HP OpenVMS Systems

Secure Web Server (based on Apache™)


HP Secure Web Server Documentation

SSL User Guide

  • Chapter 2: Introduction to SSL


    What is SSL?

    How widely used is SSL?

    How are Apache-SSL, mod_ssl, and OpenSSL related?

    How does mod_ssl fit into HP Secure Web Server?

    What is SSL?

    Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. Implementing SSL requires software to be installed in servers and on browsers that use the SSL protocol. SSL provides three things: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function.

    With your SSL-aware HP Secure Web Server you can ensure a level of security that cannot be achieved by other means. SSL is the most widely used secure method for transmitting sensitive information across the Internet, extranets, and intranets.

    With the growth of the Internet and digital data transmission, many applications need to securely transmit data to remote applications and computers. SSL was originally developed by Netscape to solve this problem using a server-independent architecture. In point-to-point connections, SSL enables mutual authentication between servers and clients by establishing an authenticated and encrypted connection.

    SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. It provides protection against eavesdropping, tampering, and forgery. Clients and servers are able to authenticate each other and to establish a secure link, or "pipe," across the Internet or intranets to protect the information transmitted.

    Important: SSL data transport requires encryption. Many governments, including the United States, have restrictions on the import and export of cryptographic algorithms. Please ensure that your use of SSL is in compliance with all national and international laws that apply to you.

      RSA Security SSL and TLS

    How widely used is SSL?

    SSL is a cooperative technology, requiring reciprocating server and client technologies. Both Netscape and Microsoft have built full-featured SSL security into their browsers.

    Security and trust are pivotal to the rapid development of eBusiness. More and more web sites are using the SSL protocol to offer clients secure connections and to exchange confidential information. In addition to server-side security, client authentication, also using the SSL protocol for digital IDs and signatures, is gaining much wider acceptance.

    By convention, Web pages that require an SSL connection start with https: instead of http: (in the browser's address field). Whenever you enter a secure connection, your browser also shows the familiar padlock image in the status bar, indicating that the page is encrypted.

    SSL security symbols in Netscape Navigator and Microsoft Internet Explorer status bars

    Depending on your browser and its security settings, you may be unaware of the authentication process unless you are prompted to install a certificate issued by the server. This is because your browser has a store of certificates signed by the same certifying authorities that most servers use (such as VeriSign). You can easily view your certificate store and the details of individual certificates.

    SSL is not Secure HTTP

    Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Encryption of the transport layer allows SSL to be application-independent, while S-HTTP is limited to the specific software implementing it. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.

    IETF Security Area


    How are Apache-SSL, mod_ssl, and OpenSSL related?

    Fortunately, open-source implementations of SSL for Apache are available. The original Apache implementation of SSL was Apache-SSL. Subsequently, mod_ssl was derived from Apache-SSL and has become an alternative to it. In open source terminology, mod_ssl is a "split" - derived from Apache-SSL but extensively redeveloped, so the code now bears little relation to the original.

    Apache-SSL continues to be developed and maintained, with the focus being on reliability, security and performance within a limited feature set. The increasing popularity of mod_ssl among Apache users is a result of its added-value features and quality. The mod_ssl package is not standalone: it works in conjunction with OpenSSL.

    OpenSSL represents a collaborative effort to develop a robust, commercial-grade, full-featured, and open-source toolkit. It implements the SSL Version 2 and 3 and Transport Layer Security (TLS) Version 1 protocols, as well as a full-strength, general-purpose cryptography library.

    How does mod_ssl fit into HP Secure Web Server?

    You can think of mod_ssl as the glue joining OpenSSL with HP Secure Web Server. The mod_ssl interface provides the Apache 1.3.12 web server (on which CSWS is based) with full use of the OpenSSL toolkit. CSWS uses RSA Security's Crypto-C (BSAFE) library in OpenSSL.

      mod_ssl: The Apache Interface to OpenSSL

    The mod_ssl package integrates the OpenSSL module with a set of source patches for Apache called the Extended API (EAPI). These components are included and automatically installed in HP Secure Web Server: the OpenVMS implementation of Apache with SSL.

    mod_SSL User Manual: Overview