FreeBSD secure connection Mode SSL

In the usual connection mode, communication is transmitted in unencrypted form on the network, which may be illegally tapped, especially for authenticated password information. To avoid this vulnerability, the transport process must be encrypted. The Protocol for encrypting HTTP transmission is HTTPS, which is the protocol of HTTP transmission via SSL (Secure Socket Layer), which guarantees the security of transmission not only through the algorithm of public key, but also by obtaining the authentication CA to ensure that the server connected by the client is not counterfeited.

The use of public keys ensures that data transfer is not a problem, but this is also a serious security issue if the site visited by a browser client is spoofed. This problem does not belong to the encryption itself, but to ensure the correctness of the key itself. To ensure that the other site public key is the correct key, rather than the fake site key, you must pass a certification mechanism, the site's key to authenticate. Of course, even if not authenticated, still can guarantee information transmission security, but customers can not be sure access to the server is not counterfeit. If not to provide e-commerce and other aspects of high security requirements of services, generally do not need so strict consideration.

Although the Apache server does not support SSL, the Apache server has two freely available programs to support SSL, one for APACHE-SSL, it integrates the Apache server and SSL, and the other is Apache+mod_ssl, It is supported by dynamically loaded module Mod_ssl, where the latter is differentiated by the previous one, and because of the use of modules, Ease-of-use is very good, so the scope of use is more extensive. There are also commercial Web servers based on Apache and integrated SSL capabilities, but using these commercial Web servers is primarily North America, because the public key algorithm used for SSL there is patented and cannot be used for commercial purposes, and other countries do not have to consider this patent issue, And you can use SSL freely.

Although typically mod_ssl and other complex Apache modules provide detailed compilation installation instructions, they provide very useful scripting and makefile to help users install. However, adding a module to the Web server is not a simple but easy to describe task, and fortunately, FreeBSD provides ports Collection, which allows the user to install the module without having to relate to the details of each step.

If you do not intend to use ports collection to install MOD_SSL, then things are slightly more troublesome, you must manually download the Apache source code, as well as mod_ssl code, follow the instructions step-by-step compilation installation.

Apache+mod_ssl relies on another software: OpenSSL, which is a freely available SSL implementation that first needs to install this port (due to the patent impact, these software without legal system as can be directly installed binary package, must use the ports Collection installation). OpenSSL is located under the Security subdirectory under/usr/ports, you need to set the environment variable usa_resident to avoid patent disputes before downloading its source program.