O'Reilly Open Source Convention: Apache Track: Web Security for Business: Introduction to mod_ssl, San Diego, July 26th 2001.
What You Should Know (Slide Two)
What We're Going to Talk About (Slide Three)
- What Apache Is
- How to Build Apache and Apache Modules
- How to Maintain An Apache Install
SSL/TLS (Slide Four)
- Quick Review of SSL
- A Look at Apache and SSL
- Case No. 1: Online Store
- Case No. 2: Corporate Intranet
- A Look into the Future of Apache and SSL
SSL/TLS: Two Main Features (Slide Five)
- It should be noted that this presentation does not cover all of the issues involved in securing a network-based machine and its contents; it covers only the issues involved in securing and authenticating data transmitted between machines.
- Secure Sockets Layer (SSL), developed by Netscape Communications, and Transport Layer Security (TLS), the open-standard replacement for SSL, are the two protocols that add encryption and authentication on top of the TCP/IP stack.
SSL/TLS: Ciphers (Slide Six)
- Ciphers, which encrypt the data exchanged between two parties (a client and a server).
- Digital Certificates, which authenticate the two parties (a client and a server).
SSL/TLS: Digital Certificates (Slide Seven)
- Symmetric (secret-key) ciphers
- Use a single key for both encrypting and decrypting data.
- Asymmetric (public-key) ciphers
- Use a key pair: a public key and a private key. The public key can encrypt data but cannot decrypt it; only the private key can decrypt.
SSL/TLS: Digital Certificates (Slide Eight)
- Digital Certificates allow authentication of the parties engaged in a secure transaction.
- Digital Certificates are in the X.509 format and are issued by a Certificate Authority (CA), which acts as a trusted third party that verifies the identity of the two communicating parties.
Apache and SSL (Slide Nine)
Apache and SSL: mod_ssl (Slide Ten)
- Public CAs, like Verisign, Thawte or Equifax, are recognized as trusted by most web browsers and servers by default. A certificate issued by a public CA is usually used when no other relationship exists between the two parties.
- Private CAs are not recognized as trusted by default, but can be configured as such. They are used where some kind of trust relationship already exists within an exclusive group, such as an employee and the employer.
Apache and SSL: mod_ssl (Slide Eleven)
- mod_ssl is the most popular solution for adding SSL to Apache
- Approximately 12% of all Apache installs use mod_ssl
- 1,100 modssl-users
- 280,000 Installations
- 1,900,000 Domains
Apache and SSL: mod_ssl (Slide Twelve)
- Fully integrates with Apache 1.3
- Hooks into Apache via Extended API (EAPI)
- Can be built as a Dynamic Shared Object (DSO)
- Integrates the OpenSSL Toolkit to enable SSL transactions.
Case No. 1: Online Store (Slide Thirteen)
- Supports SSL v2, v3 and TLS v1
- Advanced pass-phrase handling for private keys
- X.509 based client & server authentication; certificate generation; certificate revocation list support
- Support for Crypto Acceleration Hardware
- Backward compatibility with other SSL solutions (Apache-SSL, Stronghold, et al.)
- Inter-process SSL session cache
Case No. 1: Online Store (Slide Fourteen)
- To collect customer data, such as mailing address and credit card information, in a way that lets the customer trust the store and ensures the data is transmitted securely.
Case No. 1: Online Store (Slide Fifteen)
Case No. 1: Online Store (Slide Sixteen)
Case No. 1: Online Store (Slide Seventeen)
- What we need to do:
- Add mod_ssl to Apache
- Request a server certificate from a Public Certificate Authority
- Install server certificate from Public CA
- Add a CGI script to collect data
- Link to script via https
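The steps above as an added example (not code from the presentation): generating the key and certificate request the store submits to a public CA, checking that the certificate the CA returns belongs to that key before it is installed, and the mod_ssl directives that keep the order script reachable over https only. The store name, host name and paths are assumptions.

```shell
# Added example, not from the slides: the key and certificate request an online
# store sends to a public CA, a check that the certificate the CA returns really
# belongs to that key before it is installed, and the mod_ssl lines that keep the
# order form reachable over https only. Store name and paths are assumptions.
set -eu

# Generate the private key and the CSR to submit to the public CA (slide step 2).
make_csr() {
  dir=$1
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/store.key" \
    -out "$dir/store.csr" -subj "/O=Example Store/CN=shop.example.com" 2>/dev/null
  # Self-check the request's signature before sending it off.
  openssl req -in "$dir/store.csr" -noout -verify >/dev/null 2>&1
}

# Exit 0 only if certificate $1 carries the public key of private key $2. A
# certificate issued for a different key, or the wrong file saved from the
# CA's reply, fails here instead of at Apache start-up (slide step 3).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
  [ "$c" = "$k" ]
}

# Virtual host for the store. SSLRequireSSL on the order script means a plain
# http link to it (slide step 5) is refused rather than silently served.
write_store_config() {
  cat <<EOF
Listen 443
<VirtualHost _default_:443>
  ServerName shop.example.com
  SSLEngine on
  SSLCertificateFile    $1/store.crt
  SSLCertificateKeyFile $1/store.key
  SSLProtocol all -SSLv2
  ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
  <Location /cgi-bin/order>
    SSLRequireSSL
  </Location>
</VirtualHost>
EOF
}
```

Run `make_csr /path/to/ssl`, send `store.csr` to the CA, save its reply as `store.crt`, then `cert_matches_key /path/to/ssl/store.crt /path/to/ssl/store.key` before `write_store_config /path/to/ssl` goes into httpd.conf.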
Case No. 2: Corporate Intranet (Slide Eighteen)
- What we get:
- The communication with the store is secure, so that no one can collect the customer's information while that data is in transit.
- The server on the other end, decrypting the data, is in fact the online store, and the customer information will in fact be used to process the order.
- To allow access to company information without locking an employee into access from a specific location, while at the same time making sure confidential information does not pass into unauthorized hands.
Case No. 2: Corporate Intranet (Slide Nineteen)
Case No. 2: Corporate Intranet (Slide Twenty)
Case No. 2: Corporate Intranet (Slide Twenty One)
Case No. 2: Corporate Intranet (Slide Twenty Two)
Case No. 2: Corporate Intranet (Slide Twenty Three)
- What we need to do:
- Create a private certificate authority using OpenSSL
- "Distribute" CA's public key within the company
- Add mod_ssl to Apache
- Request a server certificate from the private CA
- Install server certificate
- "Distribute" client certificates, issued by the private CA, to employees
- Configure mod_ssl to grant access only to those presenting a client certificate issued by the private CA
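The private CA steps above as an added example (not code from the presentation): the CA is created with the openssl command line, a server certificate and one employee client certificate are issued from it, and mod_ssl is configured to admit only certificates that chain to that CA. The organisation name, host name, employee DN and paths are assumptions.

```shell
# Added example, not from the slides: build the private CA with the openssl CLI,
# issue the server and one employee client certificate from it, and emit the
# mod_ssl directives that admit only certificates chained to that CA.
# Host name, employee DN, organisation name and file paths are assumptions.
set -eu

# Create the CA and issue both certificates into directory $1.
build_private_ca() {
  dir=$1
  mkdir -p "$dir"
  # Self-signed root: ca.crt is the "CA's public key" distributed to employees.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/O=Example Corp/CN=Example Corp Private CA" 2>/dev/null
  # Server request, then sign it with the private CA (slide steps 4 and 5).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/O=Example Corp/CN=intranet.example.com" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
  # Client certificate for one employee (slide step 6).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/alice.key" \
    -out "$dir/alice.csr" -subj "/O=Example Corp/OU=Staff/CN=Alice Example" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/alice.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/alice.crt" 2>/dev/null
}

# Exit 0 only when certificate $2 chains to the private CA in $1; a certificate
# from any other CA, public ones included, is rejected just as mod_ssl will.
verify_against_private_ca() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Directives for the intranet virtual host (slide step 7). "SSLVerifyClient
# require" rejects any connection without a valid client certificate;
# SSLCACertificateFile restricts the accepted issuers to this private CA, so
# browser-default public CAs do not count; SSLRequire pins the issuer DN.
write_modssl_config() {
  cat <<EOF
SSLEngine on
SSLCertificateFile    $1/server.crt
SSLCertificateKeyFile $1/server.key
SSLCACertificateFile  $1/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Corp"
EOF
}
```

Run `build_private_ca /path/to/ca` once, hand out `ca.crt` and each employee's key and certificate, and paste the output of `write_modssl_config /path/to/ca` into the intranet virtual host.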
Apache and SSL: The Future? (Slide Twenty Four)
- The communication with the company is secure, so that no one can collect the company information while it is in transit.
- The server on one end of the decryption is in fact the company server, and the information is valid.
- The client on the other end of the decryption is in fact an employee, and the information has not been compromised.
"Either we have to maintain mod_ssl again externally as an alternative to Apache 2.0's mod_tls -- or we are able to integrate mod_ssl's functionality into mod_tls." (Engelschall, 1)
Apache and SSL: The Future? (Slide Twenty Five)
Apache and SSL: The Future? (Slide Twenty Six)
Citation (Slide Twenty Seven)
Acknowledgments & Suggested References (Slide Twenty Eight)
Acknowledgments & Suggested References (Slide Twenty Nine)
"At ApacheCon Europe in November 2000, a meeting took place between Ben Laurie (Apache-SSL), Ralf Engelschall (mod_ssl), Mark Cox (Red Hat Stronghold), and Randy Terbush (Covalent Raven). The meeting was held to decide the fate of SSL support for Apache 2.0, aiming to avoid the current situation of parallel module development for Apache 1.3." (ApacheWeek, 1)
"ApacheCon 2001 was held in Santa Clara...the last class of the first day was a highly entertaining and animated talk by Ralf S. Engelschall...the future of mod_ssl was discussed including the work currently going on to port it to Apache 2.0...it is not certain how this effort will fit into the work being done in Apache 2.0 on mod_tls and if we will end up with two SSL solutions like we have with Apache 1.3." (ApacheWeek, 2)
Any sufficiently advanced technology is indistinguishable from magic.
-Arthur C. Clarke