From 1a13e1f44494bc77ca8eda998e9a204009f3224f Mon Sep 17 00:00:00 2001 From: Rich Bowen Date: Wed, 20 Nov 2002 03:12:35 +0000 Subject: [PATCH] Submitted by: Mads Toftum Reviewed by: Rich Bowen Another bunch of changes to remove some of the stuff that has been obsoleted by the inclusion of mod_ssl in apache. There is still some of the submitting bugs / mailing list stuff (see http://httpd.apache.org/ssl/ssl_faq.html#contact) that needs to be reworked - but someone needs to decide whether to point at bugzilla and/or the bugdb at modssl.org. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97572 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/ssl/ssl_faq.html.en | 118 ++----------------------------- docs/manual/ssl/ssl_faq.xml | 119 ++------------------------------ 2 files changed, 14 insertions(+), 223 deletions(-) diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index 4816c7cccd..ea84151446 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -23,9 +23,6 @@ author.

top

About The Module

@@ -53,98 +50,6 @@ author.

opened, mod_ssl was integrated into the code base of Apache V2 in 2001.

-

What are the functional differences between mod_ssl and Apache-SSL, from which -it is originally derived?

-

This neither can be answered in short (there were too many code changes) - nor can be answered at all by the author (there would immediately be flame - wars with no reasonable results at the end). But as you easily can guess - from the 5% of remaining Apache-SSL code, a lot of differences exists, - although user-visible backward compatibility exists for most things.

- - -

When you really want a detailed comparison you have to read the entries in - the large CHANGES file that is in the mod_ssl - distribution. Usually this is much too hard-core. So I recommend you to - either believe in the opinion and recommendations of other users (the - simplest approach) or do a comparison yourself (the most reasonable - approach). For the latter, grab distributions of mod_ssl (from http://www.modssl.org) and Apache-SSL - (from http://www.apache-ssl.org), - install both packages, read their documentation and try them out yourself. - Then choose the one which pleases you most.

- -

A few final hints to help direct your comparison: quality of documentation - ("can you easily find answers and are they sufficient?"), quality of - source code ("is the source code reviewable so you can make sure there - aren't any trapdoors or inherent security risks because of bad programming - style?"), easy and clean installation ("can the SSL functionality easily - added to an Apache source tree without manual editing or patching?"), - clean integration into Apache ("is the SSL functionality encapsulated and - cleanly separated from the remaining Apache functionality?"), support for - Dynamic Shared Object (DSO) facility ("can the SSL functionality built as - a separate DSO for maximum flexibility?"), Win32 port ("is the SSL - functionality available also under the Win32 platform?"), amount and - quality of functionality ("is the provided SSL functionality and control - possibilities sufficient for your situation?"), quality of problem tracing - ("is it possible for you to easily trace down the problems via logfiles, - etc?"), etc. pp.

- - -

What are the major differences between mod_ssl and -the commercial alternatives like Raven or Stronghold?

-

In the past (until September 20th, 2000) the major difference was - the RSA license which one received (very cheaply in contrast to - a direct licensing from RSA DSI) with the commercial Apache SSL - products. On the other hand, one needed this license only in the US, - of course. So for non-US citizens this point was useless. But now - even for US citizens the situations changed because the RSA patent - expired on September 20th, 2000 and RSA DSI also placed the RSA - algorithm explicitly into the public domain.

- -

Second, there is the point that one has guaranteed support from - the commercial vendors. On the other hand, if you monitored the - Open Source quality of mod_ssl and the support activities - found on - modssl-users@modssl.org, you could ask yourself - whether you are really convinced that you can get better support - from a commercial vendor.

- - -

Third, people often think they would receive perhaps at least a - better technical SSL solution than mod_ssl from the commercial - vendors. But this is not really true, because all commercial - alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.) - are actually based on mod_ssl and OpenSSL. The reason for - this common misunderstanding is mainly because some vendors make no - attempt to make it reasonably clear that their product is actually - mod_ssl based. So, do not think, just because the commercial - alternatives are usually more expensive, that you are also receiving - an alternative technical SSL solution. This is usually not - the case. Actually the vendor versions of Apache, mod_ssl and OpenSSL - often stay behind the latest free versions and perhaps this way still do not - include important bug and security fixes. On the other hand, - it sometimes occurs that a vendor version includes useful changes - which are not available through the official freely available - packages. But most vendors play fair and contribute back those - changes to the free software world, of course.

- -

So, in short: There are lots of commercial versions of the popular - Apache+mod_ssl+OpenSSL server combination available. Every user - should decide carefully whether they really need to buy a commercial - version or whether it would not be sufficient to directly use the - free and official versions of the Apache, mod_ssl and OpenSSL - packages.

- - -

How do I know which mod_ssl version is for which Apache version?

-

That's trivial: mod_ssl uses version strings of the syntax - <mod_ssl-version>-<apache-version>, for - instance 2.4.0-1.3.9. This directly indicates that it's - mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you - only can apply this mod_ssl version to exactly this Apache - version (unless you use the --force option to mod_ssl's - configure command ;-).

- -

Is mod_ssl Year 2000 compliant?

Yes, mod_ssl is Year 2000 compliant.

@@ -983,24 +888,16 @@ server" What's the reason? subscribe to the list first, but then you can easily discuss your problem with both the author and the whole mod_ssl user community. -
  • Write a Problem Report to the author
    - rse@engelschall.com
    - This is the last way of submitting your problem report. Please avoid this - in your own interest because the author is really a very busy men. Your - mail will always be filed to one of his various mail-folders and is - usually not processed as fast as a posting on modssl-users. -
  • -

    What information and details I've to provide to -the author when writing a bug report?

    +

    What information and details should I + provide when writing a bug report?

    You have to at least always provide the following information:

    -
    Apache, mod_ssl and OpenSSL version information
    -
    The mod_ssl version you should really know. For instance, it's the version - number in the distribution tarball. The Apache version can be determined +
    Apache and OpenSSL version information
    +
    The Apache version can be determined by running ``httpd -v''. The OpenSSL version can be determined by running ``openssl version''. Alternatively when you have Lynx installed you can run the command ``lynx -mime_header @@ -1011,12 +908,11 @@ the author when writing a bug report?
    The details on how you built and installed Apache+mod_ssl+OpenSSL
    For this you can provide a logfile of your terminal session which shows the configuration and install steps. Alternatively you can at least - provide the author with the APACI configure command line - you used (assuming you used APACI, of course). + provide the configure command line you used.
    In case of core dumps please include a Backtrace
    -
    In case your Apache+mod_ssl+OpenSSL should really dumped core please attach +
    In case your Apache+mod_ssl+OpenSSL should really dump core please attach a stack-frame ``backtrace'' (see the next question on how to get it). Without this information the reason for your core dump cannot be found. So you have to provide the backtrace, please. @@ -1044,7 +940,7 @@ the author when writing a bug report?

    Follow the following steps:

    1. Make sure you have debugging symbols available in at least - Apache and mod_ssl. On platforms where you use GCC/GDB you have to build + Apache. On platforms where you use GCC/GDB you have to build Apache+mod_ssl with ``OPTIM="-g -ggdb3"'' to achieve this. On other platforms at least ``OPTIM="-g"'' is needed.
    2. diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index c9889392cc..e2f531a789 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -30,9 +30,6 @@ author.

      About The Module @@ -63,99 +60,6 @@ author.

      opened, mod_ssl was integrated into the code base of Apache V2 in 2001.

      -
      What are the functional differences between mod_ssl and Apache-SSL, from which -it is originally derived? -

      This neither can be answered in short (there were too many code changes) - nor can be answered at all by the author (there would immediately be flame - wars with no reasonable results at the end). But as you easily can guess - from the 5% of remaining Apache-SSL code, a lot of differences exists, - although user-visible backward compatibility exists for most things.

      - - -

      When you really want a detailed comparison you have to read the entries in - the large CHANGES file that is in the mod_ssl - distribution. Usually this is much too hard-core. So I recommend you to - either believe in the opinion and recommendations of other users (the - simplest approach) or do a comparison yourself (the most reasonable - approach). For the latter, grab distributions of mod_ssl (from http://www.modssl.org) and Apache-SSL - (from http://www.apache-ssl.org), - install both packages, read their documentation and try them out yourself. - Then choose the one which pleases you most.

      - -

      A few final hints to help direct your comparison: quality of documentation - ("can you easily find answers and are they sufficient?"), quality of - source code ("is the source code reviewable so you can make sure there - aren't any trapdoors or inherent security risks because of bad programming - style?"), easy and clean installation ("can the SSL functionality easily - added to an Apache source tree without manual editing or patching?"), - clean integration into Apache ("is the SSL functionality encapsulated and - cleanly separated from the remaining Apache functionality?"), support for - Dynamic Shared Object (DSO) facility ("can the SSL functionality built as - a separate DSO for maximum flexibility?"), Win32 port ("is the SSL - functionality available also under the Win32 platform?"), amount and - quality of functionality ("is the provided SSL functionality and control - possibilities sufficient for your situation?"), quality of problem tracing - ("is it possible for you to easily trace down the problems via logfiles, - etc?"), etc. pp.

      -
      - -
      What are the major differences between mod_ssl and -the commercial alternatives like Raven or Stronghold? -

      In the past (until September 20th, 2000) the major difference was - the RSA license which one received (very cheaply in contrast to - a direct licensing from RSA DSI) with the commercial Apache SSL - products. On the other hand, one needed this license only in the US, - of course. So for non-US citizens this point was useless. But now - even for US citizens the situations changed because the RSA patent - expired on September 20th, 2000 and RSA DSI also placed the RSA - algorithm explicitly into the public domain.

      - -

      Second, there is the point that one has guaranteed support from - the commercial vendors. On the other hand, if you monitored the - Open Source quality of mod_ssl and the support activities - found on - modssl-users@modssl.org, you could ask yourself - whether you are really convinced that you can get better support - from a commercial vendor.

      - - -

      Third, people often think they would receive perhaps at least a - better technical SSL solution than mod_ssl from the commercial - vendors. But this is not really true, because all commercial - alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.) - are actually based on mod_ssl and OpenSSL. The reason for - this common misunderstanding is mainly because some vendors make no - attempt to make it reasonably clear that their product is actually - mod_ssl based. So, do not think, just because the commercial - alternatives are usually more expensive, that you are also receiving - an alternative technical SSL solution. This is usually not - the case. Actually the vendor versions of Apache, mod_ssl and OpenSSL - often stay behind the latest free versions and perhaps this way still do not - include important bug and security fixes. On the other hand, - it sometimes occurs that a vendor version includes useful changes - which are not available through the official freely available - packages. But most vendors play fair and contribute back those - changes to the free software world, of course.

      - -

      So, in short: There are lots of commercial versions of the popular - Apache+mod_ssl+OpenSSL server combination available. Every user - should decide carefully whether they really need to buy a commercial - version or whether it would not be sufficient to directly use the - free and official versions of the Apache, mod_ssl and OpenSSL - packages.

      -
      - -
      How do I know which mod_ssl version is for which Apache version? -

      That's trivial: mod_ssl uses version strings of the syntax - <mod_ssl-version>-<apache-version>, for - instance 2.4.0-1.3.9. This directly indicates that it's - mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you - only can apply this mod_ssl version to exactly this Apache - version (unless you use the --force option to mod_ssl's - configure command ;-).

      -
      -
      Is mod_ssl Year 2000 compliant?

      Yes, mod_ssl is Year 2000 compliant.

      @@ -1014,24 +918,16 @@ server" What's the reason? subscribe to the list first, but then you can easily discuss your problem with both the author and the whole mod_ssl user community. -
    3. Write a Problem Report to the author
      - rse@engelschall.com
      - This is the last way of submitting your problem report. Please avoid this - in your own interest because the author is really a very busy men. Your - mail will always be filed to one of his various mail-folders and is - usually not processed as fast as a posting on modssl-users. -
    -
    What information and details I've to provide to -the author when writing a bug report? +
    What information and details should I + provide when writing a bug report?

    You have to at least always provide the following information:

    -
    Apache, mod_ssl and OpenSSL version information
    -
    The mod_ssl version you should really know. For instance, it's the version - number in the distribution tarball. The Apache version can be determined +
    Apache and OpenSSL version information
    +
    The Apache version can be determined by running ``httpd -v''. The OpenSSL version can be determined by running ``openssl version''. Alternatively when you have Lynx installed you can run the command ``lynx -mime_header @@ -1042,12 +938,11 @@ the author when writing a bug report?
    The details on how you built and installed Apache+mod_ssl+OpenSSL
    For this you can provide a logfile of your terminal session which shows the configuration and install steps. Alternatively you can at least - provide the author with the APACI configure command line - you used (assuming you used APACI, of course). + provide the configure command line you used.
    In case of core dumps please include a Backtrace
    -
    In case your Apache+mod_ssl+OpenSSL should really dumped core please attach +
    In case your Apache+mod_ssl+OpenSSL should really dump core please attach a stack-frame ``backtrace'' (see the next question on how to get it). Without this information the reason for your core dump cannot be found. So you have to provide the backtrace, please. @@ -1075,7 +970,7 @@ the author when writing a bug report?

    Follow the following steps:

    1. Make sure you have debugging symbols available in at least - Apache and mod_ssl. On platforms where you use GCC/GDB you have to build + Apache. On platforms where you use GCC/GDB you have to build Apache+mod_ssl with ``OPTIM="-g -ggdb3"'' to achieve this. On other platforms at least ``OPTIM="-g"'' is needed.
    2. -- 2.50.1
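Review bot: The trailing context of the large removal hunks (@@ -53,98 +50,6 @@ in ssl_faq.html.en and @@ -63,99 +60,6 @@ in ssl_faq.xml) keeps "Is mod_ssl Year 2000 compliant?" directly after three questions that are dropped as obsolete. If the goal of this pass is to remove material made obsolete by bundling mod_ssl with Apache, consider whether that entry belongs in the same cleanup, or say in the commit message why it stays.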
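Review bot: The leading context of the contact hunks (@@ -983,24 +888,16 @@ in ssl_faq.html.en and @@ -1014,24 +918,16 @@ in ssl_faq.xml) still says readers can discuss their problem "with both the author and the whole mod_ssl user community", while the same hunk removes the "Write a Problem Report to the author" item and drops "the author" from the bug-report question. Reword that sentence in this change as well, so the list no longer promises contact with a single author; the commit message already notes that the mailing list and bug database pointers are undecided, so a neutral wording would fit until that is settled.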
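Review bot: Naming is inconsistent between adjacent entries in the bug-report list (@@ -1011,12 +908,11 @@ in ssl_faq.html.en and @@ -1042,12 +938,11 @@ in ssl_faq.xml): the version entry was narrowed to "Apache and OpenSSL version information" in the previous hunk, but the unchanged heading here still reads "The details on how you built and installed Apache+mod_ssl+OpenSSL" and the core-dump text still says "your Apache+mod_ssl+OpenSSL". Pick one form for the whole list. The corrected sentence "should really dump core please attach" is also still awkward; "If your server dumps core, please attach" would read better.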
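Review bot: Step 1 of the backtrace instructions (@@ -1044,7 +940,7 @@ in ssl_faq.html.en and @@ -1075,7 +970,7 @@ in ssl_faq.xml) now contradicts itself: the changed line says debugging symbols are needed "in at least Apache", but the unchanged continuation still says "you have to build Apache+mod_ssl with ``OPTIM="-g -ggdb3"''". Change the second mention to "build Apache" as well, or state that mod_ssl is built as part of Apache, so the reader is not left looking for a separate mod_ssl build step.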