a3496960a6b8cb6a4b9a60b425d66a3b.ppt
- Number of slides: 30
Apache and SSL
• Presented by Paul Weinstein, Waubonsie Consulting, <pdw@waubonsie.com>
• O’Reilly Open Source Convention
• July 24, 2002

Hello World
• Introduction
• What Will Be Covered
  o Review of SSL
  o Quick History of Apache and SSL
  o Apache 1.3.x
  o Apache 2.0.x
  o Cool Tricks of Apache and SSL
• What Won’t Be Covered
Apache and SSL - Paul Weinstein - <pdw@waubonsie.com> - 2

Disclaimer
It should be noted that this presentation does not cover all issues relating to securing network-based machines and their content. This presentation is designed only to introduce basic concepts and configuration of Apache and SSL.

SSL and TLS:
Secure Sockets Layer (SSL), developed by Netscape Communications, and Transport Layer Security (TLS), the open-standard replacement for SSL from the Internet Engineering Task Force, are the two protocols that add encryption and authentication to TCP/IP.

SSL and TLS: Two Main Features
• Ciphers, which enable the encryption of data between the client and server.
• Digital Certificates, which provide a method for authenticating a client and server.

SSL and TLS: Ciphers
• Symmetric (a.k.a. Secret-Key)
• Asymmetric (a.k.a. Public-Key)

SSL and TLS: Digital Certificates
• Advantage of Public-Key Encryption
• Server Certificate
• Client Certificate
• Root Certificate
• Certificate Authority
  o Public Certificate Authority
  o Private Certificate Authority

Apache and SSL: A Timeline

mod_ssl
• Support for SSL v2, v3 and TLS v1
• Advanced pass-phrase handling for private keys
• X.509 based digital certificates, certificate generation, certificate revocation list
• Support for crypto acceleration hardware *
• Backward compatibility
* Platform Dependent

mod_ssl
• Most Popular SSL Solution for Apache
  o 1,098,542 of 4,577,603 or 23.99%*
• Second Only to PHP and Perl Overall
  o 43.71% and 24.11%*
* Source: E-Soft June 2002 Report, <http://www.securityspace.com>

Apache 1.3.x: mod_ssl
• Integration
  o Needs EAPI
  o Can Build as a DSO
  o OpenSSL Toolkit

Apache 2.0.x: mod_ssl
• Supports New Apache 2.0 Architecture
• Included with the Apache 2.0.x source code
• To add mod_ssl when building Apache
  o --enable-ssl
  o --with-ssl=/path/to/OpenSSL/lib

Apache and SSL: Cool Tricks - The Ubiquitous Online Store
Transacting payment information for consumer good(s) in a secure manner between the customer and the business.

Apache and SSL: Cool Tricks - The Ubiquitous Online Store
• What We Need:
  o Enable mod_ssl
  o Request a server certificate from a public certificate authority
  o Install server certificate
  o Add a CGI script to collect data
  o Configure access to CGI script via HTTPS

Apache and SSL: Cool Tricks - The Ubiquitous Online Store
• What We Get:
  o The communication with the store is secure.
  o The server on the other end, decrypting the data, is in fact the online store, as identified by the server’s digital certificate and authenticated by a trusted third party.

Apache and SSL: Cool Tricks - An Organization’s Intranet
Transacting organizational information in a secure manner between the organization’s groups and individuals.

Apache and SSL: Cool Tricks - An Organization’s Intranet
• What We Need:
  o Create a private certificate authority using OpenSSL
  o Enable mod_ssl
  o Request a server certificate from the private certificate authority
  o Install server certificate

Apache and SSL: Cool Tricks - An Organization’s Intranet
• What We Need:
  o Add a CGI script to collect data
  o Configure access to CGI script via HTTPS
  o Install private certificate authority's root certificate
  o Configure server to authenticate clients based on certificates from private certificate authority

Apache and SSL: Cool Tricks - An Organization’s Intranet
• What We Need:
  o Sign client certificate requests & install in client’s web browsers
  o Install private certificate authority’s root certificate
  o Authenticate servers based on private certificate authority

Apache and SSL: Cool Tricks - An Organization’s Intranet
• What We Get:
  o The communication within the organization is secure.
  o The server on one end is in fact the organization’s server - the information from it is valid.
  o The client on the other end is in fact a member of the organization - the information has not been compromised.

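The private certificate authority steps above, carried through with the OpenSSL command-line tool as an added example (not part of the original slides): it creates a root certificate, signs a server and a client certificate request, and checks that a certificate issued by an unrelated CA does not chain to the private root. All subject names and file names are constructed for illustration, and the keys are left unencrypted only so the script runs unattended.

```shell
#!/bin/sh
# Added example: private CA -> server and client certificates -> chain checks.
# Subject names and file names are constructed; keys are unencrypted (-nodes)
# only so the script runs unattended.
set -e
WORK=$(mktemp -d)

# Create a self-signed root certificate for a certificate authority.
make_ca() {   # $1 = file prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Org/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Generate a key and certificate request, then sign the request with a CA.
issue_cert() {   # $1 = file prefix, $2 = common name, $3 = CA file prefix
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 90 \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# True only if the certificate chains to the given root certificate.
chains_to() {   # $1 = certificate prefix, $2 = CA file prefix
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>/dev/null |
        grep -q ': OK$'
}

make_ca ca "Example Org Private Root"          # private certificate authority
issue_cert server intranet.example.test ca     # server certificate
issue_cert client alice ca                     # client certificate
make_ca other "Unrelated Root"                 # a CA the organization does not trust
issue_cert stranger mallory other

for cert in server client stranger; do
    if chains_to "$cert" ca; then echo "$cert: accepted"; else echo "$cert: rejected"; fi
done

# Where the files go in mod_ssl (directive names from the mod_ssl manual):
#   SSLCertificateFile    server.crt    SSLCertificateKeyFile  server.key
#   SSLCACertificateFile  ca.crt        SSLVerifyClient        require
# Browsers install ca.crt as a trusted root and import the client certificate.
```
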
Review of Apache and SSL
• SSL and TLS
• History of Apache and SSL
• Apache 1.3.x
• Apache 2.0.x
• Cool Tricks of Apache and SSL

Citation
• Engelschall, Ralf. User Manual mod_ssl Version 2.8. Jan. 2001 <http://www.modssl.org/docs/2.8>
• mod_ssl: The Apache Interface to OpenSSL <http://www.modssl.org>

Citation
• Weinstein, Paul. "Web Security: Encryption & Authentication." Daemonnews (May 2001): 15 pars. <http://www.daemonnews.org/200105/ssl_apache.html>
• Weinstein, Paul. "Web Security: Apache and mod_ssl." Daemonnews (June 2001): 15 pars. <http://www.daemonnews.org/200106/ssl_apache_pt2.html>

Suggested References
• This Presentation:
  o Article:
    • Weinstein, Paul. “Apache and SSL” O’Reilly Network: ONLamp.com (April 2002): 24 pars. <http://www.onlamp.com/pub/a/onlamp/2002/04/18/ssl.html>

Suggested References
• This Presentation:
  o Slides:
    • <http://www.waubonsie.com>
    • <http://www.weinstein.org/work/presentations/oscon02/apache_ssl> (HTML)
    • <http://www.weinstein.org/work/presentations/oscon00/apache_ssl.pdf> (PDF)

Suggested References
• Apache Project, <http://www.apache.org>
• Apache Week, <http://www.apacheweek.com>

Suggested References
• mod_ssl Project, <http://www.modssl.org>
  o Mailing Lists, List Archives:
    • <modssl-announce@modssl.org>
    • <modssl-users@modssl.org>
      o <http://marc.theaimsgroup.com/?l=apache-modssl>

Suggested References
• OpenSSL Project, <http://www.openssl.org>
  o Mailing Lists, List Archives:
    • <openssl-announce@openssl.org>
      o <http://marc.theaimsgroup.com/?l=apachemodssl>
    • <openssl-cvs@openssl.org>
      o <http://www.progressivecomp.com/Lists/?l=openssl-cvs>
    • <openssl-dev@openssl.org>
      o <http://www.progressivecomp.com/Lists/?l=openssl-dev>
    • <openssl-users@openssl.org>
      o <http://www.progressivecomp.com/Lists/?l=openssl-users>