SSL stands for Secure Socket Layer, a protocol developed by Netsacpe for secure transactions across the Web. SSL uses a form of public key encryption, where the information can be encoded by the browser using a publicly available public key, but can only be decoded by someone who knows the corresponding private key.

The most common ciphers used with SSL are RC2 and RC4. These ciphers use 128-bit keys, which offers a high degree of security. An "export" version of these ciphers is also available; the export versions use 40-bit keys, but are otherwise idential to their equivalent 128-bit versions. Inside the USA a license from RSA is required to use these ciphers.

US Export Restrictions
The US Government imposes export restrictions on arms, in a set of rules called ITAR (International Traffic in Arms Regulations). Among other this, ITAR restricts "strong" encryption software. Software that implements SSL in the US cannot be exported without government approval. Presently, the US Goverment is allowing companies to export encryption with a maximum of a 56-bit key.

Encryption Patents and RSA
Netscape and IE browsers have based their SSL ciphers technology that is patented by RSA Data Security in the US. Use of this technology normally requires a license fee inside the US (non-commercial users users can use a license-free implementation of RSA, called RSAref).

Outside the US, no license fee is required for the use of the RSA methods because they are only patented inside the US and SSLeay (the technology used by most SSL implementations) uses an independant implementation of the cipher algorithms.

Certificates
A server certificate is a digitally-encrypted message that informs the browser what organisation it is accessing. To prevent people from making up certificates and pretending to be official organizations, certificates can be obtained from a certificate authority, who act as a third-party to verify that the organisation using the certificate is who they say they are. Probably the best know authority is Verisign in the US.

Configuration
The Sambar Server can run a Secure Socket Layer (SSL) Server Daemon. This implementation uses DLLs from SSLeay library. SSLeay is a free implementation of the Secure Socket Layer protocol written by Eric Young. The current version of the Sambar Server uses SSLeay DLLs v0.9.0 (10-Apr-1998).

The SSL DLLs are not shipped with the Sambar Server. In order to run in secure mode, the appropriate Sambar Server configuration parameters must be set and the SSLeay DLLs ssleay32.dll and libeay32.dll must be placed in the bin directory where the Sambar Server is installed. If these DLLs are not present, the server will fail to startup.

In order to initiatine a SSL-connection, the secure server must have a certificate (see Verisign Information Desk and RSA FAQ on Cryptography for more informat). The Sambar Server does not currently provide client-certificate verifications.

The first step of running the Sambar SSL Server is to generate a Private Key. For that, feed a file of random text (randfile) to the key generation routine provided with the SSLeay libary.

To generate a key, type:

ssleay genrsa -rand randfile -out key.pem 1024

This command sequence will generate a 1024-bit RSA private key and store it in the file key.pem. This key file should be placed in the config directory of the Sambar Server. The key should look like:

-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
-----END RSA PRIVATE KEY-----

Obtaining a certificate (Digital ID)

Next you must generate a Certificate Signing Request (CSR). The CSR is what contains the name information for the certificate (Country, State/Province, City, Organization, Division, Web Server Domain Name, etc). It also contains your public key.

The formats of certificate and CSR used by the Sambar Server are the same as those used by Apache-SSL (both servers use SSLeay for their SSL implementations). CSR should be sent for verification to Certificate Authority (CA) e.g. Verisign (www.verisign.com) or Thawte (www.thawte.com).

To generate your CSR, run:

ssleay req -new -key key.pem -out req.pem -config ssleay.cnf

This command sequence will prompt you for the attributes of your certificate. Remember to give the secure server domain name when you would be prompted for "Common Name".

The request should look like:

-----BEGIN CERTIFICATE REQUEST-----
MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa
MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0
2NNtXrT8odkCAwEAATANBgkqhkiG9w0BAQQFAANBAC5JBTeji7RosqMaUIDzIW13
oO6+kPhx9fXSpMFHIsY3aH92Milkov/2A4SuZTcnv/P6+8klmS0EaiUKcRzak4E=
-----END CERTIFICATE REQUEST-----

You will now have a private key file (key.pem) and a CSR file (cert.pem). Finally, send the req.pem file to the Certificate Authority (i.e. Verisign or Thawte).

Upon reception of a signed certificate from CA, name the certification cert.pem and place it in the config directory along with the key.pem file.

The certificate should look like:

-----BEGIN CERTIFICATE-----                                     
MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh
8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA==                
-----END CERTIFICATE-----                                       

You can also generate a temporary (untrusted) test certificate by running:

ssleay req -new -key key.pem -out cert.pem -x509 -config ssleay.cnf

There is also a good temporary untrusted test certificate generator at Cryptsoft.com. For internal corporate use, you might want to get a free trial certificate server from Verisign (choose Apache-SSL) or from Thawte (chose Generate an X.509v3 certificate & Use the most basic format).