Very Computer

I need someone to explain, in terms even I can understand, exactly
what my requirements for licensing are in order to setup a secure
server.  I've read and read and searched and searched, and am
perfectly willing to concede that it's lack of gray matter hindering
me from finding the answers.  Be that as it may, I really, really need
answers, so I'm hoping this will help.

First, a brief synopsis of what I'm trying to do, then my questions:

I am currently running Apache 1.3.4 with some virtual servers on a
Linux box.  Working great, no problems.  I want to do some e-commerce
on some (not all) of those virtual hosts, which means I want SSL so
that I can take credit card orders and give the customer a warm fuzzy
about his "security" in the transaction.

So far so good.  However, being the gotta-meddle-with-the-code kinda
person I am, I really, really want to build my own server.  I don't
want to buy Stronghold or RedHat's Secure Server; I want to build my
own.  But since I'm in the U.S., my understanding is sort of that it's
worse than pulling teeth to try to handle licensing directly with RSA,
and that's why you pay these folks for a secure server.

So, my questions are these:

1) Is it possible and feasible and practical to roll my own server
from Apache1.3.4+mod_ssl+SSLeay+RSARef and use it for commercial
purposes for multiple hosts (sort of like an ISP, except that we're
not an ISP exactly)?  Is it really more trouble than any sane person
would ever want to get into?

2) If I buy the secure module from http://raven.covalent.com, which
includes a license from RSA, and build Apache with it, may I host
multiple secure servers on that one Apache installation without
getting into hot water?

3) Likewise, if I buy a single copy of Stronghold, or Redhat's secure
server, can I run virtual hosts and have multiple sites doing secure
commerce on that one server without violating some bizarre license
agreement that I probably wouldn't understand anyway?

4) If I purchase a certificate (or receive one as part of a package,
as with Stronghold or RSS), may I use that same certificate for all my
virtual hosts, or does each entity need his own certificate?  Or is
that my choice whether I let them all piggyback on my certificate?

5) If I have to buy a secure Apache server pre-built, why would I pay
near 10 times as much for Stronghold as for Redhat's Secure Server?
Is there that much difference between them?

Thanks for any and all help, pointers, info, etc., that anyone can
provide.

--

C/Linux/Email/Samba/Web guy for rent

"The web goes ever, ever on, down from the site where it began..."

The main obstacle is the US patent on RSA cryptography that expires
next September.  If you are willing to wait til then, you have smooth
sailing.

Quote:>So far so good.  However, being the gotta-meddle-with-the-code kinda
>person I am, I really, really want to build my own server.  I don't
>want to buy Stronghold or RedHat's Secure Server; I want to build my
>own.  But since I'm in the U.S., my understanding is sort of that it's
>worse than pulling teeth to try to handle licensing directly with RSA,
>and that's why you pay these folks for a secure server.

If you just want a single (or a few) servers, you can buy retail
copies of RSA's BSAFE library and use them in your server.  If you
want a lot of copies to ship to customers and don't want to pay retail
for each one, you have to negotiate volume deals with RSA which can be
a hair raising experience.

Quote:>1) Is it possible and feasible and practical to roll my own server
>from Apache1.3.4+mod_ssl+SSLeay+RSARef and use it for commercial
>purposes for multiple hosts (sort of like an ISP, except that we're
>not an ISP exactly)?  

If you mean from a technical point of view, then yes.  From a
licensing point of view, you're not allowed to use RSAREF for
commercial purposes.  Also, be aware that RSAREF is intended as an
educational/reference implementation of RSA and it's about 10x slower
than an optimized implementation.

Quote:>Is it really more trouble than any sane person would ever want to get
>into?

Well, you're the one who said you wanted to roll your own server.  If
that's what you want to be spending your time doing, then fine, it's
not that bad.  If you mainly want to be *operating* a server, then
messing with the code is just another thing taking up your time and
it's easier to let someone else (e.g. Redhat, Covalent, Stronghold) do
it for you.

Quote:>2) If I buy the secure module from http://raven.covalent.com, which
>includes a license from RSA, and build Apache with it, may I host
>multiple secure servers on that one Apache installation without
>getting into hot water?

If you mean multiple virtual hosts, that would mean just one instance
of the RSA module.  If you mean multiple servers, I expect you'd need
more licenses.

Quote:>3) Likewise, if I buy a single copy of Stronghold, or Redhat's secure
>server, can I run virtual hosts and have multiple sites doing secure
>commerce on that one server without violating some bizarre license
>agreement that I probably wouldn't understand anyway?

Multiple virtual hosts in the same server: no problem, from what I can
tell.  Multiple servers (separate machines): you're supposed to pay
for each copy separately.

Quote:>4) If I purchase a certificate (or receive one as part of a package,
>as with Stronghold or RSS), may I use that same certificate for all my
>virtual hosts, or does each entity need his own certificate?  Or is
>that my choice whether I let them all piggyback on my certificate?

You need a seperate certificate for each domain name.  If your
customers use your domain they can use your certificate.  If they want
their own domains they need their own certificates.

Quote:>5) If I have to buy a secure Apache server pre-built, why would I pay
>near 10 times as much for Stronghold as for Redhat's Secure Server?
>Is there that much difference between them?

One difference I know of is Stronghold comes with a Thawte certificate
($200).  It has good docs too.  Also, I don't think the Red Hat secure
server has source available.  Stronghold may be charging extra for
source these days, though; I've gotten different stories.  I'm using
an evaluation version of Stronghold and have been pretty satisified
with C2's responsiveness to various issues.  I'm in a situation where
the cost doesn't matter much though.

This is a very complicated issue which will hopefully get a little better in
September of 2000 when some of RSA's patents expire...

Some comments inline...

I don't think its anything relating to stupidity on your part.   This is a
very
complicated matter.  A large company should consider speaking with
a laywer on the issues.

Quote:>So far so good.  However, being the gotta-meddle-with-the-code kinda
>person I am, I really, really want to build my own server.  I don't
>want to buy Stronghold or RedHat's Secure Server; I want to build my
>own.  But since I'm in the U.S., my understanding is sort of that it's
>worse than pulling teeth to try to handle licensing directly with RSA,
>and that's why you pay these folks for a secure server.

I agree with you.   Since, I don't use Red Hat, I wanted to build my
own server, which I did with the mod_ssl add-on.   Tip of the hat to
Ralf Engelschall (hope I didn't butcher your name!).

Quote:

>1) Is it possible and feasible and practical to roll my own server
>from Apache1.3.4+mod_ssl+SSLeay+RSARef and use it for commercial
>purposes for multiple hosts (sort of like an ISP, except that we're
>not an ISP exactly)?  Is it really more trouble than any sane person
>would ever want to get into?

It certainly is possible, and not very difficult.   When I was looking to do
this I tried  contacting RSA regarding RSAref.   I was told by some
customer support person there that RSAref no longer exists.  There
is, however, some replacement for it, which I cannot remember off of the
top of my head.   Note that RSAref, or its replacement, is not integral to
creating the server--it is just rolled in for lisencing issues.

Quote:

>2) If I buy the secure module from http://raven.covalent.com, which
>includes a license from RSA, and build Apache with it, may I host
>multiple secure servers on that one Apache installation without
>getting into hot water?

I am not sure how this works.  I don't believe it is a problem, though.

Quote:

>3) Likewise, if I buy a single copy of Stronghold, or Redhat's secure
>server, can I run virtual hosts and have multiple sites doing secure
>commerce on that one server without violating some bizarre license
>agreement that I probably wouldn't understand anyway?

Again, I am not sure about this, but I don't think it is a problem.  Someone
will correct me if I am wrong.

Quote:>4) If I purchase a certificate (or receive one as part of a package,
>as with Stronghold or RSS), may I use that same certificate for all my
>virtual hosts, or does each entity need his own certificate?  Or is
>that my choice whether I let them all piggyback on my certificate?

This depends on how warn and fuzzy you want your users to feel.  You
can use the same certificate for all of the hosts, but browsers will put
up red flags for users saying the cert name doesn't match the host
name and such.

Quote:

>5) If I have to buy a secure Apache server pre-built, why would I pay
>near 10 times as much for Stronghold as for Redhat's Secure Server?
>Is there that much difference between them?

I think it depends on how the licensing is handled with RSA.   A larger
company
can pass on better savings to the consumers,  I think.

There is a lot of debate on whether you can pick up a copy of Red Hat Secure
Server and shelve it, using the license for a server you created on your
own.
There is nothing really special about RHSS--It is a copy of Apache built
with
SSLeay and one of the SSL modules.    Again, a lawyer familiar with these
issues may be invaluable.

Good Luck
Jay R.

writes:

Quote:> I tried  contacting RSA regarding RSAref.   I was told by some
> customer support person there that RSAref no longer exists.  

FYI, it still exists, goto:
ftp://ftp.rsa.com/rsaref/

--

Computer System Manager         http://www.math.unl.edu/~rdieter/
Mathematics and Statistics              
University of Nebraska-Lincoln

Well, how 'bout that.   I tried doing that a long time ago, and the special
'time limited, ever changing' directory for RSAref never worked.  When I
contacted them they told me that was because it no longer existed.  Maybe
I got someone on their first day on the job.    Thanks for pointing out my
error.

Jay

Thanks much to Paul, Jay, and Rex for the great info.  This is exactly
the sort of info I was looking for.  Two quick followup questions, and
then I'll hush and head back into the dungeon to make this all work.

Is there any chance of their being able to extend this patent, the way
you can renew a copyright?  Or do patents not work like that?  Does
that mean that anyone can use RSA crypto for whatever they want,
license-free, after Sep. 2000?

Quote:>If you just want a single (or a few) servers, you can buy retail
>copies of RSA's BSAFE library and use them in your server.  If you

Great!

Quote:>not that bad.  If you mainly want to be *operating* a server, then
>messing with the code is just another thing taking up your time and
>it's easier to let someone else (e.g. Redhat, Covalent, Stronghold) do
>it for you.

Does anyone have any experience using the Covalent libs to build up an
Apache server and use it in an environment similar to the one I'm
trying to (i.e., virtual domains running on a single server)?  Any
real-world input about its performance or ease-of-use or reliability?

Quote:>You need a seperate certificate for each domain name.  If your
>customers use your domain they can use your certificate.  If they want
>their own domains they need their own certificates.

This is great info.  Thanks again to all who responded.

--

C/Linux/Email/Samba/Web guy for rent

"The web goes ever, ever on, down from the site where it began..."

Once a patent expires, it is over.  They cannot be renewed.

Quote:>Does that mean that anyone can use RSA crypto for whatever they want,
>license-free, after Sep. 2000?

Yes.

Quote:>Does anyone have any experience using the Covalent libs to build up an
>Apache server and use it in an environment similar to the one I'm
>trying to (i.e., virtual domains running on a single server)?  Any
>real-world input about its performance or ease-of-use or reliability?

Why don't you talk to Covalent and ask about their existing
installations?  Contact info would be at www.covalent.net.

I've used sslmod for internal purposes which is pretty much the same
code as Covalent, though not licensed for commercial use.  I haven't
had serious problems but I haven't really stressed it.  It is based on
SSLEAY and performance is quite good.  You don't get a spiffy point
and click admin interface with sslmod like you get with a Netscape
server.  Stronghold -does- come with an interface like that; I don't
know about Covalent.  But if you're planning on doing your own server
development, you should also be capable of editing config files
directly instead of pointing and clicking ;-).