                       _             _ 
   _ __ ___   ___   __| |    ___ ___| |  
  | '_ ` _ \ / _ \ / _` |   / __/ __| |  
  | | | | | | (_) | (_| |   \__ \__ \ |  mod_ssl - Apache Interface to SSLeay  
  |_| |_| |_|\___/ \__,_|___|___/___/_|  http://www.engelschall.com/sw/mod_ssl/
                       |_____|         
  _____________________________________________________________________________


  Description
  -----------

  The mod_ssl package is a source extension and set of patches for the
  Apache 1.3 webserver providing Secure Socket Layer (SSL) support through the
  SSL implementation library SSLeay. 
  
  This product includes software developed by Ben Laurie for use in the
  Apache-SSL HTTP server project. Additionally it uses a tool developed by
  Larry Wall and David MacKenzie for use in the GNU project of the FSF.

  Features
  --------

  The mod_ssl package provides the following features:

   o  Free SSL implementation for both commercial and non-commercial use,
      because mod_ssl stays under an Apache-style license and SSLeay is freely
      available, too.
   
   o  128-bit strong encryption world-wide, because it is developed in Europe
      and also distributed only from Europe.

   o  Complete server and client authentication to be able to both
      authenticate a server for the clients and to create closed user groups
      for a server.

   o  Full source code available in clean format, i.e. people have the chance
      to verify and enhance the code themselves if necessary.
   
   o  Automated and robust application of the source extension and patches to
      a fresh Apache 1.3 source tree.

   o  Clean integration into Apache 1.3 through the new Apache 1.3
      Autoconf-style Interface (APACI), i.e. no manual source patching or
      editing necessary. Even the patched Apache source tree can still be used
      to compile an unencumbered Apache server containing no SSL stuff.  This way
      you can add additional third-party packages like mod_perl or PHP without
      conflicts.

   o  Full installation support inside Apache 1.3, i.e. you can still use
      APACI's "make install" and all SSL stuff is automatically installed,
      too.

  Disclaimer
  ----------

  But the price you have to pay for getting a free SSL implementation for
  Apache is the following:

  THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED
  OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
  NO EVENT SHALL RALF S. ENGELSCHALL OR THEIR CONTRIBUTORS BE LIABLE FOR ANY
  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  Restrictions
  ------------

  Additionally you have to accept the following restriction:
  
  Please REMEMBER that export/import and/or use of cryptography software or
  even just providing cryptography hooks is illegal in some parts of the
  world.  When you re-distribute this package or even email
  patches/suggestions to the authors or other people PLEASE PAY CLOSE
  ATTENTION TO ANY APPLICABLE EXPORT/IMPORT LAWS. The authors of mod_ssl are
  not liable for any violations you make here. So be careful yourself.

  Security Concerns
  -----------------

  You should be very careful when using cryptography software, because just
  running an SSL server _DOES NOT_ mean your system is then secure!  This is
  for a number of reasons. The following questions illustrate some of the
  problems.

   o  SSL itself may not be secure. People think it is, do you?
   o  Does this code implement SSL correctly?
   o  Have the authors of the various components put in back doors?
   o  Does the code take appropriate measures to keep private keys private? 
      To what extent is your cooperation in this process required?
   o  Is your system physically secure?
   o  Is your system appropriately secured from intrusion over the network?
   o  Whom do you trust? Do you understand the trust relationship involved 
      in SSL certificates? Do your system administrators?
   o  Are your keys, and keys you trust, generated carefully enough to
      avoid reverse engineering of the private keys?
   o  How do you obtain certificates, keys, and the like, securely?
   o  Can you trust your users to safeguard their private keys?
   o  Can you trust your browser to safeguard its generated private key?
  
  If you can't answer these questions to your personal satisfaction, then you
  usually have a problem. Even if you can, you may still _NOT_ be secure.
  Don't blame the authors if it all goes horribly wrong. Use it at your own
  risk!

  Compatibility
  -------------

  This version is configuration and runtime compatible with Ben Laurie's
  original Apache-SSL. For differences between mod_ssl and Apache-SSL please
  read the README.ApSSL document. 
  
  It was tested only with Netscape 4.05 under FreeBSD as the client.  But it
  should work with other Netscape variants, too.  Even Internet Explorer users
  should be able to use this software.

  Resources
  ---------

  The following resources can be useful to read for further information about
  Apache, mod_ssl, SSLeay and SSL itself:

  Apache:

   o  Apache Group:
      http://www.apache.org/
   o  Apache Server Documentation:
      http://www.apache.org/docs/
   o  Apache Reference Card:
      http://www.ford-mason.co.uk/resources/apache-refcard/

  Apache and SSLeay:

   o  mod_ssl:
      http://www.engelschall.com/sw/mod_ssl/
   o  Apache-SSL:
      http://www.apache-ssl.org/
   o  Apache and Secure Transactions (ApacheWeek)
      http://www.apacheweek.com/features/ssl
   o  SSLeay and Apache (iX article, German)
      http://www.heise.de/ix/artikel/E/9606128/
   o  Thawte Apache-SSL FAQ
      http://www.thawte.com/faq/apachessl.html

  SSL Test Possibilities:

   o  Netcraft Server SSL Check:
      http://www.netcraft.co.uk/cgi-bin/Survey/sslwhats
   o  SSLeay Client Crypto-Strength Test:
      https://mozilla-crypto.ssleay.org/cryptocheck.php
   o  SSLeay Test Server:
      https://tls.cryptsoft.com/

  SSLeay and SSL:

   o  Introducing SSL and Certificates with SSLeay
      http://www.camb.opengroup.org/RI/www/prism/wwwj/
   o  Enabling Network Security with SSLeay
      http://www.mikom.csir.co.za/SSLeay/
   o  SSLeay FAQ: 
      http://www.psy.uq.oz.au/~ftp/Crypto/
   o  SSLeay Programmers Reference:
      http://www.psy.uq.oz.au/~ftp/Crypto/ssl.html
   o  SSLeay Mailing-List Archive:
      http://remus.prakinf.tu-ilmenau.de/ssl-users/
   o  Netscape SSL-Talk List Archive (ssl-talk@netscape.com)
      http://www.consensus.com/security/ssl-talk-faq.html
   o  SSLv3 Protocol Specification:
      http://www.netscape.com/newsref/std/SSL.html

  Security:

   o  Security and Encryption-related Resource Page:
      http://www.cs.auckland.ac.nz/~pgut001/links.html

  Digital Certificates
  --------------------

  Digital certificates for SSL can be bought from the following commercial
  organizations: 

   o  Verisign
      http://digitalid.verisign.com/server/apacheNotice.htm
   o  Thawte Consulting
      http://www.thawte.com/certs/server/request.html 
   o  CertiSign Certificadora Digital Ltda.
      http://www.certisign.com.br 
   o  IKS GmbH
      http://www.iks-jena.de/produkte/ca/ 
   o  Uptime Commerce Ltd.
      http://www.uptimecommerce.com 
   o  BelSign NV/SA
      http://www.belsign.be

  On the other hand, this is not really necessary in order to use SSL.
  You can also make your own certificate, of course ;-)

  Credits
  -------

  Thanks to The Apache Group and the NCSA for Apache, to Eric Young and Tim
  Hudson for SSLeay and to Ben Laurie for the original Apache-SSL on which
  mod_ssl is based. Without the effort of these people mod_ssl would not be
  possible.

