Chapter 2:
Introduction to SSL
Topics
What is SSL?
How widely used is SSL?
How are Apache-SSL, mod_ssl, and OpenSSL related?
How does mod_ssl fit into HP Secure Web Server?
What is SSL?
Secure Sockets Layer (SSL)
is the open standard security protocol for the secure transfer of
sensitive information over the Internet. Implementing SSL requires
software to be installed in servers and on browsers that use the SSL
protocol. SSL provides three things: privacy through encryption,
server authentication, and message integrity. Client authentication
is available as an optional function.
With your SSL-aware HP Secure
Web Server you can ensure a level of security that cannot be
achieved by other means. SSL is the most widely used secure method
for transmitting sensitive information across the Internet,
extranets, and intranets.
With
the growth of the Internet and digital data transmission, many
applications need to securely transmit data to remote applications
and computers. SSL was originally developed by Netscape to solve this
problem using a server-independent architecture. In
point-to-point connections, SSL enables mutual authentication
between servers and clients by establishing an authenticated and
encrypted connection.
SSL runs above TCP/IP and below
HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. It
provides protection against eavesdropping, tampering, and forgery.
Clients and servers are able to authenticate each other and to
establish a secure link, or "pipe," across the Internet or
intranets to protect the information transmitted.
Important:
SSL data transport requires encryption. Many governments, including the
United States, have restrictions on the import and export of
cryptographic algorithms. Please ensure that your use of SSL is in
compliance with all national and international laws that apply to you.
RSA Security SSL and TLS
Apache Server FAQs
How widely used is SSL?
SSL is a cooperative technology, requiring reciprocating server and
client technologies. Both Netscape and Microsoft have built
full-featured SSL security into their browsers.
Security and trust are pivotal to the rapid development of eBusiness.
More and more web sites are using the SSL protocol to offer clients
secure connections and to exchange confidential information. In
addition to server-side security, client authentication, also using
the SSL protocol for digital IDs and signatures, is gaining much
wider acceptance.
By convention, Web pages that require an SSL connection start with https:
instead of http: (in the browser's address
field). Whenever you enter a secure connection, your browser also
shows the familiar padlock image in the status bar, indicating that
the page is encrypted.
[Figure: SSL security symbols in Netscape Navigator and Microsoft Internet Explorer status bars]
Depending on your browser and its security settings, you may be
unaware of the authentication process unless you are prompted to
install a certificate issued by the server. This is because your
browser has a store of certificates signed by the same certifying
authorities as most servers use (such as VeriSign). You
can easily view your certificate store and the details of individual
certificates. 
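The trust decision described above can be reproduced with the OpenSSL command-line tool. This is an added example, not part of the HP documentation: it assumes the openssl CLI is installed, and the CA, host name, file names and the helper functions make_pki, is_trusted and demo are all constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway CA and certificates; every name here is constructed.

# make_pki DIR: build a test CA, a server certificate it signs, and an
# unrelated self-signed certificate for the same host name.
make_pki() {
    dir=$1
    # 1. The certifying authority: plays the role of one entry in the
    #    browser's certificate store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. The server creates a key and signing request; the CA signs it.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$dir/srv.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" 2>/dev/null || return 1
    # 3. Same host name, but self-signed: no CA in the store vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/unknown.key" -out "$dir/unknown.pem" 2>/dev/null || return 1
}

# is_trusted STORE CERT: succeeds only if CERT chains to a CA in STORE.
is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: run both certificates through the same store and report the outcome.
demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for cert in srv unknown; do
        if is_trusted "$tmp/ca.pem" "$tmp/$cert.pem"; then
            echo "$cert.pem: chains to the store, accepted without a prompt"
        else
            echo "$cert.pem: issuer not in the store, user would be prompted"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Both certificates carry the same host name; only the issuer's signature decides which one the store accepts.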
SSL is not Secure HTTP
Another protocol for transmitting data securely over the World Wide
Web is Secure HTTP (S-HTTP). Encryption of the transport layer allows
SSL to be application-independent, while S-HTTP is limited to the
specific software implementing it. Both protocols have been approved
by the Internet Engineering Task Force (IETF) as a standard.
IETF Security Area
How are Apache-SSL, mod_ssl, and OpenSSL related?
Fortunately, open-source
implementations of SSL for Apache are available. The original Apache
implementation of SSL was Apache-SSL.
Subsequently, mod_ssl was derived from Apache-SSL and has become an
alternative to it. In
open source terminology, mod_ssl is a "split" - derived
from Apache-SSL but extensively redeveloped, so the code now bears
little relation to the original.
Apache-SSL
Apache-SSL
continues to be developed and maintained, with the focus being on
reliability, security and performance within a limited feature set.
The increasing popularity of mod_ssl among Apache users is a result
of its added-value features and quality. The mod_ssl package is not
standalone: it works in conjunction with OpenSSL.
OpenSSL represents a collaborative effort to develop a robust,
commercial-grade, full-featured, and open-source toolkit. It
implements the SSL Versions 2 and 3 and Transport Layer Security (TLS)
Version 1 protocols, as well as a full-strength, general-purpose
cryptography library.
OpenSSL: The Open Source toolkit for SSL/TLS
How does mod_ssl fit into HP Secure Web Server?
You can think of mod_ssl as the glue joining OpenSSL with HP
Secure Web Server. The mod_ssl interface provides the Apache 1.3.12
web server (on which CSWS is based) with full use of the OpenSSL
toolkit. CSWS uses RSA Security's Crypto-C (BSAFE) library in OpenSSL.
mod_ssl: The Apache Interface to OpenSSL