Web�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽﾔ通信�ｿｽ�ｿｽ�ｿｽe�ｿｽﾃ搾ｿｽ�ｿｽ�ｿｽ(Apache+mod_SSL)

�ｿｽﾅ終�ｿｽX�ｿｽV�ｿｽ�ｿｽ�ｿｽF 2020.12.29

[root@centos ~]# yum -y install mod_ssl�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@mod_ssl�ｿｽC�ｿｽ�ｿｽ�ｿｽX�ｿｽg�ｿｽ[�ｿｽ�ｿｽ

[root@centos ~]# cd /etc/pki/tls/certs/�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽf�ｿｽB�ｿｽ�ｿｽ�ｿｽN�ｿｽg�ｿｽ�ｿｽ�ｿｽﾚ難ｿｽ

[root@centos certs]# sed -i 's/365/3650/g' Makefile�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽp�ｿｽﾘ厄ｿｽ�ｿｽ�ｿｽ�ｿｽL�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ1�ｿｽN�ｿｽ�ｿｽ�ｿｽ�ｿｽ10�ｿｽN�ｿｽﾉ変更

[root@centos certs]# make server.crt�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽp�ｿｽ髢ｧ�ｿｽ�ｿｽ�ｿｽE�ｿｽﾘ厄ｿｽ�ｿｽ�ｿｽ�ｿｽ�成
umask 77 ; \
        /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase:�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽC�ｿｽﾓのパ�ｿｽX�ｿｽ�ｿｽ�ｿｽ[�ｿｽh�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ\�ｿｽ�ｿｽ�ｿｽﾍゑｿｽ�ｿｽ�ｿｽﾈゑｿｽ
Verifying - Enter pass phrase:�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽC�ｿｽﾓのパ�ｿｽX�ｿｽ�ｿｽ�ｿｽ[�ｿｽh�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ(�ｿｽm�ｿｽF)�ｿｽ�ｿｽ�ｿｽ\�ｿｽ�ｿｽ�ｿｽﾍゑｿｽ�ｿｽ�ｿｽﾈゑｿｽ
umask 77 ; \
        /usr/bin/openssl req -utf8 -new -key server.key -x509 -days 3650 -out server.crt -set_serial 0
Enter pass phrase for server.key:�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽ�ｿｽL�ｿｽﾅ会ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽp�ｿｽX�ｿｽ�ｿｽ�ｿｽ[�ｿｽh�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ\�ｿｽ�ｿｽ�ｿｽﾍゑｿｽ�ｿｽ�ｿｽﾈゑｿｽ
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ
State or Province Name (full name) [Berkshire]:Kanagawa�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽs�ｿｽ�ｿｽ�ｿｽ{�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ
Locality Name (eg, city) [Newbury]:Kawasaki�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽs�ｿｽ謦ｬ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ
Organization Name (eg, company) [My Company Ltd]:centossrv.com�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽC�ｿｽg�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ(�ｿｽﾈゑｿｽﾅゑｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ)
Organizational Unit Name (eg, section) []:�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽ�ｿｽENTER
Common Name (eg, your name or your server's hostname) []:centossrv.com�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@Web�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ
Email Address []:[email protected]�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽﾇ暦ｿｽ�ｿｽﾒ��ｿｽ�ｿｽ[�ｿｽ�ｿｽ�ｿｽA�ｿｽh�ｿｽ�ｿｽ�ｿｽX�ｿｽ�ｿｽ�ｿｽ�ｿｽ

[root@centos certs]# openssl rsa -in server.key -out server.key�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽp�ｿｽ髢ｧ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽp�ｿｽX�ｿｽ�ｿｽ�ｿｽ[�ｿｽh�ｿｽ�除
Enter pass phrase for server.key:�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽp�ｿｽ髢ｧ�ｿｽ�ｿｽ�ｿｽE�ｿｽﾘ厄ｿｽ�ｿｽ�ｿｽ�ｿｽ�成�ｿｽ�ｿｽ�ｿｽﾌパ�ｿｽX�ｿｽ�ｿｽ�ｿｽ[�ｿｽh�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ\�ｿｽ�ｿｽ�ｿｽﾍゑｿｽ�ｿｽ�ｿｽﾈゑｿｽ
writing RSA key

[root@centos certs]# vi /etc/httpd/conf.d/ssl.conf�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@ApacheSSL�ｿｽﾝ抵ｿｽt�ｿｽ@�ｿｽC�ｿｽ�ｿｽ�ｿｽﾒ集
SSLCertificateFile /etc/pki/tls/certs/server.crt�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽp�ｿｽﾘ厄ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽw�ｿｽ�ｿｽ

SSLCertificateKeyFile /etc/pki/tls/certs/server.key�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽT�ｿｽ[�ｿｽo�ｿｽ[�ｿｽp�ｿｽ髢ｧ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽw�ｿｽ�ｿｽ

#  General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@#�ｿｽ�ｿｽ�ｿｽ�除(�ｿｽR�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽg�ｿｽ�ｿｽ�ｿｽ�ｿｽ)
�ｿｽ�ｿｽ
DocumentRoot "/var/www/html"

POODLE SSLv3.0 �ｿｽﾆ弱性�ｿｽ�ｿｽ�ｿｽﾎ擾ｿｽ
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2
�ｿｽ�ｿｽ
SSLProtocol All -SSLv2 -SSLv3�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@SSLv2�ｿｽASSLv3�ｿｽ�無鯉ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽ

[root@centos ~]# vi /etc/httpd/conf.d/ssl.conf�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@SSL�ｿｽﾝ抵ｿｽt�ｿｽ@�ｿｽC�ｿｽ�ｿｽ�ｿｽﾒ集
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/error_log�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽ�ｿｽ�ｿｽO�ｿｽt�ｿｽ@�ｿｽC�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽﾏ更
CustomLog logs/access_log combined env=!no_log�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@�ｿｽ�ｿｽ�ｿｽO�ｿｽ謫ｾ�ｿｽf�ｿｽB�ｿｽ�ｿｽ�ｿｽN�ｿｽe�ｿｽB�ｿｽu�ｿｽﾆ��ｿｽ�ｿｽO�ｿｽt�ｿｽ@�ｿｽC�ｿｽ�ｿｽ�ｿｽ�ｿｽ�ｿｽﾏ更
LogLevel warn

[root@centos ~]# systemctl restart httpd�ｿｽ@�ｿｽ�ｿｽ�ｿｽ@httpd�ｿｽN�ｿｽ�ｿｽ�ｿｽ�ｿｽCentOS7�ｿｽﾌ場合