Kbase 18265: Using SSL with WebSpeed 2.1
Author |
  Progress Software Corporation - Progress |
Access |
  Public |
Published |
  24/09/1998 |
Using SSL with WebSpeed 2.1
INTRODUCTION:
=============
The purpose of this kbase is to discuss issues that may arise
when using WebSpeed 2.1 with SSL (Secure Sockets Layer). It
will not discuss ways in which you can secure your web site,
as this is already covered in a whitepaper on
http://developer.webspeed.com. It will not discuss how to
configure SSL on your web server, as this is covered in the
documentation that came with your web server.
WHAT IS SSL?
============
SSL (Secure Sockets Layer) is a protocol originally developed by
Netscape to provide secure communications across the WWW. In a
very simple view, it provides encryption and decryption of data being
sent between web servers and browsers. For more information on
SSL, see http://home.netscape.com/newsref/std/SSL.html. For the
purposes of this discussion, it is important to remember that
SSL operates between the web browser and the web server. The web
browser and web server are responsible for the encryption and
decryption of the data.
HOW DOES SSL AFFECT WEBSPEED?
=============================
In theory, WebSpeed and SSL do not affect each other. The reason
is where the two operate. SSL is a protocol that operates between
the web server and the web browser. WebSpeed runs on the other
side of the web server. The diagram shows the components in a
simple view.

+---------+               +--------------+
|   web   |   encrypted   |     web      |  normal  +----------+
| browser |A|-------------|B| server |CGI|----------| WebSpeed |
+---------+     data      +--------------+   data   +----------+

SSL operates between A (on the browser side) and B (on the server
side). When data is sent from the browser to the server, the data
is encrypted at point A. Once the encrypted data reaches the web
server, it is decrypted at B for processing by the web server.
Beyond the web server, this data is passed to WebSpeed via CGI
(or the WSNSA/WSISA messengers). By the time the data leaves the
web server, it has been decrypted, so the link between the web
server and WebSpeed carries normal (unencrypted) data.
WebSpeed only ever creates HTML/HTTP data for the web server to
transfer back to the client. By the time the agent has finished
running the program, it has generated HTML/HTTP data to be sent
back to the web server, then the client. It is then up to the web
server to encrypt this data again, if it is going via SSL.
From this example, it can be seen that SSL and WebSpeed are,
in theory, independent. Hence, SSL and WebSpeed should have no
effect on each other.
In practice, this might be slightly different. Recall that WebSpeed
complies with the CGI 1.1 specification (for information on the
CGI 1.1 specification, see http://hoohoo.ncsa.uiuc.edu/cgi/env.html).
With CGI, information is transferred from the web server to the
program on the server machine via environment variables. The CGI 1.1
specification defines a finite set of variables with which to
communicate with the web server. Because WebSpeed 2.1 is CGI 1.1
compliant, it will correctly handle all CGI variables that are
defined in the CGI 1.1 specification.
However, some versions of web servers might provide a higher level of
CGI. Within the CGI environment (using the CGI messenger), there may
be other CGI environment variables that are created by the web
server. Typically, some web servers provide some SSL-related
environment variables that the CGI program could interrogate. In
addition to this, other web server vendors have provided "extra"
CGI environment variables that do not meet the CGI spec.
If you reference environment variables in your WebSpeed code that are
not part of the CGI 1.1 specification, then WebSpeed may or may not
work as expected. Also note that these environment variables may or
may not be available from different web servers, meaning your
application is not portable. WebSpeed is only certified to CGI 1.1,
so this is NOT a WebSpeed bug. The same holds true for the WSNSA
and WSISA messengers. These messengers will only make available to
the agent the values that meet the CGI 1.1 specification.
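
An added example (not Progress code, and written in Python rather than
SpeedScript) of the point above: list the variables an application
reads that fall outside the CGI 1.1 set, and fail closed when a
vendor SSL indicator is absent. The HTTPS and SSL_CIPHER names, the
sample environments and all function names are assumptions for
illustration; your web server's documentation says what it really sets.

```python
# Added example; HTTPS / SSL_CIPHER and all function names are assumptions.

# Request variables defined by the NCSA CGI/1.1 specification.
CGI_1_1 = frozenset({
    "SERVER_SOFTWARE", "SERVER_NAME", "GATEWAY_INTERFACE",
    "SERVER_PROTOCOL", "SERVER_PORT", "REQUEST_METHOD", "PATH_INFO",
    "PATH_TRANSLATED", "SCRIPT_NAME", "QUERY_STRING", "REMOTE_HOST",
    "REMOTE_ADDR", "AUTH_TYPE", "REMOTE_USER", "REMOTE_IDENT",
    "CONTENT_TYPE", "CONTENT_LENGTH",
})

def is_cgi_1_1(name):
    """True for a spec-defined variable or a forwarded HTTP_* request header."""
    return name in CGI_1_1 or name.startswith("HTTP_")

def non_portable(referenced):
    """Names an application reads that the CGI 1.1 spec does not guarantee."""
    return sorted(n for n in referenced if not is_cgi_1_1(n))

def ssl_state(env):
    """Return 'on', 'off', or 'unknown' when no SSL variable is exposed.

    HTTPS is a vendor extension (assumed here to hold "on" or "off").
    """
    value = env.get("HTTPS")
    if value is None:
        return "unknown"
    return "on" if value.lower() == "on" else "off"

def allow_sensitive_page(env):
    """Fail closed: serve only when the server positively reports SSL."""
    return ssl_state(env) == "on"

# Constructed sample environments (not captured from a real server).
SERVER_WITH_EXTENSIONS = {"REQUEST_METHOD": "GET", "SERVER_PORT": "443",
                          "HTTP_USER_AGENT": "Mozilla/4.0",
                          "HTTPS": "on", "SSL_CIPHER": "RC4-MD5"}
SPEC_ONLY_MESSENGER = {"REQUEST_METHOD": "GET", "SERVER_PORT": "443",
                       "HTTP_USER_AGENT": "Mozilla/4.0"}

if __name__ == "__main__":
    for label, env in (("extended", SERVER_WITH_EXTENSIONS),
                       ("spec-only", SPEC_ONLY_MESSENGER)):
        print(label, non_portable(env), ssl_state(env),
              allow_sensitive_page(env))
```

With the spec-only environment the SSL state is "unknown" and the
sensitive page is refused, which is the safe outcome when a variable
the code depends on is not passed through.
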
Given this information, WebSpeed Transaction Server in WebSpeed 2.1
can run with SSL.
REFERENCES TO WRITTEN DOCUMENTATION:
====================================
For SSL: http://home.netscape.com/newsref/std/SSL.html
For CGI: http://hoohoo.ncsa.uiuc.edu/cgi/env.html
Doc provided with your web server
gih 23/09/98 (-d dmy)