summaryrefslogtreecommitdiff
path: root/usr.sbin/httpd/README.SSL
blob: e9522ba7899635e2a4f65dd69f3fb2df8d6d030b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
                       _             _ 
   _ __ ___   ___   __| |    ___ ___| |  mod_ssl
  | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
  | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
  |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
                       |_____|         
  _____________________________________________________________________________

                                              ``All the good things you want
                                                to do in your life have to be
                                                started in the next few hours,
                                                days or weeks.''
                                                       -- Tom DeMarco
                           
                                              ``The best SSL solution for 
                                                Apache money can't buy.''
  OVERVIEW

  Description
  ___________

  This Apache module provides strong cryptography for the Apache 1.3 webserver
  via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
  v1) protocols by the help of the Open Source SSL/TLS toolkit OpenSSL which
  is based on SSLeay from Eric A. Young and Tim J. Hudson. 
 
  The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was
  originally derived from software developed by Ben Laurie for use in the
  Apache-SSL HTTP server project.  Additionally it uses a tool developed by
  Larry Wall and David MacKenzie for use in the GNU project of the FSF.

  Features
  ________

  The mod_ssl package provides the following features:

   o  Open-Source software (BSD-style license)
   o  Useable for both commercial and non-commercial use
   o  Available for both Unix and Win32 (Windows 95/98/NT) platforms 
   o  128-bit strong cryptography world-wide
   o  Support for SSLv2, SSLv3 and TLSv1 protocols
   o  Support for both RSA and Diffie-Hellman ciphers
   o  Clean reviewable ANSI C source code 
   o  Clean Apache module architecture
   o  Integrates seamlessly into Apache through an Extended API (EAPI)
   o  Full Dynamic Shared Object (DSO) support
   o  Support for the OpenSSL+RSAref US-situation
   o  Advanced pass-phrase handling for private keys
   o  X.509 certificate based authentication for both client and server
   o  X.509 certificate revocation list (CRL) support
   o  Support for per-URL renegotiation of SSL handshake parameters
   o  Support for explicit seeding of the PRNG from external sources
   o  Additional boolean-expression based access control facility
   o  Backward compatibility to other Apache SSL solutions
   o  Inter-process SSL session cache (DBM or Shared Memory based)
   o  Powerful dedicated SSL engine logging facility
   o  Simple and robust application to Apache source trees
   o  Fully integrated into the Apache 1.3 configuration mechanism
   o  Additional integration into the Apache Autoconf-style Interface (APACI)
   o  Assistance in X.509v3 certificate generation (both RSA and DSA)

  Disclaimer
  __________

  But the price you have to pay for getting a free SSL implementation for
  Apache is the following:

  THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED
  OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
  NO EVENT SHALL RALF S. ENGELSCHALL OR THEIR CONTRIBUTORS BE LIABLE FOR ANY
  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  Restrictions
  ____________

  Additionally you have to accept the following restriction:
  
  Please REMEMBER that export/import and/or use of cryptography software or
  even just providing cryptography hooks is illegal in some parts of the
  world.  When you re-distribute this package or even email
  patches/suggestions to the authors or other people PLEASE PAY CLOSE
  ATTENTION TO ANY APPLICABLE EXPORT/IMPORT LAWS. The author of mod_ssl is not
  liable for any violations you make here. So be carefully yourself.

  Security Concerns
  _________________

  You should be very sensible when using cryptography software, because just
  running an SSL server _DOES NOT_ mean your system is then secure!  This is
  for a number of reasons. The following questions illustrate some of the
  problems.

   o  SSL itself may not be secure. People think it is, do you?
   o  Does this code implement SSL correctly?
   o  Have the authors of the various components put in back doors?
   o  Does the code take appropriate measures to keep private keys private? 
      To what extent is your cooperation in this process required?
   o  Is your system physically secure?
   o  Is your system appropriately secured from intrusion over the network?
   o  Whom do you trust? Do you understand the trust relationship involved 
      in SSL certificates? Do your system administrators?
   o  Are your keys, and keys you trust, generated careful enough to
      avoid reverse engineering of the private keys?
   o  How do you obtain certificates, keys, and the like, securely?
   o  Can you trust your users to safeguard their private keys?
   o  Can you trust your browser to safeguard its generated private key?
  
  If you can't answer these questions to your personal satisfaction, then you
  usually have a problem. Even if you can, you may still _NOT_ be secure.
  Don't blame the authors if it all goes horribly wrong. Use it at your own
  risk!

  Installation
  ____________

  For installing mod_ssl under Unix please read the document INSTALL,
  for installing under Win32 read the document INSTALL.Win32.

  Compatibility
  _____________

  This module was developed and tested with Netscape Communicator 4.0x, Lynx
  2.7.x and cURL 5.x under FreeBSD 2.2.x and 3.1 as the clients only. But it
  should work with other Navigator/Communicator variants, too. Even Internet
  Explorer users should be able to use this software.

  Resources
  _________

  For a large list of resources visit the web location
  http://www.modssl.org/related/ There you can find a lot of hyperlinks to all
  SSL-related things.

  Credits
  _______

  Special thanks to The Apache Group and the NCSA for Apache, to the OpenSSL
  project for the SSL/TLS toolkit and especially to Eric A. Young and Tim J.
  Hudson for SSLeay on which OpenSSL is based.  And thanks also go to Ben
  Laurie for the original Apache-SSL on which mod_ssl is based. Without the
  effort of these people mod_ssl would not be possible.