mod_ssl
mod_ssl is an Apache HTTP Server module that provides strong cryptography for the server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is the standard way of serving HTTPS from Apache httpd.
Overview
mod_ssl integrates the OpenSSL library into the Apache web server, allowing for encrypted communication between the server and clients. It supports:
- SSL/TLS encryption and authentication of the connection between the server and its clients.
- X.509 certificate handling: server certificates, certificate chains, and optional client-certificate authentication against a configured set of CAs.
- Session caching (SSLSessionCache), so a returning client can resume a session instead of paying for a full handshake on every connection.
- Secure renegotiation (RFC 5746), which binds a renegotiated handshake to the original connection and closes the renegotiation injection flaw (CVE-2009-3555) present in the original protocols.
History and Development
- mod_ssl was created by Ralf S. Engelschall in April 1998 as an add-on for Apache 1.3, derived from Ben Laurie's Apache-SSL patches.
- It was officially included in the Apache distribution starting with Apache version 2.0.
- The module has since tracked the OpenSSL library's features and security fixes; for example, TLSv1.3 support arrived in httpd 2.4.36 for builds against OpenSSL 1.1.1 or later.
Key Features
- SSL/TLS Support: Speaks SSLv3, TLSv1, TLSv1.1, TLSv1.2 and, from httpd 2.4.36 with OpenSSL 1.1.1 or later, TLSv1.3. SSLv2 is no longer supported, and SSLv3 has been disabled by default in the 2.4 branch since 2.4.17 (SSLProtocol all -SSLv3); the protocol set is chosen with the SSLProtocol directive.
- Certificate Management: Manages server certificates, client certificates, and certificate chains (SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile, SSLVerifyClient).
- Security Enhancements: OCSP stapling (SSLUseStapling together with a global SSLStaplingCache), so clients receive the certificate's revocation status from the server instead of contacting the CA's responder themselves; and session resumption via the session cache or session tickets (SSLSessionTickets). HSTS (HTTP Strict Transport Security) is not implemented by mod_ssl itself; it is an HTTP response header that is set with mod_headers on the TLS virtual host.
- Configuration: Provides flexible configuration through Apache's configuration files, with directives usable in the server, per-virtual-host, and per-directory (Directory, Location, .htaccess) contexts, and, via SSLRequire, per-request access control based on attributes of the negotiated session and the client certificate.
- Performance: Utilizes session caching to reduce the overhead of establishing new SSL/TLS sessions.
- Cryptographic backend: mod_ssl is written against the OpenSSL API and is built and linked against OpenSSL (or an API-compatible library). It does not support NSS (Network Security Services); running Apache on NSS requires the separate mod_nss module.
Security Considerations
Security is a paramount concern with mod_ssl:
- Regular updates are essential: the TLS implementation, and the private key it uses, live inside the httpd process, so a vulnerability in the linked OpenSSL library is a vulnerability in the web server itself.
- Proper configuration is critical to avoid common pitfalls such as leaving obsolete protocol versions enabled, accepting weak cipher suites, serving an incomplete certificate chain, or forgetting the stapling cache that OCSP stapling depends on.
- The Heartbleed bug (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f let any client read up to 64 KB of server memory per heartbeat request, which on a mod_ssl server could include the private key and session data. Recovering required not only patching OpenSSL but also reissuing certificates and revoking the old keys, which highlighted the importance of timely updates and of a tested key-rotation procedure.
Usage
To use mod_ssl, it must be compiled into httpd or loaded as a shared module. Here is a basic setup: the module is loaded, port 443 is opened, the session cache is configured, and a virtual host turns TLS on with a certificate and key (the paths are placeholders; SSLPassPhraseDialog is only needed when the private key is encrypted):
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog exec:/path/to/passphrase-script
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
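The pitfalls named under Security Considerations (obsolete protocols, weak cipher suites, missing stapling cache) and the features listed under Key Features (OCSP stapling, HSTS via mod_headers, session resumption) brought together in one hardened virtual host, as an added example that is neither the page's own configuration nor an httpd project default. The hostname, certificate and cache paths are placeholders, the module paths assume the conventional modules/ layout, and TLSv1.3 is negotiated only when httpd 2.4.36 or later is built against OpenSSL 1.1.1 or later:

```apache
# Added example, not from the page or the httpd project. Paths and the
# hostname are placeholders; adjust to the local layout.
LoadModule ssl_module     modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so   # needed for the HSTS header

Listen 443

# Weak settings often found in old configurations, kept here only for contrast.
# Do NOT use these:
#   SSLProtocol all            (leaves SSLv3/TLSv1/TLSv1.1 negotiable)
#   SSLCipherSuite ALL         (includes NULL, export and RC4 suites)
#   SSLHonorCipherOrder off    (lets the client pick the weakest common suite)

# Server-wide caches. Both directives are only valid in the global context,
# and SSLUseStapling below refuses to start without a stapling cache.
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLStaplingCache       shmcb:/var/run/apache2/ssl_stapling(32768)

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Leaf certificate followed by the intermediate(s); a missing chain is a
    # common cause of "unknown issuer" errors on clients.
    SSLCertificateFile    /path/to/server-with-chain.crt
    SSLCertificateKeyFile /path/to/server.key

    # Protocols: everything except SSLv3, TLSv1 and TLSv1.1, i.e. TLSv1.2 and
    # (where the build supports it) TLSv1.3. SSLv2 is not negotiable in 2.4.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # TLSv1.2 cipher suites: ECDHE for forward secrecy, AEAD ciphers only,
    # server order enforced. TLSv1.3 suites are fixed by OpenSSL.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # TLS compression enables the CRIME attack; it is off by default since
    # 2.4.3 but stating it makes the intent explicit.
    SSLCompression off

    # Session tickets are encrypted with a key generated at startup and never
    # rotated, which weakens forward secrecy for resumed sessions. Turning
    # them off makes resumption use the server-side SSLSessionCache instead.
    SSLSessionTickets off

    # OCSP stapling: httpd fetches the OCSP response and sends it in the
    # handshake. Do not forward responder errors to clients.
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off

    # HSTS is an HTTP header, set by mod_headers, not a mod_ssl feature.
    # "always" also covers error responses; add preload only once the whole
    # domain is known to be HTTPS-only.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

SSLStaplingCache and SSLSessionCache stay outside the VirtualHost block because they are server-wide; placing SSLStaplingCache inside a virtual host is a configuration error. After reloading, the negotiated protocol, cipher and stapled OCSP status can be checked from a client with openssl s_client -connect www.example.com:443 -status, and the Strict-Transport-Security header with any HTTP client that prints response headers.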