Introduction to SSL
What is SSL?
How widely used is SSL?
How are Apache-SSL, mod_ssl, and OpenSSL related?
How does mod_ssl fit into HP Secure Web Server?
What is SSL?
Secure Sockets Layer (SSL)
is the open standard security protocol for the secure transfer of
sensitive information over the Internet. Implementing SSL requires
software to be installed in servers and on browsers that use the SSL
protocol. SSL provides three things: privacy through encryption,
server authentication, and message integrity. Client authentication
is available as an optional function.
With your SSL-aware HP Secure
Web Server you can ensure a level of security that cannot be
achieved by other means. SSL is the most widely used secure method
for transmitting sensitive information across the Internet,
extranets, and intranets.
With the growth of the Internet and digital data transmission, many
applications need to securely transmit data to remote applications
and computers. SSL was originally developed by Netscape to solve this
problem using a server-independent architecture. In
point-to-point connections, SSL enables mutual authentication
between servers and clients by establishing an authenticated and
SSL runs above TCP/IP and below
HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. It
provides protection against eavesdropping, tampering, and forgery.
Clients and servers are able to authenticate each other and to
establish a secure link, or "pipe," across the Internet or
intranets to protect the information transmitted.
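
The layering described above (SSL between TCP/IP and the application protocol) shows up in the first five bytes of every record on the wire. The following Python code is an added example, not part of the original HP documentation; the function name `parse_record_header` and the sample byte strings are constructed for illustration.

```python
import struct

# Record-layer content types (SSL 3.0 / TLS). Type 23 carries the encrypted
# higher-level protocol (HTTP, LDAP, IMAP, NNTP, ...).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_record_header(data: bytes) -> dict:
    """Decode the first SSL/TLS record header in a TCP payload.

    The version is the one written in the record header; on a ClientHello
    it is a compatibility value, not the version that gets negotiated.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] in CONTENT_TYPES and data[1] == 0x03:
        # SSL 3.0 / TLS: type (1 byte), version (2), length (2), big-endian.
        ctype, version, length = struct.unpack("!BHH", data[:5])
        kind = CONTENT_TYPES[ctype]
    elif data[0] & 0x80 and data[2] == 0x01:
        # SSL 2.0 CLIENT-HELLO: 15-bit length, message type 1, then version.
        length = ((data[0] & 0x7F) << 8) | data[1]
        (version,) = struct.unpack("!H", data[3:5])
        kind = "sslv2_client_hello"
    else:
        raise ValueError("not an SSL/TLS record header")
    name = VERSIONS.get(version, f"unknown (0x{version:04x})")
    return {"kind": kind, "version": name, "length": length}


# Constructed sample payload prefixes (not captured traffic).
SAMPLES = {
    "sslv3_hello": bytes.fromhex("160300002f"),
    "tls12_app_data": bytes.fromhex("1703030040"),
    "sslv2_hello": bytes.fromhex("802e010002"),
    "plain_http": b"GET / HTTP/1.0\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        try:
            print(label, parse_record_header(raw))
        except ValueError as exc:
            print(label, "->", exc)
```

The cleartext HTTP sample is rejected because it has no record header, which is the observable difference between http: and https: traffic at the TCP payload level.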
data transport requires encryption. Many governments, including the
United States, have restrictions on the import and export of
cryptographic algorithms. Please ensure that your use of SSL is in
compliance with all national and international laws that apply to you.
Security SSL and TLS
How widely used is SSL?
SSL is a cooperative technology, requiring reciprocating server and
client technologies. Both Netscape and Microsoft have built
full-featured SSL security into their browsers.
Security and trust are pivotal to the rapid development of eBusiness.
More and more web sites are using the SSL protocol to offer clients
secure connections and to exchange confidential information. In
addition to server-side security, client authentication, also using
the SSL protocol for digital IDs and signatures, is gaining much
By convention, Web pages that require an SSL connection start with https:
instead of http: (in the browser's address
field). Whenever you enter a secure connection, your browser also
shows the familiar padlock image in the status bar, indicating that
the page is encrypted.
SSL security symbols in Netscape
Navigator and Microsoft Internet Explorer status bars
Depending on your browser and its security settings, you may be
unaware of the authentication process unless you are prompted to
install a certificate issued by the server. This is because your
browser has a store of certificates signed by the same certifying
authorities as most servers use (such as VeriSign, for example). You
can easily view your certificate store and the details of individual
SSL is not Secure HTTP
Another protocol for transmitting data securely over the World Wide
Web is Secure HTTP (S-HTTP). Encryption of the transport layer allows
SSL to be application-independent, while S-HTTP is limited to the
specific software implementing it. Both protocols have been approved
by the Internet Engineering Task Force (IETF) as a standard.
How are Apache-SSL, mod_ssl, and OpenSSL related?
implementations of SSL for Apache are available. The original Apache
implementation of SSL was Apache-SSL.
mod_ssl was derived from Apache-SSL and has become an alternative to it. In
open source terminology, mod_ssl is a "split" - derived
from Apache-SSL but extensively redeveloped, so the code now bears
little relation to the original.
Apache-SSL continues to be developed and maintained, with the focus being on
reliability, security and performance within a limited feature set.
The increasing popularity of mod_ssl among Apache users is a result
of its added-value features and quality. The mod_ssl package is not
standalone: it works in conjunction with OpenSSL.
OpenSSL represents a collaborative effort to develop a robust,
commercial-grade, full-featured, and open-source toolkit. It
implements the Secure Sockets Layer (SSL) Versions 2 and 3 and
Transport Layer Security (TLS) protocols, as well as a full-strength,
general-purpose cryptography library.
The Open Source toolkit for SSL/TLS
How does mod_ssl fit into HP Secure Web Server?
You can think of mod_ssl as the glue joining OpenSSL with HP
Secure Web Server. The
mod_ssl interface provides Apache 1.3.12 web server (on which CSWS
is based) with full use of the OpenSSL toolkit. CSWS uses RSA Security's
Crypto-C (BSAFE) library in OpenSSL.
The Apache Interface to OpenSSL