From owner-freebsd-questions Tue Sep 8 18:30:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA24679 for freebsd-questions-outgoing; Tue, 8 Sep 1998 18:30:14 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from loviatar.webcom.com (loviatar.webcom.com [209.1.28.41]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA24674 for ; Tue, 8 Sep 1998 18:30:12 -0700 (PDT) (envelope-from graeme@echidna.com)
Received: from kigal.webcom.com (kigal.webcom.com [209.1.28.57]) by loviatar.webcom.com (8.9.1/8.9.1) with SMTP id SAA10546; Tue, 8 Sep 1998 18:30:07 -0700
Received: from [199.183.207.81] by inanna.webcom.com (WebCom SMTP 1.2.1) with SMTP id 3493056; Tue Sep 08 18:29 PDT 1998
Message-Id: <35F60387.58A6@echidna.com>
Date: Tue, 08 Sep 1998 21:26:47 -0700
From: Graeme Tait
Organization: Echidna
X-Mailer: Mozilla 2.02 (Win16; I)
Mime-Version: 1.0
To: Christopher Raven , freebsd-questions@FreeBSD.ORG
Cc: info@boatbooks.com
Subject: Re: Apache & Verisign
References: <35F5AFFB.4631D726@ukonline.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Christopher Raven wrote:
>
> I don't know if anyone knew about it, but I just noticed that verisign
> now supports apache
>
> http://www.verisign.com/guide/apache/index.html

Indeed! I would guess that Verisign could not resist the potential Apache market, nor did they want to lose it to competitors.

However, there is, as I understand it (and please correct me if I am wrong on any of this), one catch if you use a free version of SSLeay, and it is curious that Verisign (AFAIK) are silent on this point. I'll repeat what I posted here previously:

"Just be aware that for using SSLeay in the US, you need a BSafe license from RSA (and I believe you are required to substitute their cipher code for that in SSLeay). There is a special license plan for non-profits.
For individual commercial use, getting an RSA license is a practical impossibility as I understand it."

Stronghold (the Verisign link appears to be incorrect - it should be http://www.c2.net/) and Raven (http://raven.covalent.net/ - no relation, I assume?), mentioned in Verisign's info at http://www.verisign.com/guide/apache/apache.html, provide RSA licensing within their products.

I write this in the light of shopping around for SSL/Apache software for use in the US. It is rather frustrating that a great piece of free software like Apache (which can run on a great free OS like FreeBSD) is hobbled for serious commercial use in the US by the effective lack of free SSL support, when all the required software is available for free. Of course, it could never quite be free with RSA licensing required, but I'm sure that the RSA license fee built into all the commercial SSL server packages is a small fraction of their cost - probably of the same order as a typical shareware fee.

The commercial products Verisign mention are expensive. Raven ($357) is, as I understand it, based on SSLeay, and not much different from what you can have for free, but with RSA licensing included. Stronghold is even more expensive ($995), uses superior proprietary SSL code, and has many added features - ostensibly a fine product. But unfortunately it hobbles Apache by being issued in binary form, and by lagging Apache releases. They have only just released a version incorporating V1.30 Apache, and that in a rather unsatisfactory form.

Apache make much of US export restrictions constraining SSL-enabled distributions, but as far as I can see that is a red herring, and the only real issue preventing the issuance of a minimal cost Apache/SSLeay distribution is the creation of a mechanism for paying RSA a reasonable license fee. The lifting of US export restrictions on encryption code will do nothing to change that fact.

I apologize if this long-winded post is a bit off-topic, but I'm hoping someone can point to some source of hope in my quest for low-cost SSL. (And I'm restraining myself from getting into the issue of why SSL certificates should cost so much.)

--
Graeme Tait - Echidna