On the Commercial Use Of Apache and SSL 105
Skapare asks: "A year ago, this question about using Apache and SSL in a commercial environment was asked in the Apache section of Slashdot. The RSA patent was still in force back then, and the focus was on commercial products like Raven. Since then, the RSA patent has been released and then expired. That same month a year ago, Ask Slashdot also featured a question about encumbrance of SSL/PGP. But with the RSA patent gone, and Diffie-Hellman before it, this surely opens up Apache with SSL free for commercial use. Now I'm exploring options for free SSL for Apache, and note at least two choices, Apache-SSL, and mod_ssl. What I'd like to ask is what are the fundamental and principal differences between these free versions that I should consider in deciding which I should use in a commercial environment."
Apache-ssl (Score:2)
The main criteria is (Score:1)
If you're doing it for some PHBs, wait a bit and find out which version is selling the most. It doesn't have to be good, it just has to be popular.
If you're doing it for yourself or in a non-PHB environment, try them both and see which one holds up the best under loads above your peak usage.
It's not totally free. (Score:3)
widespread use (Score:3)
Jefus say (Score:1)
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC3 [modssl.org]
Comment removed (Score:3)
It's all about the certificate (Score:2)
My choice (Score:1)
If you're planning to serve SSL pages only, it might be better to compare Apache-SSL and statically compiled mod_ssl, and see which performs the best.
use mod_ssl (Score:4)
apache-ssl is a patch against the vanilla apache tree. i believe you have to run two instances of apache, one for normal requests, and one for ssl requests. i may be incorrect, since it seems pretty lame to have an apache that only serves ssl requests. someone correct me if i'm wrong.
--
I just set both up. (Score:2)
mod_ssl is just a module that apache loads and uses when it needs SSL. Seems to be a cleaner design and install for me. I've switched several of our servers over... It also seems to be the "new" way of doing it. I know my O'Reilly book covered apache-ssl, but all the current online info I found referenced mod_ssl.
From the Apache-SSL and mod_ssl documentation (Score:5)
I think it's apparent from the tone that there is a healthy level of rivalry between the two projects :) The mod_ssl source code is peppered with quotes by the author of Apache-SSL that are intended (I think) to be unflattering... like:
-- Ben Laurie, Apache-SSL author */
or...
# ``What you are missing, I suppose, is that I'm not
# prepared to give equal rights to Ralf on the basis
# that he's spent a few hours doing what he thinks is
# better than what I've spent the last 4 years on,
# and so he isn't prepared to cooperate with me.''
# -- Ben Laurie, Apache-SSL author
Apache-SSL for me (Score:3)
The biggest difference I remember hearing between mod_ssl and Apache-SSL is that mod_ssl team was more focused on new features and the Apache-SSL team was more focused on stability/speed. Things may have changed in the last year or so however.
Both Apache/SSL solutions use the OpenSSL programs and libraries to generate certificates. I use Verisign as my CA. Never had a problem with either the initial request or renewed certificates.
Re:widespread use (Score:1)
Mod-ssl and Apache-SSL (Score:4)
I have used and installed both, in both commercial and academic environments. I started out using Apache-SSL, but have now moved over to using mod_ssl.
Some background - Apache-SSL came first, and ships as a set of patches for the core Apache code. mod_ssl ships as patches, and an additional Apache module. When I last compared them, the fundamental difference was that Apache-SSL just patches itself into the Apache code, whereas mod_ssl extends the Apache module interface definition to allow the SSL functionality to be contained in a module. In general, I have found mod_ssl to be easier to use and debug. It also appears to have more features, although whether that's a good thing probably depends on how much use the features are to you!
There's more background available from both of the websites.
Finally, as others have pointed out, if you're wanting to use your server with a wider community, you'll need to obtain a certificate from a recognised CA (this isn't as expensive, or difficult, a process as many make out).
I use (Score:1)
Re:It's not totally free. (Score:3)
I don't suppose there are any free CAs out there that are already setup in IE by default...
Think about what you're asking for. The whole point of a certificate is to prove identity. If there was some free service out there, they're not going to do much proving of identity.
--
mod_ssl==GOOD, IBM mod_ssl==YUMMY! (Score:2)
No problems with compilation, interaction with mod_php or mod_perl, CSR generation, getting the CSR signed through Verisign or final implementation of the SSL key and keyring.
The only thing missing is a nice keyring management X11 GUI like IBM includes with their IBMHTTPD package *drool*. The OpenSSL CLI key management interface requires memorizing yet another set of commands and flags. It works, but is annoying.
-Rusty
My experience with mod_ssl (Score:2)
I recently installed Apache/mod_ssl at work and tried to use it with our existing Verisign certificate. Verisign [verisign.com] has some weird double certificate system that caused connection errors with some builds of IE5 under mod_ssl. The same certificates worked under Apache/Stronghold. The mod_ssl FAQ [modssl.org] has lots of information on connection problems with IE, but I tried every single suggestion and couldn't get it to work. I eventually switched to a Thawte [thawte.com] certificate. That worked like a charm.
So - does anyone know if the problems I encountered were mod_ssl/verisign specific, or does Apache-SSL have the same issues?
Cheers.
Re:use mod_ssl (Score:1)
Re:you're screwed because of Verisign (Score:2)
*BZZZZZZZZZZZZZZZZT* WRONG!
Verisign supports both mod_ssl and Apache-SSL.
See http://www.verisign.com/cus/srv/install/s/
for installation instructions.
Basically Apples and Oranges... (Score:3)
"Apache-SSL is not mod_ssl
There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.
Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie)."
Personal Note: Over this past summer, I have had a great deal of experience with Apache-SSL in particular. My employer decided to upgrade our web server from IIS to Apache, and they decided on Apache-SSL. We had some minor problems setting it up, mainly with the daemon not starting/stopping properly when PHP4 was compiled in (we did everything as DSO's). Once we got the server working (after compiling everything as static libraries), all we needed to do was make some certificates. We made all the certificates ourselves and signed the certs for our internal websites. For our external sites, we made the certificates and sent them to VeriSign for "official" signing (that was the only thing we actually needed to pay for). Overall, everything seems to be working quite nicely.
Re:widespread use (Score:1)
Of course, this really sucks since I've been using Pine for several years and I really don't want to switch. (Yes, I know Mutt can be made to kinda sorta emulate Pine, but it's not exact by any means and it still takes some getting used to.)
Installation Woes (Score:1)
Mod_SSL is really easy...The instructions I used made it really easy:
Linux: Installation Guide [modssl.org]
WinNT: Installation Guide [modssl.org]
FoonDog
Re:It's not totally free. (Score:1)
Re:you're screwed because of Verisign (Score:1)
Re:It's not totally free. (Score:2)
i.e. That I am who I say I am, and that my use of the cert is considered legit.
Otherwise virus authors could obtain a cert that claims to be from Microsofl. A user who isn't paying attention might think it says Microsoft and accept the malicious code. Correct me if I am wrong...
jc
Re:My experience with mod_ssl (Score:1)
mE
Re:use mod_ssl (Score:1)
Apache, which means you can define one or more virtual servers, each with or without SSL, within the same configuration of Apache-SSL. Works great.
Cheap(er) source of server certificates (Score:5)
They used to be $49, but apparently they've raised their prices to $79. They claim that their certificates will work with Apache+SSLeay and Apache+Raven. I am wondering if anyone has had experience with using Equifax certificates (in general), and specifically whether they work with Apache+mod_ssl?
Also, they offer "wildcard" certificates, which allow you to secure *.yourdomain.tld, which seem pretty interesting for an app I'm working on. Any experience with these?
Re:use mod_ssl (Score:1)
Re:It's not totally free. (Score:1)
Just keep that in mind the next time you click on that Grant button *grin*.
Re:you're *not* screwed because of Verisign (Score:1)
OT: Please help (looking for free support) :) (Score:2)
Any suggestions
Re:It's not totally free. (Score:1)
Certificates are routinely sold to companies that turn out to be less-than-honorable. (E trade?)
Certificates prove identity. They have nothing to do with "honor".
--
Re:It's not totally free. (Score:1)
First of all, there's a world of difference between "free" and "cheap". The point of a certificate is to prove identity, and the point of a CA is to be a trusted authority. Maybe you don't care how trusted the authority is, but the point is that they should go through some motions to verify identity before issuing a certificate.
It's hard to imagine how a free service could pay the people to do the corporate research.
--
Re:My experience with mod_ssl (Score:1)
Right - and I did this. I carefully followed every set of instructions I could find, and then tried every random combination of configurations - still experienced problems when connecting via MSIE 5 (only some builds - for example W2K version works...).
Have you actually gotten Apache/mod_ssl/Verisign to work with _all_ versions of IE? If so, would you be willing to send me the snippet from your httpd.conf file?
Cheers.
RedHat or other Distro? (Score:2)
Re:widespread use (Score:2)
To steal an amusing phrase from Bugtraq: "Pine, from the same people who brought you WU-FTP and UW imap"
--
"Don't trolls get tired?"
Re:It's not totally free. (Score:2)
Re:widespread use (Score:1)
Sendmail and Postfix both have SSL capabilities (Postfix requires a patch) and UW Imap2000 can do SSL imap and pop. These are not widely adopted though... Really, I think if there were cheap certificates available, SSL would be more widespread. Equifax recently came out with a $40 certificate but the clients don't recognize its authority unless the server supports a CA certificate as well which can verify it through some sort of funky magic
Re:My experience with mod_ssl (Score:1)
wildcard certs and M$ (Score:5)
We are upset because MS IE 5.5 will not support wildcard certs. Flat out, there is no way around this and MS has made it clear that they are going to make everyone pay Thawte or Verisign for every single domain you want to secure. It is pretty sick, but it is the truth. You will waste money on a wildcard cert unless you can figure out how to change Microsoft. Good luck. The CAs screw you from the top (CA authority) and MS screws you from the bottom (browser) and you are stuck in the middle trying to run a web server.
Re:It's not totally free. (Score:2)
Re:It's not totally free. (Score:2)
Re:My experience with mod_ssl (Score:1)
Of course, it could have been any of the numerous other IE SSL bugs but as you worked through the FAQ I'll assume not.
Free CAs - probably not (Score:2)
The process you go through says a lot about what measures they take to verify your identity, and I've inferred that a LOT of it CAN'T be done without human intervention (given the current state of technology) - and not without dedicated hardware in a centralized location. The "authority" part of "certificate authority" is by definition [dictionary.com] a single entity. They usually request a copy of your business' Certificate of Incorporation, which must be verified by a human being, and they always request a phone number for verification, and they usually request your company's DUNS number (Dun and Bradstreet's corporation database) for simplicity's sake. Verification of the DUNS is about the only thing that can be done automatically, and it's not sufficient to prove your identity, since anyone can look it up.
--
Note that none of this reflects the opinions or views of my employer. Well actually it might, but I'm not allowed to say so.
--
I'm not a lawyer, and neither are you! (Score:1)
If you did this before RSA released the patent into the public domain, then you should have paid for your SSL library -- your failure to do so gives RSA the right to sue you for denying them license fees.
As I understand it, we still don't have a clear answer on whether it's legal to use SSL without paying RSA a license. It's just that everyone is assuming it's so. I won't be surprised if RSA lawyers start calling everyone up and demanding license fees because of some other patent that SSL requires.
Re:widespread use (Score:1)
Re:widespread use (Score:2)
I look at it this way. If I'm checking email every 20 minutes in Outlook Express, Netscape mail, etc, my password's being sent out in the clear every 20 minutes between x routers. A simple packet sniffing can grab the password easily. Once did it on a company lan with Web(or was it Net?)Xray where I had to time it just right since it was a crippled demo version.
(and why would root be reading mail at all).
A small difference (Score:1)
Re:It's not totally free. (Score:2)
If you went to bn.com to buy a book and you got a message telling you that the certificate was self-signed, do you think you'd think twice about whether or not you are really truly using bn.com?
~GoRK
Re: O'Reilly book (Score:2)
That's probably because the author of Apache-SSL is also one of the authors of the O'Reilly Apache book. I've used mod_ssl, and it was pretty easy to use. It also seems to be the more popular choice.
Re:OT: Please help (looking for free support) :) (Score:1)
It has something to do with them having a problem with SSL v3.
Re:mod_ssl all the way (Score:2)
We use Apache-SSL. We got Apache 1.3.12, iirc, on a pretty standard Redhat 6.1 (yeah I much prefer 6.2 too *g*) and it's never died. It seems plenty fast. I had no problems setting it up either, and Verisign's certificate installed fine.
Have to admit to not trying mod_ssl but I think the tone of the documentation was the deciding factor for me....
Re:mod_ssl==GOOD, IBM mod_ssl==YUMMY! (Score:1)
Free Certs for a year (Score:1)
See for yourself:
http://www.globalsign.net/prod/freeserver.cfm [globalsign.net]
Please learn what cf means. (Score:1)
cf. does not mean "Compare because it's similar," it means "Contrast."
-james.
Re:OT: Please help (looking for free support) :) (Score:1)
Re:It's not totally free. (Score:2)
This is quite true. Nevertheless, I'm certain that a large fraction of those who participate in e-commerce have made the false assumption that such certificates come with some form of implied legitimacy in how the company they are interacting with does business.
Now that digital signatures are considered legal and binding, I wonder if the legal meaning of a digital certificate is affected? Is there now some form of implied contract when they are used for communications?
Lawyers?
Free certs (Score:1)
Re:It's not totally free. (Score:2)
The only thing that a web certificate proves is that the owner had access to a (stolen) credit card.
SSL certificates can cryptographically prove identity. However, as currently implemented, commercial certificates do not prove identity. Just about anyone can get a commercial certificate without properly proving their identity to the CA.
Re:wildcard certs and M$ - a different experience (Score:1)
Re:It's not totally free. (Score:1)
Free PGP keyservers are out there. But that's all: they store keys. Verisign and the likes actually go through the motions of trying to prove that the person who they've given a key to is that actual person. No PGP keyservers attempt to do that.
differences (certificates, performance, and karma) (Score:3)
I've also tried to think about how one could gauge the differences objectively. As far as I've seen, neither seems any faster (which would make sense being that they both use OpenSSL for the "real work"), and I can't think of any features that one has that the other doesn't; and I'm not talking about configuration directives, I'm talking about XXX obtains information YYY and logs it, but product ZZZ doesn't. I'd love to see some enlightenment on that note.
And on that note (karma and enlightenment, that is) I have had no difficulties with either in installation, or uninstallation, or even configuration. I do however like having the "SSL Module". It's quite handy when duplicating disks. I just flip a flag in my configuration files instead of having to recompile Apache. But other than that, I can't see any reason why you would pick one over the other.
Maybe it would be constructive (ooh, big word!) if people posted WHY they use Apache+SSL or WHY they use Apache+mod_ssl instead of just listing off angry posts, and turning my display into a voting log.
To say it another way, I don't think that anyone is interested in why YOU use Apache-SSL or YOU use Apache+mod_ssl. I know that I'm not! Instead, I'd like to hear WHY you use Apache-SSL, or WHY you use Apache+mod_ssl.
Re:Apache-ssl (Score:1)
Root reading mail . . . (Score:1)
My setup... (Score:1)
Although it took a couple of compiles to get it to work correctly...
I kept getting strange errors when I tried to look at https-pages with Netscape (Although IE went well, and Netscape on "usual" pages) (netscape crashed with an error in "the security subsystem")
It looks like Apache (or mod_ssl or php4) (at least the versions I used) aren't 100% compatible. But the problem disappeared when I changed the order of --with-module=php, --with-module etc to Apache's autoconf script (don't remember which combination finally did work...)
PS. I did try Apache-SSL as well... but that didn't even compile
Re:I'm not a lawyer, and neither are you! (Score:1)
Re:It's not totally free. (Score:1)
Yeah - but if I'm only interested in encrypted communication. Can I do this without a costly certification? And I wouldn't want to cause those scary warnings to user either. (I know that I lose some of the security this way because I cannot be sure that the other end is what I think it is.)
_________________________
Re:mod_ssl==GOOD, IBM mod_ssl==YUMMY! (Score:1)
I'm advocating the authoring of a nice X11 GUI client for keyring management, nothing more.
-Rusty
Re:Apache-ssl (Score:1)
Re:My experience with mod_ssl (Score:1)
Re:wildcard certs and M$ (Score:1)
Wouldn't it be nice, though, if enough sites would use wildcard certificates anyway, so that it became such a burden to IE users that they either would get fed up and switch browsers or Microsoft would have to realize that the browser's functionality was taking such a hit because of it that they had to change it.
I can imagine that if people using IE want to check their accounts on their bank's secure server, they would not be happy to get a message like this:
We're sorry, but due to intentional incompatibilities in Microsoft Internet Explorer, you cannot view this page. Please try again with a different browser.
This would be such an inconvenience for users that MS would have to fix it! Too bad so few companies are willing to risk evoking the wrath of Microsoft.
RedHat 7 comes with mod_ssl (Score:4)
I'm sure this won't be popular due to the current mood of RedHat bashing, but it is worth pointing out that RedHat 7 comes with mod_ssl. RedHat also compiles the EAPI patch needed by mod_ssl directly into the apache package and all dependent services (such as PHP) are compiled with EAPI so that there are no package complaints. This gives you a SSL enabled web server right out of the box (or off the wire) with RedHat.
Regarding the EAPI patch, a little background should be presented here. As mentioned earlier, Apache must be patched with EAPI (Extended API) in order to handle the SSL functions provided by mod_ssl. Other packages compiled with the Apache lib like PHP as a DSO module will complain loudly if you load them against a patched Apache when the module was compiled against unpatched libs. Because of this, you have to make sure that all your Apache related services are recompiled. RedHat's decision to include EAPI in their default Apache package simplifies this.
For a modular installation, mod_ssl is probably better being that you can turn an insecure server secure by adding a package rather than replacing an existing one. This gives you better consistency with configuration files and version control. In fact, the same configuration file can support the secure and insecure installs just by using some directives in the file.
One thing I'm curious about is if Apache 2.0 will have EAPI built in by default. This will help to avoid recompile problems like this in the future.
As for using mod_ssl, I've loaded it on several machines. Runs wonderfully. One of my machines has two secure virtual servers and four non-secure virtual servers. The only headache is that you cannot do name based virtual hosting with SSL. This is a problem with SSL, not Apache, due to the point where SSL authentication and encryption takes place.
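To illustrate the two points above (one httpd.conf driving both the secure and the insecure install, and SSL hosts needing their own IP address rather than a name), here is an added mod_ssl 2.x / Apache 1.3 configuration fragment. It is not from the thread, from RedHat's package, or from the mod_ssl project; the hostnames, the 192.0.2.x addresses, the module path and the certificate paths are constructed placeholders.

```apache
# Added example (not from the original thread): one httpd.conf that serves
# plain HTTP always and HTTPS only when started as "httpd -DSSL".
# Hostnames, IP addresses and file paths are constructed placeholders.

# mod_ssl is loaded only when the server is started with -DSSL, so the
# same file drives both the insecure and the secure install.
<IfDefine SSL>
    LoadModule ssl_module libexec/libssl.so
    AddModule  mod_ssl.c
    Listen 80
    Listen 443
</IfDefine>

# Plain-HTTP sites: name-based hosting works here because Apache reads
# the Host: header before it decides which site answers.
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName   intranet.example.com
    DocumentRoot /var/www/intranet
</VirtualHost>

<IfDefine SSL>
    # Server-wide defaults: SSLv2 disabled, export and NULL ciphers out.
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP

    # The certificate is sent during the handshake, before any HTTP
    # request (and therefore any Host: header) exists. The server can only
    # choose a certificate by the address and port the client connected
    # to, so each SSL site gets its own IP address.
    <VirtualHost 192.0.2.10:443>
        ServerName            www.example.com
        DocumentRoot          /var/www/example
        SSLEngine             on
        # CA-signed certificate for the public site; the only thing it is
        # bound to is the server name, so it moves with that name.
        SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
    </VirtualHost>

    <VirtualHost 192.0.2.11:443>
        ServerName            intranet.example.com
        DocumentRoot          /var/www/intranet
        SSLEngine             on
        # Certificate signed by an internal CA; browsers warn about it
        # unless that CA has been imported on the client side.
        SSLCertificateFile    /etc/httpd/ssl/intranet.example.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/intranet.example.com.key
    </VirtualHost>
</IfDefine>
```

Started without `-DSSL` the server listens on port 80 only and never touches the key files; started with `-DSSL` the same file adds the two SSL hosts. Putting a second SSL site on 192.0.2.10:443 would not fail to start, but every client hitting that address would be shown the first host's certificate.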
Re:I'm not a lawyer, and neither are you! (Score:2)
Load of rubbish: Re:My experience with mod_ssl (Score:1)
The only important thing in the certificate (that can't be changed) is the dns name of the server (www.xxx.abc). If you are upgrading to a new server, and that new server gets the same name, you're fine - just copy the files over.
There is nothing magical about the particular hardware or operating system you made the original request on.
Re:wildcard certs and M$ (Score:1)
No, this would be such an inconvenience for users that they'd either switch banks or just not use internet banking. Think about it.
Re:Cheap(er) source of server certificates (Score:1)
Re:It's not totally free. (Score:1)
What use is encryption if anyone can de-crypt it? If you just want cheap, there are various "webs of trust" out there, but bear in mind, you get what you pay for. And if a member proves to be less than trustworthy, it's difficult to revoke their trust.
Re:It's not totally free. (Score:1)
I'm curious why SSL can't work similarly to SSH; you negotiate a key with that particular server. Why does the server have to pay to be identified by a CA? If you're not sure of the identity of those running the server, why are you sending them your credit card information anyways?
This is a serious question, can someone explain this to me?
stunnel will do that for you instantly (Score:1)
Re:widespread use (Score:1)
Dear me, that killed the conversation, didn't it? (Score:1)
Trust you to cut to the chase, leaving all of these other Slashdotters floundering in the trivia 30 minutes back in the plot. How are they supposed to work up a good flame war when you axe their ``reason'' for a good does/doesn't war with one small, well-placed, fixed-pitch question? (-:
I use mod_ssl because that's what Mandrake ship with their distros. You can call that laziness, or you can call it pragmatism, but really it's the only reason I have.
Re:It's not totally free. (Score:1)
At thawte.com [thawte.com] you can get 3rd level domain certs for $125 - they have excellent support too - even telling you how to get a cert out of an NT box and putting it into openssl.
Re:Go with APACHE SSL for heavy traffic (Score:1)
For instance Rainbow (isglabs.rainbow.com) sells some really nice hardware. It includes drivers for Linux and FreeBSD. It also works with most popular web servers, including Apache.
Mathijs
Re:It's not totally free. (Score:1)
I guess this whole thing was created just to go through the motions of making it seem as if things are "Certified" by an "Authority". In the real world this doesn't mean much - anyone with a DBA can get a cert from a trusted CA. Anyone with $10 can set up a DBA (in some states of the states). And how would thawte or verisign know how to verify whether a business in Timbuktu or Kaliningrad is genuine...
An alternative would be to toss the CA concept and pull the domain name owners out of a whois database, and ask for any certificate whether we trust it or not by its own merits...
Mandrake came with mod_ssl from distro 7.1 (Score:1)
Re:use mod_ssl (Score:1)
I'm waiting for the apache 1.3.13 release later this week (according to the CVS tarball STATUS from a few days ago); the bit where you can tell it a directory instead of a config file, and it'll parse the files in that directory as that config, that sounds like it'll make some real fun possible.
[ever more offtopic] I saw something in those same files about GDBM, I presume for auth_dbm replacement; I've got a simple hack that does that but not the time to spray it with the substances called for in the official patch submission rituals. Anybody wants it send me an email...
Re:Zeus? (Score:2)
Performance might be nice. Reliability and security (as in no buffer holes for script kiddies) are certainly important. However, simplified visual interfaces are not my forté. Can Zeus be administered in the most literal and detailed sense?
Re:Apache-SSL for me (Score:1)
You may have a point regarding features/stability; I know that with mod_ssl, restarting apache doesn't always work smoothly for me (graceful restart does, however). But in the long run, Apache modules are cleaner, more stable, and easier to upgrade, so it is the right approach (vs patches) in many ways.
Another factor to consider is fixes, support, documentation. I spent a long time getting the mod_ssl mailing list, and Ralf Engelschall is uncommonly helpful. Minor version fixes are frequent when they involve bug fixes, and infrequent otherwise (seems obvious, but not everyone does that). The documentation is glossy and has large images, but it's accurate and I always found what I was looking for.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re:wildcard certs and M$ (Score:2)
Re:use mod_ssl (Score:1)
Still, Apache-SSL still works regardless of the bug, whereas mod_ssl doesn't.
Re:Go with APACHE SSL for heavy traffic (Score:1)
___
Re:Free Certs for a year (Score:1)
Re:mod_ssl all the way (Score:1)
austad: I've been using mod_ssl. Much easier to set up, and when I tried Apache-SSL, apache would die unexpectedly and it was SLOW. No problems at all with mod_ssl.
boy case: We use Apache-SSL. We got Apache 1.3.12, iirc, on a pretty standard Redhat 6.1 (yeah I much prefer 6.2 too *g*) and it's never died. It seems plenty fast. I had no problems setting it up either, and Verisign's certificate installed fine.
I tried Apache-SSL first, then switched to mod_ssl; I did not think there was much difference in the difficulty setting them up, both seem quite stable, and speed was not an issue for me - both were fast enough - so I never measured it.
boy case: Have to admit to not trying mod_ssl but I think the tone of the documentation was the deciding factor for me....
The documentation was a factor in my decision to change - I found the mod_ssl documentation much more comprehensive and easier to understand so I did not let the tone bother me.
One particular reason for the switch was that I wanted to use client certificate authentication and mod_ssl seems to be much more flexible in that area. I have set up part of my secure web hierarchy to require CCA with mod_ssl, Apache-SSL seemed to be an all or nothing for the whole site proposition.
Although I find mod_ssl better for CCA, neither is particularly good. I would really like something better than the "fake basic auth" method of access control which both seem to offer in the same way. I would also like to be able to check the revocation list via an LDAP query rather than a file. Unfortunately, I have not had enough spare time to look into this in any detail; this is at-work stuff but not part of my real job unfortunately.
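As an added illustration of the per-directory client certificate authentication, the "fake basic auth" access control and the file-based revocation list that the two posts above describe, here is a mod_ssl 2.x configuration fragment. It is not the poster's configuration and not from the mod_ssl project; the hostname, IP address, file paths, the internal CA and the organisation string "Example Corp" are constructed placeholders.

```apache
# Added example (not from the original thread): client certificate
# authentication required for one part of the tree only, under mod_ssl.
# Hostname, address, paths, CA and organisation name are placeholders.

<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/example
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # CA that issued the client certificates, and the CRL it publishes.
    # mod_ssl reads the CRL from a file, so it has to be re-fetched and
    # the server restarted whenever the CA revokes a certificate.
    SSLCACertificateFile  /etc/httpd/ssl/internal-ca.crt
    SSLCARevocationFile   /etc/httpd/ssl/internal-ca.crl

    # Site-wide: no client certificate is asked for.
    SSLVerifyClient none

    # Only /secure demands a certificate; the rest of the site stays
    # open to anyone over SSL (mod_ssl renegotiates on entering /secure).
    <Location /secure>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  2

        # Beyond "signed by our CA and not revoked": restrict to
        # certificates whose subject O= field names one organisation.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"

        # "Fake basic auth": the certificate's subject DN becomes the
        # user name, so ordinary AuthUserFile/Require rules apply. Each
        # entry in the user file carries mod_ssl's fixed password string
        # "xxj31ZMTZzkVA" (the crypt() form of the word "password"), e.g.
        #   /C=GB/O=Example Corp/CN=Jane Doe:xxj31ZMTZzkVA
        SSLOptions  +FakeBasicAuth +StrictRequire
        AuthType     Basic
        AuthName     "Client certificate holders"
        AuthUserFile /etc/httpd/ssl/cert-users
        Require      valid-user
    </Location>
</VirtualHost>
```

Two things to note for anyone deploying this. The user file is an allow-list: a certificate from the right CA whose DN is not listed is rejected even though the handshake succeeded, which is the access-control step the CRL alone does not give you. And `+StrictRequire` makes the `SSLRequire` denial final even if a `Satisfy Any` elsewhere in the configuration would otherwise let the request through.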
This is a *big problem* (Score:1)
Re:OT: Please help (looking for free support) :) (Score:1)
I've also heard that Thawte certs work OK.
The only thing I never tried but saw suggested on a mailing list is recompiling openSSL without experimental ciphers (it's a compiler flag). Sounded plausible at the time.
Re:I'm not a lawyer, and neither are you! (Score:1)
Re:mod_ssl all the way (Score:1)
I guess in the end our decision was arbitrary. I think I liked the part about correctness over features, it just appealed to me personally. From what people have said here, I think I'll take a look at mod_ssl too, if I get a chance; the system is up and running already so like your case it's not a major priority for my company.
We don't use client certificates, so we never hit that issue.
Two things.... (Score:2)
As for cleartext mail passwords, well, you *can* do it that way, or you can use OPIE, APOP, KPOP, SSL, IMAP with GSS, IMAP with CRAM-MD5, regular POP or IMAP over ssh or IPSec.... Hell, you could even use NTLM if you're auth'ing against an Exchange server or something.
Really, there's no excuse for sending your admin passwords across the wire cleartext. They should have to work to get access to your machines.
--
"Don't trolls get tired?"