OpenSSL
From Wikipedia, the free encyclopedia
| Developer | The OpenSSL Project |
|---|---|
| Latest release | 0.9.8d / September 29, 2006 |
| OS | Multi-platform |
| Use | Security library |
| License | Apache-like unique |
| Website | www.openssl.org |
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), and also for Microsoft Windows. OpenSSL is based on SSLeay by Eric Young and Tim Hudson, development of which unofficially ended around December 1998, when Tim and Eric both moved to work for RSA Security.
Major version releases
- OpenSSL 0.9.8 was released on July 5, 2005.
- OpenSSL 0.9.7 was released on December 31, 2002.
- OpenSSL 0.9.6 was released on September 25, 2000.
- OpenSSL 0.9.5 was released on February 28, 2000.
- OpenSSL 0.9.4 was released on August 9, 1999.
- OpenSSL 0.9.3 was released on May 25, 1999.
FIPS compliance
The Open Source Software Institute has secured a FIPS 140-2 validation (certificate number 642) for OpenSSL [1], for which the current status is also available. This is a precedent-setting validation which benefits the free software community. The source code is openly available, and the validation results can be applied to properly ported and recompiled modules:
- The OpenSSL FIPS Cryptographic Module, when generated from the identical unmodified source code, is "Vendor Affirmed" to be FIPS 140-2 compliant when running on other supported computer systems provided the conditions described in the Security Policy are met.
The validated OpenSSL FIPS source code and Object Module is available for download at the OpenSSL Project homepage[2]. The NIST validation certificate (642) can be found on the NIST FIPS 140-1 and -2 Validation List [3].
The National Institute of Standards and Technology has since changed the FIPS OpenSSL certificate #642 status to "not available". This means that the module is no longer available for procurement from the vendor, but may still be retained and used to demonstrate compliance to FIPS PUB 140-2 (see the NIST validation list: http://csrc.nist.gov/cryptval/140-1/1401val.htm).
Misconceptions
Because of the Open- prefix in its name, OpenSSL is often associated with OpenBSD, which distributes several programs using the Open* naming style, such as OpenSSH. This is a mistake: OpenSSL is developed completely outside the scope of OpenBSD by The OpenSSL Project, under a different license than the one commonly used by OpenBSD. As with FreeBSD's OpenBSM, the project simply shares the goal of providing an open source implementation of a valuable asset for the common good.
GPL exception
The GPL exception is a clause added to the GNU General Public License (GPL) by developers who want to use OpenSSL with their GPL licensed software. This has also been referred to as the "OpenSSL license" or the "OpenSSL exception".
An alternative to this workaround, suggested by the OpenSSL Project in their FAQ, is to provide a dual license: allow users to choose to use your program under either the GPL (without OpenSSL) or a license that is compatible with the OpenSSL license. OpenSSL itself is dual-licensed, though neither license is the GPL.
License incompatibilities
The GPL contains the following text in section 6 (emphasis added):
- Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
The OpenSSL license, on the other hand, contains two sections which seem to conflict with it:
- 3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
  "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- 6. Redistributions of any form whatsoever must retain the following acknowledgment:
  "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
The GPL contains the following text in section 3 (emphasis added):
- 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
  a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
  [subsections b and c deleted for brevity]
- The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
Some read this to mean that a GPL program which uses OpenSSL (whose license is incompatible with the GPL) cannot be distributed together with an operating system: once OpenSSL accompanies the executable, the "major components" exception quoted above no longer covers it.
The exception
Some programs that are licensed under the GPL have included an exception in order to use OpenSSL. GNU Wget uses the following:
- In addition, as a special exception, the Free Software Foundation gives permission to link the code of its release of Wget with the OpenSSL project's "OpenSSL" library (or with modified versions of it that use the same license as the "OpenSSL" library), and distribute the linked executables. You must obey the GNU General Public License in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.
mICQ uses a slightly different exception:
- Beginning with 0.4.12, as a special exception permission is granted to link the code of this release of mICQ with the OpenSSL project's "OpenSSL" library, and distribute the linked executables. You must obey the GNU General Public License, version 2, in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version of this file.
See also
External links
- SSLeay Documentation Archive
- OpenSSL homepage
- The OpenSSL License and the GPL by Mark McLoughlin
- wget's readme file, including the GPL with exception
- mICQ COPYING file, citing the GPL and including the exception
- OpenSSL FAQ entry on interaction between the OpenSSL and GNU licenses