TCLUG Archive
Re: [TCLUG:5987] Apache, ssl & RSADSI patents...
Looks like you have been doing your homework! Yes, I figured out something like this. But all I knew was that if I was going to make money out of the use of the server then I would have to purchase a "licensed" web server. But I did not quite follow why, which is excellently put down below.

I was wondering if there are problems in locating a server outside of the United States while still operating it from here. But I guess the legalese does probably take care of that.

Thanks Ron!

regards,
sandipan
--
ron parker wrote:
>
> Sandipan and all,
>
> Does the following concur with what you've learned? It looks like I'll be buying a copy of Red Hat's Secure Server. Anyone running a secure apache product that can be recompiled?
>
> "What it boils down to is that RSADSI owns patents on the RSA algorithm that is used for key exchange and certificate signing (they own the patents on just the mathematical formula, basically -- so this covers any and all implementations of the RSA algorithm, including OpenSSL's). There are ways of doing SSL without using RSA, but browsers don't support them. The patent is only enforceable in the US, and expires in September 2000.
>
> Therefore, if you want to use SSL in a webserver w/ browser support in the US before September 2000, for:
>
> 1) commercial purposes, you must:
>
> a) license BSAFE/SSL-C from RSADSI and figure out how to get it to work with mod_ssl (supposedly people have done this, and reportedly Preston Brown of Red Hat was possibly going to submit a patch to mod_ssl which adds this option) -- however, my understanding is that BSAFE is not cheap. Note that this means that you're replacing OpenSSL with BSAFE/SSL-C.
>
> b) buy a commercial product which includes an RSA license. Assuming you want to use Apache, there are 3 that I know of -- Red Hat Secure Web Server (by far the cheapest); Covalent Raven (middle price); or C2Net's Stronghold (the most expensive). These are all Apache + either mod_ssl, Apache-SSL or some other cryptography module. The one caveat is that you have to carefully investigate exactly what you get (in terms of source and object code). For example, Red Hat ships Apache with mod_ssl statically compiled in. They ship the source for Apache, but since they can't ship the crypto source or crypto module binary, you can't recompile the server, EVEN THOUGH THEY PROVIDE THE APACHE SOURCE!! This is because of restrictions that their license agreement with RSA contains, and according to Preston Brown, may change now that mod_ssl has DSO support. Stronghold used to provide a binary SSL module plus their own patch to Apache and the sources, which was nice because you could recompile the server, but you couldn't upgrade the Apache portion separately because then the Stronghold ssl-specific patch wouldn't apply cleanly. I'm not sure that they even provide this much flexibility now, though, since it's been at least half a year since I checked -- their website doesn't mention it. I have no clue what Raven does, though I saw it on the list recently."