Chapter 23: Running a Linux, Apache, MySQL, and PHP (LAMP) Server

During connection establishment between an SSL client and an SSL server, asymmetric (public key) cryptography is used to verify identities and establish the session parameters and the session key. A symmetric encryption algorithm, such as DES or RC4, is then used with the negotiated key to encrypt the data that are transmitted during the session. The use of asymmetric encryption during the handshaking phase allows safe communication without the use of a preshared key, and the symmetric encryption is faster and more practical for use on the session data.

In order for the client to verify the identity of the server, the server must have a previously generated private key, as well as a certificate containing the public key and information about the server. This certificate must be verifiable using a public key that is known to the client.

In some cases, the server also requires the client to present a certificate that it can verify. However, this is not commonly found on Web servers, except in high-security environments with smaller numbers of clients, where the management of certificates is more practical. More information about the SSL protocol can be found at http://developer.netscape.com/docs/manuals/security/sslin/contents.htm.

Certificates are generally digitally signed by a third-party certificate authority (CA) that has verified the identity of the requester and the validity of the request to have the certificate signed. In most cases, the CA is a company that has made arrangements with the Web browser vendor to have its own certificate installed and trusted by default client installations. The CA then charges the server operator for its services.

Commercial certificate authorities vary in price, features, and browser support, but remember that price is not always an indication of quality. Some common ones include InstantSSL (www.instantssl.com), Thawte (www.thawte.com), and VeriSign (www.verisign.com).
You also have the option of creating self-signed certificates, although these should only be used for testing or when a very small number of people will be accessing your server and you do not plan to have certificates on multiple machines. Directions for generating a self-signed certificate are included in the following section.

The last option is to run your own certificate authority. This is probably only practical if you have a small number of expected users and the means to distribute your CA certificate to them (including assisting them with installing it in their browsers). The process for creating a CA is too elaborate to cover in this book but is a worthwhile alternative to generating self-signed certificates. Guides on running your own CA can be found at these sites:

http://pseudonym.org/ssl/ssl_cook.html
http://sial.org/howto/openssl/ca/
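As an added example (not from the book) that ties the points above together, the shell session below uses the openssl command line to create a tiny private CA, issue a server certificate signed by it, and generate a self-signed certificate, then runs the same verification step a client performs to show which certificates a client that trusts only the CA will accept. The CA name, hostname and file names are constructed for the demonstration; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not the book's own code. Demonstrates why a certificate must be
# verifiable with a public key the client already trusts. Assumes openssl is installed;
# all subject names and file names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

build_demo_pki() {
    cd "$WORK"
    # 1. The CA: a private key and a self-signed CA certificate. The CA certificate is
    #    the "public key known to the client" that every later check depends on.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.crt \
        -subj "/CN=Example Private CA" 2>/dev/null
    # 2. The server: its own private key plus a certificate signing request (CSR).
    openssl req -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr \
        -subj "/CN=www.example.test" 2>/dev/null
    # 3. The CA signs the request, producing the server certificate a browser would see.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 90 -out server.crt 2>/dev/null
    # 4. For comparison, a self-signed server certificate: nobody else vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout selfsigned.key -out selfsigned.crt \
        -subj "/CN=www.example.test" 2>/dev/null
}

# verify_cert CERT TRUSTED_CA: exit status 0 if CERT chains to TRUSTED_CA, non-zero
# otherwise. This is the check a client performs against its bundled CA store.
verify_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

build_demo_pki
for c in server.crt selfsigned.crt; do
    if verify_cert "$WORK/$c" "$WORK/ca.crt"; then
        echo "$c: accepted by a client that trusts ca.crt"
    else
        echo "$c: rejected by a client that trusts ca.crt"
    fi
done
```

The self-signed certificate is only accepted when the client has been given that exact certificate as a trusted CA, which is the distribution problem the text describes for both self-signed certificates and a private CA.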