[lug] Stronghold my only APACHE SSL option?

Michael Deck deckm at cleansoft.com
Tue Mar 14 14:09:44 MST 2000

I'm very interested in this discussion because I am right in the middle of 
the same muddle. Here's a summary of my researches on various sites.

1. If you are considered "in the USA/Canada" then you cannot operate a 
commercial secured web server using mod_ssl or its derivatives without 
purchasing a license from RSA. (http://www.apacheweek.com/features/ssl) 
However, it looks like their patent may expire in September so if you can 
wait until then, you can do it without paying.

2. The cost to buy a license direct from RSA is very steep.  Or it seemed 
so to me yesterday. Today their site seems to be down.

3. However, you can buy a license from a commercial vendor who has made a 
deal with RSA. These include

    Stronghold (http://www.int.c2.net/products/sh2/),
    Raven (http://www.covalent.net/raven/ssl/),
    RedHat Secure Web Server (included in RH6.1 pro bundle, may be available separately from http://www.redhat.com)

and probably others. I'd be interested in help filling out this list. These 
all cost money because they have paid money to RSA. The cheapest appears to 
be RH SWS at USD. Raven asks USD 357. Raven appears not to come with source 
meaning it could be hard to add other modules to the Apache build. 
Stronghold is expensive at USD 995 but includes a Thawte certificate.

4. Once you have this bugger up and running, you need a certificate from a 
certificate authority, otherwise every user will get the "content signed by 
XXXCO. Do you trust it?" dialog. These certificates are expensive (upwards 
of USD 125).

5. Having the RH SWS license doesn't make it legal to build yourself 
mod_ssl using another set of sources. 

What I've been trying to find out myself is

* does RH still sell SWS standalone? Or do you have to get it in the bundle 
with Pro? I don't mind paying for it but I would like to keep my existing 
KRUD installation. I sent this question to presales at redhat.com but never 
heard back. Pity. They must be spending all their time watching their stock 

Does anyone happen to know the answer to this question?

Would it be worth having a meeting some time on Apache-related topics?


At 01:48 PM 3/14/00 -0700, Andrew Diederich wrote:
>On Tue, Mar 14, 2000 at 12:43:30PM -0700, Hugh Brown wrote:
> > openSSL is another SSL package for apache.  Don't know about the
> > legality issues.
> >
> >
> > NEWHOPE wrote:
> > >
> > > Is stronghold my only SSL software option if I want to use SSL on 
> > > will either be using Red Hat or Solaris for a new web server, and the last
> > > step in the decision relates to SSL.
> > >
> > > Someone told me that some of the SSL Apache modules are illegal in the US,
> > > is that true?
> > >
>Well, according to the O'Reilly Apache book, p 222 in the Security chapter:
>"The next, and easiest step of all, is to decide whether you are in the
>United States and Canada or the rest of the world. Then follow these
>You have two choices. You can get a commercial SSL-enabled web server,
>or you can do what the rest of the world does (see below), noting only
>that you need to get a license to use RSA's patents if you want to make
>money out of your SSL-enabled Apache (see www.rsa.com).
>In the rest of the world
>If your deliberations lead you to believe that you are in the rest of the
>proceed as described in the following sections."
>Get SSLeay, etc.
>Hope this helps.
> > > Any opinions, resources, experience, etc appreciated.
> > >
> > > Thanks,
> > >
> > > Peter Janett
> > >
> > > New Media One Web Services
> > >   ~Professional results with a personal touch~
> > >       http://www.newmediaone.com
> > >       webmaster at newmediaone.com
>"whoo-hoo!  I answered one!"
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

Michael Deck
Cleanroom Software Engineering, Inc.   
