Commercial use of Apache and SSL
The Apache section of Slashdot is also a good place to ask questions regarding Apache and web servers in general (rather than Ask Slashdot). To start us off, here is a question concerning the "cheapest" way of implementing an SSL-capable version of Apache. Of course, you should also consider the legal aspects as well, which is why the commercial products are so attractive for US users:
jballagh writes "I use Apache and need SSL for a potential customer's site. What is the cheapest way of doing this in the US? I have looked at Apache-SSL, mod-ssl, and some commercial packages. If possible I would like to license the appropriate RSA algorithms for use with Apache-SSL, or mod-ssl. Has anyone done this? Is it worth the bother compared to buying a commercial package?"
RedHat's Professional 6.1 version comes with the RedHat Secure Server, with a license to use it.
Used to be $99, but I think they bumped it up to $149 recently.
Still the best deal I've seen.
Download IBM's complimentary version of Apache for Linux. It includes IBM's own SSL and an SSL API. It's what they use for their WebSphere product.
Unfortunately I don't have the URL handy.
If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional).
IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation of RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.
SSL is an "opened" standard, it was developed by Netscape, but they recognised many moons ago that to get wide acceptance you need Open Standards.
So they told everyone how to do SSL, went through the process and got the standard out there. It's a good standard (in comparison to a lot of stuff on the web) so it won.
As patent problems go, this is far from the worst: RSA have reasonable terms, the patent runs out soon, and it's not valid in most of the world anyway.
If SSL had been designed from scratch as an open standard, I'm sure SSL wouldn't include RSA but rather an equivalent but free algorithm. Still, as MPEG members would tell you, a non-free standard is better than no standard at all.
Didn't you read the licence? *glances round* You've got to be careful, that could be construed as an unauthorised review of their system, which is a licence infringement!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
While doing work-study as an (underpaid!) web administrator at a university, I was given the job of getting a secure web server up and running on a minimal budget. So I built Apache-SSL using SSLeay for our Linux web server. In the process of building SSLeay, of course, I discovered that it wasn't legal to use in the US because of the patent owned by RSA.
So I contacted RSA and whined about being at an educational institution on a shoestring budget, and how we really weren't going to make a multi-million-dollar eToys site or anything, and could we please use RSAREF without paying them. They were annoyed, but they didn't want to waste the time it would take to get me off their backs, so they made me promise that we would never distribute the server, that it would only be installed at our site, etc. and let me go ahead.
It was a pain to get the permission, and to get all the pieces to compile and link together, and to get a cheap certificate from Thawte and make that work... But in the end, work it did, and we were able to let people send in their confidential financial aid information on a secure socket.
So was it worth the $100 or $200 we saved? Probably not for anyone but a college student, but then again things may be easier than when I did it (circa 1996).
Get Stronghold.