iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)

Security Concepts
iTP Secure WebServer System Administrator’s Guide 523346-002
D-8
SSL 3.0 Protocol Enhancements Over SSL 2.0
SSL 3.0 includes a number of enhancements over SSL 2.0:

• Requires fewer handshake messages, thus allowing faster handshakes.

• Supports additional key-exchange and encryption algorithms (for example, Diffie-Hellman, Fortezza). However, the iTP Secure WebServer supports only the RSA key-exchange algorithm.

• Supports hardware tokens in the form of Fortezza cards. This is the first step toward more general support for cryptography-capable smart cards.

• Includes an improved client certificate request protocol, allowing a server to specify a list of CAs that it trusts to issue client certificates. The web client returns a certificate signed by one of those CAs; if the server does not have such a certificate, the connection handshake fails. This improvement frees users from having to choose a certificate for each connection. (For more information about the certificate request protocol, see Requesting a Certificate on page 4-10.)
Deploying SSL
You deploy SSL on your server as follows:
1. Configure and enable your server to use the SSL security protocol.
2. Use Region commands to enforce the use of SSL on specific server contents.
For example, to enable secure access to the file secret-recipes.html, you might
include the following directive in the server configuration file (httpd.config):
    Region /cookbook/secret-recipes.html {
        RequireSecureTransport
    }

The reference to this file in the HTML document accessing your secret recipes might then look like this:

    Here are the <a href="https://cookbooks.org/cookbook/secret-recipes.html">secret recipes</a>!
To enable SSL connections and specify the certificate to be used for them, you specify the AcceptSecureTransport directive in the server configuration file (httpd.config). The AcceptSecureTransport directive sets the default certificate for all regions on the server, as in the following example:

    AcceptSecureTransport -cert {CN=Juliet,O=Capulet’s House of Keys}
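The two directives above are easy to get out of step: a Region that was meant to be secure-only can lose its RequireSecureTransport line, or the AcceptSecureTransport -cert line can be missing so that no SSL listener is enabled at all. The following Python script is an added example, not part of the guide or of the iTP product, that audits an httpd.config fragment for exactly those two conditions. It assumes only the directive syntax shown on this page (Region path { ... } and AcceptSecureTransport -cert {DN}); the sample configuration, the paths and the DN are constructed for illustration, and the rule used to decide which Region applies to a request path (exact match, or prefix match for Regions ending in "/") is an assumption made for the example, not documented behaviour of the server.

```python
import re
from typing import Dict, List, Optional

# Constructed sample httpd.config fragment for the example. Directive names follow
# the guide; the paths and the certificate DN are made up.
SAMPLE_CONFIG = """
AcceptSecureTransport -cert {CN=Juliet,O=Capulet's House of Keys}

Region /cookbook/secret-recipes.html {
    RequireSecureTransport
}

Region /cookbook/public/ {
}

Region /admin/ {
    RequireSecureTransport
}
"""

# Region <path> { <directives> } -- one block per Region, body without nested braces.
REGION_RE = re.compile(r"Region\s+(\S+)\s*\{([^}]*)\}", re.S)
# AcceptSecureTransport -cert {<DN>} -- the server's default SSL certificate.
CERT_RE = re.compile(r"AcceptSecureTransport\s+-cert\s+\{([^}]*)\}")


def parse_regions(config_text: str) -> Dict[str, List[str]]:
    """Return {region path: [directive names]} for every Region block found."""
    regions: Dict[str, List[str]] = {}
    for match in REGION_RE.finditer(config_text):
        path, body = match.group(1), match.group(2)
        directives = [line.strip().split()[0]
                      for line in body.splitlines() if line.strip()]
        regions[path] = directives
    return regions


def server_certificate(config_text: str) -> Optional[str]:
    """Return the DN given to AcceptSecureTransport -cert, or None if absent."""
    match = CERT_RE.search(config_text)
    return match.group(1) if match else None


def unprotected_regions(regions: Dict[str, List[str]]) -> List[str]:
    """Regions that do not enforce SSL with RequireSecureTransport."""
    return sorted(path for path, directives in regions.items()
                  if "RequireSecureTransport" not in directives)


def must_refuse(regions: Dict[str, List[str]], request_path: str, secure: bool) -> bool:
    """Decide whether a request must be refused for lacking SSL.

    Assumed matching rule (an assumption of this example, not the server's
    documented algorithm): a Region applies when the request path equals the
    Region path, or when the Region path ends in '/' and the request path
    starts with it. A request already on SSL is never refused here.
    """
    if secure:
        return False
    for region, directives in regions.items():
        applies = request_path == region or (
            region.endswith("/") and request_path.startswith(region))
        if applies and "RequireSecureTransport" in directives:
            return True
    return False


def audit(config_text: str) -> List[str]:
    """Report the two misconfigurations this example checks for."""
    findings: List[str] = []
    if server_certificate(config_text) is None:
        findings.append("no AcceptSecureTransport -cert: SSL cannot be enabled")
    for path in unprotected_regions(parse_regions(config_text)):
        findings.append(f"Region {path} lacks RequireSecureTransport")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports only that /cookbook/public/ is served without RequireSecureTransport, which is the intended state for that Region; the same script run over a real httpd.config lists every Region that an operator may have expected to be SSL-only but is not.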