TCLUG Archive

Re: [TCLUG:5987] Apache, ssl & RSADSI patents...

Looks like you have been doing your homework!  Yes, I figured out something
like this. But all I knew was that if I was going to make money out of the
use of the server then I would have to purchase a "licensed" web server.
But I did not quite follow why, which is excellently put, down below.

I was wondering if there are problems in locating a server outside of the
United States while still operating it from here. But I guess the
legalese does probably take care of that.

Thanks Ron!

regards,
sandipan
--

ron parker wrote:
> 
> Sandipan and all,
> 
> Does the following concur with what you've learned? It looks like I'll
> be buying a copy of Red Hat's Secure Server. Anyone running a secure
> apache product that can be recompiled?
> 
> "What it boils down to is that RSADSI owns patents on the RSA algorithm
> that is used for key exchange and certificate signing (they own the
> patents on just the mathematical formula, basically -- so this covers any
> and all implementations of the RSA algorithm, including OpenSSL's).  There
> are ways of doing SSL without using RSA, but browsers don't support them.
> The patent is only enforceable in the US, and expires in September 2000.
> 
> Therefore, if you want to use SSL in a webserver w/ browser support in
> the US before September 2000, for:
> 
> 1) commercial purposes, you must:
>     a) license BSAFE/SSL-C from RSADSI and figure out how to get it to
> work with mod_ssl (supposedly people have done this, and reportedly
> Preston Brown of Red Hat was possibly going to submit a patch to mod_ssl
> which adds this option) -- however, my understanding is that BSAFE is not
> cheap.  Note that this means that you're replacing OpenSSL with
> BSAFE/SSL-C.
>     b) buy a commercial product which includes an RSA license.  Assuming
> you want to use Apache, there are 3 that I know of -- Red Hat Secure Web
> Server (by far the cheapest); Covalent Raven (middle price); or C2Net's
> Stronghold (the most expensive).  These are all Apache + either mod_ssl,
> Apache-SSL or some other cryptography module.  The one caveat is that you
> have to carefully investigate exactly what you get (in terms of source
> and object code).  For example, Red Hat ships Apache with mod_ssl
> statically compiled in.  They ship the source for Apache, but since they
> can't ship the crypto source or crypto module binary, you can't recompile
> the server, EVEN THOUGH THEY PROVIDE THE APACHE SOURCE!!  This is because
> of restrictions that their license agreement with RSA contains, and
> according to Preston Brown, may change now that mod_ssl has DSO support.
> Stronghold used to provide a binary SSL module plus their own patch to
> Apache and the sources, which was nice because you could recompile the
> server, but you couldn't upgrade the Apache portion separately because
> then the Stronghold ssl-specific patch wouldn't apply cleanly.  I'm not
> sure that they even provide this much flexibility now, though, since it's
> been at least half a year since I checked -- their website doesn't
> mention it.  I have no clue what Raven does, though I saw it on the list
> recently."