docs/manual/ssl/ssl_overview.wml - httpd - Git at Google


 #use "ssl_template.inc" title="Preface" tag=over num=1

 <page_prev name="Cover" url="index.html">
 <page_next name="Introduction" url="ssl_intro.html">

 <quotation width=300 author="Tim J. Hudson, SSLeay F.A.Q.">
 ``Ralf Engelschall has released an
 excellent module that integrates
 Apache and SSLeay.''
 </quotation>

 <p>
 <table cellspacing=0 cellpadding=0 border=0>
 <tr valign=bottom>
 <td>

 <big T>his module provides strong cryptography for the <A
 HREF="http://www.apache.org/">Apache</A> (v1.3) webserver via the <A
 HREF="http://www.netscape.com/newsref/std/SSL.html">Secure Socket Layer</A>
 (SSL v2/v3) and <A HREF="http://www.consensus.com/ietf-tls/">Transport Layer
 Security</A> (TLS v1) protocols by the help of the excellent SSL/TLS
 implementation library <A HREF="http://www.openssl.org/">OpenSSL</A> from <A
 HREF="mailto:eay@aus.rsa.com">Eric A. Young</A> and <A
 HREF="mailto:tjh@cryptsoft.com">Tim Hudson</A>.

 </td>
 <td>
 &nbsp;&nbsp;
 </td>
 <td>

 <div align=right>
 <table cellspacing=0 cellpadding=5 border=0 bgcolor="#ccccff">
 <tr>
 <td bgcolor="#333399">
 <font face="Arial,Helvetica" color="#ccccff">
 <b>Global Table Of Contents</b>
 </font>
 </td>
 </tr>
 <tr>
 <td>
 <font face="Arial,Helvetica" size=-1>
 <b>

 <a href="ssl_overview.html">Chapter 1: Preface</a><br>
 <a href="ssl_intro.html">Chapter 2: Introduction</a><br>
 <a href="ssl_reference.html">Chapter 3: Reference</a><br>
 <a href="ssl_compat.html">Chapter 4: Compatibility</a><br>
 <a href="ssl_howto.html">Chapter 5: HowTo</a><br>
 <a href="ssl_faq.html">Chapter 6: F.A.Q. List</a><br>
 <a href="ssl_glossary.html">Chapter 7: Glossary</a><br>

 </b>
 </font>
 </td>
 </tr>
 </table>
 </div>

 </td>
 </tr>
 </table>

 <p>
 The <A HREF="http://www.modssl.org/">mod_ssl</A> package was
 created in April 1998 by <A HREF="mailto:rse@engelschall.com">Ralf S.
 Engelschall</A> and was originally derived from the <A
 HREF="http://www.apache-ssl.org/">Apache-SSL</A> package developed by <A
 HREF="mailto:ben@algroup.co.uk">Ben Laurie</A>. It stays under a BSD-style
 license which is equivalent to the license used by <A
 HREF="http://www.apache.org/">The Apache Group</a> for the Apache webserver
 itself. This means, in short, that you are free to use it both for commercial
 and non-commercial purposes as long as you retain the authors' copyright
 notices and give the proper credit.

 <h2>Legalese</h2>

 Although the above conditions also apply to Apache and OpenSSL in general (both
 are freely available and useable software packages), you should be aware that
 especially the cryptographic algorithms used inside OpenSSL stay under
 certain patents and perhaps import/export/use restrictions in some countries
 of the world. So whether you can actually use the combination
 Apache+mod_ssl+OpenSSL in your country depends mainly on your local state laws.
 The authors of neither Apache nor mod_ssl nor OpenSSL are liable for any
 violations you make here.

 <p>
 If you're not sure what law details apply to your country you're strongly
 advised to first determine them by consulting an attorney before using this
 module. A lot of hints you can find in the <a
 href="http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm">International Law
 Crypto Survey</a> which is a really comprehensive resource on this topic.  At
 least two countries with heavy cryptography restrictions are well known:
 In the United States (USA) it's not allowed to (re-)export mod_ssl
 or OpenSSL And inside France it's not allowed to use any cryptography at all
 when keys with more than 40 bits are used.

 <p>
 <box bdcolor="#cccccc" bdwidth=1 bdspace=10 bgcolor=white>
 <font face="Arial,Helvetica">
 This software package uses strong cryptography, so while it is created,
 maintained and distributed from Germany and Switzerland (where it is legal to
 do this), it falls under certain export/import and/or use restrictions in some
 other parts of the world.
 <p>
 PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
 SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL
 DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD.
 SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM
 THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE
 AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO
 ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU.  THE AUTHOR OF MOD_SSL
 IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFULLY YOURSELF, IT
 IS YOUR RESPONSIBILITY.
 </font>
 <p>
 <font face="Arial,Helvetica">
 CREDIT INFORMATION:
 This product includes software developed by Ben Laurie for use in the
 Apache-SSL HTTP server project, software developed by Larry Wall and David
 MacKenzie for use in the GNU project of the FSF and software developed by Dr.
 Stephen N. Henson as a companion to OpenSSL.
 </font>
 </box>

 <h2>Module Architecture</h2>

 The mod_ssl package consists of the SSL module (part 1 in <a
 href="#figure1">Figure 1</a>) and a set of source patches for Apache adding the
 Extended API (EAPI) (part 2 in <a href="#figure1">Figure 1</a>) which is an
 essential prerequisite in order to use mod_ssl. In other words: you can only
 use the mod_ssl module when Apache's core code contains the Extended API. But
 because when applying mod_ssl to the Apache source tree the Extended API is
 also automatically added you usually don't have to think about this. It's
 mainly important for package vendors who want to build separate packages for
 Apache and mod_ssl. For more details on how to apply mod_ssl to the Apache
 source tree please follow the <code>INSTALL</code> file in the mod_ssl
 distribution.

 <p>
 <float name="figure1" caption="Figure 1: Module Architecture">
 <img src="ssl_overview_fig1.gif" alt="">
 </float>

 <h2>Module Building</h2>

 The SSL module (mod_ssl) resides under the <CODE>src/modules/ssl/</CODE>
 subdirectory inside the Apache source tree and is a regular Apache module.  This
 means that you can configure, build and install it like any other Apache module.
 Usually this is done by using the APACI command

 <blockquote>
 <pre>
 $ cd apache_1.3.x/
 $ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl
 </pre>
 </blockquote>

 or by manually editing the <code>SSL_BASE</code> variable,
 uncommenting the corresponding <code>AddModule</code> directive inside the
 <code>src/Configuration</code> file and using the command

 <blockquote>
 <pre>
 $ cd apache_1.3.x/src
 $ ./Configure
 </pre>
 </blockquote>

 for configuring. Additionally you can enable the <a
 href="http://www.apache.org/docs/dso.html">Dynamic Shared Object</a> (DSO)
 support for mod_ssl by either adding the <code>--enable-shared=ssl</code>
 option to the APACI configure command line or by replacing the

 <blockquote>
 <pre>
 AddModule ssl_module modules/ssl/libssl.a
 </pre>
 </blockquote>

 line in <code>src/Configuration</code> with

 <blockquote>
 <pre>
 SharedModule ssl_module modules/ssl/libssl.so
 </pre>
 </blockquote>

 Building mod_ssl as a DSO is especially interesting to achieve more run-time
 flexibility, i.e. you can decide whether to use SSL or not at run-time instead
 of build-time.  But notice that building mod_ssl as a DSO requires that your
 OS/compiler supports building DSOs in the first place, and additionally that
 they support linking of a DSO against a static library (libssl.a, libcrypo.a).
 Not all platform support this.

	#use "ssl_template.inc" title="Preface" tag=over num=1

	<page_prev name="Cover" url="index.html">
	<page_next name="Introduction" url="ssl_intro.html">

	<quotation width=300 author="Tim J. Hudson, SSLeay F.A.Q.">
	``Ralf Engelschall has released an
	excellent module that integrates
	Apache and SSLeay.''
	</quotation>

	<p>
	<table cellspacing=0 cellpadding=0 border=0>
	<tr valign=bottom>
	<td>

	<big T>his module provides strong cryptography for the <A
	HREF="http://www.apache.org/">Apache</A> (v1.3) webserver via the <A
	HREF="http://www.netscape.com/newsref/std/SSL.html">Secure Socket Layer</A>
	(SSL v2/v3) and <A HREF="http://www.consensus.com/ietf-tls/">Transport Layer
	Security</A> (TLS v1) protocols by the help of the excellent SSL/TLS
	implementation library <A HREF="http://www.openssl.org/">OpenSSL</A> from <A
	HREF="mailto:eay@aus.rsa.com">Eric A. Young</A> and <A
	HREF="mailto:tjh@cryptsoft.com">Tim Hudson</A>.

	</td>
	<td>

	</td>
	<td>

	<div align=right>
	<table cellspacing=0 cellpadding=5 border=0 bgcolor="#ccccff">
	<tr>
	<td bgcolor="#333399">
	<font face="Arial,Helvetica" color="#ccccff">
	<b>Global Table Of Contents</b>
	</font>
	</td>
	</tr>
	<tr>
	<td>
	<font face="Arial,Helvetica" size=-1>
	<b>

	<a href="ssl_overview.html">Chapter 1: Preface</a><br>
	<a href="ssl_intro.html">Chapter 2: Introduction</a><br>
	<a href="ssl_reference.html">Chapter 3: Reference</a><br>
	<a href="ssl_compat.html">Chapter 4: Compatibility</a><br>
	<a href="ssl_howto.html">Chapter 5: HowTo</a><br>
	<a href="ssl_faq.html">Chapter 6: F.A.Q. List</a><br>
	<a href="ssl_glossary.html">Chapter 7: Glossary</a><br>

	</b>
	</font>
	</td>
	</tr>
	</table>
	</div>

	</td>
	</tr>
	</table>

	<p>
	The <A HREF="http://www.modssl.org/">mod_ssl</A> package was
	created in April 1998 by <A HREF="mailto:rse@engelschall.com">Ralf S.
	Engelschall</A> and was originally derived from the <A
	HREF="http://www.apache-ssl.org/">Apache-SSL</A> package developed by <A
	HREF="mailto:ben@algroup.co.uk">Ben Laurie</A>. It stays under a BSD-style
	license which is equivalent to the license used by <A
	HREF="http://www.apache.org/">The Apache Group</a> for the Apache webserver
	itself. This means, in short, that you are free to use it both for commercial
	and non-commercial purposes as long as you retain the authors' copyright
	notices and give the proper credit.

	<h2>Legalese</h2>

	Although the above conditions also apply to Apache and OpenSSL in general (both
	are freely available and useable software packages), you should be aware that
	especially the cryptographic algorithms used inside OpenSSL stay under
	certain patents and perhaps import/export/use restrictions in some countries
	of the world. So whether you can actually use the combination
	Apache+mod_ssl+OpenSSL in your country depends mainly on your local state laws.
	The authors of neither Apache nor mod_ssl nor OpenSSL are liable for any
	violations you make here.

	<p>
	If you're not sure what law details apply to your country you're strongly
	advised to first determine them by consulting an attorney before using this
	module. A lot of hints you can find in the <a
	href="http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm">International Law
	Crypto Survey</a> which is a really comprehensive resource on this topic. At
	least two countries with heavy cryptography restrictions are well known:
	In the United States (USA) it's not allowed to (re-)export mod_ssl
	or OpenSSL And inside France it's not allowed to use any cryptography at all
	when keys with more than 40 bits are used.

	<p>
	<box bdcolor="#cccccc" bdwidth=1 bdspace=10 bgcolor=white>
	<font face="Arial,Helvetica">
	This software package uses strong cryptography, so while it is created,
	maintained and distributed from Germany and Switzerland (where it is legal to
	do this), it falls under certain export/import and/or use restrictions in some
	other parts of the world.
	<p>
	PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
	SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL
	DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD.
	SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM
	THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE
	AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO
	ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF MOD_SSL
	IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFULLY YOURSELF, IT
	IS YOUR RESPONSIBILITY.
	</font>
	<p>
	<font face="Arial,Helvetica">
	CREDIT INFORMATION:
	This product includes software developed by Ben Laurie for use in the
	Apache-SSL HTTP server project, software developed by Larry Wall and David
	MacKenzie for use in the GNU project of the FSF and software developed by Dr.
	Stephen N. Henson as a companion to OpenSSL.
	</font>
	</box>

	<h2>Module Architecture</h2>

	The mod_ssl package consists of the SSL module (part 1 in <a
	href="#figure1">Figure 1</a>) and a set of source patches for Apache adding the
	Extended API (EAPI) (part 2 in <a href="#figure1">Figure 1</a>) which is an
	essential prerequisite in order to use mod_ssl. In other words: you can only
	use the mod_ssl module when Apache's core code contains the Extended API. But
	because when applying mod_ssl to the Apache source tree the Extended API is
	also automatically added you usually don't have to think about this. It's
	mainly important for package vendors who want to build separate packages for
	Apache and mod_ssl. For more details on how to apply mod_ssl to the Apache
	source tree please follow the <code>INSTALL</code> file in the mod_ssl
	distribution.

	<p>
	<float name="figure1" caption="Figure 1: Module Architecture">
	<img src="ssl_overview_fig1.gif" alt="">
	</float>

	<h2>Module Building</h2>

	The SSL module (mod_ssl) resides under the <CODE>src/modules/ssl/</CODE>
	subdirectory inside the Apache source tree and is a regular Apache module. This
	means that you can configure, build and install it like any other Apache module.
	Usually this is done by using the APACI command

	<blockquote>
	<pre>
	$ cd apache_1.3.x/
	$ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl
	</pre>
	</blockquote>

	or by manually editing the <code>SSL_BASE</code> variable,
	uncommenting the corresponding <code>AddModule</code> directive inside the
	<code>src/Configuration</code> file and using the command

	<blockquote>
	<pre>
	$ cd apache_1.3.x/src
	$ ./Configure
	</pre>
	</blockquote>

	for configuring. Additionally you can enable the <a
	href="http://www.apache.org/docs/dso.html">Dynamic Shared Object</a> (DSO)
	support for mod_ssl by either adding the <code>--enable-shared=ssl</code>
	option to the APACI configure command line or by replacing the

	<blockquote>
	<pre>
	AddModule ssl_module modules/ssl/libssl.a
	</pre>
	</blockquote>

	line in <code>src/Configuration</code> with

	<blockquote>
	<pre>
	SharedModule ssl_module modules/ssl/libssl.so
	</pre>
	</blockquote>

	Building mod_ssl as a DSO is especially interesting to achieve more run-time
	flexibility, i.e. you can decide whether to use SSL or not at run-time instead
	of build-time. But notice that building mod_ssl as a DSO requires that your
	OS/compiler supports building DSOs in the first place, and additionally that
	they support linking of a DSO against a static library (libssl.a, libcrypo.a).
	Not all platform support this.