Over the last year there have been a number of changes that
affect users wishing to deploy a secure web server based on
Apache. Some of the changes since our article Apache and
Secure Transactions in 1998 are:
- The USA relaxed export restrictions on cryptography,
  allowing most of the rest of the world ready access to full
  strength browsers and servers. However, how the new rules
  apply to incorporating cryptography code into open-source
  projects, to mixing binaries, and to overseas developers is
  still not entirely clear.
- Thawte Consulting, a popular provider of digital server
  certificates, was bought by its competitor Verisign. This
  gave Verisign a combined market share of over 99% for
  server certificates.
- The authors of the open-source SSLeay cryptography library
  were employed by RSA Security and all work on the library
  stopped. The OpenSSL project was formed to carry on
  development of the library.
- Hardware cryptographic accelerators have increased in
  popularity, with a number of vendors producing new products.
- The RSA patent on the use of RSA encryption technology in
  the USA expires later this year. Once the patent has
  expired, users will be able to combine open-source
  technologies in order to make their own secure web server.
  Although the technologies for this already exist, users
  have been unable to legally use the open-source OpenSSL
  library inside their servers due to the patent.
Apache Week visited the RSA Security conference in Munich
last week to see the latest trends in cryptography and how
they affect Apache users.
Each time a secure web server receives a connection from a
new client it has to establish a new SSL session. This
negotiation requires the server to perform a private key
operation, usually with a 1024-bit RSA key. This operation is
mathematically complex and is therefore time-consuming.
Hardware accelerators are designed to offload the most
complex parts of this operation allowing more new connections
to be established every second. Existing hardware units
handle anywhere between 75 and 300 of these operations per
second using a number of internal processors, and can cost up
to US$15,000. One chip manufacturer at the conference
announced a new, affordable, processor that could handle 600
operations a second as well as providing key management
facilities. During the conference a talk was given about the
design of a custom accelerator chip that would be capable of
around 2000 operations per second. However, even with these
advances it is difficult for the hardware solutions to keep
up with the low cost and high speeds available from standard
processors. A paper with more
details of these issues was presented at ApacheCon 2000.
At the conference Compaq announced a breakthrough in
high-speed RSA cryptography, named MultiPrime. The original
RSA algorithm patented by RSA has traditionally used two
prime numbers to form a large key. The new, patented MultiPrime
technology uses three or more prime numbers to do the
same task but can run at twice the speed. This announcement
comes shortly before the expiry of the original RSA patent
on the use of two prime numbers for cryptography, and Compaq
has exclusively licensed MultiPrime technology to RSA. What
this means is that whilst users will be able to legally run
their own open-source servers based on OpenSSL once the RSA
patent has expired, they will not be able to make use of
MultiPrime technology without using a licensed RSA Security
toolkit.
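As an added example, not code from the original article or from Compaq or RSA, here is textbook k-prime RSA in Python: the private-key operation that a server performs for every new SSL session, done the plain way and through the Chinese Remainder Theorem, for a classic two-prime key and a three-prime key of the kind the MultiPrime announcement describes. With CRT the private operation becomes k exponentiations on moduli about 1/k the key size, and with schoolbook arithmetic the total work falls roughly as 1/k², so three primes take about 4/9 of the work of two, in line with the factor of two quoted above. Key sizes and the test message are constructed for the demo; nothing here reproduces Compaq's actual design, and there is no padding, so this shows the arithmetic only.

```python
import secrets
def is_probable_prime(n, rounds=32):  # Miller-Rabin probabilistic primality test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if is_probable_prime(c):
            return c

def generate_key(modulus_bits, k, e=65537):
    """Textbook k-prime RSA key: k=2 is classic RSA, k>=3 the multi-prime form (no padding)."""
    while True:
        primes = [random_prime(modulus_bits // k) for _ in range(k)]
        # e is prime, so gcd(e, phi) == 1 iff e divides no (p - 1); primes must be distinct
        if len(set(primes)) == k and all((p - 1) % e for p in primes):
            break
    n = phi = 1
    for p in primes:
        n, phi = n * p, phi * (p - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi), "primes": primes}

def private_op_crt(c, key):
    """Garner's CRT: one exponentiation per prime, with modulus and exponent ~1/k the size."""
    x, m = 0, 1
    for p in key["primes"]:
        r = pow(c % p, key["d"] % (p - 1), p)     # reduced exponent (Fermat)
        x += m * (((r - x) * pow(m, -1, p)) % p)  # lift x so that x == r (mod p)
        m *= p
    return x

def roundtrip_ok(modulus_bits, k, message):
    key = generate_key(modulus_bits, k)  # constructed demo key, far smaller than 1024 bits
    c = pow(message, key["e"], key["n"])
    return private_op_crt(c, key) == message == pow(c, key["d"], key["n"])
```

Run `roundtrip_ok(384, 2, m)` and `roundtrip_ok(384, 3, m)` to confirm both the plain and the CRT private operations recover the same message for a two-prime and a three-prime key.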
The Jakarta Project
this week announced the release of version 3.1 of Tomcat.
Tomcat is the open source servlet container that runs within
Apache to implement Java Servlets and JavaServer Pages.
Tomcat 3.1 is available for download.
Each month we report on the new figures from the Netcraft and E-Soft surveys of web
sites. Both surveys show similar results, with Apache far in
the lead, as they follow similar methods for collecting their
data. The Netcraft survey, for example, probes as many hosts
as it can find that may be running web services. This month
a new survey from
BizNix was released. Rather than examine every site
available, they chose to take a smaller sample looking at the
servers run by companies in the Fortune 500 and Global 500
lists. For this sample they found that Microsoft and Netscape
servers were still more popular than Apache.
This occasional section contains short announcements of jobs
which require significant Apache experience. To see more jobs
or find out how to submit your vacancy visit the Apache Week Jobs
section.
- Application Developer (Canada): TUCOWS seeks developers with
  a background in Apache, Perl, mod_perl, C/C++, and SQL in a
  Unix (Linux) environment. Java, Javascript, Python experience
  is beneficial as well.
Apache Site: www.apache.org/httpd
Release: 1.3.12 (Released 25th February 2000) (local download sites)
Beta: None
Alpha: 2.0a2 (Released 31st March 2000) (local download sites)
Apache 1.3.12 is the current stable release. Users of Apache
1.3.11 and earlier on Unix and Windows systems should upgrade
to this version. Read the Guide to 1.3.12, the Guide to 1.3.11
for information about changes between 1.3.9 and 1.3.11, and
the Guide to 1.3.9 for information about changes between 1.3.6
and 1.3.9.
A third alpha of Apache 2.0 is expected to be available next
week.
Here at Apache Week we're always keen to know a little more
about you so we can tailor the site to your needs. Please
take a few minutes to enter the
O'Reilly Network Survey. If the thought of having the
site tailored specifically for your needs isn't exciting
enough, there is a chance to win a prize if you complete the
survey. Who said bribery never works?