Rob’s Notebook
This article is part of a series of articles about making XAMPP more secure. See the overview page for all the
security measures.
If you don’t have encryption enabled on a password-protected folder, the password will be sent in cleartext,
meaning that it can be seen by anyone using a network sniffer. It is a good idea to encrypt the transmission of
these passwords. There are 2 steps to this process: first we need to create SSL certificates, and then we need to
make sure that the password-protected pages are only accessed with encryption. It’s also a good idea to import
your certificates into the browsers on all machines that you plan to use to access your server, otherwise you’ll
get a warning about an untrusted certificate authority.
XAMPP provides a batch file for creating a new certificate/key with random encryption keys. To execute this
batch file, do the following:
Enter in a pass phrase for decrypting your private server key, and press Enter. Write down this passphrase so
you don’t forget it. Now you will be asked to verify it:
Verifying - Enter PEM pass phrase:
Enter your passphrase a second time and hit Enter. Now, you’ll see this:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
http://robsnotebook.com/xampp-ssl-encrypt-passwords 15/10/2010
XAMPP: SSL Encrypt the Transmission of Passwords with https Page 2 of 15
Enter your 2-letter country code. You’ll be asked for a few more items (shown below). Enter what you
think is most appropriate, but stop when you are asked for “Common Name”.
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rob's Great Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
For “Common Name”, you need to enter in the DNS name or IP address of your website. The name that you
enter in here will need to match the server name that is entered into the browser that is accessing the page. It is
important that this common name match the address that goes into a browser, otherwise you will get
extra warnings when navigating to your secure web pages. If you are running this website over the public
internet on an IP address that changes sometimes, you can use a Dynamic DNS service such as dyndns.org to
get a free domain name that always points to your server. After you enter in the “Common Name”, you are
asked for more information. Fill in what you think is appropriate, but it is OK to just hit ENTER to accept the
defaults. Eventually, you will be asked for the pass phrase for privkey.pem:
Email Address []:
Enter the pass phrase that you created earlier, and now you will see this:
writing RSA key
Loading 'screen' into random state - done
Signature ok
subject=/C=xx/ST=xx/L=xxxx/O=xxx/CN=commonname
Getting Private key
-----
Das Zertifikat wurde erstellt.
The certificate was provided.
C:\xampp\apache>
You are now finished creating your SSL certificate and private key. The makecert.bat script will move your
server private key and certificates into the appropriate directories for you.
Tools->Internet Options
Content Tab->Certificates Button
Trusted Root Certification Authorities Tab->Import Button
Tools->Options
Advanced->Encryption Tab->View Certificates Button
Authorities Tab->Import Button
Select file: c:\xampp\apache\conf\ssl.crt\server.crt, and click “Open”
Check “Trust this CA to identify web sites”
Click “OK”
Click “OK” in Certificate manager
Click “OK” in the original Options window to get back into Firefox
First, we need to tell Apache that the folders you want to encrypt should always use encryption (and
never go in the clear). This is accomplished by putting an SSLRequireSSL directive inside each desired
<Directory> block in the config files (it is OK to put it at the end, just before the </Directory>). The
SSLRequireSSL line in the example below shows what to do.
Alias /web_folder_name "C:/xampp/foldername"
<Directory "C:/xampp/foldername">
…
…
SSLRequireSSL
</Directory>
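A way to check the result of this step, as an added example that is not part of the original article: the Python script below scans Apache config text for <Directory> blocks that set AuthType but lack SSLRequireSSL. The folder names, the AuthUserFile path and the function name are hypothetical, the sample config is constructed, and authentication configured in .htaccess files is not covered.

```python
import re

# Constructed sample in the style of an XAMPP Apache config; folder names
# and the AuthUserFile path are hypothetical.
SAMPLE_CONF = """
<Directory "C:/xampp/folder_a">
    AuthType Basic
    AuthName "Folder A"
    AuthUserFile "C:/xampp/hypothetical.users"
    Require valid-user
    SSLRequireSSL
</Directory>
<Directory "C:/xampp/folder_b">
    AuthType Basic
    AuthName "Folder B"
    AuthUserFile "C:/xampp/hypothetical.users"
    Require valid-user
    # SSLRequireSSL
</Directory>
<Directory "C:/xampp/folder_c">
    Options Indexes
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
CLOSE = re.compile(r'</Directory\s*>', re.IGNORECASE)

def cleartext_auth_dirs(conf_text):
    """Return <Directory> paths that ask for a password (AuthType set)
    but do not carry SSLRequireSSL, so credentials may travel over http."""
    flagged, path, seen = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives do not count
            continue
        opened = OPEN.match(line)
        if opened:
            path, seen = opened.group(1), {}
        elif CLOSE.match(line) and path is not None:
            asks_password = seen.get("authtype", "none").lower() != "none"
            if asks_password and "sslrequiressl" not in seen:
                flagged.append(path)
            path = None
        elif path is not None:
            name, *rest = line.split(None, 1)  # directive name, then its arguments
            seen[name.lower()] = rest[0] if rest else ""
    return flagged

if __name__ == "__main__":
    for folder in cleartext_auth_dirs(SAMPLE_CONF):
        print("password requested without SSLRequireSSL:", folder)
```

To audit a real installation, pass the contents of the config files that hold your <Directory> blocks to cleartext_auth_dirs() instead of SAMPLE_CONF.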
I suggest doing this for the following folders (if you still have them):
This next optional step is to redirect “http” requests to “https” requests for the pages we want to secure. This is
more user friendly and allows you to still use http when you type in the address (and automatically switch to
https:// and encryption). If you don’t do this, and you used SSLRequireSSL, you will only be able to access
these pages by typing https://. This is fine and probably a little bit more secure, but is not so user friendly. To
accomplish the redirection, we will use mod_rewrite so that we don’t have to use the server name in this part of
the config file. This keeps the number of places in the config files where the server name is written small
(making your config files more maintainable).
First, we need to make sure that mod_rewrite is enabled. To do this, edit c:\xampp\apache\conf\httpd.conf and
get rid of the comment (# character) in this line:
If you have other folders you want to redirect to https://, add the generic text below (but substitute your folder
name):
# Redirect /folder_name folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} folder_name
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
If you are going to host a webdav server, it is probably best to not have this redirection and to just require
https://. This way, people can only use https:// when addressing your webdav folder. I tried using redirection for
a webdav server and giving http:// in both XP and MAC OS X, and it didn’t work when encryption is required.
One thing to keep in mind with this redirection is that if you have virtual hosts, you need to place the redirection
code (with the RewriteCond and RewriteRule) inside of your virtual host declarations, otherwise the redirection
won’t work.
59 Comments »
1. Rob Oudendijk on 01 Nov 2007 at 12:11 am
thanks
regards Rob Oudendijk
Hey! This is a great tutorial! =D Can you make one like this but using other certification authorities? like
Verisign? Thanks
thank u..
ngeee:D
this is a very useful article. Thank you. I solve my problem for class project.
Thank you Rob! Another note, folks will likely also want to change entries in apache/conf/extra/httpd-ssl.conf
to reflect your domain, server root, folder permissions and so forth.
Thank you for the article. This helped me immensely — I have set up HTTPS and certs on an IIS
machine, but never with Apache. Thanks.
You’re a freaking XAMPP king. Many thanks. Seconding the third party / verisign comment from above.
You’re doing the work for me and at the same time, demonstrating in a way that makes it stick in my
head.
All I can say is WOW and Thanks a million times for your efforts.
thanks a lot. Without you my database could’ve been spoilt by irresponsible peeps. cheers
Hi there! This is a great tutorial, but I’ve a got a bug in my system & I was hoping someone can tell me
how to fix it. I’m currently using XAMPP-win32 version 1.6.8 & my problem is that after running the
makecert command I’m unable to type anything when requested for the pass phrase & as a result I can’t
proceed. Can anyone help me out with this?
Thank you!
I don’t get which pass phrase gets revealed to others and which stays private?? I don’t understand! all I
want is for https:// to work why do they make it so difficult? Where is config file? Where do I add this
stuff? When I follow directions it doesn’t work then I go to my site and it says forbidden!
I already do your step I got success with Firefox browser but IE browser, it doesn’t work, can you tell
detail about this?
chhivhorng
why this step by step, not work with URL with other 80 port ??
please
Your tutorial is simply the best I could find in all the web.
I didn’t understand the last point…
“One thing to keep in mind with this redirection is that if you have virtual hosts, you need to place the
redirection code (with the RewriteCond and RewriteRule) inside of your virtual host declarations,
otherwise the redirection won’t work.”
How can I place the redirection code in my host declaration? Where is my host declaration? Because my
redirections seem not to work… Thank you
Hello!
First, i’d like to thank the author for this article, it’s absolutely great and helpful.
Does anybody know how to automatically install certificate from server, so I don’t need to manually
import it on every browser?
For example, I am building Adobe Flex application, and I am not getting any warnings for untrusted
certificate authority.. of course, my application doesn’t work without imported certificate in used browser.
* This could be a problem with the server’s configuration, or it could be someone trying to impersonate
the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can
try again later.
Hi ppl can someone plz help me? I’m stuck at: Edit Apache config for encryption only access to
password protected folders. all the other stuff is done. have I done this right or not.. it does not use https
now :/ here is my httpd-xampp.
RewriteEngine On
# XAMPP settings
#
…
…
SSLRequireSSL
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
AllowOverride All
AuthType Basic
AuthName "AUTH REMOTE TEST"
AuthRemoteServer localhost
AuthRemotePort 80
AuthRemoteURL /forbidden/
Require valid-user
#User: user / Password: pass
…
…
SSLRequireSSL
AuthMySQLEnable On
AuthName "MySQL Secured Place"
AuthType Basic
require valid-user
AuthMySQLHost localhost
AuthMySQLUser root
# AuthMySQLPassword
AuthMySQLDB webauth
AuthMySQLUserTable user_pwd
AuthMySQLNameField name
AuthMySQLPasswordField pass
AuthMySQLPwEncryption none
Thank you very much…!!! It is a great post and it works fine. I’d like to know if the certification file
register step (on the client side) may be automatic.
“Well, I have solved the above problem just after posting the thread !
The indication was in “Tue Dec 11 12:02:55 2007] [error] [client 10.96.10.10] client denied by server
configuration: /usr/local/apache2/htdocs/”
I did not know that SSL needs separate DocumentRoot setting in httpd-ssl.conf ! When I change it
from /usr/local/apache2/htdocs/ to /home/web/homepage, it works perfectly !
Now I have a second related question to ask. I want to serve a few folders (e.g. webmail) ONLY under
https, and NOT http. How do I achieve that ?”
In summary change the document root in httpd-ssl.conf to the one in the httpd.conf too.
I’ve followed this step but it doesn’t work :(. When I access my site from another computer I have just a
attention message. How could I locked site access from other computer using new certificate?
Many thanks,
your tutorials are really awesome, but i can’t make the ssl certificate due to some unknown reason. I can’t
enter the PEM password in the beginning, the characters simply won’t input. I tried several times,
restarted everything but nothing seems to change….
Cindy, just type in your password, you won’t see the characters, but your password will be inputted!
Could any one explain to me how to secure folder inside htdoc because i tried many times but it does not
work especially when i use SSLRequireSSL
Thank you
43. Need to create a HTTPS site from home.. - Digital World Cable Satellite Console Forum on 12 Dec 2009
at 8:27 pm
[…] Need to create a HTTPS site from home.. this is how to change the password in xampp XAMPP:
SSL Encrypt the Transmission of Passwords with https __________________ Guns don’t kill people,
people kill […]
Thanks a lot!
Hi,
The XAMPP successfully works and I have done all those configuration except the “SSL”. When I click
Start- run - cmd the c:\xampp\apache did not show, instead c:\Documents and Setting\myname
hi bro, I just tried your tutorial and it works fine for me, so I just want to say a lot of big thanks for your
tutorial. you have saved my time bro, thanks bro keep up the good work thanks
Hello, this article is truly wonderful. Thanks for everything; I had been looking for something like this for a
long time and it worked perfectly for me, but I have a problem.
When I go through all the steps the server generates one SSL certificate for one site; I would like to generate
one for each site.
If you can help me I would appreciate it.
Regards
Hello everybody, I am setting up a development environment using XAMPP 1.7.3 on Windows 7 for my
school project. I have already created a self signed CA, Server and Client certificates and installed the
same to IE and Firefox. The CA and Server certificates are working fine. The problem is when I activate
the client certificates:
SSLVerifyClient require
SSLVerifyDepth 2)
I get the following error messages:
Secure Connection Failed
An error occurred during a connection to www.buwbcs.com.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
What is the possible reason for this error?
IE displays the list of client certificates to select from but Firefox does not.
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache "dbm:logs/ssl.scache"
SSLSessionCacheTimeout 300
SSLMutex default
DocumentRoot "/project/htdocs"
ServerName www.buwbcs.com:443
ServerAdmin webmaster@buwbcs.com
ErrorLog "logs/error.log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "conf/ssl.SERVER/bu_SERVER.crt"
SSLCertificateKeyFile "conf/ssl.SERVER/bu_SERVER.key"
SSLCertificateChainFile "conf/ssl.CA/bu_CA.crt"
SSLCACertificatePath "conf/ssl.CA"
SSLCACertificateFile "conf/ssl.CA/bu_CA.crt"
SSLVerifyClient require
SSLVerifyDepth 2
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
Any help in analyzing these and ideas to solve this problem will be highly appreciated.
Aries
Cheers
Cheers
This is a really good guide, wayyyyy impressed, but i’m stuck at “Edit apache config for encryption only
access” part.
Ok for all of you that were getting blank pages, remember that you are moving from http to https and
therefore are moving from port 80 to port 443. If you are doing this on a home server, make sure you port
forward all requests on port 443 to your server or your router’s firewall will block it. Oh, you’ll also have
to open a port on the Windows firewall if you are even using it. Hope this helped someone out there.