TCLUG Archive

Apache, ssl & RSADSI patents...
Sandipan and all,

Does the following concur with what you've learned? It looks like I'll
be buying a copy of Red Hat's Secure Server. Anyone running a secure
apache product that can be recompiled?

"What it boils down to is that RSADSI owns patents on the RSA algorithm
that is used for key exchange and certificate signing (they own the
patents on just the mathematical formula, basically -- so this covers any
and all implementations of the RSA algorithm, including OpenSSL's).  There
are ways of doing SSL without using RSA, but browsers don't support them.
The patent is only enforceable in the US, and expires in September 2000.

Therefore, if you want to use SSL in a webserver w/ browser support in
the US before September 2000, for:

1) commercial purposes, you must:
    a) license BSAFE/SSL-C from RSADSI and figure out how to get it to
work with mod_ssl (supposedly people have done this, and reportedly
Preston Brown of Red Hat was possibly going to submit a patch to mod_ssl
which adds this option) -- however, my understanding is that BSAFE is not
cheap.  Note that this means that you're replacing OpenSSL with
BSAFE/SSL-C.
    b) buy a commercial product which includes an RSA license.  Assuming
you want to use Apache, there are 3 that I know of -- Red Hat Secure Web
Server (by far the cheapest); Covalent Raven (middle price); or C2Net's
Stronghold (the most expensive).  These are all Apache + either mod_ssl,
Apache-SSL or some other cryptography module.  The one caveat is that you
have to carefully investigate exactly what you get (in terms of source
and object code).  For example, Red Hat ships Apache with mod_ssl
statically compiled in.  They ship the source for Apache, but since they
can't ship the crypto source or crypto module binary, you can't recompile
the server, EVEN THOUGH THEY PROVIDE THE APACHE SOURCE!!  This is because
of restrictions that their license agreement with RSA contains, and
according to Preston Brown, may change now that mod_ssl has DSO support.
Stronghold used to provide a binary SSL module plus their own patch to
Apache and the sources, which was nice because you could recompile the
server, but you couldn't upgrade the Apache portion separately because
then the Stronghold ssl-specific patch wouldn't apply cleanly.  I'm not
sure that they even provide this much flexibility now, though, since it's
been at least half a year since I checked -- their website doesn't
mention it.  I have no clue what Raven does, though I saw it on the list
recently."