Commercial use of Apache and SSL
The Apache section of Slashdot is also a good place to ask questions regarding Apache and web servers in general (rather than Ask Slashdot). To start us off, here is a question concerning the "cheapest" way of implementing an SSL-capable version of Apache. Of course, you should also consider the legal aspects, which is why the commercial products are so attractive for US users:
jballagh writes "I use apache and need SSL for a potential customer's site. What is the cheapest way of doing this in the US? I have looked at Apache-SSL, mod-ssl, and some commercial packages. If possible I would like to license the appropriate RSA algorithms for use with Apache-SSL, or mod-ssl. Has anyone done this? Is it worth the bother compared to buying a commercial package? "
Just download the demo. It comes with a preinstalled certificate. You will see how easy it is to use it by itself. As for the people concerned for support, they are going 24/7 this month.
I live in Australia, and I had to use SSL on Apache. I decided to get Apache-SSL, but, oh, how to get 128-bit? ftp.replay.com offers great archives of everything encrypted, and, since they're in the Netherlands, it's not illegal to export - just illegal out of the US. I thought that was pretty cool - and, BTW, mod_ssl was really cool and very easy to configure! All you have to do is download openssl, apache, and then mod_ssl off replay.com and bang! fast, easy SSL =) (BTW: I'm not in any way associated with replay.com, nor is anyone I know. Same with mod_ssl)
I rather like cows.
It looks like they took Apache and spiffed it up. Some of the nicer new features (besides SSL) are:
"Remote Configuration: a browser-based configuration tool to allow manipulation of the server configuration via a GUI.
Machine Translation Support: This new function, when used with an available IBM Machine Translation Engine, enables the IBM HTTP Server to translate English Web pages into other languages without human intervention. This permits a Web site visitor to read the page in his native language, effectively broadening the reach of your Web site. IBM Machine Translation Engines are included in the WebSphere Application Server 3.0 and include: German, Simplified Chinese and Traditional Chinese. Additional languages will be available in the future."
-- Virtual Windows Project
I've been using RavenSSL since it came out. They give you their module and a pre-patched version of Apache. However, they also give you the patches so you can apply them yourself to the standard Apache distribution.
It's mostly just another Apache module, but they say since SSL must be more integrated than most modules, they have to make a few patches (SSL hooks?) to the Apache source.
In fact, the original Raven was from the early mod_ssl source. It used SSLeay and everything. They've since made their own library and tools, but the idea is still the same.
A year and a half ago I spent some time researching the least expensive licensing for SSL with Apache for a webserver running approximately 80-128 sites, and it came out that at that time, for that setup, Raven was the best option. This may well have changed, as it looks like they've raised their prices, and it depends largely on how many customers you have, because of licensing fees and such. It's probably worth a look, though.
When the RSA patent expires next year, it will be nice to see these people have to drop their prices to a sane level.
However, Netscape has a patent on SSL. They apparently haven't been trying to force people to license it... yet.
But what if NetscAOL were to sell the patent to those bastards at RSADI?
Why not use IIS (pls no spam :P). I too use Linux but have found NT4 with IIS works perfectly as an SSL server - I have a 1000+ user intranet working via SSL and it's perfect - just set up your own CA (for free) and SSL away.
In the past I have personally gone the rounds with RSADSI about BSAFE licenses. It turns out that RSA, when it was a young and stupid company, sold AT&T a license that allows them to resell the RSA algorithm. Therefore, you can actually license the algorithm from a competitor. (RSA will deny this is true but I simply told them that AT&T has a hell of a lot more lawyers IMHO.) In September 2000 none of this is going to matter since the RSA patent expires. RSA claims they have some kind of IP rights on the RC4(tm) algorithm which is also used by SSL. RSA has nothing other than a trademark on its name. I have found that the ARCFOUR algorithm published on Usenet back in 1995 is actually faster than RC4 and seems to be equivalent in its results.
If you mean about the igloo and such, of course I am... I'm from Alberta.
We purchased Mandrake's Red Hat Linux 6.0 (from McMillan Publishing) for about $65 at CompUSA and it includes a single server Advanced Cryptography Licence from RSA. It more than suits our needs, installed fine, and is upgraded with RPMs from webmonkey's extranet server page. Everything installed great and it is compiled for 686. The Apache server is nicely modularized and we get a discount on a Thawte cert. Look at http://www.netrevolution.com/extranet/ for his latest stuff.
So if I purchased RAVEN(even though I use only slackware), it might still be safe to use mod_ssl?
I bought the standard version of Red Hat Linux 6.1 -- can I get the Secure Server separately?
It happens. Actually we've observed it happening about 30% of the upgrades we did on our workstations (500+)
However all hope is not lost. The install creates a directory c:\windows\ws2bakup
All your old TCP/IP bits(if you're lucky) are there.
You need to run the ws2backup.exe from windows, and then exit to dos and run it from dos.
(It puts back registry entries so you need to run it from Windows, but tries to replace open DLLs which means you need to run it from DOS)
Sometimes, it will keep the Winsock2 and runs just fine... sometimes you have to reinstall Winsock2... and sometimes it didn't backup the files and you have to manually re-install everything.
Good Luck
*A)bort, R)etry, I)nfluence with large hammer.*
What is the difference between Apache-SSL and mod_ssl? Pros/cons?
I don't mean to start a religious war; I'm really interested in what the difference is. I have to set up an SSL server soon so I'll need info to decide.
I'm not in the USA so the RSA patent is a non-issue.
Yes, but you would have a license for a product that most likely uses RSA's BSAFE dev kit. You would be running a binary that uses RSA's "RSAREF" encryption. They are not considered the same thing. You cannot license RSAREF from RSA. They won't sell it to you. I tried!
i have been sysadmin for quite a few commercial sites which use a similar setup, namely the linux/apache/mod_ssl/openssl combination.
.. i strongly suggest openssl (formerly SSLeay) used in combination with the standard apache mod_ssl -- for all the info on this, you should definitely check out the apache server mod_ssl documentation at http://www.apache.org/related_projects.html#modssl
:)
it works quite well, is 100% free (though you will still need a CA certificate from verisign or thawte or whomever) and is completely legal.
unfortunately, though, because of the legal restrictions in the USA, there are very few easily implemented ssl packages
which tells you everything you need to know.
i understand that if my servers were based in the USA, i would have to pay the big bucks for this instead of being able to just download openssl, but i am not american and neither are you, so rejoice !
at least, i have been able to resist the magnetic pull to "silicon valley" thus far (unlike the majority of my former room-mates) and hopefully i will remain canadian until the RSA patent wears off !
-abf.
How does downloading IBM's "free" version help? Wouldn't you still need to license the RSA patent to use it?
My understanding was that SSL did not require any specific encryption algorithm, but was a way to encapsulate any encrypted data - or is it HTTPS that I am thinking of?
Either way, we don't NEED to use RSA. Can't someone just make a Netscape+Apache support Blowfish or something like that
They simply will not license RSA to end users. A BSAFE development license is more expensive than any of the commercial servers. Your cheapest approach is Raven or (if you're Linux) RedHat Secure Server.
If your client needs more complete documentation, service, and support, get Stronghold.
RedHat's Professional 6.1 version comes with the RedHat Secure Server, with a license to use it.
Used to be $99, but I think they bumped it up to $149 recently.
Still the best deal I've seen.
I've also used Apache-SSL. The reason we use Raven is just to avoid the hassle, plain and simple. Apache-SSL and mod_ssl both require you to install and configure a bunch of stuff including the reference RSA library from a while back, and even then it's only legal for non commercial usage. Rather than worry about installing all those packages and possibly breaking the law, we decided it was just simpler to pay for it. With Raven you just execute a script and it's installed. You get free updates almost immediately to new apache releases, and their support is great. I guess it all comes down to whether it's worth the money to avoid the hassle... Their homepage is http://www.covalent.net/
Of course, you'll have to learn to build igloos (since that's what we live in) and you'll also have to buy a snowmobile to get around (or get a dog sled team if you're a traditionalist). :)
It may just be my newbie-esque naivete, but I can't understand why a standard such as SSL is based on proprietary software such as RSA.
You can find IBM's HTTP Server at http://www-4.ibm.com/software/webservers/httpservers/. It is based on Apache and includes SSL support.
Download IBM's complementary version of Apache for Linux. It includes IBM's own SSL and a SSL API. It's what they use for their WebSphere product.
Unfortunately I don't have the URL handy.
If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional).
IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation of RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.
Red Hat Secure Server - 100-150 USD, not only do you get the SSL/apache you get an entire OS + programs.
Or
Stronghold Commercial Server, available for a lot of different platforms, $1000 USD
I have yet to look at the licence, so I'm going on an assumption...
Regardless of the OS, just buy a copy of redhat, keep the license and run apache_ssl. You have the license through redhat for RSA. Unless RSA expects that you run it using a certain license, this should be kosher.
ping -f 255.255.255.255 # if only
RSA Security, Inc. vehemently denies the legality of using RSAREF for even non-commercial use (see http://www.mail-archive.com/openssl-users@openssl.org/msg03870.html for a particularly amusing account of one encounter). There is sufficient room for legal wrangling around the term "revenue-generating" in the RSAREF 2.0 license to cause concern for corporate lawyers, it seems.
Another nice alternative is Cobalt Networks' SSL server, that as of this morning was still $99. You can order it online over at Cobalt Networks.
This piece should definitely have been posted in the "Ask Slashdot" section because I know that's where I'd look first if I want to come back and refer to it later. Duh!
PS (off topic, sorry) where's the news about Butler Bloor's Linux v NT test? There's not been a single peep about it on Slashdot and I know at least one person posted about it a few days ago...
Consciousness is not what it thinks it is
Thought exists only as an abstraction
I wanted to run Apache on Win95, just for a little while, and I needed the Winsock2 upgrade. So I downloaded it from Microsoft's site, and it errored out during install and corrupted my TCP/IP stack. WTF is with that??!!
It also has some decent modules that can be slapped in very easily. and some built in toys for application building (like support for a number of databases out of the box).
The product is free, but they'll want to try to sell you site development tools and the like after you've had a chance to use it. It's also written in a strangish language called Pike, but you really don't have to deal with it much if at all, and if you're familiar with C, then Pike will look very normal to you. Pike is basically C, but in an interpreted form like Perl.
http://www.roxen.com/
There's no question in my mind that on a high-volume server you'd rather have an ongoing SSH tunnel between the machines using a nice, fast, symmetric key algorithm than force both the mail server and the web server to go through an expensive public/private key session negotiation every time somebody accesses a piece of mail.
-Chris
After reading all of the comments about Raven, I decided to check it out myself.
If you want an amusing read, take a look at their FAQ with an eye toward "Can I use Raven with my stock version of Apache?" This question is asked in several forms, and Coherent's response always seems to be "Yes, you can use your stock version of Apache. To do this, simply download our customized version of Apache and use it."
These guys seem somewhat confused about the difference between "my version" and "your version."
It's really very frustrating. I can't speak to the quality of their module, or to how reasonable their "custom Apache" requirement is, but at this point I'm not inclined to buy from them simply because they seem to have a hard time providing clear, honest answers.
if you are in the unpleasant situation of living in a non-free country that doesn't allow you to use RSA encryption on your secure HTTP(S) server, just disable RSA. HTTPS is not dependent on the encryption algorithm and runs just as fine with IDEA, 3DES or Blowfish. Of these encryption schemes 3DES is patent free, as secure as 128-bit RC4 and implemented by all major browsers.
here is your cooking recipe for an unencumbered secure http server residing in the US:
Except if you build a browser with such an SSL library that doesn't support RSA, you won't be able to connect to 99% of secure web sites which use RSA certificates and require the algorithm in the client in the SSL handshake.
So it would be a pretty useless implementation of SSL/TLS today.
-- Julien Pierre http://www.madbrain.com/blog
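The disagreement in the two posts above (whether a server can simply "disable RSA") comes down to cipher-suite negotiation: the server can only pick a suite that the client also offered, and in SSL 3.0/TLS 1.0 the suite fixes both the key-exchange method and the certificate type. The simulation below is an added example, not code from any poster or product on this page. Suite names are the real RFC 2246 identifiers; the client and server lists are constructed for illustration, and `negotiate` implements plain server-preference selection rather than any particular library's logic.

```python
"""Simulate SSL/TLS cipher-suite negotiation to show why a server that drops
every RSA-based suite cannot complete a handshake with a client that offers
only RSA suites. Added example; suite names follow RFC 2246 (TLS 1.0), and the
client/server lists are constructed for illustration."""
from typing import List, NamedTuple, Optional


class Suite(NamedTuple):
    name: str
    key_exchange: str   # e.g. "RSA", "DHE_DSS", "DHE_RSA"
    cipher: str         # bulk cipher, e.g. "3DES_EDE_CBC"
    mac: str            # e.g. "SHA", "MD5"


def parse_suite(name: str) -> Suite:
    """Split a TLS_<kx>_WITH_<cipher>_<mac> name into its parts."""
    prefix, _, rest = name.partition("_WITH_")
    if not prefix.startswith("TLS_") or not rest:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    kx = prefix[len("TLS_"):]
    cipher, _, mac = rest.rpartition("_")
    return Suite(name, kx, cipher, mac)


def uses_rsa(suite: Suite) -> bool:
    """True if the suite needs RSA either for key exchange or for the
    signature on the server certificate (so DHE_RSA is still RSA-encumbered;
    only a DSS-signed ephemeral DH suite avoids RSA entirely)."""
    return "RSA" in suite.key_exchange


def negotiate(client_offer: List[Suite], server_enabled: List[Suite]) -> Optional[Suite]:
    """Server-preference selection: the first suite in the server's list that
    the client also offered, or None, meaning the handshake fails."""
    offered = {s.name for s in client_offer}
    for s in server_enabled:
        if s.name in offered:
            return s
    return None


# Constructed server configuration (names are real RFC 2246 identifiers).
SERVER_FULL = [parse_suite(n) for n in (
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
)]
# The same server with "RSA disabled", as the first poster suggests.
SERVER_NO_RSA = [s for s in SERVER_FULL if not uses_rsa(s)]

# Constructed client: a browser that only implements RSA suites.
CLIENT_RSA_ONLY = [parse_suite(n) for n in (
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
)]
# Constructed client that additionally offers DSS-signed ephemeral DH.
CLIENT_WITH_DSS = CLIENT_RSA_ONLY + [parse_suite("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA")]


def run_scenarios() -> dict:
    """Return the negotiated suite (or None) for each client/server pairing."""
    return {
        "full_vs_rsa_only": negotiate(CLIENT_RSA_ONLY, SERVER_FULL),
        "no_rsa_vs_rsa_only": negotiate(CLIENT_RSA_ONLY, SERVER_NO_RSA),
        "no_rsa_vs_dss": negotiate(CLIENT_WITH_DSS, SERVER_NO_RSA),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result.name if result else 'HANDSHAKE FAILURE'}")
```

Dropping RSA leaves this server with a single DSS-signed suite, so the RSA-only client gets no match and the handshake fails, while a client that also offers DHE_DSS connects with 3DES. That is the practical point of the reply: the server side is easy to restrict, but the suite has to be in the client's ClientHello as well, and a DSS-signed certificate is needed for the non-RSA suite to be usable at all.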
I far prefer OpenSSL to RedHat's Secure Server. But since I bought RedHat's Secure Server I am licensed to use OpenSSL... from what I gather.
?
I build programs all the time by using the freeware libs. I don't believe in this sort of bullshit therefore I refuse to follow it. I could care less about the law. If the law isn't in the interest of the public, but rather in the interest of the rich and powerful then I despise it and will violate it at will. I strongly suggest everyone who happens to read this will do so as well. By not violating it then you are agreeing to it's legitimacy. Patents on this sort of bullshit are wrong. I don't give a rat's ass if not having patents on this type of stuff "stifles" industry. If it is needed then it will be made regardless. Fuck the law, it's invalid.
The technical support is great, the price was good and it is a lot more current usually than the RedHat secure server. At the time we purchased RedHat Secure was 3 full point releases behind.
i'd like to be able to use stunnel (used for SSL-ing just about anything) in a commercial environment; how would i go about getting the appropriate licenses?
A project I'm involved in will soon need to set up an Apache/SSL server on NetBSD. The site is commercial and located in Norway.
What are my options? (I want to stay legal of course.)
Where can I read more about the licensing terms and legalities involved in doing this?
Gunnar
And remember kids: Never trust a computer you can actually lift.
The Cobalt secure server is RedHat's secure server compiled for the Cobalt RaQ/Qube systems. We have run into quite a few problems with SSL because we want to use PHP under SSL, and haven't been able to get Cobalt to release apxs, headers, etc. We ended up just compiling Apache w/ mod_ssl (and own a copy of the RSA licensed secure server that Cobalt sells).
Didn't you read the licence? *glances round* You've got to be careful, that could be construed as an unauthorised review of their system, which is a licence infringement!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
While doing work-study as an (underpaid!) web administrator at a university, I was given the job of getting a secure web server up and running on a minimal budget. So I built Apache-SSL using SSLeay for our Linux web server. In the process of building SSLeay, of course, I discovered that it wasn't legal to use in the US because of the patent owned by RSA.
So I contacted RSA and whined about being at an educational institution on a shoe-string budget, and how we really weren't going to make a multi-million-dollar eToys site or anything, and could we please use RSAREF without paying them. They were annoyed, but they didn't want to waste the time it would take to get me off their backs, so they made me promise that we would never distribute the server, that it would only be installed at our site, etc. and let me go ahead.
It was a pain to get the permission, and to get all the pieces to compile and link together, and to get a cheap certificate from Thawte and make that work... But in the end, work it did, and we were able to let people send in their confidential financial aid information on a secure socket.
So was it worth the $100 or $200 we saved? Probably not for anyone but a college student, but then again things may be easier than when I did it (circa 1996).
I went through Verisign which recommended using SSLeay and freeware with Apache, am I correct in assuming that this comes with the necessary RSA license stuff? http://www.verisign.com/guide/apache/apache.html
Where I work we use a product called Raven by Covalent for SSL on Apache. Works very well and is almost too simple to set up. Generates keys to signing authorities and the whole bit. Not the cheapest probably, but very good support and it is licensed for commercial use. http://www.covalent.net
i hope you're kidding.
either that or american.
either way you're excused.
"..Constructive critizism is always welcome however."
Will expiration of the RSA patent in 2000 make it free to implement RSA in the US? - Dustin -
Just to note, RSA lost their patent on the encryption about a month ago I heard. There should be no reason now to need to legally pay for it because it is legal not to pay for it.
-Nicholas Blasgen
Get Stronghold.
Until September 2000, RSA is protected by a US patent, which is (it seems) strictly enforced by RSA Inc.
There's a whole lot of meta-discussion that could take place about the bizarre intricacies of American patent law; in fact, it's all been done here on /. Several times, I'll wager.
In most of the rest of the world, if you disclose your patent-able process/algorithm/whatever BEFORE you apply for the patent, you won't be granted a patent. Period. In the States, though, you generally have up to a year AFTER you publish, and you'll still get the patent.
The RSA algorithm was published before the patents were applied for. So, in most of the world, RSA can be used free of legal implications. Not in the US, though.
Apache/SSL uses SSLeay (I believe). SSLeay has all the software you need, including parts that are illegal in the US because of RSA's patent.
Since you will be running in Norway, I think RSA's patent doesn't apply at all, and you can use the standard Apache/SSL configuration with SSLeay (which I think is actually faster than RSA's version).
IANAL