On the Commercial Use Of Apache and SSL

Skapare asks: "A year ago, this question about using Apache and SSL in a commercial environment was asked in the Apache section of Slashdot. The RSA patent was still in force back then, and the focus was on commercial products like Raven. Since then, the RSA patent has been released and then expired. That same month a year ago, Ask Slashdot also featured a question about encumbrance of SSL/PGP. But with the RSA patent gone, and Diffie-Hellman before it, this surely opens up Apache with SSL free for commercial use. Now I'm exploring options for free SSL for Apache, and note at least two choices, Apache-SSL and mod_ssl. What I'd like to ask is: what are the fundamental and principal differences between these free versions that I should consider in deciding which I should use in a commercial environment?"
  • I know that apache-ssl is just a patch that you apply to the Apache source code. Then you have to recompile it; the httpd created is your SSL server. I don't know how mod_ssl works.
  • Basically, it depends.

    If you're doing it for some PHBs, wait a bit and find out which version is selling the most. It doesn't have to be good, it just has to be popular.

    If you're doing it for yourself or in a non-PHB environment, try them both and see which one holds up the best under loads above your peak usage.

  • by Garpenlov ( 34711 ) on Wednesday October 11, 2000 @09:21AM (#714198) Homepage
    You still have to buy a certificate from one of the big CAs or else people will get scary errors in their browsers... I don't suppose there are any free CAs out there that are already setup in IE by default? (I think I know the answer to that already).
  • by British ( 51765 ) <british1500@gmail.com> on Wednesday October 11, 2000 @09:24AM (#714199) Homepage Journal
    How long do you think it will take before SSL,etc become totally widespread? I'd like to be able to use SSL in Outlook Express with my POP mail accounts, but I never had any luck with it(I'm assuming it's not turned on). But there's always SecureCRT for shell account usage and pine.
  • The question is: will the certificate you pay for from a certificate authority work with the SSL module you install? I know for a fact that you can get commercial certificates to work with mod_ssl under Apache. An example of a commercial site that uses commercial certs with Apache and mod_ssl is www.qwest.net (formerly www.uswest.net).
  • I chose mod_ssl because it can be compiled as a Dynamic Shared Object (DSO), and it only gets loaded as needed.

    If you're planning to serve SSL pages only, it might be better to compare Apache-SSL and statically compiled mod_ssl, and see which performs the best.

  • by Phexro ( 9814 ) on Wednesday October 11, 2000 @09:34AM (#714204)
    mod_ssl is a dynamic-loaded apache extension. you load it, configure it, and forget it.

    apache-ssl is a patch against the vanilla Apache tree. I believe you have to run two instances of Apache, one for normal requests and one for SSL requests. I may be incorrect, since it seems pretty lame to have an Apache that only serves SSL requests. Someone correct me if I'm wrong.

    --
  • Apache-ssl is just a patch to the source code. You end up with an SSL enabled httpsd binary. You run that for your SSL site, and the normal Apache for your non-SSL site.

    mod_ssl is just a module that apache loads and uses when it needs SSL. Seems to be a cleaner design and install for me. I've switched several of our servers over... It also seems to be the "new" way of doing it. I know my O'Reilly book covered apache-ssl, but all the current online info I found referenced mod_ssl.
  • by localman ( 111171 ) on Wednesday October 11, 2000 @09:34AM (#714206) Homepage
    There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original. Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear.

    I think it's apparent from the tone that there is a healthy level of rivalry between the two projects :) The mod_ssl source code is peppered with quotes by the author of Apache-SSL that are intended (I think) to be unflattering... like:

    /* ``I'll be surprised if others think that what you are doing is honourable.''
    -- Ben Laurie, Apache-SSL author */

    or...

    # ``What you are missing, I suppose, is that I'm not
    # prepared to give equal rights to Ralf on the basis
    # that he's spent a few hours doing what he thinks is
    # better than what I've spent the last 4 years on,
    # and so he isn't prepared to cooperate with me.''
    # -- Ben Laurie, Apache-SSL author

  • by briany ( 5932 ) <briany@spea k e a s y .net> on Wednesday October 11, 2000 @09:34AM (#714207) Homepage
    I have been running a server with Apache-SSL for several years now w/o any problems. The patch does change some program names (i.e. httpd -> httpsd, apachectl -> httpsdctl), which can break some Apache scripts.

    The biggest difference I remember hearing between mod_ssl and Apache-SSL is that mod_ssl team was more focused on new features and the Apache-SSL team was more focused on stability/speed. Things may have changed in the last year or so however.

    Both Apache/SSL solutions use the OpenSSL programs and libraries to generate certificates. I use Verisign as my CA. Never had a problem with either the initial request or renewed certificates.

  • Stunnel [stunnel.org] is not too hard to setup for SPOP3 and SIMAP. Just tell your users to ignore the certificate warnings...
  • by sxxw ( 124344 ) on Wednesday October 11, 2000 @09:38AM (#714209) Homepage
    In general, I would say that it depends on exactly what you're looking for - they're both free, so why not evaluate them both and see how they work in your environment.

    I have used and installed both, in both commercial and academic environments. I started out using Apache-SSL, but have now moved over to using mod_ssl.

    Some background - Apache-SSL came first, and ships as a set of patches for the core Apache code. mod_ssl ships as patches and an additional Apache module. When I last compared them, the fundamental difference was that Apache-SSL just patches itself into the Apache code, while mod_ssl extends the Apache module interface definition to allow the SSL functionality to be contained in a module. In general, I have found mod_ssl to be easier to use and debug. It also appears to have more features, although whether that's a good thing probably depends on how much use the features are to you!

    There's more background available from both of the websites.

    Finally, as others have pointed out, if you're wanting to use your server with a wider community, you'll need to obtain a certificate from a recognised CA (this isn't as expensive, or difficult, a process as many make out).
  • apache-ssl.
  • I don't suppose there are any free CAs out there that are already setup in IE by default...

    Think about what you're asking for. The whole point of a certificate is to prove identity. If there was some free service out there, they're not going to do much proving of identity.


    --

  • I've compiled, installed and configured 3 customer sites with mod_ssl so far.

    No problems with compilation, interaction with mod_php or mod_perl, CSR generation, getting the CSR signed through Verisign or final implementation of the SSL key and keyring.

    The only thing missing is a nice keyring management X11 GUI like IBM includes with their IBMHTTPD package *drool*. The OpenSSL CLI key management interface requires memorizing yet another set of commands and flags. It works, but is annoying.

    -Rusty
  • I don't have any experience with Apache-SSL, so perhaps someone else can help there...

    I recently installed Apache/mod_ssl at work and tried to use it with our existing Verisign certificate. Verisign [verisign.com] has some weird double certificate system that caused connection errors with some builds of IE5 under mod_ssl. The same certificates worked under Apache/Stronghold. The mod_ssl FAQ [modssl.org] has lots of information on connection problems with IE, but I tried every single suggestion and couldn't get it to work. I eventually switched to a Thawte [thawte.com] certificate. That worked like a charm.

    So - does anyone know if the problems I encountered were mod_ssl/verisign specific, or does Apache-SSL have the same issues?

    Cheers.

  • It should be pointed out that mod_ssl also requires a patch to Apache; it can't be run with the plain vanilla Apache binary that may have come with your Linux distribution.

  • *BZZZZZZZZZZZZZZZZT* WRONG!

    Verisign supports both mod_ssl and Apache-SSL.

    See http://www.verisign.com/cus/srv/install/s/
    for installation instructions.
  • As stated in this quote from the bottom of the Apache-SSL page:
    "Apache-SSL is not mod_ssl
    There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.
    Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie)."


    Personal Note: Over this past summer, I have had a great deal of experience with Apache-SSL in particular. My employer decided to upgrade our web server from IIS to Apache, and they decided on Apache-SSL. We had some minor problems setting it up, mainly with the daemon not starting/stopping properly when PHP4 was compiled in (we did everything as DSO's). Once we got the server working (after compiling everything as static libraries), all we needed to do was make some certificates. We made all the certificates ourselves and signed the certs for our internal websites. For our external sites, we made the certificates and sent them to VeriSign for "official" signing (that was the only thing we actually needed to pay for). Overall, everything seems to be working quite nicely.
  • The downside to the SSH + Pine solution is that Pine has a remotely exploitable buffer overflow that was recently disclosed -- well, okay, not just *A* overflow, a *WHOLE LOT* of them. Pine usage at this point is very, very dangerous, and should probably be discouraged.

    Of course, this really sucks since I've been using Pine for several years and I really don't want to switch. (Yes, I know Mutt can be made to kinda sorta emulate Pine, but it's not exact by any means and it still takes some getting used to.)
  • I have setup SSL for apache on both Linux and WinNT. I found that it was much easier to setup mod_ssl than apache-ssl. Actually if I remember correctly I think I tried using apache-ssl on Linux and WinNT, but I couldn't get it working right. So then I tried mod_ssl and it worked right away the first time...

    Mod_SSL is really easy...The instructions I used made it really easy:
    Linux: Installation Guide [modssl.org]
    WinNT: Installation Guide [modssl.org]

    FoonDog
  • I would have to differ. Just because it's free (or cheap) doesn't automatically make it crap. PGP key servers are free and public.
  • I've been using apache+ssl for about 2 years with all certs from Verisign; Verisign has been supporting Apache and mod_ssl and apache+ssl for the past 3 years. Get a Clue Dude!!!
  • The root-CA's must take the time to investigate the applicant to ensure that the certs being issued are for legit uses. This is where I figure the majority of the cost comes from.

    i.e. That I am who I say I am, and that my use of the cert is considered legit.

    Otherwise virus authors could obtain a cert that claims to be from Microsofl. A user who isn't paying attention might think it says Microsoft and accept the malicious code. Correct me if I am wrong...

    jc
  • Verisign certs require you to use an intermediate CA cert, available gratis on their site. It's trivial to set up, and is required because you need to specify a CA chain to an authoritative trusted CA.
    mE
  • Apache-SSL provides the same features as vanilla Apache, which means you can define one or more virtual servers, each with or without SSL, within the same configuration of Apache-SSL. Works great.

  • by humphreybogus ( 99410 ) on Wednesday October 11, 2000 @10:03AM (#714224)
    I'm sure there's been a slashdot thread on this already, but I just wanted to mention that Equifax Secure [equifaxsecure.com] might be a useful solution to those looking for cheaper server certificates (vs. Verisign/Thawte).

    They used to be $49, but apparently they've raised their prices to $79. They claim that their certificates will work with Apache+SSLeay and Apache+Raven. I am wondering if anyone has had experience with using Equifax certificates (in general), and specifically whether they work with Apache+mod_ssl?

    Also, they offer "wildcard" certificates, which allow you to secure *.yourdomain.tld, which seem pretty interesting for an app I'm working on. Any experience with these?

  • It creates an httpsd bin that is just SSL aware; you can have it turned on or off for each individual vhost. It rocks mod_ssl's arse =)
  • The converse is also true... just because you pay for it doesn't automatically make it legitimate. Certificates are routinely sold to companies that turn out to be less-than-honorable. (E trade?)
    Just keep that in mind the next time you click on that Grant button *grin*.

  • Verisign, when I checked them out last year, would sign any certificate you sent them, provided you could prove your identity and forked over the cash. They never even asked what httpd you used.
  • I am using mod_ssl with a Verisign-signed 128-bit certificate. Unfortunately, IE as shipped with Win2K is 56-bit and buggy. When a 56-bit SP1 Win2K box connects, all is good. When a 56-bit non-SP1 box connects, it errors out. A 128-bit machine works in either circumstance.

    Any suggestions
  • Certificates are routinely sold to companies that turn out to be less-than-honorable. (E trade?)

    Certificates prove identity. They have nothing to do with "honor".


    --

  • First of all, there's a world of difference between "free" and "cheap". The point of a certificate is to prove identity, and the point of a CA is to be a trusted authority. Maybe you don't care how trusted the authority is, but the point is that they should go through some motions to verify identity before issuing a certificate.

    It's hard to imagine how a free service could pay the people to do the corporate research.


    --

  • Verisign certs require you to use an intermediate CA cert

    Right - and I did this. I carefully followed every set of instructions I could find, and then tried every random combination of configurations - still experienced problems when connecting via MSIE 5 (only some builds - for example W2K version works...).

    Have you actually gotten Apache/mod_ssl/Verisign to work with _all_ versions of IE? If so, would you be willing to send me the snippet from your httpd.conf file?

    Cheers.

  • If you're using RedHat, I'd recommend mod_ssl, only because the RPM setup is fairly easy and quick and the modular support of mod_ssl in Apache is easy to setup, all you need to do is edit your httpd.conf and restart httpd to load it up. If you're using other distros then it depends. The RedHat Knowledgebase FAQ [redhat.com] has some information on setup (with lots of typos and mistakes, but informative nonetheless). The FAQ also mentions Verisign and Thawte.
  • nah, not very very dangerous... theoretically there might be a remotely exploitable hole that would allow a remote attacker to gain access as the local user. That's bad but certainly not very very dangerous, as long as root isn't reading mail with pine (and why would root be reading mail at all).

    To steal an amusing phrase from Bugtraq: "Pine, from the same people who brought you WU-FTP and UW imap"

    --
    "Don't trolls get tired?"
  • Corporate Research? What, you mean run your DUNS number through D&B and run a Whois to see if the company name matches on both records? OK, I am coming off with a bit of an attitude, but isn't this about the extent that Verisign "researches" its applicants? I really think they issued my mom's certificate way too fast to do much else.


  • Sendmail and Postfix both have SSL capabilities (Postfix requires a patch), and UW Imap2000 can do SSL imap and pop. These are not widely adopted though... Really, I think if there were cheap certificates available, SSL would be more widespread. Equifax recently came out with a $40 certificate, but the clients don't recognize its authority unless the server supports a CA certificate as well, which can verify it through some sort of funky magic :)
  • Each different server (either mod_ssl or apache_ssl) will generate a server-specific CSR (certificate signing request). Each server has a unique server signature generated at compile time that identifies THAT particular site. AFAIK, you cannot take an old cert from an old server and move it to a new server - the server signatures are different. I've used Verisign, Thawte and Entrust and have had to do a cert transfer/renewal for about $100 on changing the server.
  • by ragnar ( 3268 ) on Wednesday October 11, 2000 @10:26AM (#714237) Homepage
    Wildcard certs are great things because they let an ISP offer a shared certificate for a broad range of users. In many cases this is a great situation. My company [spinweb.net] purchased a wildcard cert only to be very upset though.

    We are upset because MS IE 5.5 will not support wildcard certs. Flat out, there is no way around this, and MS has made it clear that they are going to make everyone pay Thawte or Verisign for every single domain you want to secure. It is pretty sick, but it is the truth. You will waste money on a wildcard cert unless you can figure out how to change Microsoft. Good luck. The CAs screw you from the top (CA authority) and MS screws you from the bottom (browser), and you are stuck in the middle trying to run a web server.

  • But didn't they turn down a certificate for your cat?
  • But how often do ordinary users even check who a certificate is issued to?
  • The problems could have been Verisign/IE specific. The Verisign "Commerce Site Services" certificates use the X509 v3 format. These certificates are enabled for Server Gated Cryptography which lets old export browsers establish SSL connections using 128 bit encryption. If the browser is accessing the site using a different DNS name from that in the certificate (or if you were using an IP address) then IE closes the SSL connection immediately after it's established and posts a horribly incorrect message saying that there was a server error. You can work around this one in IE by setting "Check for server certificate revocation" to true in the browser security settings.

    Of course, it could have been any of the numerous other IE SSL bugs but as you worked through the FAQ I'll assume not.
  • I have actually applied for certificates from several different vendors as part of our testing (my employer, PeopleSoft [peoplesoft.com], currently supports SSL with Apache).

    The process you go through says a lot about what measures they take to verify your identity, and I've inferred that a LOT of it CAN'T be done without human intervention (given the current state of technology) - and not without dedicated hardware in a centralized location. The "authority" part of "certificate authority" is by definition [dictionary.com] a single entity. They usually request a copy of your business' Certificate of Incorporation, which must be verified by a human being, and they always request a phone number for verification, and they usually request your company's DUNS number (Dun and Bradstreet's corporation database) for simplicity's sake. Verification of the DUNS is about the only thing that can be done automatically, and it's not sufficient to prove your identity, since anyone can look it up.
    --
    Note that none of this reflects the opinions or views of my employer. Well actually it might, but I'm not allowed to say so.
    --

  • ...that was the only thing we actually needed to pay for

    If you did this before RSA released the patent into the public domain, then you should have paid for your SSL library -- your failure to do so gives RSA the right to sue you for denying them license fees.

    As I understand it, we still don't have a clear answer on whether it's legal to use SSL without paying RSA a license. It's just that everyone is assuming it's so. I won't be surprised if RSA lawyers start calling everyone up and demanding license fees because of some other patent that SSL requires.

  • Is it worth pointing out that there are two different institutions involved here? UW is the University of Washington (in Seattle) and WU is Washington University (in St. Louis).
  • Don't a lot of daemons and the like send messages straight to root for reports, etc?

    I look at it this way. If I'm checking email every 20 minutes in Outlook Express, Netscape mail, etc, my password's being sent out in the clear every 20 minutes between x routers. A simple packet sniffing can grab the password easily. Once did it on a company lan with Web(or was it Net?)Xray where I had to time it just right since it was a crippled demo version.

    (and why would root be reading mail at all).
  • Apache-SSL works very well; mod_ssl almost works.
  • Generally only as often as the "Security Warning" screen that comes up when your cert is not signed by a trusted CA pops up.

    If you went to bn.com to buy a book and you got a message telling you that the certificate was self-signed, do you think you'd think twice about whether or not you are really truly using bn.com?

    ~GoRK
  • I know my O'Reilly book covered apache-ssl, but all the current online info I found referenced mod_ssl.

    That's probably because the author of Apache-SSL is also one of the authors of the O'Reilly Apache book. I've used mod_ssl, and it was pretty easy to use. It also seems to be the more popular choice.

  • I believe this is covered in the mod_ssl faq..
    It has something to do with them having a problem with SSL v3.
  • Since that last post is mod'ed up as informative I'll chip in with my anecdotal experience too, just to counter. :-)

    We use Apache-SSL. We got Apache 1.3.12, iirc, on a pretty standard Redhat 6.1 (yeah I much prefer 6.2 too *g*) and it's never died. It seems plenty fast. I had no problems setting it up either, and Verisign's certificate installed fine.

    Have to admit to not trying mod_ssl but I think the tone of the documentation was the deciding factor for me....

  • Um, what crack are you smoking? The IBM gsk uses a totally proprietary file format, making it completely useless in combo with any other ssl platform. Everything IBM has done in terms of web development (from IBMHTTPD to WebSphere) must die a hideous, flaming death.
  • by Anonymous Coward
    FYI, GlobalSign (one of the big CA's) is currently giving server certificates away for free.

    See for yourself:

    http://www.globalsign.net/prod/freeserver.cfm [globalsign.net]

  • Keep in mind I'm pointing this out just so you won't in the future look stupid when you are trying (too hard?) to appear smart.

    cf. does not mean "Compare because it's similar," it means "Contrast."

    -james.
  • disable support for RC4-56 encryption... it will work after that (may also need to disable 56 bit des, ymmv)

  • Certificates prove identity. They have nothing to do with "honor".

    This is quite true. Nevertheless, I'm certain that a large fraction of those who participate in e-commerce have made the false assumption that such certificates come with some form of implied legitimacy in how the company they are interacting with does business.

    Now that digital signatures are considered legal and binding, I wonder if the legal meaning of a digital certificate is affected? Is there now some form of implied contract when they are used for communications?

    Lawyers? :)

  • by Anonymous Coward
    I'm using a Globalsign certificate with mod_ssl and it works very nicely (their root is in both netscape and ie). and they have a freecert program http://www.globalsign.net/prod/freeserver.cfm I'm just not sure if this is a permanent thing
  • The only thing that a web certificate proves is that the owner had access to a (stolen) credit card.

    SSL certificates can cryptographically prove identity. However, as currently implemented, commercial certificates do not prove identity. Just about anyone can get a commercial certificate without properly proving their identity to the CA.

  • I just went there with 5.5 - no errors.
  • You can still establish secure communications with a server that doesn't have a certificate from a recognized authority, it just gives you a warning that the it's not recognized. That's not a big tradeoff. Really, the only reason that you'd want one that doesn't generate that sort of message is if you're selling stuff or otherwise collecting sensitive information from people, in which case you're probably making money, so the $300 that it'd cost for a "real" certificate isn't that much when what you're really paying for is an added level of "trust" from the public.

    Free PGP keyservers are out there. But that's all they do: store keys. Verisign and the like actually go through the motions of trying to prove that the person they've given a key to is that actual person. No PGP keyservers attempt to do that.
  • by mrsbrisby ( 60242 ) on Wednesday October 11, 2000 @11:41AM (#714259) Homepage
    It seems interesting to me that people might think that certificates would work differently in Apache-SSL vs. Apache+mod_ssl. More so when they both use the same API for performing the crypto layer to read/write the certificate files (SSLeay, now known as OpenSSL).

    I've also tried to think about how one could gauge the differences objectively. As far as I've seen, neither seems any faster (which would make sense, being that they both use OpenSSL for the "real work"), and I can't think of any features that one has that the other doesn't; and I'm not talking about configuration directives, I'm talking about "XXX obtains information YYY and logs it, but product ZZZ doesn't." I'd love to see some enlightenment on that note.

    And on that note (karma and enlightenment, that is) I have had no difficulties with either in installation, or uninstallation, or even configuration. I do however like having the "SSL Module". It's quite handy when duplicating disks. I just flip a flag in my configuration files instead of having to recompile Apache. But other than that, I can't see any reason why you would pick one over the other.

    Maybe it would be constructive (ooh, big word!) if people posted WHY they use Apache+SSL or WHY they use Apache+mod_ssl instead of just listing off angry posts, and turning my display into a voting log.

    To say it another way, I don't think that anyone is interested in why YOU use Apache-SSL or YOU use Apache+mod_ssl. I know that I'm not! Instead, I'd like to hear WHY you use Apache-SSL, or WHY you use Apache+mod_ssl.
  • mod_ssl is just a dynamic module that you add to your current apache. It's compiled separately. It's like using mod_perl or mod_php.
  • On most systems root does get a lot of mail but it's forwarded to some user (the admin usually)'s account, possibly on another machine. Otherwise you'd have to send the root passwd across the wire for pop or imap . . . or log in as root and get only primitive command line mailreaders. (so far.) I use procmail to sort the mail I get from my 8 admined servers which all deliver to my account . . . works really well.
  • Is Apache/1.3.12 (Unix) PHP/4.0.1pl2 mod_ssl/2.6.5 OpenSSL/0.9.5a (on an old 486 :) )
    Although it took a couple of compiles to get it to work correctly...
    I kept getting strange errors when I tried to look at https pages with Netscape (although IE went well, and so did Netscape on "usual" pages) (Netscape crashed with an error in "the security subsystem").
    It looks like Apache (or mod_ssl or php4) (at least the versions I used) aren't 100% compatible. But the problem disappeared when I changed the order of --with-module=php, --with-module etc. to Apache's autoconf script (don't remember which combination finally did work...)

    /droid
    PS. I did try Apache-SSL as well... but that didn't even compile :(

  • True, I'm not a lawyer, but I thought that RSA patent had expired? Anyway, we did this over this past summer, as in 2 months ago. Before we set anything up, we looked over the documentation to be sure that everything would be ok. Hell, at the top of Apache-SSL's web page, the first feature says "Free for both commercial and non-commercial use". If they're saying that it's ok to use their copy of SSL, then I don't see where the answer is unclear. Anyway, that's just my $0.02.
  • The whole point of a certificate is to prove identity.

    Yeah - but what if I'm only interested in encrypted communication? Can I do this without a costly certification? And I wouldn't want to cause those scary warnings to users either. (I know that I lose some of the security this way because I cannot be sure that the other end is what I think it is.)
    _________________________

  • I didn't say their keyring format or their really friggin' old version of Apache was good. Only that the GUI tool for key management was much better than screwing around with openssl CLI calls for key management. Being able to click the [Generate a CSR] button and fill in a form, click the [Export CSR to ASCII armored format] menu item and then use the [Import signed CSR to keyring] option is preferable to issuing the equivalent openssl commands.

    I'm advocating the authoring of a nice X11 GUI client for keyring management, nothing more.

    -Rusty

  • Well, mod_ssl works by being a module. You add the module and that's it. By giving Apache a define (httpd -DSSL) it will enable the proper sections in httpd.conf and turn itself into an SSL server. You can run one copy or run separate copies (one for normal and one for SSL).
  • Just a note that Stronghold v5 now uses mod_ssl. The only reason to buy it is if you want a nice installer and commercial support (which isn't that great by the way). We finally ended up ditching the $1000 stronghold and just installing mod_ssl because we couldn't get stronghold to work and couldn't get any decent support for it. And we had ditched Raven beforehand because of the same thing.
  • If this is so, which it seems to be, as it's mentioned in several other posts, it's not very surprising.
    Wouldn't it be nice, though, if enough sites would use wildcard certificates anyway, so that it became such a burden to IE users that they either would get fed up and switch browsers or Microsoft would have to realize that the browser's functionality was taking such a hit because of it that they had to change it.
    I can imagine that if people using IE want to check their accounts on their bank's secure server, they would not be happy to get a message like this:
    We're sorry, but due to intentional incompatibilities in Microsoft Internet Explorer, you cannot view this page. Please try again with a different browser.
    This would be such an inconvenience for users that MS would have to fix it! Too bad so few companies are willing to risk evoking the wrath of Microsoft.
  • by decaym ( 12155 ) on Wednesday October 11, 2000 @01:20PM (#714269) Homepage

    I'm sure this won't be popular due to the current mood of RedHat bashing, but it is worth pointing out that RedHat 7 comes with mod_ssl. RedHat also compiles the EAPI patch needed by mod_ssl directly into the apache package and all dependent services (such as PHP) are compiled with EAPI so that there are no package complaints. This gives you an SSL-enabled web server right out of the box (or off the wire) with RedHat.

    Regarding the EAPI patch, a little background should be presented here. As mentioned earlier, Apache must be patched with EAPI (Extended API) in order to handle the SSL functions provided by mod_ssl. Other packages compiled with the Apache lib like PHP as a DSO module will complain loudly if you load them against a patched Apache when the module was compiled against unpatched libs. Because of this, you have to make sure that all your Apache related services are recompiled. RedHat's decision to include EAPI in their default Apache package simplifies this.

    For a modular installation, mod_ssl is probably better being that you can turn an insecure server secure by adding a package rather than replacing an existing one. This gives you better consistency with configuration files and version control. In fact, the same configuration file can support the secure and insecure installs just by using some directives in the file.

    One thing I'm curious about is if Apache 2.0 will have EAPI built in by default. This will help to avoid recompile problems like this in the future.

    As for using mod_ssl, I've loaded it on several machines. Runs wonderfully. One of my machines has two secure virtual servers and four non-secure virtual servers. The only headache is that you cannot do name based virtual hosting with SSL. This is a problem with SSL, not Apache, due to the point where SSL authentication and encryption takes place.
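
The `httpd -DSSL` arrangement described in the mod_ssl comment above, together with the one-IP-per-secure-host limitation decaym mentions, as an added example that is not any poster's or the mod_ssl project's own configuration. It is written for Apache 1.3 with mod_ssl 2.x; the hostnames, the 192.0.2.x addresses (a documentation range), the module path and the certificate paths are assumptions.

```apache
# Added example (not from any poster): one httpd.conf that always serves
# plain HTTP and serves SSL only when started as "httpd -DSSL".
# Hostnames, IPs and file paths are assumed; adjust to the installation.

Listen 80
# Plain-HTTP sites may share one IP: Apache picks the site by Host header.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
</VirtualHost>

<IfDefine SSL>
    # Everything in here is ignored unless the server was started with -DSSL.
    Listen 443
    # Module path assumed (a mod_ssl 2.x DSO build); AddModule must follow.
    LoadModule ssl_module libexec/libssl.so
    AddModule mod_ssl.c

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:logs/ssl_mutex
    SSLLog logs/ssl_engine_log
    SSLLogLevel warn

    # Secure hosts get one IP each: the certificate is sent during the
    # handshake, before any Host header exists, so the server cannot choose
    # it by name. That is the limitation decaym describes.
    <VirtualHost 192.0.2.10:443>
        ServerName www.example.com
        DocumentRoot /var/www/example
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/www.example.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
        # Refuse SSLv2 and the export/low-strength ciphers.
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXP:!LOW:!eNULL:+HIGH:+MEDIUM
    </VirtualHost>

    <VirtualHost 192.0.2.11:443>
        ServerName shop.example.com
        DocumentRoot /var/www/shop
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/shop.example.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXP:!LOW:!eNULL:+HIGH:+MEDIUM
    </VirtualHost>
</IfDefine>
```

Started as plain `httpd`, only port 80 is bound and the two SSL hosts do not exist; started as `httpd -DSSL`, the same file also binds 443. The second secure host needs its own address (or its own port), which is the practical consequence of the handshake ordering the post describes.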

  • Your understanding is wrong. RSA explicitly released those patents into the public domain 2 weeks early [slashdot.org].
  • Sorry, you've been ripped off.

    The only important thing in the certificate (that can't be changed) is the dns name of the server (www.xxx.abc). If you are upgrading to a new server, and that new server gets the same name, you're fine - just copy the files over.

    There is nothing magical about the particular hardware or operating system you made the original request on.
  • This would be such an inconvenience for users that MS would have to fix it!

    No, this would be such an inconvenience for users that they'd either switch banks or just not use internet banking. Think about it.
  • Equifax Secure is very good. I purchased a certificate for them for use in my Apache+mod_ssl configuration and had no problems installing it. They even provide step-by-step instructions for many different web servers on how to install the certificate. I highly recommend them.

  • Yeah - but if I'm only interested in encrypted communication, can I do this without a costly certification? And I wouldn't want to cause those scary warnings to users either. (I know that I lose some of the security this way because I cannot be sure that the other end is what I think it is.)

    What use is encryption if anyone can decrypt it? If you just want cheap, there are various "webs of trust" out there, but bear in mind, you get what you pay for. And if a member proves to be less than trustworthy, it's difficult to revoke their trust.
  • Identity is equally meaningless unless it's tied to accountability. So you're Joe Schmoe. Or SmallCorpX. Does that mean you won't commit credit card fraud?

    I'm curious why SSL can't work similarly to SSH; you negotiate a key with that particular server. Why does the server have to pay to be identified by a CA? If you're not sure of the identity of those running the server, why are you sending them your credit card information anyway?

    This is a serious question, can someone explain this to me?

  • I'm sure that SSL is going to be more popular now than it was before, but you're unlikely to see most sites, like /. running on SSL. Why? Well, an SSL server can only serve about 10% of the requests of a regular web server because the encryption takes so much processor time. There are hardware solutions that can offload the SSL processing from the CPU, but all of them are expensive.
  • To say it another way, I don't think that anyone is interested in why YOU use Apache-SSL or YOU use Apache+mod_ssl. I know that I'm not! Instead, I'd like to hear WHY you use Apache-SSL, or WHY you use Apache+mod_ssl.

    Trust you to cut to the chase, leaving all of these other Slashdotters floundering in the trivia 30 minutes back in the plot. How are they supposed to work up a good flame war when you axe their ``reason'' for a good does/doesn't war with one small, well-placed, fixed-pitch question? (-:

    I use mod_ssl because that's what Mandrake ship with their distros. You can call that laziness, or you can call it pragmatism, but really it's the only reason I have.

  • You're right, very few people are going to put a credit card into a site where MSIE warned them that quote "There is a problem with the site's security certificate". Netscape provides an identical warning. They would sooner punch in their number over a connection that doesn't have any SSL than punch it in after getting such a warning. And that is the funny part...

    At thawte.com [thawte.com] you can get 3rd level domain certs for $125 - they have excellent support too - even telling you how to get a cert out of an NT box and putting it into openssl.

  • If performance is your thing, why not off-load the SSL calculations to some dedicated hardware?

    For instance Rainbow (isglabs.rainbow.com) sells some really nice hardware. It includes drivers for Linux and FreeBSD. It also works with most popular web servers, including Apache.

    Mathijs
  • It does work that way - it establishes a secure session by exchanging encryption keys, so the connection is secure whether or not the cert has been signed by a CA or not.

    I guess this whole thing was created just to go through the motions of making it seem as if things are "Certified" by an "Authority". In the real world this doesn't mean much - anyone with a DBA can get a cert from a trusted CA. Anyone with $10 can set up a DBA (in some states of the states). And how would thawte or verisign know how to verify whether a business in Timbuktu or Kaliningrad is genuine...

    An alternative would be to toss the CA concept and pull the domain name owners out of a whois database, and ask for any certificate whether we trust it or not by its own merits...

  • ...and now that the patent has expired, ships it on the main CD set from 7.2 (currently -rc1). Mandrake 7.2 also includes Apache-ASP and the semi-separate Apache-PERL daemon. And lots of other yummy stuff. (-:
  • It can be static if you want it to be. When I evaluated mod_ssl and Apache-SSL I was sold by the effort spent on documenting mod_ssl and making it clear and hackable by those who probably aren't qualified to be doing that.

    I'm waiting for the apache 1.3.13 release later this week (according to the CVS tarball STATUS from a few days ago); the bit where you can tell it a directory instead of a config file, and it'll parse the files in that directory as that config, that sounds like it'll make some real fun possible.

    [ever more offtopic] I saw something in those same files about GDBM, I presume for auth_dbm replacement; I've got a simple hack that does that but not the time to spray it with the substances called for in the official patch submission rituals. Anybody wants it send me an email...

  • Performance might be nice. Reliability and security (as in no buffer holes for script kiddies) are certainly important. However, simplified visual interfaces are not my forté. Can Zeus be administered in the most literal and detailed sense?

  • I've been quite happy with mod_ssl.

    You may have a point regarding features/stability; I know that with mod_ssl, restarting apache doesn't always work smoothly for me (graceful restart does, however). But in the long run, Apache modules are cleaner, more stable, and easier to upgrade, so it is the right approach (vs patches) in many ways.

    Another factor to consider is fixes, support, documentation. I spent a long time getting the mod_ssl mailing list, and Ralf Engelschall is uncommonly helpful. Minor version fixes are frequent when they involve bug fixes, and infrequent otherwise (seems obvious, but not everyone does that). The documentation is glossy and has large images, but it's accurate and I always found what I was looking for.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • That would be nice if it could happen. In reality banks are run by PHB's who buy Microsoft whenever they don't think about what it is they are buying into, which is never, anyway. They will bite the M$ song hook, line and sinker when M$ tells the bank that IE is just being extra secure for places like banks. The PHB won't analyze it to see if there is any merit to the statement; he'll just switch to what works with IE, and quite possibly wonder about restricting access to IE only.
  • We thought the same thing, but in running mod_ssl found that it has conflicts with IE 5.0 on Windows and Mac. It is a bug in IE5's implementation.

    Still, Apache-SSL works regardless of the bug, whereas mod_ssl doesn't.

  • I don't see why apache-ssl would be faster than mod_ssl. Just because it's patched and compiled in doesn't make it faster. It still needs to perform the same tasks. The difference in speed comes from the efficiency of the code, and modularity does not necessarily hurt it. Can you explain your reasoning?

    ___
  • Don't have any problem with IE 5.5. Then of course, I'm using the latest browser from the Evil Empire (TM). Since old Netscape accounts for less than 15% of my logs, it wouldn't be such a problem to use these certs.
  • austad: I've been using mod_ssl. Much easier to set up, and when I tried Apache-SSL, apache would die unexpectedly and it was SLOW. No problems at all with mod_ssl.

    boy case: We use Apache-SSL. We got Apache 1.3.12, iirc, on a pretty standard Redhat 6.1 (yeah I much prefer 6.2 too *g*) and it's never died. It seems plenty fast. I had no problems setting it up either, and Verisign's certificate installed fine.

    I tried Apache-SSL first, then switched to mod_ssl; I did not think there was much difference in the difficulty setting them up, both seem quite stable, and speed was not an issue for me - both were fast enough - so I never measured it.

    boy case: Have to admit to not trying mod_ssl but I think the tone of the documentation was the deciding factor for me....

    The documentation was a factor in my decision to change - I found the mod_ssl documentation much more comprehensive and easier to understand so I did not let the tone bother me.

    One particular reason for the switch was that I wanted to use client certificate authentication and mod_ssl seems to be much more flexible in that area. I have set up part of my secure web hierarchy to require CCA with mod_ssl; Apache-SSL seemed to be an all-or-nothing-for-the-whole-site proposition.

    Although I find mod_ssl better for CCA, neither is particularly good. I would really like something better than the "fake basic auth" method of access control which both seem to offer in the same way. I would also like to be able to check the revocation list via an LDAP query rather than a file. Unfortunately, I have not had enough spare time to look into this in any detail; this is at-work stuff but not part of my real job unfortunately.
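
The per-directory client certificate setup Shirotae describes, with the "fake basic auth" mapping and a file-based revocation list, as an added example that is not Shirotae's or the mod_ssl project's own configuration. It is written for Apache 1.3 with mod_ssl 2.x; the hostname, the 192.0.2.10 address, the file paths, the CA and the organisation name checked are assumptions.

```apache
# Added example (not from any poster): one secure host where only /staff
# demands a client certificate, which is what mod_ssl allows and Apache-SSL
# (per the comment above) did not. Paths, names and the IP are assumed.

<VirtualHost 192.0.2.10:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/secure.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/secure.example.com.key

    # The CA that issued the client certificates, and its CRL. mod_ssl reads
    # the revocation list from a file, so it is only as current as the last
    # refresh of that file; re-fetch it on a schedule and restart gracefully.
    SSLCACertificateFile /etc/httpd/ssl/client-ca.crt
    SSLCARevocationFile /etc/httpd/ssl/client-ca.crl

    # Default for the rest of the site: no client certificate requested.
    SSLVerifyClient none

    <Location /staff>
        # Refuse plain-HTTP access to this path even if it is also served on :80.
        SSLRequireSSL
        # A certificate chaining to the CA above is mandatory here only.
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Narrow further: the CA may sign for several organisations, but
        # only this one gets in, and only if verification fully succeeded.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                   and %{SSL_CLIENT_S_DN_O} eq "Example Corp"
        # Map the certificate subject DN onto Apache's basic-auth machinery.
        # The user file lists one permitted DN per line, each followed by the
        # fixed crypt() string for the word "password" that mod_ssl expects:
        #   /C=US/O=Example Corp/OU=Staff/CN=Jane Doe:xxj31ZMTZzkVA
        # Listing DNs is the access control; no real password is ever typed.
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthType Basic
        AuthName "Staff area (client certificate required)"
        AuthUserFile /etc/httpd/ssl/staff-dn.passwd
        require valid-user
    </Location>
</VirtualHost>
```

Because `SSLVerifyClient` is applied inside the `<Location>`, mod_ssl renegotiates the connection when a request first hits `/staff`, which is how the certificate requirement can be scoped to part of the hierarchy. The DN strings in the user file must match mod_ssl's own DN formatting exactly, and since the "password" is a public constant, the file must never be reused for a real `AuthType Basic` login.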

  • I can't speak for apache-ssl, but I can echo some people's experience with mod_ssl / IE5 / Verisign "Global Server Certificates" (128-bit certs with 'stepping up'). The problem is a nasty one and despite regular posts on the mailing lists, Ralf (the mod_ssl author) seemed to think that the problem was solved, and that all problems derived from IE's implementation of SSL. But the problem is not solved - look at the mailing list archives and every week someone has the same problem. In fact I think the problem derives from a *combination* of some of the experimental ciphers in OpenSSL 0.9.5a and IE5+. The problem was eating up too much of my time, so now I'm only using 56-bit certs, for which there is no problem. But that's not what I would call an ideal situation...
  • There's a lot of confusion over this issue. I had exactly the same problem and *never* solved it. I followed all the FAQs on the site, found out several new IE5 bugs, corresponded with Ralf, and gave up. The suggestions on the FAQ solve *some* IE5 problems, but your one (and mine...) doesn't go away. I ended up buying a 56-bit cert :(

    I've also heard that Thawte certs work OK.

    The only thing I never tried but saw suggested on a mailing list is recompiling OpenSSL without experimental ciphers (it's a compiler flag). Sounded plausible at the time.
  • No, they released the one patent into the public domain, but not this one [delphion.com]. How many others are there like this, and do they affect SSL?
  • Shirotae wrote some interesting stuff check it out above..

    I guess in the end our decision was arbitrary. I think I liked the part about correctness over features, it just appealed to me personally. From what people have said here, I think I'll take a look at mod_ssl too, if I get a chance; the system is up and running already so like your case it's not a major priority for my company.

    We don't use client certificates, so we never hit that issue.

  • First of all yes, root gets lots of e-mail, all of which should be forwarded away to some admin's mailbox (or more likely to some admin's automated mail parser). You should never ever ever need to manually read root's e-mail.

    As for cleartext mail passwords, well, you *can* do it that way, or you can use OPIE, APOP, KPOP, SSL, IMAP with GSS, IMAP with CRAM-MD5, regular POP or IMAP over ssh or IPSec.... Hell, you could even use NTLM if you're auth'ing against an Exchange server or something.

    Really, there's no excuse for sending your admin passwords across the wire cleartext. They should have to work to get access to your machines.

    --
    "Don't trolls get tired?"
