/server\/requests\/localhost.CSR<\/span> \\<\/span><\/p>\n

-cert ssl.key<\/span>\/CA\/CA.CRT \\<\/span><\/p>\n

keyfile<\/span> ssl.key<\/span>\/CA\/CA.KEY \\<\/span><\/p>\n

-out ssl.key\/server\/certificates\/localhost.CRT<\/span><\/span><\/p>\n<\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>2.1.3. <\/span><\/span><\/span>Gera\u00e7\u00e3o de certificados para o web-browser<\/h3>\n

<\/span><\/h3>\n

\n

Cria\u00e7\u00e3o chave do CA com des3 como m\u00e9todo de encripta\u00e7\u00e3o<\/span><\/p>\n

openssl<\/span><\/span><\/span> genrsa<\/span> -des3 -out ssl.key\/user\/keys\/user.KEY<\/span><\/span><\/p>\n

<\/span><\/p>\n

Cria\u00e7\u00e3o do pedido de certificado<\/p>\n

openssl<\/span><\/span> req<\/span> –new<\/span> \\<\/p>\n

key<\/span> ssl.key<\/span>\/user<\/span>\/keys<\/span>\/user.KEY<\/span> \\<\/p>\n

-out ssl.key\/user\/requests\/user.CSR<\/span><\/span>\u00a0 <\/span>\\<\/span><\/span><\/p>\n

config<\/span> openssl.cnf<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

Assinar certificado com base no CA<\/p>\n

openssl<\/span><\/span><\/span> ca –config<\/span> openssl.cnf<\/span> \\<\/span><\/p>\n

-in ssl.key\/user\/requests\/user.CSR<\/span> \\<\/span><\/p>\n

-cert ssl.key<\/span>\/CA\/CA.CRT \\<\/span><\/p>\n

keyfile<\/span> ssl.key<\/span>\/CA\/CA.KEY \\<\/span><\/p>\n

-out ssl.key\/user\/certificates\/user.CRT<\/span><\/span><\/p>\n

<\/span><\/p>\n

<\/span><\/p>\n

Convers\u00e3o de certificado para formato PKCS#12 para importa\u00e7\u00e3o no<\/p>\n

webbrowser<\/span><\/span><\/span><\/p>\n

openssl<\/span><\/span><\/span> pkcs12 -export –clcerts<\/span> \\<\/span><\/p>\n

-in <\/span>ssl.key\/user\/certificates<\/span>\/user.CRT<\/span><\/span> \\<\/span><\/p>\n

inkey<\/span> <\/span>ssl.key\/user\/certificates<\/span>\/user.KEY<\/span><\/span> \\<\/span><\/p>\n

-out <\/span>ssl.key\/user\/certificates<\/span>\/user.P12<\/span><\/p>\n

<\/span><\/p>\n<\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>3.\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Configura\u00e7\u00e3o do Apache<\/h1>\n

<\/a>3.1.\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Configura\u00e7\u00e3o base<\/h2>\n

Na webroot<\/span> do apache, no nosso caso\u00a0 <\/span><\/span>\/web<\/span>\/webroot<\/span>, tr\u00eas directorias:<\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>normal<\/span><\/span>, aonde temos apenas ssl<\/span> activado.<\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>pro_normal<\/span><\/span><\/span>, aonde pretendemos uma protec\u00e7\u00e3o b\u00e1sica.<\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>pro_cert<\/span><\/span><\/span>, aonde pretendemos apenas utilizadores com certificados v\u00e1lidos.<\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>pro_sel_cert<\/span><\/span><\/span>, aonde pretendemos apenas utilizadores escolhidos com certificados v\u00e1lidos.<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>3.2.\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Activa\u00e7\u00e3o do SSL para todas as \u00e1reas<\/h2>\n

Para ter conte\u00fados protegidos com ssl<\/span>, temos duas solu\u00e7\u00f5es:<\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Proteger todo o site, removendo o porto 80 mantendo o porto ssl<\/span> 443.<\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Proteger cada directoria pretendendo no ficheiro httpd.conf<\/span>.<\/span><\/h3>\n

<\/span><\/h3>\n

Vou apresentar o segundo caso.<\/span><\/h3>\n

<\/span><\/h3>\n

Assim \u00e9 necess\u00e1rio alterar, no httpd.conf<\/span>, a configura\u00e7\u00e3o das pastas pro_normal<\/span>, pro_cert<\/span> e pro_sel_cert<\/span> para ser alvo de protec\u00e7\u00e3o ssl<\/span>.<\/span><\/h3>\n

<\/span><\/h3>\n

Um exemplo dessa altera\u00e7\u00e3o \u00e9:<\/span><\/h3>\n

<\/span><\/h3>\n

\n

<Directory \/web\/webroot\/pro_normal<\/span>\/><\/span><\/p>\n

SSLRequireSSL<\/span><\/p>\n

<\/Directory<\/span>><\/p>\n<\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>3.3.\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Restri\u00e7\u00e3o pelo m\u00e9todo cl\u00e1ssico usando o htpassfile<\/h2>\n

Para definir que utilizadores podem aceder a directoria \u00e9 necess\u00e1rio criar um ficheiro contendo os login<\/span>\/password<\/span><\/span> dos utilizadores autorizados. Temos de criar ent\u00e3o o ficheiro \/web<\/span>\/apache\/conf<\/span>\/htpassfile.txt. <\/span><\/h3>\n

<\/span><\/h3>\n

Essa gest\u00e3o \u00e9 feita com base no comando htpasswd<\/span> do apache. Como exemplo, dois utilizadores, admusr<\/span> e usr1, os comandos ser\u00e3o algo como:<\/span><\/h3>\n

<\/span><\/h3>\n

\n

htpasswd<\/span><\/span><\/span> \u2013bc<\/span> \/web\/apache\/conf\/htpassfile.txt admusr<\/span> pass<\/span><\/p>\n

htpasswd<\/span><\/span><\/span> \u2013c \/web\/apache\/conf\/htpassfile.txt usr1 pass<\/span><\/p>\n<\/h3>\n

<\/span><\/h3>\n

A op\u00e7\u00e3o c<\/span> permite que o htpasswd<\/span> cria o ficheiro se n\u00e3o existir.<\/span><\/h3>\n

A op\u00e7\u00e3o b<\/span> indica ao htpasswd<\/span> que a password<\/span><\/span> \u00e9 definida como par\u00e2metro.<\/span><\/h3>\n

<\/span><\/h3>\n

Dentro da pasta pro_normal<\/span>, \u00e9 necess\u00e1rio criar um ficheiro .htaccess<\/span><\/span> contendo o seguinte:<\/span><\/h3>\n

<\/span><\/h3>\n

\n

AuthUserFile<\/span><\/span> \/web\/apache\/conf\/htpassfile.txt<\/span><\/p>\n

AuthName<\/span> “SR Autentica\u00e7\u00e3o”<\/p>\n

AuthType<\/span> Basic<\/p>\n

require<\/span><\/span> valid-user<\/span><\/p>\n<\/h3>\n

<\/span><\/h3>\n

Assim indicamos ao Apache que todos os acessos nesta directoria s\u00e3o para ser validados com base no ficheiro htpassfile.txt<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>3.4.\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Restri\u00e7\u00e3o usando certificados<\/h2>\n

Para restringir os utilizadores para apenas os que tenham certificados compat\u00edveis com o do servidor \u00e9 necess\u00e1rio configurar no ficheiro httpd.conf<\/span> do apache de seguinte maneira: <\/span><\/h3>\n

<\/span><\/h3>\n

\n

<Directory \/web\/webroot\/pro_cert<\/span>\/><\/span><\/p>\n

SSLRequireSSL<\/span><\/p>\n

SSLVerifyClient<\/span> require<\/span><\/p>\n

<\/Directory><\/span><\/p>\n<\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>3.5.\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Restri\u00e7\u00e3o usando certificados controlados.<\/h2>\n

Para restringir os utilizadores para apenas os que tenham certificados compat\u00edveis com o do servidor e escolhidos \u00e9 necess\u00e1rio configurar no ficheiro httpd.conf<\/span> do apache de seguinte maneira: <\/span><\/h3>\n

<\/span><\/h3>\n

\n

<Directory \/web\/webroot\/pro_cert<\/span>\/><\/span><\/p>\n

SSLRequireSSL<\/span><\/span><\/p>\n

SSLVerifyClient<\/span><\/span> require<\/span><\/p>\n

SSLRequire<\/span><\/span>\u00a0\u00a0\u00a0 <\/span>%{SSL<\/span>_CLIENT_S_DN_O} eq<\/span> \u201cUser xpto<\/span>\u201d<\/span><\/p>\n

<\/Directory<\/span>><\/p>\n<\/h3>\n

<\/span><\/h3>\n

Nota: Podemos alterar a configura\u00e7\u00e3o do SSLRequire<\/span> para validar com base noutros par\u00e2metros tais como <\/span><\/h3>\n

<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>SSL_CLIENT_S_DN_CN, alcunha do utilizador, \u201cCommon<\/span> Name<\/span>\u201d<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>SSL_CLIENT_S_DN_O, nome da organiza\u00e7\u00e3o.<\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>SSL_CLIENT_S_DN, Nome completo do utilziador<\/span><\/span><\/h3>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>SSL_CLIENT_CERT, o certificado em base 64.<\/span><\/h3>\n

<\/span><\/h3>\n

<\/h3>\n

<\/span><\/em><\/p>\n


<\/h3>\n

<\/h3>\n

<\/span><\/em><\/p>\n

<\/a>3.6.\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><\/span>Testes.<\/h2>\n

<\/h3>\n

Aqui est\u00e3o exemplos de testes com \u00a0<\/span>o<\/span> FireFox<\/span> e o Internet Explorer. <\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>Figura <\/span>1<\/span><\/span> \u2013 Falha na tentativa de acesso aos conte\u00fados ssl<\/span>.<\/span><\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>Figura <\/span>2<\/span><\/span> –<\/span> Teste com m\u00e9todo de autentica\u00e7\u00e3o b\u00e1sico.<\/span><\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>Figura <\/span>3<\/span><\/span> \u2013 Pedido da palavra chave<\/span> no FireFox<\/span>.<\/span><\/span><\/h3>\n

<\/span><\/h3>\n

Foi interessante ver que o firefox<\/span>, ao contr\u00e1rio do IE, pede a palavra-chave do certificado para poder ser utilizado.<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/a>Figura <\/span>4<\/span><\/span> \u2013 Pedido de certificado no IE.<\/span><\/span><\/h3>\n

<\/h3>\n

<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Instala\u00e7\u00e3o do servidor web Apache em Windows com SSL<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,22,4],"tags":[29],"_links":{"self":[{"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/posts\/15"}],"collection":[{"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/comments?post=15"}],"version-history":[{"count":1,"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/posts\/15\/revisions"}],"predecessor-version":[{"id":259,"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/posts\/15\/revisions\/259"}],"wp:attachment":[{"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/media?parent=15"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/categories?post=15"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.apmuga.com\/wordpress\/wp-json\/wp\/v2\/tags?post=15"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}