Apache and SSL


 Presented by Paul Weinstein,
    Waubonsie Consulting,
   <pdw@waubonsie.com>

O’Reilly Open Source Convention
          July 24, 2002
               Hello World
• Introduction
• What Will Be Covered
   o Review of SSL
   o Quick History of Apache and SSL
   o Apache 1.3.x
   o Apache 2.0.x
   o Cool Tricks of Apache and SSL
• What Won’t Be Covered


        Apache and SSL - Paul Weinstein - <pdw@waubonsie.com> - 2
                  Disclaimer
It should be noted that this presentation does not cover all issues
relating to securing network-based machines and their content. This
presentation is designed only to introduce basic concepts and
configuration of Apache and SSL.




             SSL and TLS:
Secure Sockets Layer (SSL), developed by
Netscape Communications, and Transport
 Layer Security (TLS), the open-standard
  replacement for SSL from the Internet
   Engineering Task Force, are the two
    protocols that add encryption and
        authentication to TCP/IP.




              SSL and TLS:
             Two Main Features

• Ciphers, which enable the encryption of
  data between the client and server.

• Digital Certificates, which provide a
  method of authenticating a client and
  server.



             SSL and TLS:
                     Ciphers


• Symmetric (a.k.a. Secret-Key)

• Asymmetric (a.k.a. Public-Key)




               SSL and TLS:
               Digital Certificates

•   Advantage of Public-Key Encryption
•   Server Certificate
•   Client Certificate
•   Root Certificate

• Certificate Authority
  o Public Certificate Authority
  o Private Certificate Authority

Apache and SSL: A Timeline
                   mod_ssl
• Support for SSL v2, v3 and TLS v1
• Advanced pass-phrase handling for
  private keys
• X.509 based digital certificates,
  certificate generation, certificate
  revocation list
• Support for crypto acceleration hardware*
• Backward compatibility

* Platform dependent
                     mod_ssl

• Most Popular SSL Solution for Apache
  o 1,098,542 of 4,577,603 or 23.99%*

• Second Only to PHP and Perl Overall
  o 43.71% and 24.11%*




 * Source: E-Soft June 2002 Report, <http://www.securityspace.com>
               Apache 1.3.x:
                       mod_ssl

• Integration
   o Needs EAPI
   o Can Build as a DSO
   o OpenSSL Toolkit



            Apache 2.0.x:
                    mod_ssl

• Supports New Apache 2.0 Architecture
• Included with the Apache 2.0.x source
  code
• To add mod_ssl when building Apache
   o --enable-ssl
   o --with-ssl=/path/to/OpenSSL/lib



          Apache and SSL:
Cool Tricks - The Ubiquitous Online Store




  Transacting of payment information for
  consumer good(s) in a secure manner
 between the customer and the business.


          Apache and SSL:
Cool Tricks - The Ubiquitous Online Store

• What We Need:
  o Enable mod_ssl
  o Request a server certificate from a
    public certificate authority
  o Install server certificate
  o Add a CGI script to collect data
  o Configure access to CGI script via
    HTTPS

          Apache and SSL:
Cool Tricks - The Ubiquitous Online Store

• What We Get:
  o The communication with the store is
    secure.
  o The server on the other end, decrypting
    the data, is in fact the online store, as
    identified by the server’s digital certificate
    and authenticated by a trusted third
    party.



          Apache and SSL:
 Cool Tricks - An Organization’s Intranet




Transacting of organizational information in
      a secure manner between the
   organization’s groups and individuals.


          Apache and SSL:
 Cool Tricks - An Organization’s Intranet

• What We Need:
  o Create a private certificate authority
    using OpenSSL
  o Enable mod_ssl
  o Request a server certificate from the
    private certificate authority
  o Install server certificate



           Apache and SSL:
 Cool Tricks - An Organization’s Intranet

• What We Need:
  o Add a CGI script to collect data
  o Configure access to CGI script via
    HTTPS
  o Install private certificate authority's
    root certificate
  o Configure server to authenticate
    clients based on certificates from
    private certificate authority
           Apache and SSL:
 Cool Tricks - An Organization’s Intranet

• What We Need:
  o Sign client certificate requests & install
    in client’s web browsers
  o Install private certificate authority’s
    root certificate
  o Authenticate servers based on private
    certificate authority
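
The certificate steps of the intranet setup, worked through with the openssl command line as an added example (not part of the original slides); the key-and-CSR step is the same one used to request a server certificate from a public certificate authority in the online store case. The organization, host and user names are constructed.

```shell
#!/bin/sh
# Added example: a private CA for an intranet, using the openssl CLI.
# All names (Example Org, intranet.example.test, Alice) are constructed.
# -nodes leaves keys unencrypted for this demo; drop it to set a pass phrase.
umask 077                                # private keys readable by owner only
PKI_DIR=${PKI_DIR:-$(mktemp -d)}

# Private CA: a key plus a self-signed root certificate. The root (ca.crt) is
# what gets installed on the server and in each client's browser.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Org/CN=Example Intranet CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Key and certificate request (CSR) for a server or a client. With a public
# CA, the .csr file is what is submitted for signing.
make_csr() {    # $1 = file basename, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=$2" \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
}

# Sign a CSR with the private CA, adding the given X.509 v3 extension lines.
sign_csr() {    # $1 = file basename, $2 = extension lines
    printf '%s\n' "$2" > "$PKI_DIR/$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$PKI_DIR/$1.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# True only if the certificate chains to the private root and is valid for
# the stated purpose (sslserver or sslclient).
issued_for() {  # $1 = certificate file, $2 = purpose
    openssl verify -purpose "$2" -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_csr server intranet.example.test
sign_csr server "subjectAltName=DNS:intranet.example.test
extendedKeyUsage=serverAuth"
make_csr alice "Alice Example"
sign_csr alice "extendedKeyUsage=clientAuth"
issued_for "$PKI_DIR/server.crt" sslserver && echo "server certificate: ok"
issued_for "$PKI_DIR/alice.crt" sslclient && echo "client certificate: ok"
```

On the Apache side, mod_ssl's SSLCertificateFile and SSLCertificateKeyFile take server.crt and server.key, and SSLCACertificateFile pointing at ca.crt together with SSLVerifyClient require makes the server accept only clients whose certificates chain to the private root.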



          Apache and SSL:
 Cool Tricks - An Organization’s Intranet
• What We Get:
    o The communication within the
      organization is secure.
    o The server on one end is in fact
      the organization’s server - the
      information from it is valid.
    o The client on the other end is in fact
      a member of the organization - the
      information has not been
      compromised.

     Review of Apache and SSL
•   SSL and TLS
•   History of Apache and SSL
•   Apache 1.3.x
•   Apache 2.0.x
•   Cool Tricks of Apache and SSL




                    Citation
• Engelschall, Ralf User Manual mod_ssl
  Version 2.8 Jan. 2001
  <http://www.modssl.org/docs/2.8>
• mod_ssl: The Apache Interface to
  OpenSSL <http://www.modssl.org>




                   Citation
• Weinstein, Paul. "Web Security:
  Encryption & Authentication."
  Daemonnews (May 2001): 15 pars.
  <http://www.daemonnews.org/200105/ssl_apache.html>
• Weinstein, Paul. "Web Security: Apache
  and mod_ssl." Daemonnews (June
  2001): 15 pars.
  <http://www.daemonnews.org/200106/ssl_apache_pt2.html>

      Suggested References
• This Presentation:
  o Article:
     • Weinstein, Paul. “Apache and SSL”
       O’Reilly Network: ONLamp.com
       (April 2002): 24 pars.
       <http://www.onlamp.com/pub/a/onlamp/2002/04/18/ssl.html>




      Suggested References
• This Presentation:
   o Slides:
      • <http://www.waubonsie.com>
      • <http://www.weinstein.org/work/presentations/oscon02/apache_ssl> (HTML)
      • <http://www.weinstein.org/work/presentations/oscon00/apache_ssl.pdf> (PDF)



     Suggested References
• Apache Project,
  <http://www.apache.org>
• Apache Week,
  <http://www.apacheweek.com>




      Suggested References
• mod_ssl Project,
  <http://www.modssl.org>
   o Mailing Lists, List Archives:
      • <modssl-announce@modssl.org>
      • <modssl-users@modssl.org>
         o <http://marc.theaimsgroup.com/?l=apache-modssl>




        Suggested References
• OpenSSL Project, <http://www.openssl.org>
   o Mailing Lists, List Archives:
      • <openssl-announce@openssl.org>
           o <http://marc.theaimsgroup.com/?l=apache-modssl>
      • <openssl-cvs@openssl.org>
           o <http://www.progressive-comp.com/Lists/?l=openssl-cvs>
      • <openssl-dev@openssl.org>
           o <http://www.progressive-comp.com/Lists/?l=openssl-dev>
      • <openssl-users@openssl.org>
           o <http://www.progressive-comp.com/Lists/?l=openssl-users>

