Home page logo

basics logo Security Basics mailing list archives

Re: Apache-SSL
From: Glen Mehn <glen () myvest com>
Date: Thu, 07 Nov 2002 10:24:56 -0800

Kim Nielsen wrote:

On Tue, 2002-11-05 at 23:35, Mayur Kamat wrote:
Newbie question: I need to setup up a secure webserver. Do I install apache
2.0 and then go for mod-ssl or open-ssl OR do I directly opt for the
apache-SSL project? which one is better in terms of security, functionality
and convinience (in the same order of priority).

You don't use apache 2.0 but apache 1.3.27 and then enable the mod-ssl.
Even though the apache developers says that 2.0 is final its not!.

apache-ssl is a fork of apache1.3 and mod_ssl. Apache 1.3. can be complied with mod_ssl, although you'll need the openssl libraries for it.

apache2.x has mod_ssl as a builtin, and there are instructions to compiling it with mod_ssl support, although, again, you'll need openssl for it.

Whether or not apache 2.0 is 'final' or not is really a question of what fits your needs-- there's probably more support out there for apache1.3, although apache2.0 is a newer development, and has some streamlined configuration, multithreading (thus higher performance) etc.

As in most of these things, the question of 'which is more secure' is pretty arguable, and probably depends on who's administering it. I haven't seen any strong arguments either way whether or not apache-ssl or apache/mod_ssl is more secure-- even the developers don't fight over it much (as they state on their sites).

apache-ssl is arguably easier to set up, for a newbie.
apache/mod_ssl is, well, modular, and may be easier to get vendor support for (for proprietary systems like weblogic, for instance, BEA will only support apache, although there's no reason why their mod_wl.so file wouldn't work with apache-ssl)

hope this helps.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]