Slashdot Mirror
Commercial use of Apache and SSL
The Apache section of Slashdot is also a good place to ask questions regarding Apache and web servers in general (rather than Ask Slashdot). To start us off, here is a question concerning the "cheapest" way of implementing a SSL-capable version of Apache. Of course, you should also consider the legal aspects as well, which is why the commercial products are so attractive for US users:
jballagh writes "I use apache and need SSL for a potential customer's site. What is the cheapest way of doing this in the US? I have looked at Apache-SSL, mod-ssl, and some commercial packages. If possible I would like to license the appropriate RSA algorithms for use with Apache-SSL, or mod-ssl. Has anyone done this? Is it worth the bother compared to buying a commercial package? "
RedHat's Professional 6.1 version comes with the RedHat Secure Server, with a license to use it.
Used to be $99, but I think they bumped it up to $149 recently.
Still the best deal I've seen.
If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional).
IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.
http://www.software.ibm.com/webservers/httpservers /
You need a username/password to download it, but
they're free.