					       Apache and SSL

  Presented by Paul Weinstein,
     Waubonsie Consulting,
    <pdw@waubonsie.com>

O’Reilly Open Source Convention
          July 24, 2002
              Hello World
• Introduction
• What Will Be Covered
   o Review of SSL
   o Quick History of Apache and SSL
   o Apache 1.3.x
   o Apache 2.0.x
   o Cool Tricks of Apache and SSL
• What Won’t Be Covered


           Apache and SSL - Paul Weinstein - <pdw@waubonsie.com> - 2
                Disclaimer

 It should be noted that this presentation
    does not cover all issues relating to
securing network-based machines and
     their content. This presentation is
designed only to introduce basic concepts
   and configuration of Apache and SSL.




            SSL and TLS:

Secure Sockets Layer (SSL), developed by
Netscape Communications, and Transport
 Layer Security (TLS), the open-standard
  replacement for SSL from the Internet
   Engineering Task Force, are the two
    protocols that add encryption and
        authentication to TCP/IP.




             SSL and TLS:
           Two Main Features


• Ciphers; which enable the encryption
  of data between the client and server.


• Digital Certificates; which provide a
  method of authentication of a client
  and server.



            SSL and TLS:
                     Ciphers


• Symmetric (a.k.a. Secret-Key)

• Asymmetric (a.k.a. Public-Key)




              SSL and TLS:
             Digital Certificates

•   Advantage of Public-Key Encryption
•   Server Certificate
•   Client Certificate
•   Root Certificate

• Certificate Authority
  o Public Certificate Authority
  o Private Certificate Authority

Apache and SSL:
      A Timeline




                   mod_ssl
• Support for SSL v2, v3 and TLS v1
• Advanced pass-phrase handling for
  private keys
• X.509 based digital certificates,
  certificate generation, certificate
  revocation list
• Support for crypto acceleration
  hardware *
• Backward compatibility
                                              * Platform Dependent
                       mod_ssl

• Most Popular SSL Solution for Apache
  o 1,098,542 of 4,577,603 or 23.99%*

• Second Only to PHP and Perl Overall
   o 43.71% and 24.11%*




    * Source: E-Soft June 2002 Report, <http://www.securityspace.com>
               Apache 1.3.x:
                      mod_ssl

• Integration
   o Needs EAPI
   o Can Build as a
     DSO
   o OpenSSL
     Toolkit



            Apache 2.0.x:
                   mod_ssl


• Supports New Apache 2.0 Architecture
• Included with the Apache 2.0.x source
  code
• To add mod_ssl when building Apache
   o --enable-ssl
   o --with-ssl=/path/to/OpenSSL/lib



         Apache and SSL:
Cool Tricks - The Ubiquitous Online Store




Transacting of payment information for
 consumer good(s) in a secure manner
between the customer and the business.


          Apache and SSL:
 Cool Tricks - The Ubiquitous Online Store

• What We Need:
  o Enable mod_ssl
  o Request a server certificate from a
    public certificate authority
  o Install server certificate
  o Add a CGI script to collect data
  o Configure access to CGI script via
    HTTPS

          Apache and SSL:
 Cool Tricks - The Ubiquitous Online Store

• What We Get:
  o The communication with the store is
    secure.
  o The server on the other end, decrypting
    the data is in fact the online store as
    identified by the server’s digital
    certificate and authenticated by a
    trusted third party.



          Apache and SSL:
 Cool Tricks - An Organization’s Intranet




     Transacting of organizational
information in a secure manner between
     the organization’s groups and
              individuals.

          Apache and SSL:
 Cool Tricks - An Organization’s Intranet

• What We Need:
  o Create a private certificate authority
    using OpenSSL
  o Enable mod_ssl
  o Request a server certificate from the
    private certificate authority
  o Install server certificate



           Apache and SSL:
 Cool Tricks - An Organization’s Intranet

• What We Need:
  o Add a CGI script to collect data
  o Configure access to CGI script via
    HTTPS
  o Install private certificate authority's
    root certificate
  o Configure server to authenticate
    clients based on certificates from
    private certificate authority
           Apache and SSL:
 Cool Tricks - An Organization’s Intranet

• What We Need:
  o Sign client certificate requests &
    install in client’s web browsers
  o Install private certificate authority’s
    root certificate
  o Authenticate servers based on
    private certificate authority
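
The intranet steps above, carried through with the openssl command line as an added example (not from the original slides): it creates a private CA, issues a server and a client certificate, checks that both chain to the CA's root, and prints the mod_ssl directives that require client certificates. The organization, host and user names and the file layout are assumptions; the certificate request step is the same one used when the request goes to a public CA for the online store.

```sh
# Added example: private CA, server certificate, client certificate.
# Every name below (Example Org, intranet.example.test, alice) is constructed.

# Create the private CA's key and self-signed root certificate in directory $1.
make_ca() {  # $1 = CA directory, $2 = CA common name
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Org/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Generate a key and certificate request ($2.csr), then sign it with the CA.
# For a public CA, the .csr file is what gets submitted instead.
issue_cert() {  # $1 = CA directory, $2 = file name, $3 = subject common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -sha256 -days 90 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# True only if certificate $2 chains to root certificate $1.
# The output is checked because old OpenSSL releases exit 0 on failure.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the mod_ssl directives for a virtual host that presents server.crt
# and only admits clients holding a certificate signed by the private CA.
vhost_conf() {  # $1 = CA directory
    cat <<EOF
SSLEngine on
SSLCertificateFile    $1/server.crt
SSLCertificateKeyFile $1/server.key
SSLCACertificateFile  $1/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

# Run the whole procedure in directory $1 and check both certificates.
build_intranet_pki() {
    make_ca "$1" "Example Intranet CA" &&
    issue_cert "$1" server intranet.example.test &&
    issue_cert "$1" client alice &&
    chains_to "$1/ca.crt" "$1/server.crt" &&
    chains_to "$1/ca.crt" "$1/client.crt"
}
```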



          Apache and SSL:
 Cool Tricks - An Organization’s Intranet
• What We Get:
    o The communication within the
      organization is secure.
    o The server on one end is in fact
      the organization’s server - the
      information from it is valid.
    o The client on the other end is in
      fact a member of the organization
      - the information has not been
      compromised.

      Review of Apache and SSL
•   SSL and TLS
•   History of Apache and SSL
•   Apache 1.3.x
•   Apache 2.0.x
•   Cool Tricks of Apache and SSL




                  Citation
• Engelschall, Ralf User Manual mod_ssl
  Version 2.8 Jan. 2001
  <http://www.modssl.org/docs/2.8>
• mod_ssl: The Apache Interface to
  OpenSSL <http://www.modssl.org>




                  Citation
• Weinstein, Paul. "Web Security:
  Encryption & Authentication."
  Daemonnews (May 2001): 15 pars.
  <http://www.daemonnews.org/200105/ssl_apache.html>
• Weinstein, Paul. "Web Security: Apache
  and mod_ssl." Daemonnews (June
  2001): 15 pars.
  <http://www.daemonnews.org/200106/ssl_apache_pt2.html>

       Suggested References
• This Presentation:
  o Article:
     • Weinstein, Paul. “Apache and
       SSL” O’Reilly Network:
       ONLamp.com (April 2002): 24
       pars.
       <http://www.onlamp.com/pub/a/onlamp/2002/04/18/ssl.html>



        Suggested References
• This Presentation:
  o Slides:
     • <http://www.waubonsie.com>
     • <http://www.weinstein.org/work/presentations/oscon02/apache_ssl/> (HTML)
     • <http://www.weinstein.org/work/presentations/oscon02/apache_ssl.pdf> (PDF)



       Suggested References
• Apache Project,
  <http://www.apache.org>
• Apache Week,
  <http://www.apacheweek.com>




        Suggested References
• mod_ssl Project,
  <http://www.modssl.org>
  o Mailing Lists, List Archives:
     • <modssl-announce@modssl.org>
     • <modssl-users@modssl.org>
        o <http://marc.theaimsgroup.com/?l=apache-modssl>




            Suggested References
• OpenSSL Project, <http://www.openssl.org>
  o Mailing Lists, List Archives:
     • <openssl-announce@openssl.org>
        o <http://marc.theaimsgroup.com/?l=openssl-announce>
     • <openssl-cvs@openssl.org>
        o <http://marc.theaimsgroup.com/?l=openssl-cvs>
     • <openssl-dev@openssl.org>
        o <http://marc.theaimsgroup.com/?l=openssl-dev>
     • <openssl-users@openssl.org>
        o <http://marc.theaimsgroup.com/?l=openssl-users>

