On the Commercial Use Of Apache and SSL
Skapare asks: "A year ago, this question about using Apache and SSL in a commercial environment was asked in the Apache section of Slashdot. The RSA patent was still in force back then, and the focus was on commercial products like Raven. Since then, the RSA patent has been released and then expired. That same month a year ago, Ask Slashdot also featured a question about encumbrance of SSL/PGP. But with the RSA patent gone, and Diffie-Hellman before it, this surely opens up Apache with SSL free for commercial use. Now I'm exploring options for free SSL for Apache, and note at least two choices, Apache-SSL, and mod_ssl. What I'd like to ask is what are the fundamental and principal differences between these free versions that I should consider in deciding which I should use in a commercial environment."
I know that apache-ssl is just a patch that you apply to the apache source code. Then you have to recompile it; the httpd created is your SSL server. I don't know how mod_ssl works.
Basically, it depends.
If you're doing it for some PHBs, wait a bit and find out which version is selling the most. It doesn't have to be good, it just has to be popular.
If you're doing it for yourself or in a non-PHB environment, try them both and see which one holds up the best under loads above your peak usage.
--- Will in Seattle - What are you doing to fight the War?
You still have to buy a certificate from one of the big CAs or else people will get scary errors in their browsers... I don't suppose there are any free CAs out there that are already setup in IE by default? (I think I know the answer to that already).
--- Where's my X.400 protocol decoder?
How long do you think it will take before SSL, etc. become totally widespread? I'd like to be able to use SSL in Outlook Express with my POP mail accounts, but I never had any luck with it (I'm assuming it's not turned on). But there's always SecureCRT for shell account usage and pine.
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC3
I've been using mod_ssl. Much easier to set up, and when I tried Apache-SSL, apache would die unexpectedly and it was SLOW. No problems at all with mod_ssl.
Need Free Juniper/NetScreen Support? JuniperForum
The question is whether the certificate you pay for from a certificate authority will work with the SSL module you install. I know for a fact that you can get commercial certificates to work with mod_ssl under apache. An example of a commercial site that uses commercial certs with Apache and mod_ssl is www.qwest.net (Formerly www.uswest.net).
If you're planning to serve SSL pages only, it might be better to compare Apache-SSL and statically compiled mod_ssl, and see which performs the best.
mod_ssl is a dynamically loaded apache extension. You load it, configure it, and forget it.
apache-ssl is a patch against the vanilla apache tree. I believe you have to run two instances of apache, one for normal requests, and one for ssl requests. I may be incorrect, since it seems pretty lame to have an apache that only serves ssl requests. Someone correct me if I'm wrong.
--
Apache-ssl is just a patch to the source code. You end up with an SSL enabled httpsd binary. You run that for your SSL site, and the normal Apache for your non-SSL site.
mod_ssl is just a module that apache loads and uses when it needs SSL. Seems to be a cleaner design and install for me. I've switched several of our servers over... It also seems to be the "new" way of doing it. I know my O'Reilly book covered apache-ssl, but all the current online info I found referenced mod_ssl.
I think it's apparent from the tone that there is a healthy level of rivalry between the two projects :) The mod_ssl source code is peppered with quotes by the author of Apache-SSL that are intended (I think) to be unflattering... like:
-- Ben Laurie, Apache-SSL author */
or...
# ``What you are missing, I suppose, is that I'm not
# prepared to give equal rights to Ralf on the basis
# that he's spent a few hours doing what he thinks is
# better than what I've spent the last 4 years on,
# and so he isn't prepared to cooperate with me.''
# -- Ben Laurie, Apache-SSL author
The biggest difference I remember hearing between mod_ssl and Apache-SSL is that mod_ssl team was more focused on new features and the Apache-SSL team was more focused on stability/speed. Things may have changed in the last year or so however.
Both Apache/SSL solutions use the OpenSSL programs and libraries to generate certificates. I use Verisign as my CA. Never had a problem with either the initial request or renewed certificates.
In general, I would say that it depends on exactly what you're looking for - they're both free, why not evaluate them both and see how they work in your environment.
I have used and installed both, in both commercial and academic environments. I started out using Apache-SSL, but have now moved over to using mod_ssl.
Some background - Apache-SSL came first, and ships as a set of patches for the core Apache code. mod_ssl ships as patches, and an additional Apache module. When I last compared them, the fundamental difference was that Apache-SSL just patches itself into the Apache code, while mod_ssl extends the Apache module interface definition to allow the SSL functionality to be contained in a module. In general, I have found mod_ssl to be easier to use and debug. It also appears to have more features, although whether that's a good thing probably depends on how much use the features are to you!
There's more background available from both of the websites.
Finally, as others have pointed out, if you're wanting to use your server with a wider community, you'll need to obtain a certificate from a recognised CA (this isn't as expensive, or difficult, a process as many make out).
apache-ssl.
I've compiled, installed and configured 3 customer sites with mod_ssl so far.
No problems with compilation, interaction with mod_php or mod_perl, CSR generation, getting the CSR signed through Verisign or final implementation of the SSL key and keyring.
The only thing missing is a nice keyring management X11 GUI like IBM includes with their IBMHTTPD package *drool*. The OpenSSL CLI key management interface requires memorizing yet another set of commands and flags. It works, but is annoying.
-Rusty
The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
I recently installed Apache/mod_ssl at work and tried to use it with our existing Verisign certificate. Verisign has some weird double certificate system that caused connection errors with some builds of IE5 under mod_ssl. The same certificates worked under Apache/Stronghold. The mod_ssl FAQ has lots of information on connection problems with IE, but I tried every single suggestion and couldn't get it to work. I eventually switched to a Thawte certificate. That worked like a charm.
So - does anyone know if the problems I encountered were mod_ssl/verisign specific, or does Apache-SSL have the same issues?
Cheers.
*BZZZZZZZZZZZZZZZZT* WRONG!
Verisign supports both mod_ssl and Apache-SSL.
See http://www.verisign.com/cus/srv/install/s/ for installation instructions.
As stated in this quote from the bottom of the Apache-SSL page:
"Apache-SSL is not mod_ssl
There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.
Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie)."
Personal Note: Over this past summer, I have had a great deal of experience with Apache-SSL in particular. My employer decided to upgrade our web server from IIS to Apache, and they decided on Apache-SSL. We had some minor problems setting it up, mainly with the daemon not starting/stopping properly when PHP4 was compiled in (we did everything as DSO's). Once we got the server working (after compiling everything as static libraries), all we needed to do was make some certificates. We made all the certificates ourselves and signed the certs for our internal websites. For our external sites, we made the certificates and sent them to VeriSign for "official" signing (that was the only thing we actually needed to pay for). Overall, everything seems to be working quite nicely.
Sometimes I doubt your commitment to Sparkle Motion.
I have set up SSL for apache on both Linux and WinNT. I found that it was much easier to set up mod_ssl than apache-ssl. Actually if I remember correctly I think I tried using apache-ssl on Linux and WinNT, but I couldn't get it working right. So then I tried mod_ssl and it worked right away the first time...
Mod_SSL is really easy...The instructions I used made it really easy:
Linux: Installation Guide
WinNT: Installation Guide
FoonDog
I've been using apache+ssl for about 2 years with all certs from Verisign; Verisign has been supporting apache and mod_ssl and apache+ssl for the past 3 years. Get a Clue Dude!!!
- I came I saw I Conquered
They used to be $49, but apparently they've raised their prices to $79. They claim that their certificates will work with Apache+SSLeay and Apache+Raven. I am wondering if anyone has had experience with using Equifax certificates (in general), and specifically whether they work with Apache+mod_ssl?
Also, they offer "wildcard" certificates, which allow you to secure *.yourdomain.tld, which seem pretty interesting for an app I'm working on. Any experience with these?
Verisign, when I checked them out last year, would sign any certificate you sent them, provided you could prove your identity and forked over the cash. They never even asked what httpd you used.
I am using mod_ssl with a Verisign signed 128-bit certificate. Unfortunately, IE as shipped with Win2K is 56-bit and buggy. When a 56-bit SP1 Win2K box connects, all is good. When a 56-bit non-SP1 box connects, it errors out. A 128-bit machine works in either circumstance.
Any suggestions?
If you're using RedHat, I'd recommend mod_ssl, only because the RPM setup is fairly easy and quick and the modular support of mod_ssl in Apache is easy to set up: all you need to do is edit your httpd.conf and restart httpd to load it up. If you're using other distros then it depends. The RedHat Knowledgebase FAQ has some information on setup (with lots of typos and mistakes, but informative nonetheless). The FAQ also mentions Verisign and Thawte.
Linux at home
We are upset because MS IE 5.5 will not support wildcard certs. Flat out, there is no way around this and MS has made it clear that they are going to make everyone pay Thawte or Verisign for every single domain you want to secure. It is pretty sick, but it is the truth. You will waste money on a wildcard cert unless you can figure out how to change Microsoft. Good luck. The CAs screw you from the top (CA authority) and MS screws you from the bottom (browser) and you are stuck in the middle trying to run a web server.
-- Solaris Central - http://w
The process you go through says a lot about what measures they take to verify your identity, and I've inferred that a LOT of it CAN'T be done without human intervention (given the current state of technology) - and not without dedicated hardware in a centralized location. The "authority" part of "certificate authority" is by definition a single entity. They usually request a copy of your business' Certificate of Incorporation, which must be verified by a human being, and they always request a phone number for verification, and they usually request your company's DUNS number (Dun and Bradstreet's corporation database) for simplicity's sake. Verification of the DUNS is about the only thing that can be done automatically, and it's not sufficient to prove your identity, since anyone can look it up.
--
Note that none of this reflects the opinions or views of my employer. Well actually it might, but I'm not allowed to say so.
--
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
If you did this before RSA released the patent into the public domain, then you should have paid for your SSL library -- your failure to do so gives RSA the right to sue you for denying them license fees.
As I understand it, we still don't have a clear answer on whether it's legal to use SSL without paying RSA a license. It's just that everyone is assuming it's so. I won't be surprised if RSA lawyers start calling everyone up and demanding license fees because of some other patent that SSL requires.
Apache-ssl works very well, mod-ssl almost works.
That's probably because the author of Apache-SSL is also one of the authors of the O'Reilly Apache book. I've used mod_ssl, and it was pretty easy to use. It also seems to be the more popular choice.
Software sucks. Open Source sucks less.
Um, what crack are you smoking? The IBM gsk uses a totally proprietary file format, making it completely useless in combo with any other ssl platform. Everything IBM has done in terms of web development (from IBMHTTPD to WebSphere) must die a hideous, flaming death.
See for yourself:
http://www.globalsign.net/prod/freeserver.cfm
Keep in mind I'm pointing this out just so you won't in the future look stupid when you are trying (too hard?) to appear smart.
cf. does not mean "Compare because it's similar," it means "Contrast."
-james.
I'm using a Globalsign certificate with mod_ssl and it works very nicely (their root is in both Netscape and IE), and they have a free cert program (http://www.globalsign.net/prod/freeserver.cfm). I'm just not sure if this is a permanent thing.
I just went there with 5.5 - no errors.
It seems interesting to me that people might think that certificates would work differently in Apache-SSL vs. Apache+mod_ssl. More so when they both use the same API for performing the crypto layer to read/write the certificate files (SSLeay; now known as OpenSSL).
I've also tried to think about how one could gauge the differences objectively. As far as I've seen, neither seems any faster (which would make sense being that they both use OpenSSL for the "real work"), and I can't think of any features that one has that the other doesn't; and I'm not talking about configuration directives, I'm talking about XXX obtains information YYY and logs it, but product ZZZ doesn't. I'd love to see some enlightenment on that note.
And on that note (karma and enlightenment, that is) I have had no difficulties with either in installation, or uninstallation, or even configuration. I do however like having the "SSL Module". It's quite handy when duplicating disks. I just flip a flag in my configuration files instead of having to recompile Apache. But other than that, I can't see any reason why you would pick one over the other.
Maybe it would be constructive (ooh, big word!) if people posted WHY they use Apache+SSL or WHY they use Apache+mod_ssl instead of just listing off angry posts, and turning my display into a voting log.
To say it another way, I don't think that anyone is interested in why YOU use Apache-SSL or YOU use Apache+mod_ssl. I know that I'm not! Instead, I'd like to hear WHY you use Apache-SSL, or WHY you use Apache+mod_ssl.
On most systems root does get a lot of mail but it's forwarded to some user's account (usually the admin's), possibly on another machine. Otherwise you'd have to send the root passwd across the wire for POP or IMAP . . . or log in as root and get only primitive command line mail readers. (So far.) I use procmail to sort the mail I get from my 8 admined servers, which all deliver to my account . . . works really well.
Although it took a couple of compiles to get it to work correctly...
I kept getting strange errors when I tried to look at https pages with Netscape (although IE went well, and Netscape on "usual" pages). Netscape crashed with an error in "the security subsystem".
It looks like Apache (or mod_ssl or php4) (at least the versions I used) aren't 100% compatible. But the problem disappeared when I changed the order of --with-module=php, --with-module etc. to Apache's autoconf script (don't remember which combination finally did work...)
PS. I did try Apache-SSL as well... but that didn't even compile
I didn't say their keyring format or their really friggin old version of Apache was good. Only that the GUI tool for key management was much better than screwing around with openssl CLI calls for key management. Being able to click [Generate a CSR] button and fill in a form, click the [Export CSR to ASCII armored format] menu item and then use the [Import signed CSR to keyring] option is preferable to issuing the equivalent openssl commands.
I'm advocating the authoring of a nice X11 GUI client for keyring management, nothing more.
-Rusty
The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
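The openssl CLI workflow Rusty describes (generate a CSR, have it signed, install the key and certificate) and the self-signed certificates for internal sites mentioned earlier in the thread, as an added shell example that is not from any poster. It assumes the openssl(1) command line tool is on PATH; the hostname intranet.example.test, the organisation name and the temporary working directory are constructed placeholders. It also adds the two checks worth running before the files go anywhere near httpd.conf: that the CN really is the hostname you meant to protect, and that the private key on disk matches the certificate you got back.

```shell
#!/bin/sh
# Added example, not from the thread: the openssl(1) steps behind "generate a
# CSR, have it signed, install the key and certificate", plus a self-signed
# certificate for an internal host, with checks worth running before the files
# go into httpd.conf. Assumes the openssl command line tool is on PATH.
# The hostname and organisation used below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_csr HOST: private key (mode 0600) plus a CSR to send to the CA.
make_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Example Corp/CN=$host" 2>/dev/null
    chmod 600 "$WORK/$host.key"
}

# self_sign HOST: for internal sites only; public sites install the CA-signed
# certificate instead of running this step.
self_sign() {
    host="$1"
    openssl x509 -req -days 365 -in "$WORK/$host.csr" \
        -signkey "$WORK/$host.key" -out "$WORK/$host.crt" 2>/dev/null
}

# subject_cn FILE: print the CN of a CSR or of a certificate, whichever FILE is.
# Handles both the old "/CN=host" and the newer "CN = host" subject layouts.
subject_cn() {
    case "$1" in
        *.csr) openssl req  -in "$1" -noout -subject ;;
        *)     openssl x509 -in "$1" -noout -subject ;;
    esac | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_matches_cert HOST: compare the public key embedded in the certificate
# with the one derived from the private key; a mismatch means the wrong key
# file (or the wrong certificate) is about to be installed.
key_matches_cert() {
    host="$1"
    c=$(openssl x509 -in "$WORK/$host.crt" -noout -pubkey)
    k=$(openssl pkey -in "$WORK/$host.key" -pubout)
    [ "$c" = "$k" ]
}

# not_expired FILE: certificate still valid for at least 30 days (2592000 s).
not_expired() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Walk-through with the constructed hostname.
make_csr intranet.example.test
self_sign intranet.example.test
echo "CSR CN:  $(subject_cn "$WORK/intranet.example.test.csr")"
echo "Cert CN: $(subject_cn "$WORK/intranet.example.test.crt")"
key_matches_cert intranet.example.test && echo "key and certificate match"
echo "files in $WORK"
```

For a public site the flow is the same up to make_csr; the .csr goes to the CA, and the certificate that comes back replaces the self-signed .crt, after which key_matches_cert is the check that catches a key/certificate mix-up before the server fails to start.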
I'm sure this won't be popular due to the current mood of RedHat bashing, but it is worth pointing out that RedHat 7 comes with mod_ssl. RedHat also compiles the EAPI patch needed by mod_ssl directly into the apache package and all dependent services (such as PHP) are compiled with EAPI so that there are no package complaints. This gives you a SSL enabled web server right out of the box (or off the wire) with RedHat.
Regarding the EAPI patch, a little background should be presented here. As mentioned earlier, Apache must be patched with EAPI (Extended API) in order to handle the SSL functions provided by mod_ssl. Other packages compiled with the Apache lib like PHP as a DSO module will complain loudly if you load them against a patched Apache when the module was compiled against unpatched libs. Because of this, you have to make sure that all your Apache related services are recompiled. RedHat's decision to include EAPI in their default Apache package simplifies this.
For a modular installation, mod_ssl is probably better being that you can turn an insecure server secure by adding a package rather than replacing an existing one. This gives you better consistency with configuration files and version control. In fact, the same configuration file can support the secure and insecure installs just by using some directives in the file.
One thing I'm curious about is if Apache 2.0 will have EAPI built in by default. This will help to avoid recompile problems like this in the future.
As for using mod_ssl, I've loaded it on several machines. Runs wonderfully. One of my machines has two secure virtual servers and four non-secure virtual servers. The only headache is that you cannot do name based virtual hosting with SSL. This is a problem with SSL, not Apache, due to the point where SSL authentication and encryption takes place.
World Beach List, my latest project.
Sorry, you've been ripped off.
The only important thing in the certificate (that can't be changed) is the dns name of the server (www.xxx.abc). If you are upgrading to a new server, and that new server gets the same name, you're fine - just copy the files over.
There is nothing magical about the particular hardware or operating system you made the original request on.
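The two certificate-name points raised in this thread, that a wildcard certificate covers *.yourdomain.tld and that the DNS name is the one thing in a certificate you cannot change, as an added example that is not from any poster. It is a plain POSIX shell implementation of the matching rule clients apply: the wildcard may stand for exactly one leftmost label, so *.example.test covers www.example.test but neither example.test itself nor a.b.example.test, and a rename of the server (or an extra subdomain level) leaves the old certificate useless. All hostnames are constructed, and the functions are hypothetical helpers, not part of Apache or OpenSSL.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether a certificate name (the
# CN, or one dNSName in the subjectAltName) covers a hostname, using the
# single-label wildcard rule. Every hostname here is constructed.

lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# name_covers CERT_NAME HOSTNAME -> status 0 if CERT_NAME covers HOSTNAME
name_covers() {
    pattern=$(lower "$1")
    host=$(lower "$2")

    case "$pattern" in
        '*.'*)
            suffix="${pattern#\*.}"       # "*.example.test" -> "example.test"
            # Refuse overly broad wildcards such as "*.test" or "*.com".
            case "$suffix" in
                *.*) ;;
                *) return 1 ;;
            esac
            # The host needs at least one label in front of the suffix;
            # the bare suffix ("example.test") is not covered.
            case "$host" in
                *.*) ;;
                *) return 1 ;;
            esac
            label="${host%%.*}"          # leftmost label, the one "*" stands for
            rest="${host#*.}"            # everything after the first dot
            # "a.b.example.test" fails here: rest is "b.example.test".
            [ -n "$label" ] && [ "$rest" = "$suffix" ]
            ;;
        *'*'*)
            # A wildcard anywhere else ("w*.example.test", "www.*.test") is rejected.
            return 1
            ;;
        *)
            # No wildcard: the names must match exactly (case-insensitively).
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# cert_covers HOSTNAME NAME... -> status 0 if any listed name covers HOSTNAME
cert_covers() {
    host="$1"; shift
    for n in "$@"; do
        if name_covers "$n" "$host"; then return 0; fi
    done
    return 1
}

# uncovered_hosts NAME HOST... -> prints the hosts NAME does not cover, one per
# line; useful for deciding how many separate certificates a site really needs.
uncovered_hosts() {
    name="$1"; shift
    for h in "$@"; do
        name_covers "$name" "$h" || printf '%s\n' "$h"
    done
}

# Walk-through with constructed names.
for h in www.example.test shop.example.test example.test a.b.example.test; do
    if name_covers '*.example.test' "$h"; then
        echo "*.example.test covers   $h"
    else
        echo "*.example.test does NOT cover $h"
    fi
done
```

The same check explains the "ripped off" reply above: after a move to a new hostname, name_covers with the old CN returns 1 for the new name, while a server that keeps its name (same CN, same files copied over) keeps matching regardless of the hardware underneath.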
Find it at http://www.stunnel.org/.
Got time? Spend some of it coding or testing
Trust you to cut to the chase, leaving all of these other Slashdotters floundering in the trivia 30 minutes back in the plot. How are they supposed to work up a good flame war when you axe their ``reason'' for a good does/doesn't war with one small, well-placed, fixed-pitch question? (-:
I use mod_ssl because that's what Mandrake ship with their distros. You can call that laziness, or you can call it pragmatism, but really it's the only reason I have.
Got time? Spend some of it coding or testing
If performance is your thing, why not off-load the SSL calculations to some dedicated hardware?
For instance Rainbow (isglabs.rainbow.com) sells some really nice hardware. It includes drivers for Linux and FreeBSD. It also works with most popular web servers, including Apache.
Mathijs
...and now that the patent has expired, ships it on the main CD set from 7.2 (currently -rc1). Mandrake 7.2 also includes Apache-ASP and the semi-separate Apache-PERL daemon. And lots of other yummy stuff. (-:
Got time? Spend some of it coding or testing
Performance might be nice. Reliability and security (as in no buffer holes for script kiddies) are certainly important. However, simplified visual interfaces are not my forté. Can Zeus be administered in the most literal and detailed sense?
now we need to go OSS in diesel cars
I don't see why apache-ssl would be faster than mod_ssl. Just because it's patched and compiled in doesn't make it faster. It still needs to perform the same tasks. The difference in speed comes from the efficiency of the code, and modularity does not necessarily hurt it. Can you explain your reasoning?
___
___
If you think big enough, you'll never have to do it.
I can't speak for apache-ssl, but I can echo some peoples' experience with mod_ssl / IE5 / Verisign "Global Server Certificates" (128-bit certs with 'stepping up'). The problem is a nasty one and despite regular posts on the mailing lists, Ralf (the mod_ssl author) seemed to think that the problem was solved, and that all problems derived from IE's implementation of SSL. But the problem is not solved - look at the mailing list archives and every week someone has the same problem. In fact I think the problem derives from a *combination* of some of the experimental ciphers in OpenSSL 0.9.5a and IE5+. The problem was eating up too much of my time, so now I'm only using 56-bit certs, for which there is no problem. But that's not what I would call an ideal situation...
Authentication doesn't matter so much to me because
1) I don't really know the other party anyway.
2) The CA's usually don't bother either
3) And even if the CA's care, they just verify identity not trustworthiness.
Most of those domain name thefts only worked because of Network Solutions' gross negligence.
Only when certificates become drastically compulsory for almost everything will they be worth anything. I hope that doesn't happen soon.
Cheerio.
Link.
http://www.umma.lsa.umich.edu/Pub/Writer/Latin.html
Gives a short commentary on the correct usage of cf. Misuse of language is just a little pet peeve of mine, I didn't mean to come down so hard!
James
Apache 1.3.14 was released, and an update to apache-ssl for this new version cannot be found (perhaps I am REALLY blind). Mod_ssl has the update already. Now why would I want to continue running apache 1.3.12 just because this Ben person is slow to post a new patch? Got me..
Also, although I've had problems with both apache-ssl and mod_ssl previously (newbie disease), mod_ssl was a much easier install than apache-ssl (having to deal with openssl include directories not being found automagically by apache-ssl's configure, numerous other edits by hand had to be done to get it working as well).
Another plus for mod_ssl is that it is able to be compiled as loadable module, making upgrades easier.
After using both, it seems to me like Ben is just reinventing the wheel when his efforts could more than likely be more productive if focused on the modssl project.
Ooops,
I meant to post that one to continue in the anonymous coward vein. Oh well.
Elgon
First of all yes, root gets lots of e-mail, all of which should be forwarded away to some admin's mailbox (or more likely to some admin's automated mail parser). You should never ever ever need to manually read root's e-mail.
As for cleartext mail passwords, well, you *can* do it that way, or you can use OPIE, APOP, KPOP, SSL, IMAP with GSS, IMAP with CRAM-MD5, regular POP or IMAP over ssh or IPSec.... Hell, you could even use NTLM if you're auth'ing against an Exchange server or something.
Really, there's no excuse for sending your admin passwords across the wire cleartext. They should have to work to get access to your machines.
--
"Don't trolls get tired?"