iTP Secure WebServer System Administrator's Guide (Version 7.0)
Security Concepts
iTP Secure WebServer System Administrator’s Guide—523346-012
Because SSL and HTTP are different protocols and typically use different port 
numbers (such as 443 and 80, respectively), the iTP Secure WebServer can handle 
secure and standard clients simultaneously. As a result, some information can be 
provided to users in unencrypted form while other information can be provided only in 
encrypted form.
SSL 3.0 Protocol Enhancements Over SSL 2.0
SSL 3.0 includes a number of enhancements over SSL 2.0:
• Requires fewer handshake messages, therefore allowing faster handshakes.
• Supports additional key-exchange and encryption algorithms (for example, Diffie-Hellman, Fortezza). However, the iTP Secure WebServer supports only the RSA key-exchange algorithm.
• Supports hardware tokens in the form of Fortezza cards. This is the first step toward more general support for cryptography-capable smart cards.
• Includes an improved client certificate request protocol, allowing a server to specify a list of CAs that it trusts to issue client certificates. The Web client returns a certificate signed by one of those CAs; if the server does not have such a certificate, the connection handshake fails. This improvement frees users from having to choose a certificate for each connection. (For more information about the certificate request protocol, see Requesting a Certificate on page 4-11.)
Deploying SSL
To deploy SSL on a server:
1. Configure and enable a server to use the SSL security protocol.
2. Use Region commands to enforce the use of SSL on specific server contents.
For example, to enable secure access to the file secret-recipes.html, you might 
include the following directive in the server configuration file (httpd.config):
Region /cookbook/secret-recipes.html {
 RequireSecureTransport
}
The reference to this file in the HTML document accessing your secret recipes might 
then look like this:
Here are the <a href="https://cookbooks.org/cookbook/secret-recipes.html">secret recipes</a>!
To enable SSL connections and specify the certificate to be used for SSL connections, 
you specify the AcceptSecureTransport directive in the server configuration file 










