This is the software running a course at MIT, based on the Ur/Web language and the UPO library (with MIT extensions). The primary author is Adam Chlipala.
- Go to an IS&T certificates & Apache help page and grab the mitCAclient.pem file.
- Run:
sudo a2enmod ssl
sudo a2ensite default-ssl
- Add this line to /etc/apache2/sites-available/default-ssl.conf:
SSLCertificateFile /etc/ssl/certs/frap_csail_mit_edu_cert.cer
- Add this line, too (get the intermediate cert from the CA):
SSLCertificateChainFile /etc/ssl/certs/frap_csail_mit_edu_interm.cer
- To require a CSAIL certificate for /PATH, use this in the same file:
<Location /PATH>
SSLOptions +OptRenegotiate +StdEnvVars
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 3
SSLRequire %{SSL_CLIENT_S_DN_O} == "Massachusetts Institute of Technology"
</Location>
- To protect clients from recently discovered SSL vulnerabilities, add this configuration globally:
SSLProtocol All -SSLv2 -SSLv3
- To install the FastCGI Apache module in Debian-flavored Linux (need to enable multiverse in Ubuntu):
sudo apt-get install libapache2-mod-fastcgi
- Apply the MIT-certificate recipe above to the path / of the default-ssl config.
- Again in the default-ssl config, set up a FastCGI server, substituting paths as appropriate:
ScriptAliasMatch ^/.*$ /home/adamc/git/frapapp/testing.exe
FastCgiServer /home/adamc/git/frapapp/testing.exe -idle-timeout 120
- If any funny business pops up about access control, add this to the same virtual host config:
<Location />
Require all granted
</Location>
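Added example, not part of the original README or the course software: a small Python audit that checks a config for the directives in the recipe above (SSLv2/SSLv3 disabled globally; SSLRequireSSL, SSLVerifyClient require and the SSLRequire organization check inside the protected Location). The sample config is constructed, the function names are hypothetical, and the SSLProtocol evaluation is a simplified model of Apache's.

```python
import re

# Constructed sample (not a real server's file); SSLVerifyClient is wrong on purpose.
SAMPLE_CONF = """\
SSLProtocol All -SSLv2 -SSLv3
<Location />
    SSLRequireSSL
    SSLVerifyClient optional
    SSLRequire %{SSL_CLIENT_S_DN_O} == "Massachusetts Institute of Technology"
</Location>
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
REQUIRED = {  # directive inside the Location -> check on its arguments (None if absent)
    "SSLRequireSSL": lambda a: a is not None,
    "SSLVerifyClient": lambda a: (a or "").lower() == "require",
    "SSLRequire": lambda a: "SSL_CLIENT_S_DN_O" in (a or ""),
}

def parse(conf):
    """Yield (location, directive, args); location is None outside <Location>."""
    location = None
    for line in map(str.strip, conf.splitlines()):
        opened = re.match(r"<Location\s+(\S+?)>$", line, re.I)
        if opened or line.lower() == "</location>":
            location = opened.group(1) if opened else None
        elif line and line[0] not in "#<":
            name, *rest = line.split(None, 1)
            yield location, name.lower(), "".join(rest)

def enabled_protocols(args):
    """Simplified SSLProtocol model: 'All' adds every protocol, -X removes, X or +X adds."""
    enabled = set()
    for tok in args.split():
        new = ALL_PROTOCOLS if tok.lower() == "all" else {tok.lstrip("+-")}
        enabled = enabled - new if tok.startswith("-") else enabled | new
    return enabled

def audit(conf, path="/"):
    """Return findings where conf deviates from the recipe for <Location path>."""
    scoped, protocols, findings = {}, None, []
    for location, name, args in parse(conf):
        if name == "sslprotocol" and location is None:
            protocols = enabled_protocols(args)
        elif location == path:
            scoped[name] = args
    if protocols is None or protocols & {"SSLv2", "SSLv3"}:
        findings.append("SSLProtocol missing or still allows SSLv2/SSLv3")
    findings += [f"{path}: {name} missing or not as in the recipe"
                 for name, ok in REQUIRED.items() if not ok(scoped.get(name.lower()))]
    return findings
```

Calling `audit(SAMPLE_CONF)` reports the `SSLVerifyClient optional` line; an empty list means the config matches the recipe for that path.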
sudo python -m smtpd -n -c DebuggingServer localhost:25
Install package ntp and copy over /etc/ntp.conf from a CSAIL Ubuntu workstation.
Apparently MIT's CA uses weaker crypto than Ubuntu 20.04 enforces by default.
Tweak the setting in /etc/apache2/mods-available/ssl.conf like so:
SSLCipherSuite DEFAULT@SECLEVEL=1