Getting SSL Going on Mac OS X 10.4 Tiger for WebDAV on SSL


After I got the WebDAV server working on my OS X 10.4 machine, the next thing was to get SSL working with a self-signed certificate so that I could do secure WebDAV to the box. I've done this on Leopard (10.5) and so doing it on 10.4 was not too bad, but there were a few wrinkles.

First, follow the directions for creating the certificate files in this Mac OS X Hints hint. Don't touch httpd.conf the way that hint says to; we're going to do something a little more 10.5-like and keep the SSL configuration in its own file. But do make the CA, the private key and the certificate request, and then sign the request.

Then in the /etc/httpd/users/ directory (which the stock Tiger httpd.conf already includes, so nothing else needs editing) use the following file as ssl.conf; theirs is missing a few things.

  #
  # This is the SSL config goodies
  #
  LoadModule ssl_module         libexec/httpd/libssl.so
  AddModule mod_ssl.c

  <IfModule mod_ssl.c>
    # Once any Listen directive appears, Apache 1.3 ignores Port and
    # binds only the listed ports, so 80 must be repeated here.
    Listen 80
    Listen 443
    # Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    # initial directives for SSL

    # enable SSLv3 and TLSv1 but not SSLv2
    SSLProtocol all -SSLv2
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/run/ssl_mutex
    SSLRandomSeed startup builtin
    SSLLog /var/log/httpd/ssl_engine_log            
    SSLLogLevel info

    <VirtualHost _default_:443>
      SSLEngine on
      DocumentRoot "/Library/WebServer/Documents"
      ServerName MACHINE
      ServerAdmin you@yourplace.com
      ErrorLog /var/log/httpd/error_log
      TransferLog /var/log/httpd/access_log

      # Only real encryption: no anonymous DH, no NULL, export or LOW
      # ciphers. The stock mod_ssl string (+EXP, +LOW, +eNULL) would let a
      # client negotiate an unencrypted session.
      SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2
      SSLCertificateFile /Users/YOURNAME/Documents/certs/MACHINE/newcert.pem
      SSLCertificateKeyFile /Users/YOURNAME/Documents/certs/MACHINE/webserver.nopass.key
      SSLCACertificateFile /Users/YOURNAME/Documents/certs/demoCA/cacert.pem
      SSLCARevocationPath /Users/YOURNAME/Documents/certs/demoCA/crl

      <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory "/Library/WebServer/CGI-Executables">
        SSLOptions +StdEnvVars
      </Directory>

      # correction for browsers that don't always handle SSL connections well
      SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    </VirtualHost>
  </IfModule>

Where YOURNAME is the account whose home directory the certificates live under, and MACHINE is the per-host directory you put that machine's key and certificate in. It's pretty close to what the hint had, but there are a few differences, and they are the important ones.
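The following script is an added example, not part of the original post or of the Mac OS X Hints article: it builds the demoCA, the server key and the signed certificate that the ssl.conf above points at, using openssl directly rather than CA.pl, and then checks the result the way mod_ssl and a WebDAV client will see it. The directory layout and file names match the SSLCertificate* directives; the certs directory, the hostname, the CN-only subjects and the placeholder passphrase `changeit` are assumptions you replace for your own box, and the live check at the end assumes curl is available and the server has been restarted with the new ssl.conf.

```shell
#!/bin/sh
# Added example: create the CA and server certificate files used by ssl.conf,
# then verify them. Paths, hostname and passphrase are placeholders.

# make_webdav_certs DIR HOST
#   DIR  - certs directory, e.g. /Users/YOURNAME/Documents/certs
#   HOST - the ServerName clients will connect to, e.g. MACHINE
make_webdav_certs() {
  dir="$1"
  host="$2"
  mkdir -p "$dir/demoCA/crl" "$dir/$host" || return 1

  # 1. CA private key and self-signed CA certificate (10 years).
  #    cacert.pem is what SSLCACertificateFile and the clients will trust.
  openssl genrsa -out "$dir/demoCA/cakey.pem" 2048 2>/dev/null || return 1
  openssl req -new -x509 -days 3650 -key "$dir/demoCA/cakey.pem" \
    -subj "/CN=WebDAV private CA" -out "$dir/demoCA/cacert.pem" 2>/dev/null || return 1

  # 2. Server key, passphrase-protected as CA.pl would leave it.
  #    ("changeit" is a placeholder for this example only.)
  openssl genrsa -aes256 -passout pass:changeit \
    -out "$dir/$host/webserver.key" 2048 2>/dev/null || return 1

  # 3. Strip the passphrase: with SSLPassPhraseDialog builtin an encrypted
  #    key would stall Apache at boot waiting for a tty. Keep it mode 0600.
  openssl rsa -in "$dir/$host/webserver.key" -passin pass:changeit \
    -out "$dir/$host/webserver.nopass.key" 2>/dev/null || return 1
  chmod 600 "$dir/$host/webserver.nopass.key"

  # 4. Certificate request; the CN must equal HOST or clients will complain.
  openssl req -new -key "$dir/$host/webserver.nopass.key" \
    -subj "/CN=$host" -out "$dir/$host/newreq.pem" 2>/dev/null || return 1

  # 5. Sign the request with the CA -> newcert.pem (SSLCertificateFile).
  openssl x509 -req -days 365 -in "$dir/$host/newreq.pem" \
    -CA "$dir/demoCA/cacert.pem" -CAkey "$dir/demoCA/cakey.pem" \
    -CAcreateserial -out "$dir/$host/newcert.pem" 2>/dev/null || return 1

  # 6. Verify the chain exactly as mod_ssl will load it.
  openssl verify -CAfile "$dir/demoCA/cacert.pem" "$dir/$host/newcert.pem" >/dev/null 2>&1
}

# cert_cn FILE: print the CN of a certificate, to confirm what was issued.
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# check_webdav_ssl DIR HOST: run against the live server after restarting
# Apache. Needs network access, so it is not part of the offline test.
check_webdav_ssl() {
  dir="$1"
  host="$2"
  # Handshake with our CA as the only trust anchor; "Verify return code: 0"
  # means SSLCertificateFile/SSLCACertificateFile form a valid chain.
  openssl s_client -connect "$host:443" -CAfile "$dir/demoCA/cacert.pem" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0' || return 1
  # A WebDAV PROPFIND over TLS; 207 Multi-Status means mod_dav answered.
  curl -s -o /dev/null -w '%{http_code}' --cacert "$dir/demoCA/cacert.pem" \
    -X PROPFIND -H 'Depth: 1' "https://$host/" | grep -q '^207$'
}
```

Run `make_webdav_certs /Users/YOURNAME/Documents/certs MACHINE` once, point the four SSLCertificate* lines at the files it creates, restart Apache, then `check_webdav_ssl` with the same arguments. Passing `--cacert` to curl (or importing cacert.pem into Keychain for Finder's WebDAV client) is what turns the self-signed setup into a verified one instead of a warning you click through.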

With this, I have https: and WebDAV over SSL for the box. Nothing horribly hard about this, but it's nice to have it all working now. Just took a little time.