On Wed, Aug 09, 2000 at 01:10:52PM -0500, Benji Spencer wrote:
> we are looking at moving from our Netscape Enterprise SSL web server and 
> going to Apache+SSL (Apache-ssl, Ben's SSL) anyhow..we want to do this 
> legally, and we know that RSA has some copyright issues....I thought this 
> would be a problem..but it might not be.
> 
> I looked at our current NES server was using, and RSA isn't on the list 
> (RC[24] and DES with MD5 and SHA message authentication is basically all 
> that is listed).

Generally when the key-exchange/authentication algorithm isn't
listed in proto-ciphersuites, it's RSA.

You can use my web page that checks server security to see
what ciphersuites you're currently supporting:

http://www.lne.com/ericm/papers/check_server.html


> now...when I was on the phone with the RSA Tech, he said that in order to 
> Use OpenSSL with Apache+SSL, I would have to not include the rsaref, and rip 
> the RSA Crypto out of OpenSSL. Do I need to go that far?  What if I just 
> specified the "-no-rsa" when I compile OpenSSL?

That would probably do it.

> Is there any RSA code in 
> the compiled version at that point?

There's no code written by RSA Inc in it now.
There is code that implements the RSA algorithm.  If you
compile with -no-rsa and do not perform the RSA algorithm, you
should be safe.  Note: I'm not a lawyer.  If you want a real
legal opinion on this, get one.  Or wait until Sept 21 when the
RSA patent runs out.

You will need a DSA cert too.  I don't know of any CA
that issues them, does anyone?

> Our main concerns are
> 1) we don't want to lose functionality. If RSA was being used before, we 
> still want it (was it being used before though?)

It was, and you'll lose it.

> 2) we want to implement the SSL legally.

There's a number of ciphersuites that don't use the RSA algorithm, especially
in TLS1.  There are also ones that don't use RSA Inc's trademarked RC4
algorithm.



-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards. 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
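
Added example (not part of the original message or of OpenSSL): a small audit that applies the naming rule from the reply above to OpenSSL-style ciphersuite names, treating a name with no key-exchange/authentication prefix as RSA, and separating out the suites that avoid RSA and RC4. The function names, the prefix table and the sample list are assumptions made for illustration.

```python
# Classify OpenSSL-style ciphersuite names by key exchange and authentication.
# Rule from the reply: when no key-exchange/authentication algorithm is
# listed in the name, it is RSA.

# Prefixes that name an explicit key exchange / authentication pair.
PREFIXES = {
    "EDH-DSS": ("DH", "DSS"),
    "DHE-DSS": ("DH", "DSS"),
    "EDH-RSA": ("DH", "RSA"),
    "DHE-RSA": ("DH", "RSA"),
    "ADH": ("DH", "none"),  # anonymous DH: no server authentication at all
}

def classify(name):
    """Return (key_exchange, authentication, cipher_part) for a suite name."""
    # A leading EXP- only marks an export-grade suite; strip it first.
    rest = name[4:] if name.startswith("EXP-") else name
    for prefix, (kx, auth) in PREFIXES.items():
        if rest.startswith(prefix + "-"):
            return kx, auth, rest[len(prefix) + 1:]
    # No prefix listed: key exchange and authentication are both RSA.
    return "RSA", "RSA", rest

def audit(names):
    """Group suites by whether they need the RSA algorithm, and list the
    RSA-free ones that also avoid RC4."""
    report = {"uses_rsa": [], "rsa_free": [], "rsa_free_no_rc4": []}
    for n in names:
        kx, auth, cipher = classify(n)
        if "RSA" in (kx, auth):
            report["uses_rsa"].append(n)
        else:
            report["rsa_free"].append(n)
            if not cipher.startswith("RC4"):
                report["rsa_free_no_rc4"].append(n)
    return report

# Constructed sample list, in the style printed by `openssl ciphers`.
SAMPLE = ["RC4-MD5", "EXP-RC4-MD5", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
          "EDH-DSS-DES-CBC3-SHA", "ADH-RC4-MD5"]

if __name__ == "__main__":
    for key, suites in audit(SAMPLE).items():
        print(key, suites)
```

Only the DSS-authenticated suite in the sample is both RSA-free and usable with a server certificate, which is why the reply says a DSA cert is needed.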
