Re: Apache-SSL

[Glen Mehn <glen () myvest com>]

Kim Nielsen wrote:

> On Tue, 2002-11-05 at 23:35, Mayur Kamat wrote:
>  
>
> > Newbie question: I need to setup up a secure webserver. Do I install apache
> > 2.0 and then go for mod-ssl or open-ssl OR do I directly opt for the
> > apache-SSL project? which one is better in terms of security, functionality
> > and convinience (in the same order of priority).
> >
> >    
>
> You don't use apache 2.0 but apache 1.3.27 and then enable the mod-ssl.
> Even though the apache developers says that 2.0 is final its not!. 
>
> /Kim
>
>  
apache-ssl is a fork of apache1.3 and mod_ssl. Apache 1.3. can be 
complied with mod_ssl, although you'll need the openssl libraries for it.

apache2.x has mod_ssl as a builtin, and there are instructions to 
compiling it with mod_ssl support, although, again, you'll need openssl 
for it.

Whether or not apache 2.0 is 'final' or not is really a question of what 
fits your needs-- there's probably more support out there for apache1.3, 
although apache2.0 is a newer development, and has some streamlined 
configuration, multithreading (thus higher performance) etc.

As in most of these things, the question of 'which is more secure' is 
pretty arguable, and probably depends on who's administering it. I 
haven't seen any strong arguments either way whether or not apache-ssl 
or apache/mod_ssl is more secure-- even the developers don't fight over 
it much (as they state on their sites).

apache-ssl is arguably easier to set up, for a newbie.
apache/mod_ssl is, well, modular, and may be easier to get vendor 
support for (for proprietary systems like weblogic, for instance, BEA 
will only support apache, although there's no reason why their mod_wl.so 
file wouldn't work with apache-ssl)

hope this helps.

-g