HP3000-L Archives

May 2000, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Shawn Gordon <[log in to unmask]>
Reply To:
Shawn Gordon <[log in to unmask]>
Date:
Tue, 16 May 2000 18:18:10 -0700
One quick note on the encryption cert.  You can get them from Equifax for
$40, and Verisign was under $200 last I checked.

shawn

At 06:16 PM 5/16/2000, Mark Bixby wrote:
>Gavin Scott wrote:
> > I'll just mention that in order to use the "secure" features of the server,
> > I believe you need to get your encryption key signed by Verisign or another
> > first tier CA, which cost something like $400/year the last time I checked
> > (which was at least a couple years ago).  I only mention this because, at
> > these low prices for the server, the key signing charge may become a
> > non-trivial percentage of the cost of setting up a secure web site.
>
>If you will be doing Internet applications, a certificate from a trusted CA
>such as Verisign (to name just one) is required.
>
>If you're only doing intranet applications, a free self-signed certificate
>that you can create yourself by using tools that come with WebWise may be
>sufficient.  Of course, you may still want to use a trusted CA certificate
>even for intranet purposes.
>
> > A potential gotcha with the WebWise server is that (I assume) HP
> > won't/can't release the source code for it, so if you need Apache
> > compiled with some special option then you're out of luck until you can
> > convince HP to change the way they build their version.
>
>The bulk of the source code is no big secret, and the MPE diffs will be
>submitted back to the appropriate opensource places (apache.org, etc) for all
>to see.  I'm currently working on this.
>
>However, the one portion that cannot be released is RSA's BSAFE Crypto-C
>product which is used to provide legal-for-HP-products RSA, RC2, and RC4
>algorithms.  We can't release that source, obviously, and we also choose
>not to release the binary Crypto-C API libraries at the current time.
>
>But you don't need Crypto-C to build your own secure web server.  WebWise
>consists of Apache plus mod_ssl, and mod_ssl wants to use OpenSSL for the RSA,
>RC2, and RC4 algorithms.  Because of patent and copyright issues, I modified
>OpenSSL to use Crypto-C (which HP has licensed for our internal use) for those
>3 algorithms.  However 100% vanilla OpenSSL works fine on MPE, as long as you
>meet the legal requirements (copyright, USA vs. rest of the world, commercial
>vs. non-commercial, etc, etc, etc, I am not a lawyer, etc) for using
>RSA/RC2/RC4.
>
>My non-lawyer understanding is that life becomes much simpler starting in
>September when the RSA patent expires.  OpenSSL RSA will become legal at that
>time without restriction.  I don't think anything changes regarding RC2 and
>RC4, but there are plenty of other ciphers browsers are willing to use, like
>3DES, which at 168 bits is even stronger than 128-bit RC4.  So you could build
>your own legal opensource secure web server starting in September, but you
>wouldn't be able to get any support from HP.  Your life would just be much
>simpler if you buy fully-supported WebWise from HP.  :-)
>
>Aside from the encryption capabilities of the WebWise secure web server, the
>next most important feature is Apache Dynamic Shared Object (DSO) support.
>This means that you can add on your own functionality to the server in the
>form of Apache modules loaded from an external NMXL at server initialization time.
>You only need to build your specific module; you don't need to rebuild all of
>WebWise from source.  Your module provides functions that the server will
>invoke at approximately 20 or so different places in the request life cycle.
>Many opensource modules like mod_perl or mod_php or mod_jserv are available,
>or you could write your own from scratch after reading about the Apache API at
>www.apache.org.  A custom module of your own would provide the tightest
>integration and greatest performance for interacting with your existing
>applications.
>
>DSO is really an important thing, and I hope that people do great things with
>it on MPE, such as creating MPE-based user authentication modules, Vesoft
>authentication modules, SAFE/3000 modules, etc.  Have no fear, DSO will be
>coming to the next release of HP-supported FOS Apache too.
>
>WebWise is built with almost ALL of the Apache modules available from
>www.apache.org as a part of the standard Apache distribution.  The 1 or 2
>modules I couldn't include depend on subsystems not yet ported to MPE.  You
>can see the complete list of WebWise modules at
>http://jazz.external.hp.com/src/webwise/beta.html#features.  As you can see,
>you're getting about ~98% complete Apache here, and it is all fully supported
>by HP.
>
> > It's also not clear how often the product
> > will be updated to the latest Apache version, or how long it will take to
> > get each new version released.
>
>I can't speak in detail about future plans.  I can say that it took me about 2
>or 3 months to create the WebWise A.01.00 bits, using the latest release of
>each of the components available at the start of the project.
>
> > Of course you could always run a mixture of the latest free Apache for most
> > purposes and use the WebWise server to serve only your https secure stuff,
> > so this may not be a big problem.
>
>You could certainly do that; they will both run on the same machine without
>conflicting with each other.
>
>- Mark B.
