apache ssl

Apache and SSL. Presented by Paul Weinstein, Waubonsie Consulting. O’Reilly Open Source Convention, July 24, 2002

Post on 07-Sep-2015

TRANSCRIPT

  • Apache and SSL

    Presented by Paul Weinstein, Waubonsie Consulting

    O'Reilly Open Source Convention, July 24, 2002

  • Apache and SSL - Paul Weinstein - - 2

    Hello World

    Introduction

    What Will Be Covered
      o Review of SSL
      o Quick History of Apache and SSL
      o Apache 1.3.x
      o Apache 2.0.x
      o Cool Tricks of Apache and SSL

    What Won't Be Covered

  • Apache and SSL - Paul Weinstein - - 3

    Disclaimer

    It should be noted that this presentation does not cover all issues relating to securing network-based machines and their content. This presentation is designed only to introduce basic concepts and configuration of Apache and SSL.

  • Apache and SSL - Paul Weinstein - - 4

    SSL and TLS:

    Secure Sockets Layer (SSL), developed by Netscape Communications, and Transport Layer Security (TLS), the open-standard replacement for SSL from the Internet Engineering Task Force, are the two protocols that add encryption and authentication to TCP/IP.

  • Apache and SSL - Paul Weinstein - - 5

    SSL and TLS: Two Main Features

    Ciphers, which enable the encryption of data between the client and server.

    Digital Certificates, which provide a method of authentication of a client and server.

  • Apache and SSL - Paul Weinstein - - 6

    SSL and TLS: Ciphers

    Symmetric (a.k.a. Secret-Key)

    Asymmetric (a.k.a. Public-Key)

  • Apache and SSL - Paul Weinstein - - 7

    SSL and TLS: Digital Certificates

    Advantage of Public-Key Encryption
    Server Certificate
    Client Certificate
    Root Certificate
    Certificate Authority
      o Public Certificate Authority
      o Private Certificate Authority

  • Apache and SSL - Paul Weinstein - - 8

    Apache and SSL: A Timeline

  • Apache and SSL - Paul Weinstein - - 9

    mod_ssl

    Support for SSL v2, v3 and TLS v1
    Advanced pass-phrase handling for private keys
    X.509-based digital certificates, certificate generation, certificate revocation list
    Support for crypto acceleration hardware *
    Backward compatibility

    * Platform Dependent

  • Apache and SSL - Paul Weinstein - - 10

    mod_ssl

    Most Popular SSL Solution for Apache
      o 1,098,542 of 4,577,603 or 23.99%*
    Second Only to PHP and Perl Overall
      o 43.71% and 24.11%*

    * Source: E-Soft June 2002 Report

  • Apache and SSL - Paul Weinstein - - 11

    Apache 1.3.x: mod_ssl

    Integration
      o Needs EAPI
      o Can Build as a DSO
      o OpenSSL Toolkit

  • Apache and SSL - Paul Weinstein - - 12

    Apache 2.0.x: mod_ssl

    Supports New Apache 2.0 Architecture
    Included with the Apache 2.0.x source code
    To add mod_ssl when building Apache
      o --enable-ssl
      o --with-ssl=/path/to/OpenSSL/lib

  • Apache and SSL - Paul Weinstein - - 13

    Apache and SSL: Cool Tricks - The Ubiquitous Online Store

    Transacting of payment information for consumer good(s) in a secure manner between the customer and the business.

  • Apache and SSL - Paul Weinstein - - 14

    Apache and SSL: Cool Tricks - The Ubiquitous Online Store

    What We Need:
      o Enable mod_ssl
      o Request a server certificate from a public certificate authority
      o Install server certificate
      o Add a CGI script to collect data
      o Configure access to CGI script via HTTPS

  • Apache and SSL - Paul Weinstein - - 15

    Apache and SSL: Cool Tricks - The Ubiquitous Online Store

    What We Get:

  • Apache and SSL - Paul Weinstein - - 16

    Apache and SSL: Cool Tricks - The Ubiquitous Online Store

    What We Get:
      o The communication with the store is secure.
      o The server on the other end, decrypting the data, is in fact the online store, as identified by the server's digital certificate and authenticated by a trusted third party.

  • Apache and SSL - Paul Weinstein - - 17

    Apache and SSL: Cool Tricks - An Organization's Intranet

    Transacting of organizational information in a secure manner between the organization's groups and individuals.

  • Apache and SSL - Paul Weinstein - - 18

    Apache and SSL: Cool Tricks - An Organization's Intranet

    What We Need:
      o Create a private certificate authority using OpenSSL
      o Enable mod_ssl
      o Request a server certificate from the private certificate authority
      o Install server certificate

  • Apache and SSL - Paul Weinstein - - 19

    Apache and SSL: Cool Tricks - An Organization's Intranet

    What We Need:
      o Add a CGI script to collect data
      o Configure access to CGI script via HTTPS
      o Install private certificate authority's root certificate
      o Configure server to authenticate clients based on certificates from private certificate authority

  • Apache and SSL - Paul Weinstein - - 20

    Apache and SSL: Cool Tricks - An Organization's Intranet

    What We Need:
      o Sign client certificate requests & install in clients' web browsers
      o Install private certificate authority's root certificate
      o Authenticate servers based on private certificate authority

  • Apache and SSL - Paul Weinstein - - 21

    Apache and SSL: Cool Tricks - An Organization's Intranet

    What We Get:

  • Apache and SSL - Paul Weinstein - - 22

    Apache and SSL: Cool Tricks - An Organization's Intranet

    What We Get:
      o The communication within the organization is secure.
      o The server on one end is in fact the organization's server - the information from it is valid.
      o The client on the other end is in fact a member of the organization - the information has not been compromised.
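
The private certificate authority steps from the intranet slides, as an added example that is not part of the original presentation: a shell script that uses the openssl command line to create the CA, issue a server and a client certificate, and show that a certificate from outside the organization fails verification. Subject names, file names and the conf/ssl/ paths are constructed for illustration; the lines written to ssl-intranet.conf are standard mod_ssl directives.

```sh
#!/bin/sh
# Added example. Subject names, file names and conf/ssl/ paths are constructed.
set -eu

# Issue a key and a CA-signed certificate. $1 = file stem, $2 = common name.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 90 -out "$1.crt" 2>/dev/null
}

# Build the intranet PKI in directory $1 (runs in a subshell, so cd is local).
build_pki() (
    cd "$1"
    # Private certificate authority: key plus self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Org/CN=Example Intranet CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    issue_cert server intranet.example.test   # server certificate for Apache
    issue_cert client alice                   # client certificate for a browser
    # Self-signed certificate from outside the organization, for comparison.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Elsewhere/CN=alice" \
        -keyout outsider.key -out outsider.crt 2>/dev/null
    # mod_ssl directives that require client certificates issued by this CA.
    cat > ssl-intranet.conf <<'EOF'
SSLEngine on
SSLCertificateFile    conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCACertificateFile  conf/ssl/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
EOF
)

# Succeeds only if certificate $2 chains to the root certificate in $1.
issued_by_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir"
for name in server client outsider; do
    if issued_by_ca "$demo_dir" "$demo_dir/$name.crt"
    then echo "$name: accepted"
    else echo "$name: rejected"
    fi
done
```

The CA private key (ca.key) is written unencrypted here only so the script runs unattended; the root certificate ca.crt is the file that gets installed on the server and in the clients' browsers.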

  • Apache and SSL - Paul Weinstein - - 23

    Review of Apache and SSL

    SSL and TLS
    History of Apache and SSL
    Apache 1.3.x
    Apache 2.0.x
    Cool Tricks of Apache and SSL

  • Apache and SSL - Paul Weinstein - - 24

    Citation

    Engelschall, Ralf. "User Manual." mod_ssl Version 2.8 (Jan. 2001).

    mod_ssl: The Apache Interface to OpenSSL

  • Apache and SSL - Paul Weinstein - - 25

    Citation

    Weinstein, Paul. "Web Security: Encryption & Authentication." Daemonnews (May 2001): 15 pars.

    Weinstein, Paul. "Web Security: Apache and mod_ssl." Daemonnews (June 2001): 15 pars.

  • Apache and SSL - Paul Weinstein - - 26

    Suggested References

    This Presentation:
      o Article: Weinstein, Paul. "Apache and SSL." O'Reilly Network: ONLamp.com (April 2002): 24 pars.

  • Apache and SSL - Paul Weinstein - - 27

    Suggested References

    This Presentation:
      o Slides: (HTML) (PDF)

  • Apache and SSL - Paul Weinstein - - 28

    Suggested References

    Apache Project
    Apache Week

  • Apache and SSL - Paul Weinstein - - 29

    Suggested References

    mod_ssl Project
      o Mailing Lists, List Archives

  • Apache and SSL - Paul Weinstein - - 30

    Suggested References

    OpenSSL Project
      o Mailing Lists, List Archives