Slashdot Mirror


On the Commercial Use Of Apache and SSL

Skapare asks: "A year ago, this question about using Apache and SSL in a commercial environment was asked in the Apache section of Slashdot. The RSA patent was still in force back then, and the focus was on commercial products like Raven. Since then, the RSA patent has been released and then expired. That same month a year ago, Ask Slashdot also featured a question about encumbrance of SSL/PGP. But with the RSA patent gone, and Diffie-Hellman before it, this surely opens up Apache with SSL free for commercial use. Now I'm exploring options for free SSL for Apache, and note at least two choices, Apache-SSL, and mod_ssl. What I'd like to ask is what are the fundamental and principal differences between these free versions that I should consider in deciding which I should use in a commercial environment."

6 of 105 comments

  1. use mod_ssl by Phexro · · Score: 4

    mod_ssl is a dynamic-loaded apache extension. you load it, configure it, and forget it.

    apache-ssl is a patch against the vanilla apache tree. i believe you have to run two instances of apache, one for normal requests, and one for ssl requests. i may be incorrect, since it seems pretty lame to have an apache that only serves ssl requests. someone correct me if i'm wrong.


  2. From the Apache-SSL and mod_ssl documentation by localman · · Score: 5
    There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original. Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear.

    I think it's apparent from the tone that there is a healthy level of rivalry between the two projects :) The mod_ssl source code is peppered with quotes by the author of Apache-SSL that are intended (I think) to be unflattering... like:

    /* ``I'll be surprised if others think that what you are doing is honourable.''
    -- Ben Laurie, Apache-SSL author */

    or...

    # ``What you are missing, I suppose, is that I'm not
    # prepared to give equal rights to Ralf on the basis
    # that he's spent a few hours doing what he thinks is
    # better than what I've spent the last 4 years on,
    # and so he isn't prepared to cooperate with me.''
    # -- Ben Laurie, Apache-SSL author

  3. Mod-ssl and Apache-SSL by sxxw · · Score: 4

    In general, I would say that it depends on exactly what you're looking for - they're both free, why not evaluate them both and see how they work in your environment.

    I have used and installed both, in both commercial and academic environments. I started out using Apache-SSL, but have now moved over to using mod_ssl.

    Some background - Apache-SSL came first, and ships as a set of patches for the core Apache code. mod_ssl ships as patches, and an additional Apache module. When I last compared them, the fundamental difference was that Apache-SSL just patches itself into the Apache code, mod_ssl extends the Apache module interface definition to allow the SSL functionality to be contained in a module. In general, I have found mod_ssl to be easier to use and debug. It also appears to have more features, although whether that's a good thing probably depends on how much use the features are to you!

    There's more background available from both of the websites.

    Finally, as others have pointed out, if you're wanting to use your server with a wider community, you'll need to obtain a certificate from a recognised CA (this isn't as expensive, or difficult, a process as many make out).

  4. Cheap(er) source of server certificates by humphreybogus · · Score: 5
    I'm sure there's been a slashdot thread on this already, but I just wanted to mention that Equifax Secure might be a useful solution to those looking for cheaper server certificates (vs. Verisign/Thawte).

    They used to be $49, but apparently they've raised their prices to $79. They claim that their certificates will work with Apache+SSLeay and Apache+Raven. I am wondering if anyone has had experience with using Equifax certificates (in general), and specifically whether they work with Apache+mod_ssl?

    Also, they offer "wildcard" certificates, which allow you to secure *.yourdomain.tld, which seem pretty interesting for an app I'm working on. Any experience with these?

  5. wildcard certs and M$ by ragnar · · Score: 5
    Wildcard certs are great things because they let an ISP offer a shared certificate for a broad range of users. In many cases this is a great situation. My company purchased a wildcard cert only to be very upset though.

    We are upset because MS IE 5.5 will not support wildcard certs. Flat out, there is no way around this and MS has made it clear that they are going to make everyone pay Thawte or Verisign for every single domain you want to secure. It is pretty sick, but it is the truth. You will waste money on a wildcard cert unless you can figure out how to change Microsoft. Good luck. The CAs screw you from the top (CA authority) and MS screws you from the bottom (browser) and you are stuck in the middle trying to run a web server.

    --
    -- Solaris Central - http://w
  6. RedHat 7 comes with mod_ssl by decaym · · Score: 4

    I'm sure this won't be popular due to the current mood of RedHat bashing, but it is worth pointing out that RedHat 7 comes with mod_ssl. RedHat also compiles the EAPI patch needed by mod_ssl directly into the apache package and all dependent services (such as PHP) are compiled with EAPI so that there are no package complaints. This gives you a SSL enabled web server right out of the box (or off the wire) with RedHat.

    Regarding the EAPI patch, a little background should be presented here. As mentioned earlier, Apache must be patched with EAPI (Extended API) in order to handle the SSL functions provided by mod_ssl. Other packages compiled with the Apache lib like PHP as a DSO module will complain loudly if you load them against a patched Apache when the module was compiled against unpatched libs. Because of this, you have to make sure that all your Apache related services are recompiled. RedHat's decision to include EAPI in their default Apache package simplifies this.

    For a modular installation, mod_ssl is probably better being that you can turn an insecure server secure by adding a package rather than replacing an existing one. This gives you better consistency with configuration files and version control. In fact, the same configuration file can support the secure and insecure installs just by using some directives in the file.

    One thing I'm curious about is if Apache 2.0 will have EAPI built in by default. This will help to avoid recompile problems like this in the future.

    As for using mod_ssl, I've loaded it on several machines. Runs wonderfully. One of my machines has two secure virtual servers and four non-secure virtual servers. The only headache is that you can not do name based virtual hosting with SSL. This is a problem with SSL, not Apache, due to the point where SSL authentication and encryption takes place.

    --
    World Beach List, my latest project.
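
An added illustration of the setup described in the comment above: one configuration file that serves plain HTTP by default and adds HTTPS when the server is started with `-DSSL`, with name-based hosting for the non-secure sites and one IP address per secure site. It is not from the commenter or from the mod_ssl distribution; it assumes mod_ssl is already loaded, and every address, hostname and path is a constructed placeholder.

```apache
# Constructed example: every address, hostname and path is a placeholder.
# Started as "httpd -DSSL" the server also answers HTTPS; started without
# the flag, the same file yields a plain HTTP server.

Listen 80
<IfDefine SSL>
Listen 443
</IfDefine>

# Plain HTTP: name-based hosting works because the server reads the
# Host header before it has to choose a virtual host.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName lists.example.com
    DocumentRoot /var/www/lists
</VirtualHost>

<IfDefine SSL>
# HTTPS: the certificate is presented during the SSL handshake, before
# any Host header arrives, so each secure site is bound to its own IP.
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/secure.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.12:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/shop.example.com.key
</VirtualHost>
</IfDefine>
```

Keep the private key files readable only by root; the server reads them at startup before dropping privileges.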