Re: [apache-ssl] Using Verisign certificates


On Wed, 13 May 1998, Roeland M.J. Meyer wrote:

> At 10:45 AM 5/11/98 -0500, Chris Owen wrote:
> >
> >We've used Stronghold for the past 2 years, but frankly I'd much rather
> >use plain old apache-ssl.  However, there is the Verisign certificate
> >problem.
> >
> >My question is this:  What is the real limitation against doing this?  The
> >apache-ssl web page says it isn't allowed, but on the Verisign site it
> >doesn't really make such claims.  I've also checked out the Verisign
> >contract and except for some vague language about using "appropriate SSL
> >software" it doesn't really say anything about any limits as to what
> >software you can use the certificate with.
> >
> >What happens if you use apache-ssl?  Do they revoke your certificate?  I'd
> >rather stay legal, but I'd really rather use the real deal rather than
> >Stronghold.

I did some research on this a while back and talked at length to someone
at RSA on this.  I was told that I could buy a copy of RSA's BSAFE library
for in-house commercial use for about $300 per machine, and that it would
work as a drop-in replacement for rsaref.  I specifically told RSA that my
intent was to link bsafe to ssleay, and they didn't have a problem with
that.  But then again the guy I talked to actually knew what ssleay was.

Assuming that is true, you could compile ssleay against bsafe (anyone done
this?) and use that with apache-ssl.  Legal in the US for less than the
price of Stronghold.

Chris