| |
| #use "ssl_template.inc" title="Preface" tag=over num=1 |
| |
| <page_prev name="Cover" url="index.html"> |
| <page_next name="Introduction" url="ssl_intro.html"> |
| |
| <quotation width=300 author="Tim J. Hudson, SSLeay F.A.Q."> |
| ``Ralf Engelschall has released an |
| excellent module that integrates |
| Apache and SSLeay.'' |
| </quotation> |
| |
| <p> |
| <table cellspacing=0 cellpadding=0 border=0> |
| <tr valign=bottom> |
| <td> |
| |
| <big T>his module provides strong cryptography for the <A |
| HREF="http://www.apache.org/">Apache</A> (v1.3) webserver via the <A |
| HREF="http://www.netscape.com/newsref/std/SSL.html">Secure Socket Layer</A> |
| (SSL v2/v3) and <A HREF="http://www.consensus.com/ietf-tls/">Transport Layer |
| Security</A> (TLS v1) protocols by the help of the excellent SSL/TLS |
| implementation library <A HREF="http://www.openssl.org/">OpenSSL</A> from <A |
| HREF="mailto:eay@aus.rsa.com">Eric A. Young</A> and <A |
| HREF="mailto:tjh@cryptsoft.com">Tim Hudson</A>. |
| |
| </td> |
| <td> |
| |
| </td> |
| <td> |
| |
| <div align=right> |
| <table cellspacing=0 cellpadding=5 border=0 bgcolor="#ccccff"> |
| <tr> |
| <td bgcolor="#333399"> |
| <font face="Arial,Helvetica" color="#ccccff"> |
| <b>Global Table Of Contents</b> |
| </font> |
| </td> |
| </tr> |
| <tr> |
| <td> |
| <font face="Arial,Helvetica" size=-1> |
| <b> |
| |
| <a href="ssl_overview.html">Chapter 1: Preface</a><br> |
| <a href="ssl_intro.html">Chapter 2: Introduction</a><br> |
| <a href="ssl_reference.html">Chapter 3: Reference</a><br> |
| <a href="ssl_compat.html">Chapter 4: Compatibility</a><br> |
| <a href="ssl_howto.html">Chapter 5: HowTo</a><br> |
| <a href="ssl_faq.html">Chapter 6: F.A.Q. List</a><br> |
| <a href="ssl_glossary.html">Chapter 7: Glossary</a><br> |
| |
| </b> |
| </font> |
| </td> |
| </tr> |
| </table> |
| </div> |
| |
| </td> |
| </tr> |
| </table> |
| |
| <p> |
| The <A HREF="http://www.modssl.org/">mod_ssl</A> package was |
| created in April 1998 by <A HREF="mailto:rse@engelschall.com">Ralf S. |
| Engelschall</A> and was originally derived from the <A |
| HREF="http://www.apache-ssl.org/">Apache-SSL</A> package developed by <A |
| HREF="mailto:ben@algroup.co.uk">Ben Laurie</A>. It stays under a BSD-style |
| license which is equivalent to the license used by <A |
| HREF="http://www.apache.org/">The Apache Group</a> for the Apache webserver |
| itself. This means, in short, that you are free to use it both for commercial |
| and non-commercial purposes as long as you retain the authors' copyright |
| notices and give the proper credit. |
| |
| <h2>Legalese</h2> |
| |
| Although the above conditions also apply to Apache and OpenSSL in general (both |
| are freely available and useable software packages), you should be aware that |
| especially the cryptographic algorithms used inside OpenSSL stay under |
| certain patents and perhaps import/export/use restrictions in some countries |
| of the world. So whether you can actually use the combination |
| Apache+mod_ssl+OpenSSL in your country depends mainly on your local state laws. |
| The authors of neither Apache nor mod_ssl nor OpenSSL are liable for any |
| violations you make here. |
| |
| <p> |
| If you're not sure what law details apply to your country you're strongly |
| advised to first determine them by consulting an attorney before using this |
| module. A lot of hints you can find in the <a |
| href="http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm">International Law |
| Crypto Survey</a> which is a really comprehensive resource on this topic. At |
| least two countries with heavy cryptography restrictions are well known: |
| In the United States (USA) it's not allowed to (re-)export mod_ssl |
| or OpenSSL And inside France it's not allowed to use any cryptography at all |
| when keys with more than 40 bits are used. |
| |
| <p> |
| <box bdcolor="#cccccc" bdwidth=1 bdspace=10 bgcolor=white> |
| <font face="Arial,Helvetica"> |
| This software package uses strong cryptography, so while it is created, |
| maintained and distributed from Germany and Switzerland (where it is legal to |
| do this), it falls under certain export/import and/or use restrictions in some |
| other parts of the world. |
| <p> |
| PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY |
| SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL |
| DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. |
| SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM |
| THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE |
| AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO |
| ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF MOD_SSL |
| IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFULLY YOURSELF, IT |
| IS YOUR RESPONSIBILITY. |
| </font> |
| <p> |
| <font face="Arial,Helvetica"> |
| CREDIT INFORMATION: |
| This product includes software developed by Ben Laurie for use in the |
| Apache-SSL HTTP server project, software developed by Larry Wall and David |
| MacKenzie for use in the GNU project of the FSF and software developed by Dr. |
| Stephen N. Henson as a companion to OpenSSL. |
| </font> |
| </box> |
| |
| <h2>Module Architecture</h2> |
| |
| The mod_ssl package consists of the SSL module (part 1 in <a |
| href="#figure1">Figure 1</a>) and a set of source patches for Apache adding the |
| Extended API (EAPI) (part 2 in <a href="#figure1">Figure 1</a>) which is an |
| essential prerequisite in order to use mod_ssl. In other words: you can only |
| use the mod_ssl module when Apache's core code contains the Extended API. But |
| because when applying mod_ssl to the Apache source tree the Extended API is |
| also automatically added you usually don't have to think about this. It's |
| mainly important for package vendors who want to build separate packages for |
| Apache and mod_ssl. For more details on how to apply mod_ssl to the Apache |
| source tree please follow the <code>INSTALL</code> file in the mod_ssl |
| distribution. |
| |
| <p> |
| <float name="figure1" caption="Figure 1: Module Architecture"> |
| <img src="ssl_overview_fig1.gif" alt=""> |
| </float> |
| |
| <h2>Module Building</h2> |
| |
| The SSL module (mod_ssl) resides under the <CODE>src/modules/ssl/</CODE> |
| subdirectory inside the Apache source tree and is a regular Apache module. This |
| means that you can configure, build and install it like any other Apache module. |
| Usually this is done by using the APACI command |
| |
| <blockquote> |
| <pre> |
| $ cd apache_1.3.x/ |
| $ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl |
| </pre> |
| </blockquote> |
| |
| or by manually editing the <code>SSL_BASE</code> variable, |
| uncommenting the corresponding <code>AddModule</code> directive inside the |
| <code>src/Configuration</code> file and using the command |
| |
| <blockquote> |
| <pre> |
| $ cd apache_1.3.x/src |
| $ ./Configure |
| </pre> |
| </blockquote> |
| |
| for configuring. Additionally you can enable the <a |
| href="http://www.apache.org/docs/dso.html">Dynamic Shared Object</a> (DSO) |
| support for mod_ssl by either adding the <code>--enable-shared=ssl</code> |
| option to the APACI configure command line or by replacing the |
| |
| <blockquote> |
| <pre> |
| AddModule ssl_module modules/ssl/libssl.a |
| </pre> |
| </blockquote> |
| |
| line in <code>src/Configuration</code> with |
| |
| <blockquote> |
| <pre> |
| SharedModule ssl_module modules/ssl/libssl.so |
| </pre> |
| </blockquote> |
| |
| Building mod_ssl as a DSO is especially interesting to achieve more run-time |
| flexibility, i.e. you can decide whether to use SSL or not at run-time instead |
| of build-time. But notice that building mod_ssl as a DSO requires that your |
| OS/compiler supports building DSOs in the first place, and additionally that |
| they support linking of a DSO against a static library (libssl.a, libcrypo.a). |
| Not all platform support this. |
| |