Weinstein.org > Digital World > Technical Papers and Presentations

> > >

jul 23 08

Digital World

O'Reilly Open Source Convention: Apache Track: Apache and SSL, San Diego, July 24th 2002.

Hello World (Slide Two)

Introduction
What Will Be Covered
- Review of SSL
- Quick History of Apache and SSL
- Apache 1.3.x
- Apache 2.0.x
- Cool Tricks of Apache and SSL
What Won't Be Covered

Disclaimer (Slide Three)

It should be noted that this presentation does not cover all issues relating to securing networked based machines and their content. This presentation is designed only to introduce basic concepts and configuration of Apache and SSL.

SSL and TLS: (Slide Four)

Secure Sockets Layer (SSL), developed by Netscape Communications, and Transport Layer Security (TLS), the open-standard replacement for SSL from the Internet Engineering Task Force, are the two protocols that add encryption and authentication to TCP/IP.

SSL and TLS: Two Main Features (Slide Five)

Ciphers; which enable the encryption of data between the client and server.
Digital Certificates; which provide a method of authentication of a client and server.

SSL and TLS: Ciphers (Slide Six)

Symmetric (a.k.a. Secret-Key)
Asymmetric (a.k.a. Public-Key)

SSL and TLS: Digital Certificates (Slide Seven)

Advantage of Public-Key Encryption
Server Certificate
Client Certificate
Root Certificate
Certificate Authority
- Public Certificate Authority
- Private Certificate Authority

Apache and SSL: A Timeline (Slide Eight)

mod_ssl (Slide Nine)

Support for SSL v2, v3 and TLS v1
Advance pass-phrase handling for private keys
X.509 based digital certificates, certificate generation, certificate revocation list
Support for crypto acceleration hardware *
Backward compatibility

* Platform Dependent

mod_ssl (Slide Ten)

Most Popular SSL Solution for Apache
- 1,098,542 of 4,577,603 or 23.99%*
Second Only to PHP and Perl Overall
- 43.71% and 24.11%*

* Source E-Soft June Report, <http://www.securityspace.com>

Apache 1.3.x: mod_ssl (Slide Eleven)

Integration
Needs EAPI
Can Build as a DSO
OpenSSL Toolkit

Apache 2.0.x: mod_ssl (Slide Twelve)

Supports New Apache 2.0 Architecture
Included with the Apache 2.0.x source code
To add mod_ssl when building Apache
- --enable-ssl
- --with-ssl=/path/to/OpenSSL/lib

Apache and SSL: Cool Tricks - The Ubiquitous Online Store (Slide Thirteen)

Transacting of payment information for consumer good(s) in a secure manner between the customer and the business.

Apache and SSL: Cool Tricks - The Ubiquitous Online Store (Slide Fourteen)

What We Need:
- Enable mod_ssl
- Request a server certificate from a public certificate authority
- Install server certificate
- Add a CGI script to collect data
- Configure access to CGI script via HTTPS

Apache and SSL: Cool Tricks - The Ubiquitous Online Store (Slide Fifteen)

What We Get:

Apache and SSL: Cool Tricks - The Ubiquitous Online Store (Slide Sixteen)

What We Get:
- The communication with the store is secure.
- The server on the other end, decrypting the data is in fact the online store as identified by the server's digital certificate and authenticated by a trusted third party.

Apache and SSL: Cool Tricks - An Organization's Intranet (Slide Seventeen)

Transacting of organizational information in a secure manner between the organization's groups and individuals.

Apache and SSL: Cool Tricks - An Organization's Intranet (Slides Eighteen)

What We Need:
- Create a private certificate authority using OpenSSL
- Enable mod_ssl
- Request a server certificate from the private certificate authority
- Install server certificate

Apache and SSL: Cool Tricks - An Organization's Intranet (Slide Nineteen)

What We Need:
- Add a CGI script to collect data
- Configure access to CGI script via HTTPS
- Install private certificate authority's root certificate
- Configure server to authenticate clients based on certificates from private certificate authority

Apache and SSL: Cool Tricks - An Organization's Intranet (Slide Twenty)

What We Need:
- Sign client certificate requests & install in client's web browsers
- Install private certificate authority's root certificate
- Authenticate servers based on private certificate authority

Apache and SSL: Cool Tricks - An Organization's Intranet (Slide Twenty One)

What We Get:

Apache and SSL: Cool Tricks - An Organization's Intranet (Slide Twenty Two)

What We Get:
- The communication within the organization is secure.
- The server on one end is in fact organization's server - the information from is valid.
- The client on the other end is in fact a member of the organization - the information has not been compromised.

Review of Apache and SSL (Slide Twenty Three)

SSL and TLS
History of Apache and SSL
Apache 1.3.x
Apache 2.0.x
Cool Tricks of Apache and SSL

Citation (Slide Twenty Four)

Engelschall, Ralf User Manual mod_ssl Version 2.8 Jan. 2001 <http://www.modssl.org/docs/2.8>
mod_ssl: The Apache Interface to OpenSSL <http://www.modssl.org>

Citation (Slide Twenty Five)

Weinstein, Paul. "Web Security: Encryption & Authentication." Daemonnews (May 2001): 15 pars. <http://www.daemonnews.org/200105/ssl_apache.html>
Weinstein, Paul "Web Security: Apache and mod_ssl." Daemonnews (June 2001): 15 pars. <http://www.daemonnews.org/200106/ssl_apache_pt2.html>

Suggested References (Slide Twenty Six)

This Presentation:
- Article:
  - Weinstein, Paul. "Apache and SSL" O'Reilly Network: ONLamp.com (April 2002): 24 pars. <http://www.onlamp.com/pub/a/onlamp/2002/04/18/ssl.html>

Suggested References (Slide Twenty Seven)

This Presentation:
- Slides:

Suggested References (Twenty Eight)

Apache Project, <http://www.apache.org>
Apache Week, <http://www.apacheweek.com>

Suggested References (Twenty Nine)

mod_ssl Project, <http://www.modssl.org>
- Mailing Lists, List Archives:
  - <modssl-announce@modssl.org>
  - <modssl-users@modssl.org>
    - <http://marc.theaimsgroup.com/?l=apache-modssl>

Suggested References (Slide Thirty)

OpenSSL Project, <http://www.openssl.org>
- Mailing Lists, List Archives:

Life is sexually transmitted.