From: Glynn Clements
Date: Sat, 11 Jul 1998 05:54:37 +0100 (BST)
To: "Numard (Norberto Meijome)"
Cc: FreeBSD Questions
Subject: Re: Secure commerce?
Message-ID: <13734.61453.441391.493813@cerise.sensei.co.uk>
In-Reply-To: <35A6D02E.C9E4D556@smartmedia.com.ar>

Numard (Norberto Meijome) wrote:

> i'm interested in setting up an https server to do web commerce. The
> server is in USA. I'm actually running apache. I was planning to install
> apache-ssl (w/ ssl-Leavy).
> Now, what would be the right procedure to follow? do i have to get a
> server-id from verisign or can i create my own with the ssl-leavy soft?

You need to have your public key certified by an authority which is
recognised by the popular web browsers if you want Joe User to trust
it. Otherwise the browser will pop up a warning saying that it doesn't
recognise the certifying authority, which is enough to scare off the
average user.

There was talk on slashdot.org that VeriSign were giving up their
boycott of Apache-SSL. However, I believe that the recent browsers
recognise other authorities (e.g. Thawte), most of whom are cheaper
than Verisign.

> Any known problems with apache 1.3 + ssl?

A potential weakness in existing SSL implementations was posted to
BugTraq within the past week or so. However, it requires approximately
one million connections to retrieve a single session key. So it's more
of a theoretical concern than a practical one. Also, a fix is already
available for SSLeay.

-- 
Glynn Clements