Redrock SSL Module
The Redrock SSL Module is no longer offered by Redrock Software Corporation. The recommended method for securing your Trac website is to use Stunnel.
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communications on the Internet. There are slight differences between SSL and TLS, but they essentially provide the same protection. There are two basic options to enable SSL encryption on your Trac application: the Redrock SSL Module, or a third-party application such as Stunnel.
Redrock SSL Module
The Redrock SSL Module utilizes built-in protocols to encrypt your web pages. This protocol is licensed to Redrock Software, so there is a one-time cost of $695 associated with this module. Redrock Software will enable the module and provide you with the necessary SSL files (cert.pem and key.pem) with the purchase of the module. The SSL module is compatible with SSLv2, SSLv3, and TLSv1 and is able to provide full 128-bit encryption for maximum security. After the SSL Module is enabled on your server, Redrock Software has provided you with the cert.pem and key.pem files, and you have placed them in the Trac installation directory, you will need to change some server-side settings to utilize the module.
The necessary SSL files are cert.pem and key.pem. Redrock Software will provide you with these and an additional file (req.pem) without charge; however, these files are self-signed by Redrock and will produce a warning in your standard web browser. Because Redrock Software Corporation is not a "Trusted" Certificate Authority to the major browser companies, you will always receive the warning with our free SSL Certificate. The req.pem is the equivalent of a Certificate Signing Request (CSR) and is used to generate your SSL Certificate. You have the option of obtaining your own Apache-compatible certificate from a "Trusted" source, such as VeriSign, DigiCert, Thawte, EnTrust, GeoTrust, and Go Daddy. These are just a few of the options available to you; in all, the mainstream browsers (IE, Firefox, Safari, etc.) only trust about 20 of the major Certificate Authorities (CAs).
If you choose to obtain your own certificate, be sure to retrieve an Apache-compatible certificate so it will work with the SSL Module. Some CAs will provide you with a chained certificate, which we will have to adjoin in order to make the file compatible. Place the cert.pem, key.pem, and req.pem files in your Trac installation directory.
First, log in to your Trac application as an administrator. Navigate to the Advanced Preferences and search for the following Preference Codes:
The values of these two settings should match the directory location and name of your SSL files. Make any necessary corrections to the Preference Values, save the edits, and exit your Trac program.
You will need to quit the Trac application or stop the Trac service on your server and edit the prefs.ini file located in the installation directory. Make the following changes to the file:
(serverport and serverport2 values may differ; ports 80 and 443 are the defaults)
After completing those edits, save and close the prefs.ini file. Now start your Trac application or service and test the access to your newly encrypted site at https://YourSite.edu/, where 'YourSite.edu' is the web address or IP address of your Trac application. If your browser cannot reach your secure site, then skip down to Troubleshooting SSL Module.
Quit the Trac application or service and open the prefs.ini file. Make the following change:
Save and close the prefs.ini file and start your Trac application or service. Now try to access your site at the unencrypted http://yoursite.edu/. You will automatically be redirected to your secure site location.
Disable SSLv2 and Low Encryption
SSLv2 is an older version with known flaws. Many of the newer browsers limit any use of SSLv2 encryption and will only use SSLv3 and TLSv1; however, a cipher is available to disable any SSLv2 connections with the Trac application. The cipher is also entered into the prefs.ini file, so again quit the Trac application or service and open the prefs.ini file located in the root Trac installation directory.
Make the change to the CYPHERS setting, save, and close the prefs.ini file.
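Before saving a new CYPHERS value, it helps to see which suites the string actually enables. The script below is an added example, not Redrock's code: it assumes the setting takes OpenSSL cipher-list syntax (the page only says the module wants Apache-compatible files), and the names `audit` and `weakness`, the weak-token list and the sample string are constructed for illustration.

```python
import ssl

# Name tokens that mark a suite as unacceptable regardless of key length
# (chosen for this example; not a list taken from the page).
WEAK_TOKENS = {"NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH"}
MIN_BITS = 128  # the page advertises "full 128-bit encryption"


def weakness(cipher):
    """Return a reason string if one get_ciphers() entry is weak, else None."""
    bits = cipher.get("strength_bits", 0)
    if bits < MIN_BITS:
        return f"{bits}-bit key strength"
    # "DES" also catches 3DES suites, which are named DES-CBC3-*.
    hit = WEAK_TOKENS.intersection(cipher["name"].split("-"))
    if hit:
        return "uses " + ", ".join(sorted(hit))
    return None


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL build and split the
    result into (accepted, rejected); rejected holds (name, reason)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # Raised when the string selects no suite at all.
        raise ValueError(f"no usable cipher in {cipher_string!r}") from exc
    accepted, rejected = [], []
    for c in ctx.get_ciphers():
        reason = weakness(c)
        if reason:
            rejected.append((c["name"], reason))
        else:
            accepted.append(c["name"])
    return accepted, rejected


if __name__ == "__main__":
    candidate = "EECDH+AESGCM:!aNULL:!eNULL"  # constructed sample value
    ok, bad = audit(candidate)
    print(f"{len(ok)} acceptable suites, {len(bad)} weak")
    for name, reason in bad:
        print(f"  WEAK {name}: {reason}")
```

The expansion reflects the OpenSSL build on the machine running the script, which may differ from the library inside the Trac server, so confirm the result against the live site after restarting the service.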