Security Settings

From RedrockWiki
(Redirected from SSL)

Encryption Options

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communications on the Internet. There are slight differences between SSL and TLS, but they essentially provide the same protection. There are two basic options for enabling SSL encryption on your Trac application: the Redrock SSL Module, or a third-party application such as Stunnel.

Redrock SSL Module

The Redrock SSL Module utilizes built-in protocols to encrypt your web pages. This protocol is licensed to Redrock Software, so there is a one-time cost of $695 associated with this module. With the purchase of the module, Redrock Software will enable it and provide you with the necessary SSL files (cert.pem and key.pem). The SSL module is compatible with SSLv2, SSLv3, and TLSv1 and is able to provide full 128-bit encryption for maximum security. Once the SSL Module is enabled on your server and you have placed the cert.pem and key.pem files from Redrock Software in the Trac installation directory, you will need to apply some server-side settings to make use of the module.

Certificate Files

The necessary SSL Files are cert.pem and key.pem. Redrock Software will provide you with these and an additional file (req.pem) without charge; however, these files are self-signed by Redrock and will produce a warning on your standard web browser. Because Redrock Software Corporation is not a "Trusted" Certificate Authority to the major browser companies, you will always receive the warning with our free SSL Certificate. The req.pem is the equivalent of a Certificate Signing Request (CSR) and is used to generate your SSL Certificate. You have the option of obtaining your own Apache-compatible certificate from a "Trusted" source, such as VeriSign, DigiCert, Thawte, EnTrust, GeoTrust, and Go Daddy. These are just a few of the options available to you; in all, the mainstream browsers (IE, Firefox, Safari, etc.) only trust about 20 of the major Certificate Authorities (CA).

If you choose to obtain your own certificate, be sure to retrieve an Apache-compatible certificate so it will work with the SSL Module. Some CAs will provide you with a chained certificate, which we will have to join into a single file in order to make it compatible. Place the cert.pem, key.pem, and req.pem files in your Trac installation directory.

Advanced Preferences

First, log in to your Trac application as an administrator. Navigate to the Advanced Preferences and search for the following Preference Codes:

SSLCERTFILE
SSLKEYFILE

The values of these two settings should match the directory location and name of your SSL files. Make any necessary corrections to the Preference Values, save the edits, and exit your Trac program.

Prefs.ini Settings

You will need to quit the Trac application or stop the Trac service on your server and edit the prefs.ini file located in the installation directory. Make the following changes to the file:

ServerPort=80
ServerPort2=443
ServerProcs=5
ServerProcs2=10
ServerSecure=NO
ServerSecure2=YES

(The ServerPort and ServerPort2 values may differ; 80 and 443 are the defaults.)

After completing those edits, save and close the prefs.ini file. Now start your Trac application or service and test access to your newly encrypted site at https://YourSite.edu/, where 'YourSite.edu' is the web address or IP address of your Trac application. If your browser cannot reach your secure site, skip down to Troubleshooting SSL Module.

Force HTTPS

Quit the Trac application or service and open the prefs.ini file. Make the following change:

redirect=https://YourSite.edu/

Save and close the prefs.ini file and start your Trac application or service. Now try to access your site at the unencrypted http://yoursite.edu/. You will automatically be redirected to your secure site location.

Disable SSLv2 and Low Encryption

SSLv2 is an older protocol version with known flaws. Many newer browsers limit or refuse SSLv2 and will only use SSLv3 and TLSv1; however, a cipher string is available that disables any SSLv2 connections to the Trac application. The cipher string is also entered in the prefs.ini file, so again quit the Trac application or service and open the prefs.ini file located in the root Trac installation directory.

CYPHERS=ALL:!SSLv2:!ADH:!LOW:!EXP:!RC2:+SHA1:+MD5:+RSA:+HIGH:+MEDIUM

Make the change to the CYPHERS setting, save, and close the prefs.ini file.
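The prefs.ini, Force HTTPS and cipher edits above can be checked in one pass before the service is started again. The script below is an added example, not part of Trac or the Redrock SSL Module: it parses a prefs.ini of the flat key=value form shown on this page (a constructed copy of the settings above is embedded, alongside a constructed weak counter-example), confirms that the second listener is secure, that redirect points at an https:// URL and that CYPHERS carries the exclusions above, and then asks the local OpenSSL, through Python's ssl module, which cipher suites the string actually enables. The key names come from this page; that Trac passes the CYPHERS value straight through as an OpenSSL cipher string is an assumption.

```python
"""Check a Trac prefs.ini for the HTTPS settings described in this section.

Hypothetical checker, not part of Trac or the Redrock SSL Module. It assumes
prefs.ini is a flat key=value file using the key names shown on this page
(ServerPort2, ServerSecure2, redirect, CYPHERS) and that the CYPHERS value is
an OpenSSL cipher string, which is what Python's ssl module evaluates here.
"""
import ssl
from typing import Dict, List

# Constructed sample: the settings from this page, as one prefs.ini.
SAMPLE_PREFS = """\
ServerPort=80
ServerPort2=443
ServerProcs=5
ServerProcs2=10
ServerSecure=NO
ServerSecure2=YES
redirect=https://YourSite.edu/
CYPHERS=ALL:!SSLv2:!ADH:!LOW:!EXP:!RC2:+SHA1:+MD5:+RSA:+HIGH:+MEDIUM
"""

# Constructed counter-example: second listener left plain, no forced HTTPS,
# and a cipher string that excludes nothing.
WEAK_PREFS = """\
ServerPort=80
ServerPort2=443
ServerSecure=NO
ServerSecure2=NO
redirect=http://YourSite.edu/
CYPHERS=ALL
"""

REQUIRED_EXCLUSIONS = ("!SSLv2", "!ADH", "!LOW", "!EXP")


def parse_prefs(text: str) -> Dict[str, str]:
    """Parse flat key=value lines. Keys are lower-cased; blank and ';'/'#' lines are skipped."""
    prefs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        prefs[key.strip().lower()] = value.strip()
    return prefs


def enabled_cipher_names(spec: str) -> List[str]:
    """Ask the local OpenSSL which suites an OpenSSL cipher string enables.

    Returns [] when OpenSSL rejects the string outright. Tokens OpenSSL no
    longer knows, such as SSLv2 (support was removed), are ignored, so the
    page's string still evaluates on a current build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def unauthenticated_or_weak(names: List[str]) -> List[str]:
    """Suites with no authentication (ADH/AECDH), no encryption (NULL), or export strength (EXP)."""
    return [n for n in names
            if "NULL" in n or n.startswith(("ADH-", "AECDH-", "EXP-"))]


def check_prefs(text: str) -> List[str]:
    """Return findings for the HTTPS-related settings; an empty list means all checks passed."""
    p = parse_prefs(text)
    findings: List[str] = []
    if p.get("serversecure2", "").upper() != "YES":
        findings.append("ServerSecure2 is not YES: the second listener is not TLS")
    if p.get("serverport2") != "443":
        findings.append(f"ServerPort2={p.get('serverport2')}: browsers assume 443 unless the URL carries a port")
    if not p.get("redirect", "").lower().startswith("https://"):
        findings.append("redirect is not an https:// URL, so plain-HTTP visitors are not forced onto TLS")
    spec = p.get("cyphers", "")
    if not spec:
        findings.append("CYPHERS is not set: the OpenSSL build default will be used")
        return findings
    tokens = spec.split(":")
    for token in REQUIRED_EXCLUSIONS:
        if token not in tokens:
            findings.append(f"CYPHERS lacks {token}")
    names = enabled_cipher_names(spec)
    if not names:
        findings.append("CYPHERS is rejected by the local OpenSSL")
    bad = unauthenticated_or_weak(names)
    if bad:
        findings.append("CYPHERS still enables: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for label, text in (("page settings", SAMPLE_PREFS), ("weak settings", WEAK_PREFS)):
        print(label + ":", check_prefs(text) or ["ok"])
```

Run it against the real prefs.ini by reading the file into check_prefs. One caveat the script surfaces: the page's string excludes ADH (anonymous DH) but not AECDH (anonymous ECDH), so depending on the OpenSSL build it may report AECDH suites as still enabled; the OpenSSL keyword !aNULL excludes both families at once.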

Stunnel Configuration

Browse to http://www.stunnel.org and download the precompiled Windows binaries. We used version 4.16. Once downloaded, install Stunnel using the default options.

Certificate Files

The necessary SSL Files are a certificate (typically cert.pem) and a key file (typically key.pem). Redrock Software can provide you with these and an additional file (req.pem) without charge; however, these files are self-signed by Redrock and will produce a warning on your standard web browser. Because Redrock Software Corporation is not a "Trusted" Certificate Authority to the major browser companies, you will always receive the warning with our free SSL Certificate. The req.pem is the equivalent of a Certificate Signing Request (CSR) and is used to generate your SSL Certificate. You have the option of obtaining your own Apache-compatible certificate from a "Trusted" source, such as VeriSign, DigiCert, Thawte, EnTrust, GeoTrust, and Go Daddy. These are just a few of the options available to you; in all, the mainstream browsers (IE, Firefox, Safari, etc.) only trust about 20 of the major Certificate Authorities (CA).

If you choose to obtain your own certificate, be sure to retrieve an Apache-compatible certificate so it will work with the SSL Module. Some CAs will provide you with a chained certificate, which we will have to join into a single file in order to make it compatible. Place the certificate and key files in your Stunnel installation directory (C:\Program Files\stunnel). Keep a copy of your req.pem (CSR) file to request a new certificate when the current one expires.

Stunnel Config File

The Stunnel configuration file (stunnel.conf) is located in the C:\Program Files\stunnel\ directory. You will need to edit this file to secure your Trac site. Below is a good default config file. Simply replace the contents of stunnel.conf with this, and edit the IP address on line 17 (the connect line) so it points at your Trac server.

; Sample stunnel configuration file by Redrock Software
cert = cert.pem
key = key.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
; debug = 7 for verbose logging, 1 for emerg only
debug = 3
output = stunnel.log

; Service-level configuration

[https]
accept = 443
connect = 10.0.0.23:80
TIMEOUTclose = 0
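The config above terminates TLS on port 443 and forwards plain HTTP to the connect target, so the address on the connect line decides whether any traffic still crosses the network unencrypted. The script below is an added example, not part of stunnel or Redrock's own tooling: it reads an stunnel.conf of the shape shown above (a constructed copy is embedded), confirms cert and key are set, checks that the accept port is 443, classifies the connect target as loopback, private, public or hostname, and flags a verbose debug level that would leave handshake detail in the log file. The [global] section name is a synthetic one it adds so that Python's configparser can read the top-level options.

```python
"""Sanity-check an stunnel.conf of the shape shown in this section.

Hypothetical checker, not part of stunnel or Redrock's own tooling. It assumes
the layout used above: global options (cert, key, debug) before the first
section and one service section with accept/connect. configparser needs a
section header, so the global options are read under a synthetic [global].
"""
import configparser
import ipaddress
from typing import List

# Constructed sample: the config from this page.
SAMPLE_STUNNEL_CONF = """\
; Sample stunnel configuration file by Redrock Software
cert = cert.pem
key = key.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
; debug = 7 for verbose logging, 1 for emerg only
debug = 3
output = stunnel.log

; Service-level configuration
[https]
accept = 443
connect = 10.0.0.23:80
TIMEOUTclose = 0
"""


def load_stunnel_conf(text: str) -> configparser.ConfigParser:
    """Parse stunnel's INI dialect.

    strict=False tolerates the repeated 'socket' key; only '=' is a delimiter
    because values such as l:TCP_NODELAY=1 and 10.0.0.23:80 contain ':'.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string("[global]\n" + text)
    return cp


def classify_backend(connect: str) -> str:
    """Classify a connect target as loopback, private, public or hostname.

    stunnel treats a bare port (connect = 80) as localhost, so that counts as loopback.
    """
    host, _, _port = connect.rpartition(":")
    if not host:
        return "loopback"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def check_stunnel_conf(text: str) -> List[str]:
    """Return findings; an empty list means the config matches the intended setup."""
    cp = load_stunnel_conf(text)
    g = cp["global"]
    findings: List[str] = []
    for key in ("cert", "key"):
        if not g.get(key, "").strip():
            findings.append(f"{key} is not set; stunnel cannot serve TLS without it")
    if g.get("debug", "").strip() == "7":
        findings.append("debug = 7 writes verbose handshake detail to the log; lower it once troubleshooting is done")
    services = [s for s in cp.sections() if s != "global"]
    if not services:
        findings.append("no service section such as [https] is defined")
    for s in services:
        sec = cp[s]
        accept = sec.get("accept", "").strip()
        if accept.rpartition(":")[2] != "443":
            findings.append(f"[{s}] accept={accept!r}: browsers expect HTTPS on 443")
        connect = sec.get("connect", "").strip()
        if not connect:
            findings.append(f"[{s}] has no connect target")
            continue
        kind = classify_backend(connect)
        if kind != "loopback":
            findings.append(
                f"[{s}] connect={connect} is a {kind} address: stunnel forwards plain HTTP, "
                "so that hop crosses the network unencrypted unless stunnel runs on the Trac host itself"
            )
    return findings


if __name__ == "__main__":
    for finding in check_stunnel_conf(SAMPLE_STUNNEL_CONF) or ["ok"]:
        print(finding)
```

With the page's own config it reports the 10.0.0.23 target as a private address; that is fine when stunnel is installed on the Trac server itself, and a reason to prefer connect = 127.0.0.1:80 there, since the forwarded traffic then never reaches a network interface.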


Configure Stunnel as a Service

To set up Stunnel as a service, run stunnel.exe -install in a command prompt. You will get a prompt informing you that the service was installed. Next, open the Services window and start the service.