Adding SSL to the ListManager Web Server

 

SSL (Secure Sockets Layer) is a protocol that allows you to manage security of your web server. ListManager supports SSL2, SSL3 and TLS 1.

 

To use SSL with the Lyris ListManager Webserver, you must generate a private key file, acquire a certificate file, and enable SSL in the tclhttpd.rc file. The example we provide here for generating the SSL files uses OpenSSL (http://www.openssl.org), but a similar process can be done with tools from RSA (http://www.rsa.com). You will need to have OpenSSL installed and have an openssl (or openssl.exe) binary to follow this example.

 

We include (in the 'tclweb/bin/certs/' directory) the openssl program so that you do not need to obtain it yourself. However, if you prefer, openssl can also be compiled from source, downloaded as an RPM (for Linux), or obtained from Cygwin (http://www.cygwin.com).

 

SSL is a feature of ListManager Pro and Enterprise, and is unavailable for standard ListManager. Contact your account representative at sales@lyris.com if you'd like to upgrade to ListManager Pro or Enterprise.

 

Please note: These examples are for illustrative purposes only. If you need extra assistance please contact sales@lyris.com to learn about our professional services.

 

SSL Installation Information: 

Adding SSL for Windows

Adding SSL for Linux

Installing an Intermediate Root Certificate

 

Adding SSL for Windows

1. Open a command prompt, and then change the directory to ...tclweb/bin/certs/.

 

2. Generate a CSR file (Certificate Request) and the private key file

 NOTE This should all be on the same line:

openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf

You will be prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you don't have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

3. You will have generated two files: your public key for requesting a certificate (public.csr), and a private key (skey.pem). These files should be protected from the outside world.

4. Submit the CSR file you created to a Certifying Authority (CA), for example Verisign.

The certificate request should look something like:

-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

More letters and numbers....

-----END CERTIFICATE REQUEST-----

5. Submit your CSR to a certificate authority to receive an SSL certificate.

6. The file you receive back from the certificate authority should be copied into a file called server.pem. In order to do this, create a file called server.pem and copy the contents of your certificate into the file server.pem.

7. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb\bin\certs directory.

8. Restart the webserver. You should see output like this (if started from the command line).

ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443

Adding SSL for Linux

1. Generate a CSR file (Certificate Request) and the private key file:

openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf

You will be prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you don't have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

2. You will have generated two files: your public key for requesting a certificate (public.csr), and a private key (skey.pem). These files should be protected from the outside world. To set the file permissions appropriately, run:

chmod 600 skey.pem

3. Submit the CSR file you created to a Certifying Authority (CA), for example Verisign.

The certificate request should look something like:

-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

More letters and numbers....

-----END CERTIFICATE REQUEST-----

4. Submit the CSR file you created to a Certifying Authority (CA), for example Verisign.

5. The file you receive back from the certificate authority should be copied into a file called server.pem. In order to do this, create a file called server.pem and copy the contents of your certificate into the file server.pem.

6. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb/bin/certs directory.

7. Turn on the SSL option for the ListManager webserver. Open tclweb/bin/tclhttpd.rc in the ListManager directory with a plain text editor (such as emacs or vim) and edit the following lines to read as follows:

Config USE_TLS1 1
Config USE_SSL2 0
Config USE_SSL3 0

Note: By default this option is off (0).

Important: USE_SSL2 and USE_SSL3 should be set to 0 as these protocols are no longer secure.

8. Restart the webserver. You should see output like this (if started from the command line).

ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
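
A pre-restart check for the Linux procedure above, as an added example that is not part of the ListManager documentation or tooling: it confirms that skey.pem is not accessible to group or other, that server.pem was issued for skey.pem (RSA modulus comparison), and that tclhttpd.rc enables TLS 1 with SSL2 and SSL3 set to 0. The function names are hypothetical, an RSA key stored without a passphrase is assumed, and treating a missing USE_SSL2 or USE_SSL3 line as a finding is this example's choice.

```shell
#!/bin/sh
# Pre-restart checks for skey.pem, server.pem and tclhttpd.rc (added example).

# key_is_private FILE: succeed only if group and other have no access (e.g. 600).
key_is_private() {
    [ -f "$1" ] || return 2
    case $(ls -ld "$1") in
        ????------*) return 0 ;;   # type + owner bits, then six dashes
        *) return 1 ;;
    esac
}

# cert_matches_key CERT KEY: succeed only if both carry the same RSA modulus.
# Assumes an RSA key stored without a passphrase.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# rc_setting RCFILE NAME: print the last value given by a "Config NAME value" line.
rc_setting() {
    awk -v name="$2" '$1 == "Config" && $2 == name { v = $3 } END { print v }' "$1"
}

# protocols_ok RCFILE: print one line per finding; succeed only if there are none.
# A missing USE_SSL2/USE_SSL3 line is reported too (this example's assumption).
protocols_ok() {
    rc_file=$1; bad=0
    [ "$(rc_setting "$rc_file" USE_TLS1)" = "1" ] || { echo "USE_TLS1 is not 1"; bad=1; }
    for proto in USE_SSL2 USE_SSL3; do
        [ "$(rc_setting "$rc_file" "$proto")" = "0" ] || { echo "$proto is not 0"; bad=1; }
    done
    return $bad
}

# preflight CERTS_DIR RCFILE: run every check and report all findings.
preflight() {
    fail=0
    key_is_private "$1/skey.pem" || { echo "skey.pem: missing, or accessible to group/other"; fail=1; }
    cert_matches_key "$1/server.pem" "$1/skey.pem" || { echo "server.pem does not match skey.pem"; fail=1; }
    protocols_ok "$2" || fail=1
    return $fail
}

# Usage: sh preflight.sh tclweb/bin/certs tclweb/bin/tclhttpd.rc
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means at least one finding was printed; resolve it before restarting the web server.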
 

 

Installing an Intermediate Root Certificate

When using an intermediate root certificate, you may get an error indicating that the certificate is not yet valid, or has expired, when it clearly is in the correct date range. Here is how you solve that problem with Verisign:

1. Change to the tclweb/bin directory (underneath the directory where you installed ListManager).

2. Make a backup copy of the file tclhttpd.rc.

3. Open tclhttpd.rc with a plain text editor.

4. Replace
 

Config SSL_CAFILE  "  "

with

Config SSL_CAFILE  [file join [Config SSL_CADIR] intermediate.crt]

5. Save tclhttpd.rc.

6. Get your intermediate certificate from your certificate authority and create a file called intermediate.crt.

7. Open intermediate.crt and copy the contents of your intermediate certificate into it.

8. Copy the intermediate.crt file to the ListManager tclweb/bin/certs directory.

9. Restart the ListManager tclhttpd web server.

 

Note: ListManager 9.x uses OpenSSL 0.9.7. This version may give false positives under certain circumstances.