Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Apache Software

Commercial use of Apache and SSL 78

Posted by jimjag from the Shhh-I'm-sending-a-secret dept.
The Apache section of Slashdot is also a good place to ask questions regarding Apache and web servers in general (rather than Ask Slashdot). To start us off, here is a question concerning the "cheapest" way of implementing a SSL-capable version of Apache. Of course, you should also consider the legal aspects as well, which is why the commercial products are so attractive for US users:

jballagh writes "I use apache and need SSL for a potential customer's site. What is the cheapest way of doing this in the US? I have looked at Apache-SSL, mod-ssl, and some commercial packages. If possible I would like to license the appropriate RSA algorithms for use with Apache-SSL, or mod-ssl. Has anyone done this? Is it worth the bother compared to buying a commercial package? "

This discussion has been archived. No new comments can be posted.

Commercial use of Apache and SSL More

Commercial use of Apache and SSL

Comments Filter:
  • I live in Australia, and I had to use SSL on Apache. I decided to get Apache-SSL, but, oh, how to get 128-bit ? ftp.replay.com offers great archives of everything encrypted, and, since they're in the Netherlands, it's not illegal to export - just illegal out of the US. I thought that was pretty cool - and, BTW, mod_ssl was really cool and very easy to configure !! All you have to do is download openssl, apache, and then mod_ssl off replay.com and bang! fast, easy SSL =) d (BTW : I'm not in any way associated with replay.com, nor is anyone I know. Same with mod_ssl)


    -
  • It looks like the took apache and spiffied it up. Some of nicer new features (besides SSL) are:

    "
    Remote Configuration: a browser-based configuration tool to allo[w manipulation of the server configuration via a GUI.

    Machine Translation Support: This new function, when used with an available IBM Machine Translation Engine, enables the IBM HTTP Server to translate English Web pages into other languages without human intervention. This permits a Web site visitor to read the page in his native language, effectively broadening the reach of your Web site. IBM Machine Translation Engines are included in the WebSphere Application Server 3.0 and include: German, Simplified Chinese and Traditional Chinese. Additional languages will be available in the future.
    "

  • raven (Score:1)

    by rark ( 15224 )
    A year and a half ago I spent some time researching the least expensive licensing for SSL with Apache for a webserver running approximately 80-128 sites, and it came out that at that time, for that setup that Raven "/A> was the best option. This may well have changed, as it looks like they've raised their prices, and it depends largely on how many customers you have, because of licensing fees and such. It's probably worth a look, though. [covalent.net]

  • Get Stronghold.
    Doesn't answer the question, which was how to set up a secure server inexpensively. Stronghold costs way too much.

    When the RSA patent expires next year, it will be nice to see these people have to drop their prices to a sane level.

  • RSA lost their patent on the encryption about a month ago I heard.
    Please cite a reference. If such a thing happened, it should have been big news!
  • Will expiration of the RSA patent in 2000 make it free to implement RSA in the US?
    In principle, yes.

    However, Netscape has a patent on SSL. They apparently haven't been trying to force people to license it... yet.

    But what if NetscAOL were to sell the patent to those bastards at RSADI?

  • Why not use IIS (pls no spam :P). I too use linux but have found NT4 with IIS works perfectly as a SSL server - I have a 1000+ user intranet working via SSL and it's perfect - just setup your own CA (for free) and SSL away.
  • i hope you're kidding

    If you mean about the igloo and such, of course I am... I'm from Alberta.

  • We purchased Mandrakes Redhat linux 6.0 (from McMillian publishing)for about $65 at compusa and it includes a single server Advanced Cryptography Licence from RSA. It more than suits our needs, installed fine, and is upgraded with RPMs from webmonkeys extranet server page. Everything instaled great and its is compiled for 686. The apache server is nicely modularized and we get a discount on a thwate cert. look at http://www.netrevolution.com/extranet/ for his latest stuff.
  • It happens. Actually we've observed it happening about 30% of the upgrades we did on our workstations (500+)

    However all hope is not lost. The install creates a directory c:\windows\ws2bakup

    All your old TCP/IP bits(if you're lucky) are there.

    You need to run the ws2backup.exe from windows, and then exit to dos and run it from dos.

    (It puts back registery entries so you need to run it from windows, but tries to replace open DLL's which means you need to run it from DOS)

    Sometimes, it will keep the Winsock2 and runs just fine... sometimes you have to reinstall Winsock2... and sometimes it didn't backup the files and you have to manually re-install everything.


    Good Luck


  • Speaking of Apache and SSL...

    What is the difference between Apache-SSL and mod_ssl? Pros/cons?

    I don't mean to start a religious war; I'm really interested in what the difference is. I have to set up an SSL server soon so I'll need info to decide.

    I'm not in the USA so the RSA patent is a non-issue.


  • Yes, but you would have a license for a product that most likely uses RSA's BSAFE dev kit. You would be running a binary that uses RSA's "RSAREF" encryption. They are not considered the same thing. You cannot license RSAREF from RSA. They won't sell it to you. I tried!
  • i have been sysadmin for quite a few commercial sites which use a similar setup, namely the linux/apache/mod_ssl/openssl combination.

    it works quite well, is 100% free (though you will still need a CA certificate from verisign or thawte or whomever) and is completely legal.

    unfortunately, though, because of the legal restrictions in the USA, there are very few easily implemented ssl packages .. i strongly suggest openssl (formerly SSLeay) used in combination with the standard apache mod_ssl -- for all the info on this, you should definately check out the apache server mod_ssl documentation at http://www.apache.org/related_projects.html#modssl
    which tells you everything you need to know.

    i understand that if my servers were based in the USA, i would have to pay the big bucks for this instead of being able to just download openssl, but i am not american and neither are you, so rejoice !

    at least, i have been able to resist the magnetic pull to "silicon valley" thus far (unlike the majority of my former room-mates) and hopefully i will remain canadian until the RSA patent wears off ! :)

    -abf.

  • Re:The cheepest one is IBM's (Score:1)

    by Anonymous Coward
    How does downloading IBM's "free" version help? Wouldn't you still need to license the RSA patent to use it?
  • My understanding was the SSL did not require any specific encryption algorithm, but was a way to encapsulate any encrypted data - or is it HTTPS that I am thinking of?

    Either way, we don't NEED to use RSA. Can't someone just make a Netscape+Apache support Blowfish or something like that
  • We bought Secure Server a couple of months ago (before 6.1 came out) directly from Redhat. I've also seen it in Borders bookstore. The only problem with buying the Secure Server is that you are limited to upgrading Apache when Redhat releases new versions (which has been, since version 2 came out, never) since they don't release the RPMs or source of the SSL part of the package.
  • They simply will not license RSA to end users.
    A BSAFE development license is more expensive
    than any of the commercial servers. Your cheapest
    approach is Raven or (if you're Linux) RedHat
    Secure Server.

    If your client needs more complete documentation,
    service, and support, get Stronghold.

  • RedHat (Score:4)

    by tgd ( 2822 ) on Monday October 25, 1999 @07:34AM (#1589202)
    RedHat's Professional 6.1 version comes with the RedHat Secure Server, with a license to use it.

    Used to be $99, but I think they bumped it up to $149 recently.

    Still the best deal I've seen.

  • We use Raven (Score:1)

    by Anonymous Coward
    I've also used Apache-SSL. The reason we use Raven is just to avoid the hassle, plain and simple. Apache-SSL and mod_ssl both require you to install and configure a bunch of stuff including the reference RSA library from a while back, and even then it's only legal for non commercial usage. Rather than worry about installing all those packages and possibly breaking the law, we decided it was just simpler to pay for it. With Raven you just execute a script and it's installed. You get free updates almost immediately to new apache releases, and their support is great. I guess it all comes down to whether it's worth the money to avoid the hassle... Their homepage is http://www.covalent.net/
  • You could always move to (or open up an office in) Canada where it's okay to use Apache with mod_ssl/OpenSSL.

    Of course, you'll have to learn to build igloos (since that's what we live in) and you'll also have to buy a snowmobile to get around (or get a dog sled team if you're a traditionalist). :)

  • It may just be my newbie-esque naivete, but I can't understand why a standard such as SSL is based on proprietary software such as RSA.
  • You can find IBM's HTTP Server at http://www-4.ibm.com/software /webservers/httpservers/ [ibm.com]. It is based on Apache and includes SSL support.
  • Download IBM's complementary version of Apache for Linux. It includes IBM's own SSL and a SSL API. It's what they use for their WebSphere product.
    Unfortunately I don't have the URL handy.
  • If you want to run an SSL server for non-commercial purposes, you can compile mod_ssl [modssl.org] linked against rsaref [replay.com]. The rsaref package is not free software--it is licensed for non-commercial use only and has a couple other restrictions. This route is the cheapest way to set up a non-commercial SSL site in the US.

    If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA [rsa.com] (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional [redhat.com]).

    IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.

  • SSL is an "opened" standard, it was developed by Netscape, but they recognised many moons ago that to get wide acceptance you need Open Standards.
    So they told everyone how to do SSL, went through the process and got the standard out there. It's a good standard (in comparison to a lot of stuff on the web) so it won.
    As patent problems go, this is far from the worst: RSA have reasonable terms, the patent runs out soon, and it's not valid in most of the world anyway.

    If SSL had been designed from scratch as an open standard, I'm sure SSL wouldn't include RSA but rather an equivalent but free algorithm. Still, as MPEG members would tell you a non-free standard is better than no standard at all.
  • Good question. I wonder what it would take to get the SSL "standard" (Is that the correct term?) changed to use a non-proprietary encryption scheme? Is SSL (secure HTTP, whatever the right term is) subject to the RFC process?
  • I have yet to look at the licence, so I'm going on an assumption...

    Regardless of the OS, just buy a copy of redhat, keep the license and run apache_ssl. You have the license through redhat for RSA. Unless RSA expects that you run it using a certain license, this should be kosher.

  • Re:The cheepest one is IBM's (Score:4)

    by camattin ( 66581 ) on Monday October 25, 1999 @07:53AM (#1589213)
    http://www.software.ibm.com/webservers/httpservers /

    You need a username/password to download it, but
    they're free.
  • Even if you move to somewhere where it is legal to export SSL, it would still be illegal to sell your product in the US because it would violate RSA's patents. This is a good example of what happens when you base a standard on proprietary algorithms.
  • RSA Security, Inc. vehemently denies the legality of using RSAREF for even non-commercial use (see http://www.mail -archive.com/openssl-users@openssl.org/msg03870.ht ml [mail-archive.com] for a particularly amusing account of one encounter). There is sufficient room for legal wrangling around the term "revenue-generating" in the RSAREF 2.0 license to cause concern for corporate lawyers, it seems.
  • Another nice alternative is Cobalt Networks' SSL server, that as of this morning was still $99. You can order it online over at Cobalt Networks [cobaltnet.com].
  • It would take new releases of the browsers. SSL lets you pick which encryption algorithm you wish to use. If the browsers just picked Diffie-Hellman, then there would be no issue. One good thing to keep in mind is that some of the other RSA algorithms expire in the next few years. This means that you'll no longer have to license this stuff from RSA.
  • This piece should definitely have been posted in the "Ask Slashdot" section because I know that's where I'd look first if I want to come back and refer to it later. Duh!

    PS (off topic, sorry) where's the news about Butler Bloor's Linux v NT test? There's not been a single peep about it on Slashdot and I know at least one person posted about it a few days ago...

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • What if you have the same development kits?

  • TLS (the IETF standard), the slightly modified SSL, does have non-proprietary algorithms. More, it requires implementations to support DSS.

    Good luck in getting a DSS certificate from a CA, however, and you may need to wait a while until browsers reliably support non-RSA keys.

    All in all, it's probably best to pay up for RSA until next September, when the patent expires anyway, IIRC.

  • If I recall, it's free, does 128 bit ssl, is very easy to install/configure, and has a nice web (ssl'd of course) administration interface.

    It also has some decent modules that can be slapped in very easily. and some built in toys for application building (like support for a number of databases out of the box).

    The product is free, but they'll want to try to sell you site developement tools and the like after you've had a chance to use it. It's also written in a strangish language called pike, but you really don't have to deal with it much if at all, and if you're familiar with C, then pike will look very normal to you. Pike is basically C, but in an interpreted form like perl.

    http://www.roxen.com/ [roxen.com]

  • There's no question in my mind that on a high-volume server you'd rather have an ongoing SSH tunnel between the machines using a nice, fast, symmetric key algorithm than force both the mail server and the web server to go through anexpensive public/private key session negotiation every time somebody accesses a piece of mail.

    -Chris
  • so whats the deal?

    if you are in the unpleasant situation of living in a non-free country that doesn't allow you to use RSA encryption on your secure HTTP(S) server, just disable RSA. HTTPS is not depandant on the encryption algorithm and runs just as fine with IDEA, 3DES or blowfish. Of these encryption schemes 3DES is patent free, as secure as 128bit RC4 and implemented by all major browsers.

    here is your cooking receipt for an unencumbered secure http server residing in the US:

    1. dowload openssl, mod_ssl, apache
    2. build & install openssl *without* RSA
    3. patch apache with mod_ssl
    4. build, install & configure apache as usual, enabling mod_ssl
    5. lean back and enjoy
  • Except if you build a browser with such an SSL library that doesn't support RSA, you won't be able to connect to 99% of secure web sites which use RSA certificates and require the algorithm in the client in the SSL handshake.

    So it would be a pretty useless implementation of SSL/TLS today.
  • I recently contacted RSA about this, an internal BSAFE licess (meaning that you can use it within your orgaization) is $50,000 US per year, $100,000 for their SSL library. Needless to say, we went with Raven. I have nothing but good things to say about Raven and Covalent in general.

    So far I have no love for RSA, but doesn't their patent expire soon anyway?
  • I build programs all the time by using the freeware libs. I don't believe in this sort of bullshit therefore I refuse to follow it. I could care less about the law. If the law isn't in the interest of the public, but rather in the interest of the rich and powerful then I despise it and will violate it at will. I strongly suggest everyone who happens to read this will do so as well. By not violating it then you are agreeing to it's legitimacy. Patents on this sort of bullshit are wrong. I don't give a rat's ass if not having patents on this type of stuff "stifles" industry. If it is needed then it will be made regardless. Fuck the law, it's invalid.
  • RSA isn't realy "proprietary" in the true sense of the word. The patent on the RSA algorithm is held by MIT, where it was developed, and licensed exclusively to RSA Security.

    Fortunately, it expires next year, so you can look forward to more open imlementations in the furure.

    Having dealt with RSA on this very topic, all I can say is "Thank God!"

  • OK, I'm confused. Why this distinction on US sites? What's so special about setting up a commercial Apache/SSL site in the US?

    A project I'm involved in will soon need to set up an Apache/SSL server on NetBSD. The site is commercial and located in Norway.

    What are my options? (I want to stay legal of course.)

    Where can I read more about the licensing terms and legalities involved in doing this?

    Gunnar

  • The cobalt secure server is RedHat's secure server compiled for the Cobalt RaQ/Qube systems. We have ran into quite a few problems with SSL because we want to use PHP under SSL, and haven't been able to get Cobalt to release apxs, headers, etc. We ended up just compiling apache w/ mod_ssl (and own a copy of the RSA licensed secure server that cobalt sales).
  • Two things to be aware of with stunnel. (Beyond the legal requirements)

    1: The private key has to be kept in plaintext for it to work. Make sure you use a key that you don't mind changing...

    2: You can't really get a signed key from anyone for stunnel.

    That being said, I haven't yet found an E-Mail client that won't accept a self-signed key. If the PHB's want a chained certificate, I think you're out of luck.

    BTW, any thoughts on how to tunnel IMP via stunnel to access IMAP, or would I be better off to do a SSH tunnel between machines?

    Good Luck

    Dan
  • Actually, I have been told that RSA recently changed its policy and will now issue licenses to individual companies (and other orgs).

    This is hearsay, but I bet you could go to the RSA web site and get the straight poop.

  • Shhhhhhh! (Score:2)

    by jd ( 1658 )
    Didn't you read the licence? *glances round* You've got to be careful, that could be construed as an unauthorised review of their system, which is a licence infringement!
  • Nope, the license doesn't work that way. I sure wish it did.
  • Yes, this is a really cheap deal, plus if you use Red Hat linux, you get a discount certificate at Thawte, which saves you even more $.
  • I applaud your willingness to stand by your principles here, but I can't grasp how abiding by a law implies agreement that it's legitimate. If somebody comes into my crumpet shop and points a gun at my head and a finger at the till, she will certainly leave with all my cash- did my self-preserving actions in such a case imply that I thought she had a legitimate right to my cashbox? Of course not. The gu'ment has a gun at my head, too- the Big House. I don't want to go there and if staying on the outside means walking around with my cryptographic tail between my legs, so be it. Having said that, please let me know your new address if you follow your principles into incarceration, and I'd be happy to send you a box of crumpets... just don't ask me to bake a file into them. That could get me busted!

  • Apache-SSL in the USA (Score:2)

    by Anonymous Coward
    RSA does license RASREF, they just don't like to.

    While doing work-study as an (underpaid!) web administrator at a university, I was given the job of getting a secure web server up and running on a minimal budget. So I built Apache-SSL using SSLeay for our Linux web server. In the process of building SSLeay, of course, I discovered that it wasn't leagal to use in the US because of the patent owned by RSA.

    So I contacted RSA and whined about being at an educational institution on a shoe-string budget, and how we really weren't going to make a multi-million-dollar eToys site or anything, and could we please use RSAREF without paying them. They were annoyed, but they didn't want to waste the time it would take to get me off their backs, so they made me promise that we would never distribute the server, that it would only be installed at our site, etc. and let me go ahead.

    It was a pain to get the permission, and to get all the pieces to compile and link together, and to get a cheap certificate from Thawte and make that work... But in the end, work it did, and we were able to let people send in their confidential financial aid information on a secure socket.

    So was it worth the $100 or $200 we saved? Probably not for anyone but a college student, but then again things may be easier than when I did it (circa 1996).

  • I have been using the Raven module for a year now. And I have to agree with the lack of clear technical writing on their part. It took me awhile to figure out that I could simple compile the module in the same as any other and run it all under once daemon (instead of two).

    Once I got all that straight, I found Raven to be a very good product. You don't have to worry about RSA problems and it is easier to upgrade to the latest Apache. And since I use non-standard modules I find it a plus. Oh yah, and having an intergrated configuration file is really nice too.

    Course I am just getting to play with the Red Hat version now. So far, I don't like it but that is probably because I am cleaning up someone elses mess.

    In my opnion, Raven's only real draw back is price. But compare it to Stronghold and one will have a change of heart.

  • i hope you're kidding.
    either that or american.
    either way you're excused.

  • Just to note, RSA lost their patent on the encryption about a month ago I heard. There should be no reason now to need to legaly pay for it because it is legal not to pay for it.
  • US patent law, pure and simple.

    Until September 2000, RSA is protected by a US patent, which is (it seems) strictly enforced by RSA Inc.

    There's a whole lot of meta-discussion that could take place about the bizarre intricacies of American patent law; in fact, it's all been done here on /. Several times, I'll wager.

    In most of the rest of the world, if you disclose your patent-able process/algorithm/whatever BEFORE you apply for the patent, you won't be granted a patent. Period. In the States, though, you generally have up to a year AFTER you publish, and you'll still get the patent.

    The RSA algorithm was published before the patents were applied for. So, in most of the world, RSA can be used free of legal implications. Not in the US, though.

  • SSL == Secure Sockets Layer(s?)
    This is *not* Secure HTTP. Secure HTTP was a competing spec used by IBM on it's OS/2 web browser for a little while. It completely flopped.
  • The distinction in the US relates entirely to the patents on the RSA algorithm in the US. (I don't believe there is a patent on it anywhere else in the world.)

    Basically, because of this patent, US sites must license the RSA algorithm from RSADSI to use it.
    Anyone outside the US doesn't really need to worry about that, and can use mod_ssl, or any other free variant you want.

Slashdot Top Deals

"When the going gets tough, the tough get empirical." -- Jon Carroll

Close