On Wed, Aug 09, 2000 at 01:10:52PM -0500, Benji Spencer wrote:
> we are looking at moving from our Netscape Enterprise SSL web server and
> going to Apache+SSL (Apache-ssl, Ben's SSL) anyhow..we want to do this
> legally, and we know that RSA has some copyright issues....I thought this
> would be a problem..but it might not be.
>
> I looked at our current NES server was using, and RSA isn't on the list
> (RC[24] and DES with MD5 and SHA message authentication is basically all
> that is listed).
Generally when the key-exchange/authentication algorithm isn't
listed in proto-ciphersuites, it's RSA.
You can use my web page that checks server security to see
what ciphersuites you're currently supporting:
http://www.lne.com/ericm/papers/check_server.html
> now...when I was on the phone with the RSA Tech, he said that in order to
> Use OpenSSL with Apache+SSL, I would have to not include the rsaref, and rip
> the RSA Crypto out of OpenSSL. Do I need to go that far? What if I just
> specified the "-no-rsa" when I compile OpenSSL?
That would probably do it.
> Is there any RSA code in
> the compiled version at that point?
There's no code written by RSA Inc in it now.
There is code that implements the RSA algorithm. If you
compile with -no-rsa and do not perform the RSA algorithm, you
should be safe. Note: I'm not a lawyer. If you want a real
legal opinion on this, get one. Or wait until Sept 21 when the
RSA patent runs out.
You will need a DSA cert too. I don't know of any CA
that issues them, does anyone?
> Our main concerns are
> 1) we don't want to lose functionality. If RSA was being used before, we
> still want it (was it being used before though?)
It was, and you'll lose it.
> 2) we want to implement the SSL legally.
There's a number of ciphersuites that don't use the RSA algorithm, especially
in TLS1. There are also ones that don't use RSA Inc's trademarked RC4
algorithm.
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
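
The naming rule from the reply above (no key-exchange/authentication field in the name means RSA), as an added example that is not part of the original thread or of OpenSSL. It assumes OpenSSL's legacy SSLv3/TLS 1.0 name style; the prefix table, function names and sample list are constructed for illustration.

```python
# Added example: classify legacy OpenSSL (SSLv3/TLS 1.0) ciphersuite names.
# Prefix table and sample names are assumptions/constructed input for illustration.
PREFIXES = {                      # name prefix -> (key exchange, authentication)
    "EDH-DSS": ("DH", "DSS"),
    "EDH-RSA": ("DH", "RSA"),
    "DHE-DSS": ("DH", "DSS"),
    "DHE-RSA": ("DH", "RSA"),
    "ADH":     ("DH", "None"),    # anonymous DH: no server authentication
}

def classify(name):
    """Split a name into key exchange, authentication, bulk cipher and MAC."""
    rest = name
    export = rest.startswith("EXP-")          # export-grade (weakened) suite
    if export:
        rest = rest[len("EXP-"):]
    kx, auth = "RSA", "RSA"                   # nothing listed means RSA for both
    for prefix, (p_kx, p_auth) in PREFIXES.items():
        if rest.startswith(prefix + "-"):
            kx, auth = p_kx, p_auth
            rest = rest[len(prefix) + 1:]
            break
    bulk, _, mac = rest.rpartition("-")       # last field is the MAC
    return {"name": name, "kx": kx, "auth": auth, "bulk": bulk, "mac": mac,
            "export": export, "uses_rsa": "RSA" in (kx, auth),
            "uses_rc4": bulk.startswith("RC4")}

def rsa_free(names, allow_rc4=True):
    """Names that avoid RSA yet still authenticate the server (so need a DSA cert).
    Anonymous and export suites are dropped as a defensive default."""
    keep = []
    for c in map(classify, names):
        if c["uses_rsa"] or c["auth"] == "None" or c["export"]:
            continue
        if c["uses_rc4"] and not allow_rc4:
            continue
        keep.append(c["name"])
    return keep

SAMPLE = ["RC4-MD5", "DES-CBC3-SHA", "EXP-RC2-CBC-MD5", "EDH-RSA-DES-CBC3-SHA",
          "EDH-DSS-DES-CBC3-SHA", "DHE-DSS-RC4-SHA", "EXP-EDH-DSS-DES-CBC-SHA",
          "ADH-RC4-MD5"]

if __name__ == "__main__":
    for c in map(classify, SAMPLE):
        print(f'{c["name"]:26} Kx={c["kx"]:4} Au={c["auth"]:5} Enc={c["bulk"]:9} Mac={c["mac"]}')
    print("RSA-free, authenticated:", rsa_free(SAMPLE))
    print("...and without RC4:     ", rsa_free(SAMPLE, allow_rc4=False))
```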