For Release: December 19, 1996 C2Net: Douglas Barnes, +1 510 986 8770, cman@c2.net UK Web: Dave Williams, +44 0113 222 0046, dwilliams@ukweb.com Thawte Consulting: Mark Shuttleworth, +27 21 975 4675, marks@thawte.com C2NET ANNOUNCES STRONGHOLD 2.0, BUNDLED THAWTE CERTIFICATES Oakland, CA -- C2Net Software, an Oakland-based security software company, announced today the beta release of Stronghold 2.0. Stronghold is currently the second most popular commercial webserver on the Unix platform, according to the Netcraft survey of webservers on the Internet. (see: http://www.netcraft.co.uk/survey/) Bundled With Thawte Certificates ================================= Additionally, C2Net and Thawte Consulting cc, a certificate authority based in South Africa, jointly announced a bundled product: a Stronghold webserver and a Thawte server certificate. The bundle will sell for $545; Stronghold alone lists at $495. Thawte's main competitor, Verisign, sells web server certificates for $290; similar certificates are $100 when purchased separately from Thawte. "We can now offer our customers the convenience of one-stop shopping when setting up a secure web site," said C2Net President Sameer Parekh. "Thawte is now poised to be a significant competitor to VeriSign, and we think that competition in this area is very healthy and will bring greater value to the entire Internet" Certificates are used for secure connections to authenticate the server to the client. People using Netscape and Microsoft browsers can connect to sites using both Thawte and VeriSign certificates because the "root certificates" for these companies come pre-loaded with the Netscape and Microsoft browsers. New Features in Version 2.0 =========================== Stronghold 2.0 is adding a number of new features users have been asking for. "We've redesigned the security interfaces and built on the new Apache 1.2 code base," commented Mark Cox, Stronghold product manager at UK Web. "Stronghold has had many productivity and performance enhancements and it is now fully compliant with the new HTTP/1.1 standard." The HTTP/1.1 standard is a significant update to HTTP/1.0, the protocol that governs how web browsers and web servers communicate. HTTP/1.1 brings many new features to the table, including improved content and language negotiation, improved persistent connections, and better recovery from interrupted transfers. (For more information on HTTP/1.1, see http://www.apacheweek.com/features/http11/) Stronghold 2.0b1 also incorporates a number of popular features from the Thawte webserver, Sioux, including more flexible directives for specifying security properties and improved certificate-based authentication. A subsequent beta version of Stronghold 2.0 will contain a full-fledged grapical configuration manager, based on the one in Sioux, as well as support for the latest version of the SSL protocol, known as SSLv3. Merged With Sioux ================= Along with the bundling agreement, Thawte and C2Net have merged their webserver products, Sioux and Stronghold. "This gives us a chance to focus more of our energy on our certificate business," said Mark Shuttleworth of Thawte Consulting. "By doing this, our two companies will be better able to compete in both the web server and certificate- issuing markets." Existing Sioux customers will be able to upgrade to the new version of Stronghold for $95. Upgrade Policy ============== Starting today, users who purchase Stronghold will be guaranteed a free upgrade to 2.0 when it gets out of beta testing. Other existing Stronghold users will probably need to pay a $95 upgrade fee, depending on when they purchased the product. Stronghold is developed outside of the United States, and is distributed within the US and Canada by C2Net (http://stronghold.c2.net/) and in the rest of the world by UK Web (http://stronghold.ukweb.com/). All versions of the product use uncompromised, full-strength cryptography. Background ========== C2Net (previously known as Community ConneXion, Inc.) is the leading provider of uncompromising security on the Internet. In addition to Stronghold (http://stronghold.c2.net/), C2Net also markets SafePassage Web Proxy (http://stronghold.ukweb.com/safepassage/), a product that allows users of popular web browsers to use full-strength cryptography worldwide. UK Web Limited is a leading Internet services company specialising in server technology, Internet security, business solutions and effective site design. They are the international distributors for both Stronghold and SafePassage products. Portions of Stronghold were developed by the Apache Group, and were taken with permission from the Apache Server http://www.apache.org/. Stronghold also includes software developed by Eric Young (eay@mincom.oz.au). Contacts ======== C2Net: Douglas Barnes, +1 510 986 8770, cman@c2.net UK Web: Dave Williams, +44 0113 222 0046, dwilliams@ukweb.com Thawte Consulting: Mark Shuttleworth, +27 21 975 4675, marks@thawte.com New with Stronghold v2.0b1 http://stronghold.c2.net/get/beta/ == Security In Stronghold 2.0b1 we've upgraded to the latest SSL and cryptography library, with a number of performance improvements, particularly in the DES implementation. The security/SSL architecture in Stronghold has been rewritten to take advantage of the Sioux source code base and the various features in Sioux. SSL client authentication has been improved. Regular expression-based matching of client certificate information to determine access control is possible. Stronghold now has an API for certificate to username mapping so that client certificates may be mapped to standard usernames. Session ID caching is now more robust. The sessiond is no longer needed, because the session ID cache is within the same address space as the server processes. == Ease of Use The Stronghold documentation has been revised and improved greatly since the last release. The 2.0b1 documentation is now three hundred pages long and will grow to include more extensive documentation for the final release. The documentation is available in both PostScript and HTML formats. The server has more command line options which provide information about the server. In particular, you can get a list of all the modules in the server or a full listing of all configuration directives that are supported by that binary. Compiling the server to add/remove new modules is also much easier. The Configure script automatically detects which operating system the server is running on and sets the compilation flags appropriately. Stronghold is now easier to install, with more verbose text during the install. Stronghold now comes with binaries for a number of useful management utilities, such as htpasswd, htdigest, and dbmmanage. == Functionality Stronghold is now compliant with HTTP/1.1, the latest in web protocol technology. Stronghold is the first commercial webserver to support HTTP/1.1. Stronghold 2.0b1 includes the lastest beta version of Apache (1.2b2), which includes a number of improvements, in addition to a large number of bugfixes. The server status page has been improved include additional information, including virtual hosts and client side certificates. The status page is also much more readable. Stronghold has a more fully-functional server-side includes mechanism, including the "eXtended Server Side Includes" SSI format. Stronghold provides server admins the ability to easily setup cookie-based user tracking so the admin can see what path through their site the users have been taking. It is now possible to restart the server and reload the configuration files without interrupting connections which are currently in progress. Stronghold is now compatible with the NCSA "Satisfy" directive for access control. CGI scripts are now "unbuffered". By unbuffering the CGI scripts it is possible to do things using normal CGI that were previously only possible using "nph". More information is available to ErrorDocument handlers about the cause of the error via the use of the ERROR_MSG environment variable. == New Bundled Modules Stronghold now bundles PHP, a very powerful language for dynamic content and database connectivity. PHP provides for database connectivity to mSQL, Postgres95, Solid, and mysql servers. Using PHP, Stronghold can now generate web pages on the fly using a very powerful C-like language for processing forms input, database queries, etc. Stronghold now bundles with SWISH/WWWWAIS search engine for indexing and searching through web sites. Stronghold now comes with the proxy module enable by default. The proxy module has also been significantly improved since the previous version. A full-featured URI rewriting language that allows server administrators to define rules for transforming URIs. Support for the DigiCash ecash protocol is now built into the server. Using this module it is possible to set up an ecash-accepting shop on the Internet without an actual account with an ecash-issuing bank. == Configurability It is now possible with Stronghold to configure the server such that user's CGI scripts are run under their own UID, with their own permissions, instead of the UID of the server, with the same permissions as the rest of the server or other CGI programs run by other users. Many directives now support regular expressions, so configuration options can be set based on regular expression matching criteria. The new <Files> container allows server adminstrators to set configuration options on a much finer basis, down to individual files in directories. Server administrators can now set environment variables based on which web browser the client is using. These environment variables can be used to deliver different web pages, or work around bugs in various different browsers. Configurable logging is now the default, and has been enhanced. It is now possible to create a number of different logfiles each with their own configurable logging format. It is also now possible to setup a virtual host which listens to more than one IP number, or more than one port. It is easier in Stronghold 2.0b1 to debug CGI scripts. The server administrator or CGI author can configure logfiles where CGI error messages and diagnostic information get stored. The entire server can protect itself from runaway CGI scripts by configuring in the resource limits for CGI that are now available in Stronghold. Server redirects are more configurable. The client can now be told whether or not a redirect is temporary, permanent, or if the requested object is completely gone. The "Options" directive is much more configurable. It's possible now using the "Options" directive to add and remove options from the current set of "Options" merely by prepending a '-' or '+' to the option name. There is now a configuration directive to set and remove HTTP headers. Using this directive various directories or various files can have custom headers attached if the server administrator wants to easily support some of the many HTTP extensions. The configuration file can include directives which are turned on or off conditionally depending on whether or not certain modules are compiled into the server.