mailing list archives
From: Glen Mehn <glen () myvest com>
Date: Thu, 07 Nov 2002 10:24:56 -0800
Kim Nielsen wrote:
apache-ssl is a fork of apache1.3 and mod_ssl. Apache 1.3. can be
complied with mod_ssl, although you'll need the openssl libraries for it.
On Tue, 2002-11-05 at 23:35, Mayur Kamat wrote:
Newbie question: I need to setup up a secure webserver. Do I install apache
2.0 and then go for mod-ssl or open-ssl OR do I directly opt for the
apache-SSL project? which one is better in terms of security, functionality
and convinience (in the same order of priority).
You don't use apache 2.0 but apache 1.3.27 and then enable the mod-ssl.
Even though the apache developers says that 2.0 is final its not!.
apache2.x has mod_ssl as a builtin, and there are instructions to
compiling it with mod_ssl support, although, again, you'll need openssl
Whether or not apache 2.0 is 'final' or not is really a question of what
fits your needs-- there's probably more support out there for apache1.3,
although apache2.0 is a newer development, and has some streamlined
configuration, multithreading (thus higher performance) etc.
As in most of these things, the question of 'which is more secure' is
pretty arguable, and probably depends on who's administering it. I
haven't seen any strong arguments either way whether or not apache-ssl
or apache/mod_ssl is more secure-- even the developers don't fight over
it much (as they state on their sites).
apache-ssl is arguably easier to set up, for a newbie.
apache/mod_ssl is, well, modular, and may be easier to get vendor
support for (for proprietary systems like weblogic, for instance, BEA
will only support apache, although there's no reason why their mod_wl.so
file wouldn't work with apache-ssl)
hope this helps.