Date: Tue, 08 Sep 1998 21:26:47 -0700
From: Graeme Tait <graeme@echidna.com>
To: Christopher Raven <c.raven@ukonline.co.uk>, freebsd-questions@FreeBSD.ORG
Cc: info@boatbooks.com
Subject: Re: Apache & Verisign
Message-ID: <35F60387.58A6@echidna.com>
References: <35F5AFFB.4631D726@ukonline.co.uk>

Christopher Raven wrote:
>
> I don't know if anyone knew about it, but I just noticed that verisign
> now supports apache
>
> http://www.verisign.com/guide/apache/index.html

Indeed! I would guess that Verisign could not resist the potential Apache market, nor did they want to lose it to competitors.

However, there is, as I understand it (and please correct me if I am wrong on any of this), one catch if you use a free version of SSLeay, and it is curious that Verisign (AFAIK) are silent on this point. I'll repeat what I posted here previously:

"Just be aware that for using SSLeay in the US, you need a BSafe license from RSA (and I believe you are required to substitute their cipher code for that in SSLeay). There is a special license plan for non-profits. For individual commercial use, getting an RSA license is a practical impossibility as I understand it."

Stronghold (the Verisign link appears to be incorrect - it should be http://www.c2.net/) and Raven (http://raven.covalent.net/ - no relation, I assume?), mentioned in Verisign's info at http://www.verisign.com/guide/apache/apache.html, provide RSA licensing within their products.

I write this in the light of shopping around for SSL/Apache software for use in the US. It is rather frustrating that a great piece of free software like Apache (which can run on a great free OS like FreeBSD) is hobbled for serious commercial use in the US by the effective lack of free SSL support, when all the required software is available for free. Of course, it could never quite be free with RSA licensing required, but I'm sure that the RSA license fee built into all the commercial SSL server packages is a small fraction of their cost - probably of the same order as a typical shareware fee.

The commercial products Verisign mention are expensive. Raven ($357) is, as I understand it, based on SSLeay, and not much different from what you can have for free, but with RSA licensing included. Stronghold is even more expensive ($995), uses superior proprietary SSL code, and has many added features - ostensibly a fine product. But unfortunately it hobbles Apache by being issued in binary form, and by lagging Apache releases. They have only just released a version incorporating V1.30 Apache, and that in a rather unsatisfactory form.

Apache make much of US export restrictions constraining SSL-enabled distributions, but as far as I can see that is a red herring, and the only real issue preventing the issuance of a minimal cost Apache/SSLeay distribution is the creation of a mechanism for paying RSA a reasonable license fee. The lifting of US export restrictions on encryption code will do nothing to change that fact.

I apologize if this long-winded post is a bit off-topic, but I'm hoping someone can point to some source of hope in my quest for low-cost SSL. (And I'm restraining myself from getting into the issue of why SSL certificates should cost so much.)

--
Graeme Tait - Echidna

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message