Secure Web Server Documentation
Chapter 2: Introduction to SSL

What is SSL?

Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. Implementing SSL requires software to be installed in servers and on browsers that use the SSL protocol. SSL provides three things: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function. With your SSL-aware Secure Web Server you can ensure a level of security that cannot be achieved by other means. SSL is the most widely used secure method for transmitting sensitive information across the Internet, extranets, and intranets.
Important: SSL data transport requires encryption. Many governments, including the United States, have restrictions on the import and export of cryptographic algorithms. Please ensure that your use of SSL is in compliance with all national and international laws that apply to you.

How widely used is SSL?

SSL is a cooperative technology, requiring reciprocating server and client technologies. Both Netscape and Microsoft have built full-featured SSL security into their browsers. Security and trust are pivotal to the rapid development of eBusiness. More and more web sites are using the SSL protocol to offer clients secure connections and to exchange confidential information. In addition to server-side security, client authentication, also using the SSL protocol for digital IDs and signatures, is gaining much wider acceptance. By convention, Web pages that require an SSL connection start with https: instead of http: (in the browser's address field). Whenever you enter a secure connection, your browser also shows the familiar padlock image in the status bar, indicating that the page is encrypted.
Depending on your browser and its security settings, you may be unaware of the authentication process unless you are prompted to install a certificate issued by the server. This is because your browser has a store of certificates signed by the same certifying authorities as most servers use (VeriSign, for example). You can easily view your certificate store and the details of individual certificates.
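The trust decision described above can be reproduced with the OpenSSL command-line tool. This is an added example, not part of the original documentation: the CA names, host name and temporary paths are constructed for the demo, and it assumes an `openssl` binary and a POSIX shell.

```shell
#!/bin/sh
# Added example. CA names, host name and paths are constructed for the demo.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_ca NAME: create a self-signed root certificate, standing in for a
# certifying authority.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.crt" 2>/dev/null
}

# issue_server_cert CA HOST: have CA sign a certificate for HOST.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$workdir/$2.key" -out "$workdir/$2.csr" 2>/dev/null
    openssl x509 -req -in "$workdir/$2.csr" -days 1 \
        -CA "$workdir/$1.crt" -CAkey "$workdir/$1.key" -CAcreateserial \
        -out "$workdir/$2.crt" 2>/dev/null
}

# server_is_trusted STORE_CA HOST: succeed only if HOST's certificate chains
# to STORE_CA, the single authority in this simulated certificate store.
server_is_trusted() {
    openssl verify -CAfile "$workdir/$1.crt" "$workdir/$2.crt" 2>/dev/null \
        | grep -q ': OK$'
}

make_ca demo-ca            # authority the "browser" already trusts
make_ca unrelated-ca       # authority that never signed the server
issue_server_cert demo-ca www.example.test

for store in demo-ca unrelated-ca; do
    if server_is_trusted "$store" www.example.test; then
        echo "store=$store: issuer known, connection proceeds silently"
    else
        echo "store=$store: issuer unknown, browser would prompt"
    fi
done
```

The same server certificate passes or fails depending only on which authority is in the store, which is why a certificate from a well-known authority produces no prompt.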
How are Apache-SSL, mod_ssl, and OpenSSL related?

Fortunately, open-source implementations of SSL for Apache are available. The original Apache implementation of SSL was Apache-SSL. Subsequently, mod_ssl was derived from Apache-SSL and has become an alternative to it. In open source terminology, mod_ssl is a "split": derived from Apache-SSL but extensively redeveloped, so the code now bears little relation to the original. Apache-SSL continues to be developed and maintained, with the focus being on reliability, security and performance within a limited feature set. The increasing popularity of mod_ssl among Apache users is a result of its added-value features and quality.

The mod_ssl package is not standalone: it works in conjunction with OpenSSL. OpenSSL represents a collaborative effort to develop a robust, commercial-grade, full-featured, and open-source toolkit. It implements the SSL Versions 2 and 3 and Transport Layer Security (TLS) Version 1 protocols, as well as a full-strength, general-purpose cryptography library.

You can think of mod_ssl as the glue joining OpenSSL with Secure Web Server. The mod_ssl interface provides the Apache 1.3.12 web server (on which CSWS is based) with full use of the OpenSSL toolkit. CSWS uses RSA Security's Crypto-C (BSAFE) library in OpenSSL.

The mod_ssl package integrates the OpenSSL module with a set of source patches for Apache called the Extended API (EAPI). These components are included and automatically installed in Secure Web Server: the OpenVMS implementation of Apache with SSL.