Upload
samson-murphy
View
221
Download
0
Embed Size (px)
Citation preview
Apache and SSL
Presented by Paul Weinstein,Waubonsie Consulting,
O’Reilly Open Source Convention
July 24, 2002
Apache and SSL - Paul Weinstein - <[email protected]> - 2
Hello World
• Introduction• What Will Be Covered
o Review of SSLo Quick History of Apache and SSLo Apache 1.3.xo Apache 2.0.xo Cool Tricks of Apache and SSL
• What Won’t Be Covered
Apache and SSL - Paul Weinstein - <[email protected]> - 3
Disclaimer
It should be noted that this presentation does not cover all issues relating to securing networked based
machines and their content. This presentation is designed only to
introduce basic concepts and configuration of Apache and SSL.
Apache and SSL - Paul Weinstein - <[email protected]> - 4
SSL and TLS:
Secure Sockets Layer (SSL), developed by Netscape Communications, and Transport Layer Security (TLS), the open-standard replacement for SSL from the Internet Engineering Task
Force, are the two protocols that add encryption and authentication to
TCP/IP.
Apache and SSL - Paul Weinstein - <[email protected]> - 5
SSL and TLS:Two Main Features
• Ciphers; which enable the encryption of data between the client and server.
• Digital Certificates; which provide a method of authentication of a client and server.
Apache and SSL - Paul Weinstein - <[email protected]> - 6
SSL and TLS:Ciphers
• Symmetric (a.k.a. Secret-Key)
• Asymmetric (a.k.a. Public-Key)
Apache and SSL - Paul Weinstein - <[email protected]> - 7
SSL and TLS:Digital Certificates
• Advantage of Public-Key Encryption• Server Certificate• Client Certificate• Root Certificate
• Certificate Authorityo Public Certificate Authorityo Private Certificate Authority
Apache and SSL - Paul Weinstein - <[email protected]> - 8
Apache and SSL:A Timeline
Apache and SSL - Paul Weinstein - <[email protected]> - 9
* Platform Dependent
mod_ssl
• Support for SSL v2, v3 and TLS v1• Advance pass-phrase handling for
private keys• X.509 based digital certificates,
certificate generation, certificate revocation list
• Support for crypto acceleration hardware *
• Backward compatibility
Apache and SSL - Paul Weinstein - <[email protected]> - 10
* Source: E-Soft June 2002 Report, <http://www.securityspace.com>
mod_ssl
• Most Popular SSL Solution for Apacheo 1,098,542 of 4,577,603 or
23.99%*
• Second Only to PHP and Perl Overallo 43.71% and 24.11%*
Apache and SSL - Paul Weinstein - <[email protected]> - 11
Apache 1.3.x:mod_ssl
• Integrationo Needs EAPIo Can Build as
a DSOo OpenSSL
Toolkit
Apache and SSL - Paul Weinstein - <[email protected]> - 12
• Supports New Apache 2.0 Architecture• Included with the Apache 2.0.x source
code• To add mod_ssl when building Apache
o --enable-sslo --with-ssl=/path/to/OpenSSL/lib
Apache 2.0.x:mod_ssl
Apache and SSL - Paul Weinstein - <[email protected]> - 13
Transacting of payment information for consumer good(s) in a secure
manner between the customer and the business.
Apache and SSL:Cool Tricks - The Ubiquitous Online
Store
Apache and SSL - Paul Weinstein - <[email protected]> - 14
Apache and SSL:Cool Tricks - The Ubiquitous Online
Store
• What We Need:o Enable mod_sslo Request a server certificate from
a public certificate authorityo Install server certificateo Add a CGI script to collect datao Configure access to CGI script via
HTTPS
Apache and SSL - Paul Weinstein - <[email protected]> - 15
Apache and SSL:Cool Tricks - The Ubiquitous Online
Store
• What We Get:
Apache and SSL - Paul Weinstein - <[email protected]> - 16
Apache and SSL:Cool Tricks - The Ubiquitous Online
Store
• What We Get:o The communication with the store is
secure. o The server on the other end,
decrypting the data is in fact the online store as identified by the server’s digital certificate and authenticated by a trusted third party.
Apache and SSL - Paul Weinstein - <[email protected]> - 17
Transacting of organizational information in a secure manner
between the organization’s groups and individuals.
Apache and SSL:Cool Tricks - An Organization’s
Intranet
Apache and SSL - Paul Weinstein - <[email protected]> - 18
Apache and SSL:Cool Tricks - An Organization’s
Intranet
• What We Need:o Create a private certificate
authority using OpenSSLo Enable mod_sslo Request a server certificate from
the private certificate authorityo Install server certificate
Apache and SSL - Paul Weinstein - <[email protected]> - 19
Apache and SSL:Cool Tricks - An Organization’s
Intranet
• What We Need:o Add a CGI script to collect datao Configure access to CGI script via
HTTPSo Install private certificate
authority's root certificateo Configure server to authenticate
clients based on certificates from private certificate authority
Apache and SSL - Paul Weinstein - <[email protected]> - 20
Apache and SSL:Cool Tricks - An Organization’s
Intranet
• What We Need:o Sign client certificate requests &
install in client’s web browserso Install private certificate
authority’s root certificateo Authenticate servers based on
private certificate authority
Apache and SSL - Paul Weinstein - <[email protected]> - 21
Apache and SSL:Cool Tricks - An Organization’s
Intranet
• What We Get:
Apache and SSL - Paul Weinstein - <[email protected]> - 22
Apache and SSL:Cool Tricks - An Organization’s
Intranet
• What We Get:oThe communication within the
organization is secure.
oThe server on one end is in fact organization’s server - the information from is valid.
oThe client on the other end is in fact a member of the organization - the information has not been compromised.
Apache and SSL - Paul Weinstein - <[email protected]> - 23
Review of Apache and SSL
• SSL and TLS• History of Apache and SSL• Apache 1.3.x• Apache 2.0.x• Cool Tricks of Apache and SSL
Apache and SSL - Paul Weinstein - <[email protected]> - 24
Citation
• Engelschall, Ralf User Manual mod_ssl Version 2.8 Jan. 2001 <http://www.modssl.org/docs/2.8>
• mod_ssl: The Apache Interface to OpenSSL <http://www.modssl.org>
Apache and SSL - Paul Weinstein - <[email protected]> - 25
Citation
• Weinstein, Paul. "Web Security: Encryption & Authentication." Daemonnews (May 2001): 15 pars. <http://www.daemonnews.org/200105/ssl_apache.html>
• Weinstein, Paul "Web Security: Apache and mod_ssl." Daemonnews (June 2001): 15 pars. <http://www.daemonnews.org/200106/ssl_apache_pt2.html>
Apache and SSL - Paul Weinstein - <[email protected]> - 26
Suggested References
• This Presentation: o Article:
•Weinstein, Paul. “Apache and SSL” O’Reilly Network: ONLamp.com (April 2002): 24 pars. <http://www.onlamp.com/pub/a/onlamp/2002/04/18/ssl.html>
Apache and SSL - Paul Weinstein - <[email protected]> - 27
Suggested References• This Presentation:
o Slides:•<http://www.waubonsie.com>•<http://www.weinstein.org/
work/presentations/oscon02/apache_ssl> (HTML)
•<http://www.weinstein.org/work/presentations/oscon00/apache_ssl.pdf> (PDF)
Apache and SSL - Paul Weinstein - <[email protected]> - 28
Suggested References
• Apache Project, <http://www.apache.org>
• Apache Week, <http://www.apacheweek.com>
Apache and SSL - Paul Weinstein - <[email protected]> - 29
Suggested References
• mod_ssl Project, <http://www.modssl.org> o Mailing Lists, List Archives:
•<[email protected]> o<http://
marc.theaimsgroup.com/?l=apache-modssl>
Apache and SSL - Paul Weinstein - <[email protected]> - 30
Suggested References• OpenSSL Project, <http://www.openssl.org>
o Mailing Lists, List Archives: • <[email protected]>
o <http://marc.theaimsgroup.com/?l=apache-modssl>
• <[email protected]> o <http://www.progressive-comp.com/
Lists/?l=openssl-cvs> • <[email protected]>
o <http://www.progressive-comp.com/Lists/?l=openssl-dev>
• <[email protected]> o
<http://www.progressive-comp.com/Lists/?l=openssl-users>