On the Commercial Use Of Apache and SSL
Skapare asks: "A year ago, this question about using Apache and SSL in a commercial environment was asked in the Apache section of Slashdot. The RSA patent was still in force back then, and the focus was on commercial products like Raven. Since then, the RSA patent has been released and then expired. That same month a year ago, Ask Slashdot also featured a question about encumbrance of SSL/PGP. But with the RSA patent gone, and Diffie-Hellman before it, this surely opens up Apache with SSL free for commercial use. Now I'm exploring options for free SSL for Apache, and note at least two choices, Apache-SSL and mod_ssl. What I'd like to ask is what are the fundamental and principal differences between these free versions that I should consider in deciding which I should use in a commercial environment."
You still have to buy a certificate from one of the big CAs or else people will get scary errors in their browsers... I don't suppose there are any free CAs out there that are already set up in IE by default? (I think I know the answer to that already).
How long do you think it will take before SSL, etc. become totally widespread? I'd like to be able to use SSL in Outlook Express with my POP mail accounts, but I never had any luck with it (I'm assuming it's not turned on). But there's always SecureCRT for shell account usage and pine.
I've been using mod_ssl. Much easier to set up, and when I tried Apache-SSL, apache would die unexpectedly and it was SLOW. No problems at all with mod_ssl.
mod_ssl is a dynamic-loaded apache extension. you load it, configure it, and forget it.
apache-ssl is a patch against the vanilla apache tree. i believe you have to run two instances of apache, one for normal requests, and one for ssl requests. i may be incorrect, since it seems pretty lame to have an apache that only serves ssl requests. someone correct me if i'm wrong.
I think it's apparent from the tone that there is a healthy level of rivalry between the two projects :) The mod_ssl source code is peppered with quotes by the author of Apache-SSL that are intended (I think) to be unflattering... like:
-- Ben Laurie, Apache-SSL author */
or...
# ``What you are missing, I suppose, is that I'm not
# prepared to give equal rights to Ralf on the basis
# that he's spent a few hours doing what he thinks is
# better than what I've spent the last 4 years on,
# and so he isn't prepared to cooperate with me.''
# -- Ben Laurie, Apache-SSL author
The biggest difference I remember hearing between mod_ssl and Apache-SSL is that mod_ssl team was more focused on new features and the Apache-SSL team was more focused on stability/speed. Things may have changed in the last year or so however.
Both Apache/SSL solutions use the OpenSSL programs and libraries to generate certificates. I use Verisign as my CA. Never had a problem with either the initial request or renewed certificates.
In general, I would say that it depends on exactly what you're looking for - they're both free, why not evaluate them both and see how they work in your environment.
I have used and installed both, in both commercial and academic environments. I started out using Apache-SSL, but have now moved over to using mod_ssl.
Some background - Apache-SSL came first, and ships as a set of patches for the core Apache code. mod_ssl ships as patches, and an additional Apache module. When I last compared them, the fundamental difference was that Apache-SSL just patches itself into the Apache code, while mod_ssl extends the Apache module interface definition to allow the SSL functionality to be contained in a module. In general, I have found mod_ssl to be easier to use and debug. It also appears to have more features, although whether that's a good thing probably depends on how much use the features are to you!
There's more background available from both of the websites.
Finally, as others have pointed out, if you're wanting to use your server with a wider community, you'll need to obtain a certificate from a recognised CA (this isn't as expensive, or difficult, a process as many make out).
As stated in this quote from the bottom of the Apache-SSL page:
"Apache-SSL is not mod_ssl
There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.
Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie)."
Personal Note: Over this past summer, I have had a great deal of experience with Apache-SSL in particular. My employer decided to upgrade our web server from IIS to Apache, and they decided on Apache-SSL. We had some minor problems setting it up, mainly with the daemon not starting/stopping properly when PHP4 was compiled in (we did everything as DSO's). Once we got the server working (after compiling everything as static libraries), all we needed to do was make some certificates. We made all the certificates ourselves and signed the certs for our internal websites. For our external sites, we made the certificates and sent them to VeriSign for "official" signing (that was the only thing we actually needed to pay for). Overall, everything seems to be working quite nicely.
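The certificate workflow the post above describes (sign internal sites yourself, send the external sites' requests to a commercial CA), as an added example that is not part of the thread. It drives the openssl CLI that both Apache-SSL and mod_ssl sit on top of: a private CA is created and used to sign the internal host's CSR, while the external host is left as a CSR to mail to the CA. The CA name, hostnames and directories are placeholders, and the commercial CA's own signing step is of course not shown.

```shell
#!/bin/sh
# Added example (not from the thread): the two certificate paths the post
# describes, driven from the openssl CLI. Internal hosts get a certificate
# signed by a private CA created here; external hosts get only a CSR, which
# is what goes to a commercial CA. Names and paths are placeholders.

# Create a private CA: self-signed certificate plus key, written to $1.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Corp/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Generate a server key and a CSR. $1 = dir, $2 = file basename, $3 = CN.
# The .csr is what you send to a CA; the .key never leaves the server.
make_csr() {
    dir=$1; name=$2; cn=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
}

# Sign a CSR with the private CA (internal sites only). $1 = dir, $2 = basename.
sign_with_ca() {
    dir=$1; name=$2
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
}

# Exit 0 if the certificate chains to ca.crt, as a client trusting that CA would check.
verify_against_ca() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1
}

# Print the CN of a certificate file. -nameopt RFC2253 gives a stable
# "CN=..." form across openssl versions.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Same for a CSR.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if the CSR's self-signature verifies, i.e. the file is intact.
csr_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Exit 0 if private key $1 and certificate $2 carry the same public key.
# Run this when the CA returns your signed cert, before installing it.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo: one internal host signed locally, one external host left as a CSR.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work"
    make_csr "$work" intranet intranet.example.com
    sign_with_ca "$work" intranet
    make_csr "$work" www www.example.com
    if verify_against_ca "$work" intranet; then
        echo "internal cert for $(cert_cn "$work/intranet.crt") verifies against ca.crt"
    fi
    echo "send $work/www.csr (CN=$(csr_cn "$work/www.csr")) to the commercial CA"
    rm -rf "$work"
fi
```

The CA-signed internal certificate will still produce the browser warning the earlier posts mention unless ca.crt is imported into each client; the key_matches_cert check is the one worth running on whatever the commercial CA sends back, since a certificate issued for the wrong CSR is the most common reason Apache refuses to start with "key does not match".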
They used to be $49, but apparently they've raised their prices to $79. They claim that their certificates will work with Apache+SSLeay and Apache+Raven. I am wondering if anyone has had experience with using Equifax certificates (in general), and specifically whether they work with Apache+mod_ssl?
Also, they offer "wildcard" certificates, which allow you to secure *.yourdomain.tld, which seem pretty interesting for an app I'm working on. Any experience with these?
We are upset because MS IE 5.5 will not support wildcard certs. Flat out, there is no way around this and MS has made it clear that they are going to make everyone pay thawte or versign for every single domain you want to secure. It is pretty sick, but it is the truth. You will waste money on a wildcard cert unless you can figure out how to change Microsoft. Good luck. The CAs screw you from the top (CA authority) and MS screws you from the bottom (browser) and you are stuck in the middle trying to run a web server.
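What a wildcard certificate actually covers, as an added example that is not part of the two posts above. The matching rule it implements is the one browsers apply to the certificate name: "*" may only be the entire leftmost label and stands for exactly one label, so *.yourdomain.tld covers www.yourdomain.tld but not the bare yourdomain.tld, not a.b.yourdomain.tld, and not wwwyourdomain.tld; a top-level wildcard such as *.com is refused outright. The hostnames in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the check a browser makes when it
# decides whether a wildcard certificate name covers the host it connected
# to. '*' may only be the whole leftmost label and matches exactly one label.
# Hostnames below are constructed for the demo.

# Exit 0 if certificate name $1 covers host $2, 1 otherwise.
name_matches_host() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')

    case "$name" in
        \*.*)
            suffix=${name#\*.}          # everything after the leading "*."
            ;;
        *\**)
            return 1                    # '*' anywhere else is not a wildcard name
            ;;
        *)
            [ "$name" = "$host" ] && return 0
            return 1                    # plain name: exact match only
            ;;
    esac

    case "$suffix" in
        *\**) return 1 ;;               # a second '*' is never allowed
        *.*) ;;                         # at least two labels must follow the '*'
        *) return 1 ;;                  # "*.com"-style names are refused
    esac

    left=${host%".$suffix"}
    [ "$left" = "$host" ] && return 1   # host does not end in ".$suffix"
    [ -z "$left" ] && return 1          # host is the bare suffix itself
    case "$left" in
        *.*) return 1 ;;                # more than one label in front of the suffix
    esac
    return 0
}

# Demo over a few constructed hostnames against one wildcard name.
for h in www.example.com example.com a.b.example.com wwwexample.com www.example.com.evil.org; do
    if name_matches_host '*.example.com' "$h"; then
        echo "*.example.com covers $h"
    else
        echo "*.example.com does NOT cover $h"
    fi
done
```

The practical consequence for the "secure *.yourdomain.tld" plan above: the bare domain still needs its own certificate (or its own name on the certificate), and anything nested one level deeper than the wildcard does too.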
It seems interesting to me that people might think that certificates would work differently in Apache-SSL vs. Apache+mod_ssl. More so when they both use the same API for performing the crypto layer to read/write the certificate files (SSLeay; now known as OpenSSL).
I've also tried to think about how one could gauge the differences objectively. As far as I've seen, neither seems any faster (which would make sense being that they both use OpenSSL for the "real work"), and I can't think of any features that one has that the other doesn't; and I'm not talking about configuration directives, I'm talking about XXX obtains information YYY and logs it, but product ZZZ doesn't. I'd love to see some enlightenment on that note.
And on that note (karma and enlightenment, that is) I have had no difficulties with either in installation, or uninstallation, or even configuration. I do however like having the "SSL Module". It's quite handy when duplicating disks. I just flip a flag in my configuration files instead of having to recompile Apache. But other than that, I can't see any reason why you would pick one over the other.
Maybe it would be constructive (ooh, big word!) if people posted WHY they use Apache+SSL or WHY they use Apache+mod_ssl instead of just listing off angry posts, and turning my display into a voting log.
To say it another way, I don't think that anyone is interested in why YOU use Apache-SSL or YOU use Apache+mod_ssl. I know that I'm not! Instead, I'd like to hear WHY you use Apache-SSL, or WHY you use Apache+mod_ssl.
I'm sure this won't be popular due to the current mood of RedHat bashing, but it is worth pointing out that RedHat 7 comes with mod_ssl. RedHat also compiles the EAPI patch needed by mod_ssl directly into the apache package and all dependent services (such as PHP) are compiled with EAPI so that there are no package complaints. This gives you a SSL enabled web server right out of the box (or off the wire) with RedHat.
Regarding the EAPI patch, a little background should be presented here. As mentioned earlier, Apache must be patched with EAPI (Extended API) in order to handle the SSL functions provided by mod_ssl. Other packages compiled with the Apache lib like PHP as a DSO module will complain loudly if you load them against a patched Apache when the module was compiled against unpatched libs. Because of this, you have to make sure that all your Apache related services are recompiled. RedHat's decision to include EAPI in their default Apache package simplifies this.
For a modular installation, mod_ssl is probably better being that you can turn an insecure server secure by adding a package rather than replacing an existing one. This gives you better consistency with configuration files and version control. In fact, the same configuration file can support the secure and insecure installs just by using some directives in the file.
One thing I'm curious about is if Apache 2.0 will have EAPI built in by default. This will help to avoid recompile problems like this in the future.
As for using mod_ssl, I've loaded it on several machines. Runs wonderfully. One of my machines has two secure virtual servers and four non-secure virtual servers. The only headache is that you can not do name based virtual hosting with SSL. This is a problem with SSL, not Apache, due to the point where SSL authentication and encryption takes place.
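The two points in the post above, one httpd.conf serving both the plain and the SSL-enabled install through directives, and SSL virtual hosts needing their own IP address rather than a name, as an added configuration example that is not the poster's own file. It follows the Apache 1.3 + mod_ssl conventions of the time (`<IfDefine SSL>`, `LoadModule`/`AddModule`, `httpd -DSSL` via `apachectl startssl`); the 192.0.2.x addresses, hostnames and file paths are placeholders.

```apache
# httpd.conf excerpt (Apache 1.3 + mod_ssl conventions; added example).
# Start with plain "httpd" for the insecure server, or "httpd -DSSL"
# (which is what "apachectl startssl" runs) to get SSL from the same file.

Listen 80
<IfDefine SSL>
Listen 443
</IfDefine>

# mod_ssl as a DSO: only loaded when SSL is defined, so the plain
# install never touches OpenSSL at all.
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
AddModule mod_ssl.c
</IfDefine>

# Plain HTTP: several names can share one IP because the Host: header
# selects the virtual host after the connection is up.
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/www
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName   shop.example.com
    DocumentRoot /var/www/shop
</VirtualHost>

<IfDefine SSL>
# SSL virtual hosts: the server sends its certificate during the
# handshake, before the (encrypted) Host: header can be read, so each
# secure name needs its own IP address (or port). Two secure names on
# one IP:443 would both be served the first vhost's certificate.
<VirtualHost 192.0.2.11:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/www
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.key
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    ServerName            shop.example.com
    DocumentRoot          /var/www/shop
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.key
</VirtualHost>
</IfDefine>
```

To confirm each address hands out the right certificate, connect to each IP directly (for example with `openssl s_client -connect 192.0.2.11:443`) and read the subject of the certificate it presents; a name-based misconfiguration shows up there as the wrong CN, which is exactly the browser warning the earlier posts describe.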