mod_ssl-2.8.12-1.3.27: description + notes

This module provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, with the help of the Open Source SSL/TLS toolkit OpenSSL.

You should be very careful when using cryptography software, because just running an SSL server DOES NOT mean your system is then secure! There are a number of reasons for this. The following questions illustrate some of the problems.

If you can't answer these questions to your personal satisfaction, then you usually have a problem. Even if you can, you may still NOT be secure. Don't blame us if it all goes horribly wrong. Use it at your own risk!

See the mod_ssl home page for more information.

IMPORTANT NOTES:

  • You must generate your own certificates before using this secure server. A set of self-signed test "Snake Oil" certificates is included for testing purposes only. The /var/sgi_apache/mod_ssl/mkcert.sh script can help you create your own certificates: invoke it with SSL_PROGRAM=/usr/freeware/lib/openssl/bin/openssl.


  • For each server that you want to support SSL connections, edit the /etc/config/sgi_apache.options.httpd-server file to contain the word "startssl".


  • Please read the Apache SSL/TLS Encryption FAQ, particularly the item on entropy. There is presently no /dev/random on IRIX, and the mod_ssl built-in PRNG seed usually does not suffice. Alternatives such as the Entropy Gathering Daemon or the truerand program appear to work well.


  • If you have customized your httpd.conf or apachectl files, this package may not be able to apply the necessary changes for SSL support automatically. If this happens, you will get error messages from inst describing the exitops that failed. Apply the rejected patches manually. To avoid spurious failures, the patches will not be applied if ".pre-ssl" files are found.
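
The entropy note above, shown as an httpd.conf fragment. This is an added example, not part of the package or its shipped configuration; the EGD socket path and the truerand install path are assumptions and must be replaced with the locations used on your system.

```apache
<IfModule mod_ssl.c>
    # Weak on IRIX: with no /dev/random available, "builtin" is the only
    # seed source, which the note above says usually does not suffice.
    #SSLRandomSeed startup builtin
    #SSLRandomSeed connect builtin

    # Stronger: seed the PRNG at server startup from a running
    # Entropy Gathering Daemon.
    # ASSUMPTION: /var/run/egd-pool is a placeholder socket path.
    SSLRandomSeed startup egd:/var/run/egd-pool

    # Alternative startup source: read 16 bytes from the truerand program.
    # ASSUMPTION: /usr/local/bin/truerand is a placeholder install path.
    #SSLRandomSeed startup exec:/usr/local/bin/truerand 16

    # Per-connection reseeding has to be fast, so the cheap built-in
    # source is mixed in on top of the stronger startup seed.
    SSLRandomSeed connect builtin
</IfModule>
```

If the EGD socket is missing or unreadable when the server starts, mod_ssl reports the failed seed source in the error log, so check the log after the first restart.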


Note: this package extends the sgi_apache 1.3.27 web server first shipped in IRIX 6.5.19. Please see ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I if you are running an older version of sgi_apache. The fw_apache web server has a non-default subsystem that contains its support for mod_ssl.

