Re: RSA Security and Red Hat, Inc. Sign Licensing Agreement
This isn't quite true - you can compile OpenSSL to be copyright free. However, as far as I know (and my knowledge is a bit out-of-date, so this may have changed), this then leaves SSL with cipher suites which are not supported by the common browsers. So you can only write secure applications that do not talk to browsers. But you can still use SSL, if both ends of the connection have a comprehensive (ie OpenSSL) implementation.

Sorry if this repeats stuff - I've just re-subscribed to the list after having not read it for a long time (since SSLeay, I guess).

Andrew

"Aaron D. Turner" wrote:

> After about 2 weeks worth of research (talking to this list, RSA, our lawyers, etc) I found that if you're a company in the US, and you want SSL to talk to IE or Netscape, you have to either:
> - Break the law or
> - Buy a license from RSA (very expensive) or
> - Buy a commercial SSL implementation (not cheap, but about 100 times cheaper than getting a license from RSA)
> Using only des/des3 won't work because you need a PK algorithm to exchange the des/des3 keys.
>
> -- Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
> Security Engineer, Vicinity Corp. Cell: 408-314-9874 Pager: 650-317-1821 http://www.vicinity.com
>
> On Wed, 24 Nov 1999, Tim Riker wrote:
>
> > OK, so what is a distributor to do? ;-)
> > In short: Is it possible to build OpenSSL without any code that is patent-infringing, and still have it talk to Netscape and M$IE? What if I did:
> > ./Configure --prefix=/usr --openssldir=%{openssldir} linux-elf \
> >     no-bf no-idea no-rc2 no-rc4 no-rc5 no-rsa no-sha
> > to get just des/des3, is that enough? (the astute will notice that this will not build, but hey) It should be ok to leave in blowfish, but M$IE/Netscape do not have blowfish anyway, right?

__ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Cannot Load openssl.cnf
From: Arne Coucheron [EMAIL PROTECTED]
Date: 30 Nov 1999 02:15:06 +0100

> I have a fixed rpm package available at URL:ftp://ftp.sol.no/public/users/a/arneco/linux/

Many Thanks!

-- Mark
Re: Another RSApkc Primer
At 07:59 AM 11/29/99, Leland V. Lammert wrote:

> I, for one, would be most interested if you can comment on (or add to) the following options as I see them for a US based company that wishes to build a SSL-based web server:
> 1) Purchase an Apache like Stronghold (at $1K+ not an option for a small company). Completely legal in the US?
> 2) Build Apache with OpenSSL (or, as we did three years ago, with SSLeay). Legal for non-commercial purposes in the US and questionable for e-commerce?
> 3) Purchase the RedHat Secure Server (as I commented earlier), .. though I did not think to phrase that I was advocating using the RH SSL binaries and linking to a standard Apache (which I have been told is completely legal). Legal, but may be problematic merging standard Apache and RH implementations?
> 4) Install OpenBSD (though we have not used it, it appears to have the SSL libraries built-in). Legal status unknown?
> Since it is not practical for a small company to deal directly with RSA (or the like), our only option at the time seemed to be #2, as the server was initially a 'test site'. We need to rebuild the server in the near future, .. and I would be very interested in pros and cons.

The easiest way to get to the center of this Gordian knot is to identify what you need, and identify where you're getting it, and under which terms.

If you're going to use the RSA public key crypto algorithm inside the United States between now and September 20 of 2000, you need a license to do so. (It doesn't matter if your use is "commercial" or "noncommercial" or whatever else - you need a license.) You can only get a license from RSA, or someone to whom they've given the right to sublicense. The latter includes several Apache-derivative vendors including Covalent, Red Hat, and C2Net.

Note that it's very, very unlikely that the terms of the sublicense grant given to any of the above sublicensors allows them to bless any arbitrary use of the RSA algorithm, but it's very likely that their right to sublicense users of the patent is limited to specific named products or product lines. If one of the vendors tells you they have the right to grant a patent license good for any program or device which uses the RSA public key method, ask to see a copy of the original license grant from RSA to that effect, as you're probably talking to someone full of too much eggnog.

Another way to get a license to use the RSA public key method is to use the RSAREF library, which includes a license grant to use the method when that's done by calling the RSAREF library. RSAREF licenses are only available on certain terms, and you'll need to figure out whether or not your use is compatible with the RSAREF license.

It's that simple - you need to identify the source of your right to use the algorithm, and look at the license restrictions accompanying the grant of that right. If you can't identify the grant, you probably don't have a patent license.

All of the RSA license grants that I've seen have required the licensee to mark their product with a notation that it uses (and has licensed) the RSA patent from RSA. I don't know if the commercial vendors now operating are subject to that restriction, or if they're complying if they are subject to it.

Regarding your choices listed above - number 3 doesn't work if you're thinking of the "buy server X, run server Y, but 'using the license from X'" theory, but it does work if you use server X as an SSL proxy for a plain Apache (where the plaintext appears only on your local network), or if you use server X only to handle pages which must be encrypted (like, say, the page(s) which accept credit card numbers or sensitive information) with the other pages served by a generic Apache. Since http and https use different port numbers, it's easy to have the two servers running on one physical machine reading the same document tree, for relatively seamless (and legal) integration.

Also, apropos your #1, you might look at Covalent's Raven server, which is $357. http://www.covalent.net/raven/ssl/.

-- Greg Broiles [EMAIL PROTECTED] PGP: 0x26E4488C
Re: HELP!
> I'm using openssl version 0.9.4 and have an odd problem. I can make a valid SSL connection every other time that I run my app (this happens on both win32 and Solaris). I have debugged down into the ssl library and find that when it fails, it fails in the get_server_hello() function. The low level read call in the bio library returns -1 and errno says ECONNRESET (Connection reset by peer).

An ECONNRESET error is an indication that you have networking problems. High packet loss rates or two machines with the same IP address.

Jeffrey Altman * Sr. Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
Re: Another RSApkc Primer
Here are another couple of options:
1) www.thwaite.com
2) co-locate with a hosting company not in the USA.

On Mon, 29 Nov 1999 09:59:14 -0600, Leland V. Lammert wrote:

> At 03:54 AM 11/24/99, you wrote:
>
> > Didn't mean for this to run on so, but it's now the wee hours of a holiday eve. I beg your pardon for any pedantic airs that crept in; summary histories seem to foster them.
>
> Vin,
>
> Thank you for the excellent SSL history! Though there might be inaccuracies (which someone else may point out), I, for one, would be most interested if you can comment on (or add to) the following options as I see them for a US based company that wishes to build a SSL-based web server:
> 1) Purchase an Apache like Stronghold (at $1K+ not an option for a small company). Completely legal in the US?
> 2) Build Apache with OpenSSL (or, as we did three years ago, with SSLeay). Legal for non-commercial purposes in the US and questionable for e-commerce?
> 3) Purchase the RedHat Secure Server (as I commented earlier), .. though I did not think to phrase that I was advocating using the RH SSL binaries and linking to a standard Apache (which I have been told is completely legal). Legal, but may be problematic merging standard Apache and RH implementations?
> 4) Install OpenBSD (though we have not used it, it appears to have the SSL libraries built-in). Legal status unknown?
> Since it is not practical for a small company to deal directly with RSA (or the like), our only option at the time seemed to be #2, as the server was initially a 'test site'. We need to rebuild the server in the near future, .. and I would be very interested in pros and cons.
>
> TIA, Lee
>
> Leland V. Lammert [EMAIL PROTECTED]
> Chief Scientist, Omnitec Corporation
> Network/Internet Consultants www.omnitec.net
Re: RSA Security and Red Hat, Inc. Sign Licensing Agreement
Does anybody know why both IE and Netscape browsers implement exclusively RSA certificates? My feeling is that Microsoft and Netscape both made a deal with RSA Security to get a "low" price RSA license on the condition of not implementing DSA.

Nicolas Roumiantzeff.

-----Original Message-----
From: Andrew Cooke [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, 30 November 1999 17:21
Subject: Re: RSA Security and Red Hat, Inc. Sign Licensing Agreement

> This isn't quite true - you can compile OpenSSL to be copyright free. However, as far as I know (and my knowledge is a bit out-of-date, so this may have changed), this then leaves SSL with cipher suites which are not supported by the common browsers. So you can only write secure applications that do not talk to browsers. But you can still use SSL, if both ends of the connection have a comprehensive (ie OpenSSL) implementation.
>
> Sorry if this repeats stuff - I've just re-subscribed to the list after having not read it for a long time (since SSLeay, I guess).
>
> Andrew
Re: RSA Security and Red Hat, Inc. Sign Licensing Agreement
Andrew Cooke [EMAIL PROTECTED] writes:

> This isn't quite true - you can compile OpenSSL to be copyright free.

You mean without the patented algorithms, presumably? (i.e., "patent free" not "copyright free".) The code is still copyright, but the copyright looks pretty liberal (and wouldn't cover mere use of the software anyway).

> However, as far as I know (and my knowledge is a bit out-of-date, so this may have changed), this then leaves SSL with cipher suites which are not supported by the common browsers.

Yes, I think that's still true. DSA and things are mandatory for TLS-1.0, but browsers don't support them (or not very well, anyway) yet. (It'll probably be a while until the browsers support these things properly---probably after next September when it won't matter anyway.)

-- Bruce Stephens [EMAIL PROTECTED]
MessagingDirect(UK) Ltd
URL:http://www.MessagingDirect.com/
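The question Tim Riker asked of a no-rsa build, and the point Bruce makes above about the non-RSA suites, can be made concrete with the cipher-suite table of a current OpenSSL. The script below is an added example, not code from this thread or from the OpenSSL project: it asks the OpenSSL linked into Python's ssl module which suites remain once every suite that relies on RSA for key exchange or for authentication is removed, first by inspecting each suite's key-exchange and authentication fields, then by letting OpenSSL do the same cut with the cipher-string keywords !kRSA and !aRSA. It assumes Python 3.6 or later (for SSLContext.get_ciphers()) and an OpenSSL 1.1 or later that reports the 'kea' and 'auth' fields; the exact suites listed depend on the OpenSSL build.

```python
"""Which cipher suites survive when RSA is taken out of the table?

Added example for the openssl-users thread above; not code from the
thread or from OpenSSL. A cipher suite always pairs a key-exchange
method with an authentication method (this is why des/des3 alone could
never be "enough"), so removing RSA removes every suite that uses it
for either role and leaves DH/ECDH key exchange authenticated by
DSS/ECDSA, plus the TLS 1.3 suites, which negotiate both separately.
Assumes Python 3.6+ and an OpenSSL that reports 'kea'/'auth' fields.
"""
import ssl
from collections import Counter


def cipher_table(cipher_string="ALL"):
    """Return the suite descriptions OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # Each entry is a dict with 'name', 'protocol', 'kea' (key exchange,
    # e.g. 'kx-ecdhe') and 'auth' (e.g. 'auth-rsa', 'auth-ecdsa', 'auth-any').
    return ctx.get_ciphers()


def uses_rsa(cipher):
    """True if the suite needs RSA to agree the session key or to sign the handshake."""
    kea = (cipher.get("kea") or "").lower()
    auth = (cipher.get("auth") or "").lower()
    return "rsa" in kea or "rsa" in auth


def partition_by_rsa():
    """Split the full suite list into RSA-dependent and RSA-free suites by inspection."""
    needs_rsa, rsa_free = [], []
    for cipher in cipher_table("ALL"):
        (needs_rsa if uses_rsa(cipher) else rsa_free).append(cipher)
    return needs_rsa, rsa_free


def rsa_free_via_cipher_string():
    """Same cut done by OpenSSL: !kRSA drops RSA key exchange, !aRSA drops RSA authentication."""
    return cipher_table("ALL:!kRSA:!aRSA")


def summarize(ciphers):
    """Count suites by (key exchange, authentication) pair for a quick overview."""
    return Counter((c.get("kea"), c.get("auth")) for c in ciphers)


if __name__ == "__main__":
    needs_rsa, rsa_free = partition_by_rsa()
    print(f"{len(needs_rsa)} suites depend on RSA, {len(rsa_free)} do not")
    print("RSA-free suites by (key exchange, authentication):")
    for pair, count in sorted(summarize(rsa_free).items()):
        print(f"  {pair}: {count}")
    print("Names left after ALL:!kRSA:!aRSA:")
    for cipher in rsa_free_via_cipher_string():
        print(f"  {cipher['protocol']:8} {cipher['name']}")
```

Run it and compare the RSA-free list with what a peer actually offers: a suite is only usable if both ends have it, which is exactly why a browser that shipped only RSA suites could not talk to an RSA-free server.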
Re: Another RSApkc Primer
At 01:08 PM 11/30/99, you wrote:

> "Leland V. Lammert" [EMAIL PROTECTED] writes:
>
> > 1) Purchase an Apache like Stronghold (at $1K+ not an option for a small company). Completely legal in the US?
>
> Frankly, I find this baffling. I work for a small company (two people) and we bought well over 3K in computers and software last year. If you can afford computers, Internet service, and a web site, you should be able to fork over $1K for a web server.

Sorry, .. but the economics just don't work - even using your example, $3K of hardware can host 50-100 sites, . . at, say, a net profit of $25/ea makes the payback about a year. Spending $1K on an SSL server just doesn't make sense, .. unless you had a specific project with requisite revenues. Besides, .. for the past three years our hardware budget has been exactly $0 (we have used recycled machines quite successfully to build servers for quite some time - one of the main advantages with Unix; the only problem has been that power supply fan bearings only last about five years of 24/7 g!).

> > Since it is not practical for a small company to deal directly with RSA (or the like), our only option at the time seemed to be #2, as the server was initially a 'test site'. We need to rebuild the server in the near future, .. and I would be very interested in pros and cons.
>
> You've missed at least one interesting option: use IIS on Windows. You get SSL with RSA for free.

That is not consistent with my information - when we priced IIS three years ago, MS required a purchase of SITE SERVER (at $1K+) to get SSL capability. Have they changed the terms? It is not my understanding that you could run SSL in plain IIS.

Lee

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist, Omnitec Corporation
Network/Internet Consultants www.omnitec.net
How to get Net::SSLeay to work with client cert
Hi

I'd like to post some stuff to a https server from a perl script using client cert secured SSL v3 connections. At the moment everything works with server cert SSL v2 but I have no idea how to switch to SSL v3. How do I tell my script which cert file to use and which password is needed to use it? Is this possible with perl and Net::SSLeay (or another perl module) and if so could somebody point me to some sample code for this particular case?

Regards, Reiner.

-- Reiner Buehl
P.O. Box 100324
70747 Leinfelden-Echterdingen
Germany
Internet: [EMAIL PROTECTED]
Re: Getting root certs
Unless we're missing something very badly (always a possibility), Verisign is still the key player in the server side certificate market, with Thawte next up. There are a number of smaller up and coming CAs out there as well - we've been publishing stats on the penetration of CAs, and SSL as a whole, in our on-line secure web survey located at http://www.e-softinc.com. Also, we have all the root certs we use for validating sites as part of our survey on-line as well at http://www.e-softinc.com/cacerts.txt

Cheers, Thomas

"Rene G. Eberhard" wrote:

> > Is there a repository of root certificates somewhere I can use to verify SSL servers against? How can I extract root certificates from Netscape and IE?
>
> I think Verisign is no longer the key player in the certificate market. IE 5.01 contains about 120 root certificates.
>
> About your request:
> 1. You may download IE 5.01 and extract all the 120 root certs.
> 2. You can send me a mail and I send you (personal email) a zipped archive which includes all the 120 root certs PEM encoded.
>
> Regards, Rene
>
> -- Rene G. Eberhard Mail: [EMAIL PROTECTED]

-- Thomas Reinke Tel/Fax: (905) 331-2260
Director of Technology Cell: (416) 460-7021
E-Soft Inc. http://www.e-softinc.com
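Whether the root certificates come from a published bundle like the cacerts.txt mentioned above or are exported from a browser, the first thing to do with them is to take an inventory: split the bundle into individual certificates, fingerprint each one, and drop duplicates, so that each root can be checked against a fingerprint published by its CA before it is trusted. The script below is an added example, not code from this thread or from E-Soft. It handles the usual shape of such a file (free-text labels between PEM blocks, CRLF line endings). The bundle it runs on is constructed from placeholder bytes so that it works offline; the functions take real certificate bundles unchanged.

```python
"""Inventory a PEM root-certificate bundle: split, fingerprint, deduplicate.

Added example for the openssl-users thread above; not code from the thread
or from E-Soft. A PEM bundle is a text file of
'-----BEGIN CERTIFICATE-----' ... '-----END CERTIFICATE-----' blocks, often
with labels between them. The SAMPLE_BUNDLE below is constructed from
placeholder bytes, not real certificates, so the script runs offline.
"""
import base64
import hashlib
import re
from typing import Dict, List

# One CERTIFICATE block; the lazy body match stops at the first END marker.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def split_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in the bundle, in file order.

    Text outside the BEGIN/END markers (labels, comments) and the line
    endings inside the block are ignored, which is what a bundle exported
    from a browser or a survey tool looks like.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group("body"))
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, colon-separated as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inventory(text: str) -> Dict[str, bytes]:
    """Map fingerprint -> DER for the unique certificates in a bundle (first copy wins)."""
    unique: Dict[str, bytes] = {}
    for der in split_pem_bundle(text):
        unique.setdefault(fingerprint(der), der)
    return unique


def to_pem(der: bytes) -> str:
    """Re-encode one DER certificate as a standalone PEM block with 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: three blocks, the third a duplicate of the first,
# with labels between blocks and CRLF line endings in the first block.
# The payloads are placeholder bytes, not real certificates.
SAMPLE_CERT_A = b"constructed placeholder for root A " * 3
SAMPLE_CERT_B = b"constructed placeholder for root B " * 3
SAMPLE_BUNDLE = (
    "Example Root A\r\n" + to_pem(SAMPLE_CERT_A).replace("\n", "\r\n")
    + "\r\nExample Root B\r\n" + to_pem(SAMPLE_CERT_B)
    + "\r\nExample Root A (duplicate entry)\r\n" + to_pem(SAMPLE_CERT_A)
)

if __name__ == "__main__":
    certs = inventory(SAMPLE_BUNDLE)
    print(f"{len(split_pem_bundle(SAMPLE_BUNDLE))} blocks, {len(certs)} unique certificates")
    for fp, der in certs.items():
        print(f"  {fp}  ({len(der)} DER bytes)")
```

Point inventory() at a downloaded bundle and compare each fingerprint with the one the CA publishes out of band; a root whose fingerprint you cannot confirm has no business in a trust store, however it got into the file.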