Well, the legal troubles should be outlined in the mod_ssl docs. I think it 
just has to do with using the rsa_ref libraries because of a patent held in 
the USA. But I haven't looked at it lately.

In theory you're supposed to get a license to use it. When you buy 
StrongHold or another commercial version of SSL apache, that company has 
already paid the licensing to use those encryption algorithms.

"Down the street" from us in Singapore is a company called 3UI that makes 
an open source secure WAP Gateway and they have the same issues. They 
distribute the code to compile it, but they can't legally distribute the 
rsa_ref stuff with their software so that the WAP version of SSL will 
compile into the server. In passing, a few weeks ago one of them mentioned 
to me, though, that even when the patent expires, there are still other patents 
that are held which will prevent full distribution of source unfortunately.

My caveat on saying this is that I may not be remembering the exact words 
-- and in legal cases, words can make all the difference. So you should 
check for yourself what mod_ssl and the ssleay docs say.

From the website of 3UI (regarding the compiling of WTLS -- WAP SSL):

"Note: The open source version of the WTLS does not include the RC5 block 
cipher and the RSA key exchange algorithms as they have been patented by 
RSA. If you need any of these, you will have to buy the commercial version 
of this software from us. "

By the way, as a plug, I would have to say that if anyone is doing secure 
transactions with WAP, you might consider supporting these guys. They've 
put a lot of $ and hours into making their WAP gateway (originally based 
off of Kannel but rewritten for more efficient threading and scalability).

So to make it open source after spending so much real money on development 
is really forward thinking for a VC funded company. It's also 
well-abstracted so it compiles ok under both Linux *and* Windows NT (gasp!).

Later,
    Gunther

At 02:49 AM 8/27/00 +0200, Stas Bekman wrote:
> >
> > --On 08/26/00 18:51:31 +0200 Stas Bekman <[EMAIL PROTECTED]> wrote:
> >
>[...snipped...]



> > BTW Stas, I haven't downloaded the current version of the guide, I'm
> > using 1.24 so my comments might be dated.  But, if folks in the US
> > simply follow your instructions they will be illegal even after Sept
> > 21.  Using the rsaref libraries is an absolute requirement.  Take a
> > look at the mod_ssl install instructions and you might want to
> > incorporate them in the guide at the appropriate spot.  Just a
> > suggestion.
>
>Weird, it's the first time I hear about that. The Guide explains the details
>of installation of the apache-ssl, mod_ssl and a few others, which I don't
>think have any US regulation problems. I might be wrong of course, since
>I'm not in US... But if there is a real problem with this, I'll definitely
>add a note in the appropriate place. I really don't want someone to have
>troubles with the material in the Guide. I'm really surprised nobody has
>ever raised this issue before. I know for sure that *some* people on the
>list and among Guide readers are American :)
>
>So just tell me what to fix and where, and I'll do it.
>
>P.S. I think the ssl notes in the guide are at least one year old. How
>many of you had legal trouble with these notes?
>
>_____________________________________________________________________
>Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
>http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
>mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
>http://singlesheaven.com http://perlmonth.com   perl.org   apache.org
