O'Reilly Open Source Convention: Apache Track: Web Security for Business: Introduction to mod_ssl, San Diego, July 26th 2001.

• What Apache Is
• How to Build Apache and Apache Modules
• How to Maintain An Apache Install

• Quick Review of SSL
• A Look at Apache and SSL
• Case No. 1: Online Store
• Case No. 2: Corporate Intranet
• A Look into the Future of Apache and SSL

• It should be noted that this presentation does not cover all of the issues involved in securing a networked based machine and its contents, but only covers issues invloved in securing and authenticating data transmitted between machines.
• Secure Sockets Layer (SSL), developed by Netscape Communications and Transport Layer Security (TLS), the open-standard replacement for SSL, are the two protocols that add encryption and authentication onto the TCP/IP stack.

• Ciphers; which enable the encryption of data between two parties (a client and a server).
• Digital Certificates; which provide the authentication of the two parties (a client and a server).

• Symmetric (secret-key ciphers)
  • Use a single key for both encrypting and decrypting data.
• Asymmetric (public-key ciphers)
  • Use a key pair, a public key and a private key. The public key can encrypt, but can't decrypt data. Only the private key can decrypt data.

• Digital Certificates allow authentication of the parties engaged in a secure transaction.
• Digital Certificates are in the X.509 format and are issued by a Certificate Authority (CA) that acts as a trusted third party, verifying the identity of the first two parties.

• Public CAs, like Verisign, Thawte or Equifax, are recognized as trusted by most web browsers and servers by default. A certificate issued by a public CA is usually used when no other relation exists between the first two parties.
• Private CAs, are not recognized as trusted, by default, but can be configured as such. Used where some kind of trust relationship already exisits in an exclusive group such as an employee and the employer.

• mod_ssl is the most popular solution for adding SSL to Apache
• Approximately 12% of all Apache installs use mod_ssl
  • 1,100 modssl-users
  • 280,000 Installations
  • 1,900,000 Domains

• Fully integrates with Apache 1.3
  • Hooks into Apache via Extended API (EAPI)
  • Can be build as Dynamic Shared Object (DSO)
  • Integrates the OpenSSL Toolkit to enable SSL transactions.

• Supports SSL v2, v3 and TLS v1
• Advanced pass-phrase handling for private keys
• X.509 based client & server authentication; certificate generation; certificate revocation list support
• Support for Crypto Acceleration Hardware
• Backward compatibility to other SSL Solutions (Apache-SSL, Stronghold, et al.)
• Inter-process SSL session cache

• Problem:
  • To collect customer data such as mailing address and credit card information in a way that the customer trusts the store and the data is transmitted securely.
• Solution:
  • Apache with mod_ssl

• What we need to do:
  • Add mod_ssl to Apache
  • Request a server certificate from a Public Certificate Authority
  • Install server certificate from Public CA
  • Add a CGI script to collect data
  • Link to script via https

• What we get:

• What we get:

• What we get:
  • The communication with the store is secure, so that no one can collect the customer's information while that data is in transit.
  • The server on the other end, decrypting the data is in fact the online store, and the customer information will in fact be used to process the order.

• Problem:
  • To allow access to company information without locking an employee into access from a specific location, while at the same time making sure confidential information does not pass to unauthrized hands.
• Solution:
  • Apache with mod_ssl
  Case No. 2: Corporate Intranet (Slide Nineteen)
  • What we need to do:
    • Create a private certificate authority using OpenSSL
    • "Distribute" CA's public key within the company
    • Add mod_ssl to Apache
    • Requrest a server certificate from a private CA
    • Install server certificate
    • "Distribute" cleint certificates to employees based on private CA
    • Configure mod_ssl to authenticate valid access for those only presenting a client certificate based on private CA
  Case No. 2: Corporate Intranet (Slide Twenty)
  • What we get:
  Case No. 2: Corporate Intranet (Slide Twenty One)
  • What we get:
  Case No. 2: Corporate Intranet (Slide Twenty Two)
  • What we get:
  Case No. 2: Corporate Intranet (Slide Twenty Three)
  • The communication between the company is secure, so that no one can collect the company information while it's in transit.
  • The server on one end of the decryption is in fact the company server and the information is valid.
  • The client on the other end of decryption is in fact an employee and that the information has not been compromised.
  Apahce and SSL: The Future? (Slide Twenty Four)
  "Either we have to maintain mod_ssl again externally as an alternative to Apache 2.0's mod_tls -- or we are able to integrate mod_ssl's functionality into mod_tls." (Engelschall, 1)
  "At ApacheCon Europe in November 2000, a meeting took place between Ben Laurie (Apache-SSL), Ralf Engelschall (mod_ssl), Mark Cox (Red Hat Stronghold), and Randy Terbush (Covalent Raven). The meeting was held to decide the fate of SSL support for Apache 2.0, aiming to avoid the current situation of parallel module development for Apache 1.3." (ApacheWeek, 1)
  "ApacheCon 2001 was held in Santa Clara...the last class of the first day was a highly entertaining and animated talk by Rlf S. Engelschall...the future of mod_ssl was discussed including the work currently going on to port it to Apache 2.0...it is not certian how this effort will fit into the work being done in Apache 2.0 on mod_tls and if we will end up with two SSL solutions like we have with Apache 1.3." (ApacheWeek, 2)
  Apahce and SSL: THe Future? (Slide Twenty Five)
  Apache and SSL: The Future? (Slide Twenty Six)
  Citation (Slide Twenty Seven)
  • Engelschall, Ralf. "Security Solutions with SSL." ApacheCon, Santa Clara. 4 Apr. 2001.
  • Engelschall, Ralf User Manual mod_ssl Version 2.8 Jan. 2001 <http://www.modssl.org/docs/2.8>
  • mod_ssl: The Apache Interface to OpenSSL <http://www.modssl.org>
  • "Apache 2: Brief History." ApacheWeek (30 Mar 2001): 1 pars. <http://www.apacheweek.com/features/ap2/>
  • ApacheCon Santa Clara 2001: Day1." ApacheWeek (13 Apr 2001): 2 pars. <http://www.apacheweek.com/issues/01-04-13>
  • Weinstein, Paul. "Web Security: Encyption & Authentication." Daemonnews (May 2001): 15 pars. <http://www.daemonnews.org/200105/ssl_apache.html>
  Acknowledgments & Suggested References (Slide Twenty Eight)
  • Red Hat's Stronghold Team
  • Portions of this presentation used with permission from Ralf Engelshcall.
  • This Presentation:
    • <http://www.weinstein.org/redhat/presentations/oscon01/intro_to_mod_ssl> (HTML)
    • <http://www.weinstein.org/redhat/presentations/oscon01/intro_to_mod_ssl.pdf> (PDF)
  • Apache Project, <http://www.apache.org>
  • Apache Week, <http://www.apacheweek.com>
  Acknowledgments & Suggested References (Slide Twenty Nine)
  • mod_ssl Project, <http://www.modssl.org>
  • Mailing Lists, List Archives:
    • <modssl-announce@modssl.org>
    • <modssl-users@modssl.org>
    • <http://marc.theaimsgroup.com/?l=apache-modssl
  • OpenSSL Project, <http://www.openssl.org>
  • Mailing Lists, List Archives:
    • <openssl-announce@openssl.org>
    • <http://marc.theaimsgroup.com/?l=openssl-announce>
    • <openssl-cvs@openssl.org>
    • <http://www.progressive-comp.com/Lists/?l=openssl-cvs>
    • <openssl-dev@openssl.org>
    • <http://www.progressive-comp.com/Lists/?l=openssl-dev>
    • <openssl-users@openssl.org>
    • <http://www.progressive-comp.com/Lists/?l=openssl-users>