HP3000-L Archives

May 2000, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Date: Tue, 16 May 2000 18:16:42 -0700

Gavin Scott wrote:
> I'll just mention that in order to use the "secure" features of the server,
> I believe you need to get your encryption key signed by Verisign or another
> first tier CA, which cost something like $400/year the last time I checked
> (which was at least a couple years ago).  I only mention this because, at
> these low prices for the server, the key signing charge may become a
> non-trivial percentage of the cost of setting up a secure web site.

If you will be doing Internet applications, a certificate from a trusted CA
such as Verisign (to name just one) is required.

If you're only doing intranet applications, a free self-signed certificate that
you can create yourself by using tools that come with WebWise may be
sufficient.  Of course, you may still want to use a trusted CA certificate even
for intranet purposes.

> A potential gotcha with the WebWise server is that (I assume) HP won't/can't
> release the source code for it, so if you need Apache compiled with some
> special option then you're out of luck until you can convince HP to change
> the way they build their version.

The bulk of the source code is no big secret, and the MPE diffs will be
submitted back to the appropriate opensource places (apache.org, etc) for all
to see.  I'm currently working on this.

However, the one portion that cannot be released is RSA's BSAFE Crypto-C
product which is used to provide legal-for-HP-products RSA, RC2, and RC4
algorithms.  We can't release that source, obviously, and we also choose not to
release the binary Crypto-C API libraries at the current time.

But you don't need Crypto-C to build your own secure web server.  WebWise
consists of Apache plus mod_ssl, and mod_ssl wants to use OpenSSL for the RSA,
RC2, and RC4 algorithms.  Because of patent and copyright issues, I modified
OpenSSL to use Crypto-C (which HP has licensed for our internal use) for those
3 algorithms.  However 100% vanilla OpenSSL works fine on MPE, as long as you
meet the legal requirements (copyright, USA vs. rest of the world, commercial
vs. non-commercial, etc, etc, etc, I am not a lawyer, etc) for using
RSA/RC2/RC4.

My non-lawyer understanding is that life becomes much simpler starting in
September when the RSA patent expires.  OpenSSL RSA will become legal at that
time without restriction.  I don't think anything changes regarding RC2 and
RC4, but there are plenty of other ciphers browsers are willing to use, like
3DES, which at 168 bits is even stronger than 128-bit RC4.  So you could build
your own legal opensource secure web server starting in September, but you
wouldn't be able to get any support from HP.  Your life would just be much
simpler if you buy fully-supported WebWise from HP.  :-)

Aside from the encryption capabilities of the WebWise secure web server, the
next most important feature is Apache Dynamic Shared Object (DSO) support.
This means that you can add on your own functionality to the server in the form
of Apache modules loaded from an external NMXL at server initialization time.
You only need to build your specific module; you don't need to rebuild all of
WebWise from source.  Your module provides functions that the server will
invoke at approximately 20 or so different places in the request life cycle.
Many opensource modules like mod_perl or mod_php or mod_jserv are available, or
you could write your own from scratch after reading about the Apache API at
www.apache.org.  A custom module of your own would provide the tightest
integration and greatest performance for interacting with your existing
applications.

DSO is really an important thing, and I hope that people do great things with
it on MPE, such as creating MPE-based user authentication modules, Vesoft
authentication modules, SAFE/3000 modules, etc.  Have no fear, DSO will be
coming to the next release of HP-supported FOS Apache too.

WebWise is built with almost ALL of the Apache modules available from
www.apache.org as a part of the standard Apache distribution.  The 1 or 2
modules I couldn't include depend on subsystems not yet ported to MPE.  You can
see the complete list of WebWise modules at
http://jazz.external.hp.com/src/webwise/beta.html#features.  As you can see,
you're getting about ~98% complete Apache here, and it is all fully supported
by HP.

> It's also not clear how often the product
> will be updated to the latest Apache version, or how long it will take to
> get each new version released.

I can't speak in detail about future plans.  I can say that it took me about 2
or 3 months to create the WebWise A.01.00 bits, using the latest release of
each of the components available at the start of the project.

> Of course you could always run a mixture of the latest free Apache for most
> purposes and use the WebWise server to serve only your https secure stuff,
> so this may not be a big problem.

You could certainly do that; they will both run on the same machine without
conflicting with each other.

- Mark B.
