Forum OpenACS Q&A: Secure Server

Posted by Luis Garcia on
I am a novice in this area of servers and web sites. So, I have a few
questions regarding security that may be trivial for somebody else. I
want to install a secure server with my OpenACS to process credit
cards, etc. I was wondering if the server we install with OpenACS
(AOLserver) already has this feature. If it doesn't, the only secure
server I have found that is open source is the one Apache has. I was
wondering if I can integrate OpenACS with this other server. The
second question is whether I should install both pieces of software on
the same machine or whether I would have to have two boxes, one for each server.
Thanks
2: Response to Secure Server (response to 1)
Posted by S. Y. on

Take a look at this thread first.

Basically, there are several ways to get HTTPS on AOLserver.

  • You can use the 40-bit "export grade" nsssle.so SSLv2 module available in some AOLserver binary distributions
  • You can compile your own 128-bit nsssl.so SSLv2 module with the expensive RSA BSAFE Crypto-C libraries; look in the nssock source directory and read the source, documentation, etc. Compiling it is pretty straightforward.
  • You can compile Scott Goodwin's open source nsopenssl.so SSLv2/SSLv3/TLSv1 module based on the open source SSL SDK from OpenSSL.

I don't know whether or not you can use OpenACS with two different servers (e.g., AOLserver and Apache-SSL) or whether or not you want to use two different machines. Hopefully someone else will answer that.

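As an added example (not part of this thread, and not code from AOLserver or nsopenssl): the choice S. Y. lays out above comes down to two policy questions, whether the server still offers 40-bit "export grade" suites and which protocol versions it will negotiate. The small audit below expresses both checks against Python's standard `ssl` module. The legacy suite entries are constructed to mimic what `SSLContext.get_ciphers()` returns, because current OpenSSL builds no longer ship SSLv2 or export suites at all; `hardened_context()` and `weak_context()` are hypothetical helpers that build a passing and a failing configuration so the checks can be seen firing.

```python
import ssl

# The "128-bit" tier the thread contrasts with the 40-bit export module.
MIN_STRENGTH_BITS = 128
# SSLv2/SSLv3 are broken and TLS 1.0/1.1 are deprecated, so TLS 1.2 is the floor.
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2

# Constructed entries (assumption: same shape as ssl.SSLContext.get_ciphers()),
# standing in for suites an old 40-bit/SSLv2 module would have offered.
LEGACY_SUITES = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 128},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56, "alg_bits": 56},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128, "alg_bits": 128},
]


def audit_cipher_policy(ciphers):
    """Return (suite name, reason) findings for a list of cipher dicts.

    Only effective key strength and the export marker are judged here. The
    'protocol' field records the version a suite was introduced in (many
    still-acceptable suites say 'SSLv3'), not what the server will negotiate,
    so the protocol floor is checked on the context instead.
    """
    findings = []
    for suite in ciphers:
        name = suite["name"]
        bits = suite.get("strength_bits", 0)
        if bits < MIN_STRENGTH_BITS:
            findings.append(
                (name, f"effective key strength {bits} bits, below {MIN_STRENGTH_BITS}")
            )
        if name.startswith("EXP"):
            findings.append((name, "export-grade suite"))
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext: its enabled suites and its protocol floor."""
    findings = audit_cipher_policy(ctx.get_ciphers())
    if ctx.minimum_version < MIN_PROTOCOL:
        findings.append(
            ("(context)",
             f"minimum protocol version {ctx.minimum_version.name} is below {MIN_PROTOCOL.name}")
        )
    return findings


def hardened_context():
    """Hypothetical helper: a context that should pass the audit on current OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_PROTOCOL
    # Drop anonymous, MD5, RC4 and 3DES suites; what remains is 128-bit or better.
    ctx.set_ciphers("HIGH:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_context():
    """Hypothetical helper: same suites, but the protocol floor left at the library minimum."""
    ctx = hardened_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for label, result in [
        ("constructed legacy suites", audit_cipher_policy(LEGACY_SUITES)),
        ("hardened context", audit_context(hardened_context())),
        ("weak context", audit_context(weak_context())),
    ]:
        print(f"{label}: {'OK' if not result else ''}")
        for name, reason in result:
            print(f"  {name}: {reason}")
```

The cipher-level check alone is not enough: a suite list can look fine while the context still permits an SSLv3 or TLS 1.0 handshake, which is why the protocol floor is read from the context rather than inferred from the per-suite `protocol` field.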
3: Response to Secure Server (response to 1)
Posted by Jonathan Marsden on
If you really wanted, you could run Apache on port 80, and use mod_rewrite to redirect incoming HTTPS requests to http on some other port.  On the same machine, or on a second machine.

But there's really no need to do that sort of thing; Scott's openssl-based module should do exactly what is wanted, with less complexity and more efficiency.

4: Response to Secure Server (response to 1)
Posted by Jun Yamog on
Hi Luis,

We have used ScottG's nsopenssl for a couple of production sites.  We
are happy with it.  It is reasonably secure.  Also, with regard to
security, I think you should concentrate on hardening your
box.  It's a little harder to break an SSL connection and sniff out the
credit card transmission than to exploit a known vulnerability in your box.
An intruder would likely take the latter path, then try to get
hold of the database.  If you are running ACS/OpenACS 3.x then all he
needs is to get into the ec_creditcards table.

A good example is if you are running ACS, which runs on Oracle.  Oracle
8 has a known exploit on the listener.  A successful buffer overflow
and executing a shell will make you the Oracle DBA.  You now have easy
access to the ACS database.