Commercial use of Apache and SSL

The Apache section of Slashdot is also a good place to ask questions regarding Apache and web servers in general (rather than Ask Slashdot). To start us off, here is a question concerning the "cheapest" way of implementing a SSL-capable version of Apache. Of course, you should also consider the legal aspects as well, which is why the commercial products are so attractive for US users:

jballagh writes "I use apache and need SSL for a potential customer's site. What is the cheapest way of doing this in the US? I have looked at Apache-SSL, mod-ssl, and some commercial packages. If possible I would like to license the appropriate RSA algorithms for use with Apache-SSL, or mod-ssl. Has anyone done this? Is it worth the bother compared to buying a commercial package? "

Buy RedHat Secure Server and transfer the license

[David+Jao]

If you want to run an SSL server for non-commercial purposes, you can compile mod_ssl linked against rsaref. The rsaref package is not free software--it is licensed for non-commercial use only and has a couple other restrictions. This route is the cheapest way to set up a non-commercial SSL site in the US.

If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional).

IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.