SGI Techpubs Library



mod_ssl-2.8.12-1.3.27: description + notes

This module provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, with the help of the Open Source SSL/TLS toolkit OpenSSL.

You should be very careful when using cryptographic software, because merely running an SSL server DOES NOT mean your system is secure! There are a number of reasons for this. The following questions illustrate some of the problems.

  • SSL itself may not be secure. People think it is; do you?
  • Does this code implement SSL correctly?
  • Have the authors of the various components put in back doors?
  • Does the code take appropriate measures to keep private keys private? To what extent is your cooperation in this process required?
  • Is your system physically secure?
  • Is your system appropriately secured from intrusion over the network?
  • Who do you trust? Do you understand the trust relationship involved in SSL certificates? Do your system administrators?
  • Are your keys, and keys you trust, generated carefully enough to avoid reverse engineering of the private keys?
  • How do you obtain certificates, keys, and the like, securely?
  • Can you trust your users to safeguard their private keys?
  • Can you trust your browser to safeguard its generated private key?

If you can't answer these questions to your personal satisfaction, then you usually have a problem. Even if you can, you may still NOT be secure. Don't blame us if it all goes horribly wrong. Use it at your own risk!

See the mod_ssl home page for more information.

IMPORTANT NOTES:

  • You must generate your own certificates before using this secure server. A set of self-signed test "Snake Oil" certificates is included for testing purposes only. The /var/sgi_apache/mod_ssl/mkcert.sh script can help you create your own certificates: invoke it with SSL_PROGRAM=/usr/freeware/lib/openssl/bin/openssl


  • For each server that you want to support SSL connections, edit the /etc/config/sgi_apache.options.httpd-server file to contain the word "startssl".


  • Please read the Apache SSL/TLS Encryption FAQ, particularly the item on entropy. There is presently no /dev/random on IRIX, and the mod_ssl builtin PRNG seed usually does not suffice. Alternatives such as the Entropy Gathering Daemon or the truerand program appear to work well.


  • If you have customized your httpd.conf or apachectl files, this package may not be able to apply the necessary changes for SSL support automatically. If this happens, you will get error messages from inst describing the exitops that failed. Apply the rejected patches manually. To avoid spurious failures, the patches will not be applied if ".pre-ssl" files are found.
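
A check for the entropy note above, as an added example that is not part of the original release notes or the SGI package: a POSIX shell function that reads an httpd.conf and reports SSLRandomSeed contexts with no usable external source, such as file:/dev/random on a host that has no such device. The function name and the sample configuration are constructed for illustration; the directive sources (builtin, file:, egd:, exec:) are those in mod_ssl's SSLRandomSeed documentation.

```shell
#!/bin/sh
# Added example: audit SSLRandomSeed directives in an httpd.conf.
# Flags a context (startup/connect) that has no usable external entropy
# source, and file:/egd:/exec: sources whose path does not exist.

audit_random_seed() {
    conf=$1
    for ctx in startup connect; do
        # Source field of every active (uncommented) directive for this context.
        sources=$(awk -v ctx="$ctx" \
            'tolower($1) == "sslrandomseed" && tolower($2) == ctx { print $3 }' "$conf")
        strong=0
        for src in $sources; do
            case $src in
                builtin) ;;                      # not counted as external entropy
                file:*|egd:*|exec:*)
                    path=${src#*:}
                    if [ -e "$path" ]; then
                        strong=1
                    else
                        echo "MISSING $ctx: $path does not exist"
                    fi ;;
                *) echo "UNKNOWN $ctx: $src" ;;
            esac
        done
        [ "$strong" -eq 1 ] || echo "WEAK $ctx: no usable external entropy source"
    done
}

if [ -f "${1:-}" ]; then
    audit_random_seed "$1"
else
    # Constructed sample configuration, used when no file is given.
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
SSLRandomSeed startup builtin
SSLRandomSeed connect file:/dev/random 512
EOF
    audit_random_seed "$sample"
    rm -f "$sample"
fi
```

Run it with the path to httpd.conf as the only argument; no output means both contexts have at least one external source whose path exists.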


Note: this package extends the sgi_apache 1.3.27 web server first shipped in IRIX 6.5.19. Please see ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I if you are running an older version of sgi_apache. The fw_apache web server has a non-default subsystem that contains its support for mod_ssl.


To install this package, go to the SGI Freeware site.

