Kurt Seifried, [email protected]
There are a variety of secure webservers, but which one is right for you? In this article I will start the process of helping you to choose the right server for your environment. In this series of closet articles I will cover legality, availability, features, and so on of the major secure server packages, using Linux primarily for my testing. The choice of operating system is important, but the choice of www server is usually more important, since that will define your feature set, and long term potential. In conjunction with these articles will be a series of individual product reviews of the more popular servers. This review will only cover 128 bit platforms as I feel 128 bit encryption is relatively weak, and 40 and 56 bit encryption is worthless, please keep this in mind as it will affect availability quite a bit.
This is the first hurdle, if the webserver available in your country, and for your platform of choice? Servers made in the USA for example are generally not much use outside the USA since the export of strong crypto is heavily restricted (to Canada only). Free servers that have not paid for RSA data licenses are generally not used in the USA since RSA is patented there, and you must pay for the use of RSA data components. This first table is a list of server products, their origin and the countries you may or may not use them in:
|Server||Made in||Available to||Restricted from|
|Apache-SSL||uses OpenSSL from Australia||Most countries||unknown (suspected none)|
|Apache mod-ssl||uses OpenSSL from Australia||Most countries||unknown (suspected none)|
|Netscape Enterprise 4.0SP2||USA||USA, Canada||unknown (7 crypto restricted countries possibly)|
|Raven||USA||USA, Canada||unknown (7 crypto restricted countries possibly)|
|Red Hat Secure Server||USA||USA, Canada||unknown (7 crypto restricted countries possibly)|
Belgium, Canada, Denmark, Finland, France, Germany,
Greece, Ireland, Italy, Japan, Luxembourg, Netherlands,
New Zealand, Norway, Portugal, Spain, Sweden,
Switzerland, United Kingdom
United States (they are negotiating with RSA, it should be legal to use in the USA in the near future)
|Restricted from all countries not listed, however you can apply for an export permit, availability will vary|
|Stronghold||Britain||Most countries||None (although you might want to check as there are British export laws that may effect you)|
|Zeus||Britain||Most countries||Restricted from: Afghanistan, Angola, Armenia, Azerbaijan, Bosnia and Herzegovina, Burma (Myanmar), Burundi, Croatia, Democratic Republic of the Congo, Ethiopia, Eritrea, Iran, Iraq, Liberia, Libya, Nigeria, North Korea, People's Republic of China (excluding Hong Kong SAR), Rwanda, Sierra Leone, Somalia, Sudan, Tanzania, Uganda, Yugoslavia (Federal Republic of)|
Platform availability is your next concern, if you are experienced with Solaris and have no experience with Linux you'd probably be best off with a server that runs on Solaris. When handling secure web serving the server platform MUST be secure otherwise it isn't worth bothering in the first place. In the following chart I have attempted to be as precise as possible, yes is more likes a "probably", no is "definitely not", blank means I don't know.
|OS/Server||Apache-SSL *±||Apache mod-ssl *±||Netscape Enterprise 4.0SP2||Raven||Red Hat Secure Server 3.1||Roxen ±||Stronghold||Zeus|
|BSDi||yes||yes||no||3.x+||no||2.x, 3.x, 4.x||yes|
|FreeBSD||yes||yes||no||x86 3.x||no||Yes||2.1, 2.2, 3.0||yes|
|HP-UX||yes||yes||11.x||10.x / 11.x||no||Yes||10||yes|
|IRIX||yes||yes||6.5||5.3, 6.x||no||5.3, 6.2||yes|
|Linux libc**||x86 / Sparc / Most||x86 / Sparc / Most||no||x86 / Sparc / Alpha||no||Yes||x86 / Sparc / Most||yes|
|Linux glibc**||x86 / Sparc / Most||x86/Sparc/Most||no||x86 / Sparc / Alpha||x86 Red Hat 5.x, 6.x||Yes||x86 / Sparc / Most||yes|
|NetBSD||x86 / Sparc / Most||x86 / Sparc / Most||no||x86 1.3.x||no||x86 / Sparc|
|OpenBSD||x86 / Sparc / Most||x86 / Sparc / Most||no||x86 2.x||no|
|SCO||no||no||Openserver 3.2, 5.0||x86 / Sparc|
|Solaris||x86 / Sparc||x86 /Sparc||x86 /Sparc||Sparc 2.x / x86 2.x||no||x86 /Sparc||Sparc 2.x / x86 2.x||x86 / Sparc|
*Apache and OpenSSL support most platforms.
**Linux glibc is Red Hat 5.x and beyond, Slackware 7.0, or basically any modern distribution (I can't think of any current Linux distributions that are not glibc based).
± These software packages are OpenSource, so if your platform is not supported you can port it yourself or pay someone to, chances are an effort is underway
As you can see the most prolific platforms are Linux and Solaris, both of which service their respective markets ver well. Apache has a variety of SSL options, either relying on "free" SSL implementations, like OpenSSL, or commercial ones, like Raven. Apache currently has 50%+ of the non secure server market, so if you are looking for a familiar face Apache with an SSL module, or an Apache derived server (Like Red Hat's, or Stronghold's) are a good bet.
Another major factor in choosing your webserver will be the license, cost and support options available. For many people it is preferable to simply get a quick answer from a support organization rather then spend time trying to figure it out themselves, just as some people will be opposed to anything that is not open source. Luckily the RSA patent has expired in the USA and you can now legally use OpenSource software with OpenSSL without having to disable RSA, use RSAREF (a broken implementation) or paying RSA for a license.
|Apache-SSL||BSD style||Free||No vendor, so support is limited to third party organizations and other online (mailing lists, newsgroups, IRC, etc.) support options|
|Apache mod-ssl||BSD style||Free||No vendor, so support is limited to third party organizations and other online (mailing lists, newsgroups, IRC, etc.) support options|
|Netscape Enterprise 4.0SP2||Commercial||?????||Vendor support|
|Raven||Commercial||$357 USD||Vendor support, and since it is Apache based the usual online support options are available (mailing lists, newsgroups, IRC, etc.)|
|Red Hat Secure Server||Commercial||$149.95 USD||Vendor support, and since it is Apache based the usual online support options are available (mailing lists, newsgroups, IRC, etc.)|
|Roxen||GPL (however additional server add-ons are not)||Free||Vendor support|
|Stronghold||Commercial||$995||Vendor support, and since it is Apache based the usual online support options are available (mailing lists, newsgroups, IRC, etc.)|
|Zeus||Commercial||$1699 USD||Vendor support|
The various secure web servers can be broadly broken into two categories, those based on Apache, and those that are not. The Apache based servers tend to be somewhat barebones, with no fancy web based GUI's for setup and management of servers, which some people dislike in any case. On advantage is the sheer number of non secure Apache www sites have resulted in a large number of people that are very proficient with Apache, so finding online support is less difficult then one would think, however if it is a secure server issue as opposed to a generic Apache issue, finding support will be somewhat more difficult. Another decision is to use an OpenSource server (such as Apache or Roxen) or a closed source, there are arguments both ways, but ultimately it will be more of a political issue then anything else in most cases. Another issue is the use of hardware cryptographic accelerators. These range from a plug in PCI card to a full blown network appliance you plug in between the www server and the internet. Depending on the cryptographic accelerator you buy you may not even need a secure www server (this generally is only for the high end network appliances).
There is no overall "best" www server even just taking availability issues into account. Various servers are appropriate for various situations. In the following articles and product reviews I will attempt to cover the major areas of www server considerations such as configuration, features, security, flexibility, scalability, and so on. Next week I'll be covering smart cards (which tie in nicely to secure web serving), the week after that we'll start comparing features of the various www server products.
Last month I started the web server round up, and unfortunately it looks like I bit off a lot more then I can chew. Properly testing each web server takes a lot of time (10-30 hours), and that doesn't include any time to actually write about the results. Well I've finally worked my way through most of the servers, and it's been interesting. A web server isn't any good if you can't get it installed properly, configured properly, or if it simply does not posses the feature set you require. The majority of these products do allow you to download demonstration versions (or are completely free in some cases), I would advise trying them out first to make sure you end up with the one you want (in other words don't believe everything you read, including this =).
This is an obvious choice for the first thing to cover, if you can't get the server installed properly it's probably not going to do you much good. In some cases the installation required compiling of software components, but the majority of the commercial products that are OpenSource (and partially or completely available as source code) came in binary format, easing installation. Where possible I used binary installations, as this is what the majority of users will opt to do (I have nothing against compiling personally, but most people will take the path of least resistance, myself included). For the "free" SSL based server that use OpenSSL you also have to compile or find a binary of OpenSSL, so I included that in the process where it was required. In all cases I would recommend getting the most recent version, they will contain any needed bug fixes, and any installation/compiling problems that exist in older ones have probably been fixed. All my installations were done on a stock Red Hat 6.1 box, and in no case did I hit any significant difficulties, in most cases the installs took less then 5 minutes.
The next big item on the road to "getting it to work". All but one of the Apache based servers don't have any significant improvements (i.e. any tools for configuration), which shouldn't be a problem for most administrators, but for maintaining many sites automated tools and templates are useful. In addition to this is the degree of detail allowed, can you easily set one virtual site to have access to Java servlets, and no others sites for example? If you plan to host more then one site chances are you will find yourself wanting a high degree of control over who gets access to what, especially if you charge people for features (think virtual web hosting).
|Server||Compiling||Configuration||Granularity of Configuration|
|Apache-SSL||OpenSSL takes a while to compile (also available in binary formats for RedHat, etc.), I personally have not had OpenSSL give me any trouble. Apache-SSL is a simple patch to the Apache source code, and it never gave me any problems as well.||Default Apache style, edit the config file(s) by hand. There are automated tools but many of them do a poor job on the server server configs.||Some functionality but you cannot for example restrict things like who gets access to various services such as authentication or Java servlets very easily, some control given by the access configurations, but more control would be nice.|
|Apache mod-ssl||OpenSSL takes a while to compile (also available in binary formats for RedHat, etc.), I personally have not had OpenSSL give me any trouble. Apache mode-ssl is a bit more tricky then installing Apache-SSL, but assuming your platform is reasonably sane you shouldn't have any real problems.||Default Apache style, edit the config file(s) by hand. There are automated tools but many of them do a poor job on the server server configs.||Some functionality but you cannot for example restrict things like who gets access to various services such as authentication or Java servlets very easily, some control given by the access configurations, but more control would be nice.|
|Netscape Enterprise||Binary only installation (proprietary package), installs to a self contained directory, asks a few simple questions that setup the www based config.||Really nice www interface, cleanly laid out, very easy to use, Netscape put a lot of work into it.||High granularity, relatively easy to use. The only product that had an obvious method to setting the encryption strength required to access the server (very nice feature).|
|Raven||Run the install script and stand back, there's not much to do.||Default Apache style, edit the config file(s) by hand. There are automated tools but many of them do a poor job on the server server configs.||Some functionality but you cannot for example restrict things like who gets access to various services such as authentication or Java servlets very easily, some control given by the access configurations, but more control would be nice.|
|Red Hat Secure Server||This product is designed for Red hat Linux, and installing it is extremely simple (rpm -Uvh). Please note you do need Red Hat 6.x for the latest version of Red hat Secure Server.|
|Roxen||Available as source and binary, the binary package installs painlessly into a self contained directory, asks a variety of simple questions that setup the www based config.||Really nice www interface, a bit quirky, but easy to learn.||High granularity, relatively easy to use. You can easily grant certain sites access to items like www-auth, or restrict them from using them.|
|Stronghold||Stronghold has a very nice install script that installs itself to a self contained directory, asks a variety of easy to answer questions and walks you through setup of your first secure host.||Default Apache style, edit the config file(s) by hand. Initial setup of one site handled during install by prompting user with questions.|
|Zeus||Binary only installation (proprietary package), installs to a self contained directory, asks a few simple questions that setup the www based config.||One of the best www interfaces to a piece of software I have seen, allows you to control multiple Zeus servers, group multiple sites into standard configurations (like allow Java or not).||High granularity, extremely easy to use. Unlike Roxen it scales well to, you can create groups of servers with common config files (i.e. access to FrontPage extensions, but not Java servlets), reduces mistakes significantly.|
This is one area where most people exhibit interest, in all honesty most of these web servers do a pretty fair job of serving data, they are all pretty stable (almost all the above products are used at a variety of large sites). All the servers provide a certain baseline of functionality, they can server static documents, a variety of dynamic documents (such as server side includes), they have a CGI interface (so you can tie programs into your site), and so on. One major feature more and more sites (especially sites doing virtual hosting) are using is FrontPage extensions, which are full of security holes under UNIX and not really recommended (the vendor that wrote the FrontPage extensions for UNIX has a less then stellar track record security wise). One way around this is to use Samba to share out the www files selectively to clients (the username and password can be encrypted, the data is not, so it isn't any worse from a security point of view then FrontPage extensions are), however it does not allow them to make use of some of FrontPages more advanced features. I actually started an HTML table with a listing of all the important features, but in almost all cases all the servers supported the features listed, so it struck me as rather pointless. The Zeus, Roxen and Netscape Enterprise web servers do have some additional features not currently available in Apache, Roxen for example has RXML, a server side scripting language that allows for dynamic content (similar to PHP).
As with any products chances are at some point you will need assistance with it. When that time comes you will need to find help, if you're lucky it will be covered in the documentation. The Apache based products of course are the best documented, there are many books available, and the apache web site which has pretty much full documentation on the server itself (although some of the SSL directives are not covered or are different). All the vendors support their own products, and several will probably support Apache-SSL, and Apache mod-ssl if you pay them (since in some cases the commercial products makes use of the same OpenSSL that the two free ones do). There is a definite advantage to choose an Apache based product, with over 50% of the non-secure market, finding a competent Apache administrator or support organization is not to difficult.
|Server||Online documentation and help||Vendor / Commercial support|
|Apache-SSL||Yes, http://www.apache.org/, help is also available by a variety of mailing lists, www boards and IRC.||Some commercial support available|
|Apache mod-ssl||Yes, http://www.apache.org/, help is also available by a variety of mailing lists, www boards and IRC.||Some commercial support available|
|Netscape Enterprise||Yes, http://www.netscape.com/, help is also available by a variety of mailing lists, www boards and IRC, product ships with excellent context sensitive help.||Various vendor support options available|
|Raven||Yes, http://www.apache.org/, help is also available by a variety of mailing lists, www boards and IRC.||Various vendor support options available, they also support Apache|
|Red Hat Secure Server||Various vendor support options available, they also support Apache|
|Roxen||Extensive documentation at http://www.roxen.com/, product ships with excellent context sensitive help.||Various vendor support options available|
|Stronghold||Various vendor support options available|
|Zeus||Extensive documentation at http://www.zeustechnology.com/||Various vendor support options available|
For the cost conscious, especially if only running one or two sites, an Apache based solution is ideal. For high volume web serving, or serving many sites with similar configurations Apache also works very well, but you will need to apply a lot of elbow grease in administration and maintenance (basically you will probably want to write scripts and other automation tools to assist you). The Apache based servers are in some ways the simplest to configure (one nicely commented text file), and the easiest to find support for online (there are many books devoted to Apache) as well as being very cheap (ranging from free to $160 USD, $357 USD and up). If you want something with a few more bells and whistles, and a nice www interface Roxen is the next logical step, Roxen is OpenSource and free (for the basic server), however you cannot yet use it legally in the US (due to the RSA patent). If you're willing to spend the money then Roxen probably wins for sheer number of features and add-ons (but $11,800 USD might be seen as a bit pricey for many people). If you don't mind spending money, and want to get an extremely high performance server then Zeus is the ticket (every single web record I have seen uses Zeus). Zeus has the best configuration interface I have seen, allowing you to manage multiple servers, multiple sites, and it scales well. Netscape seems like a very popular secure web server for major sites, it has great java servlet support, and a wonderful www interface, making it very simple to setup and maintain. They are all very good server products, if used in the right environment and administered properly (unfortunately there is no way around that yet). Fortunately with almost all the products you can get evaluation versions, so try before you commit to a web server, and make sure it supports features you think you might need in the future (because chances are you will need them).
Last updated 4/10/2001
Copyright Kurt Seifried 2001