OpenSSL

From Wikipedia, the free encyclopedia

Developer: The OpenSSL Project
Latest release: 0.9.8g / October 19, 2007
OS: Multi-platform
Genre: Security library
License: Apache-like unique
Website: www.openssl.org

OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (iSeries/AS400). OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson, development of which unofficially ended around December 1998, when Tim and Eric both moved to work for RSA Security.


On February 6, 2007, the Open Source Software Institute and the OpenSSL Group announced the validation for the OpenSSL FIPS Object Module under Federal Information Processing Standards (FIPS 140-2) by the Cryptographic Module Validation Program (CMVP). The FIPS validated OpenSSL module was awarded certificate 733.

This is a precedent-setting validation which benefits the free software community. The source code is openly available, and the validation results can be applied to properly ported and recompiled modules:

The validated OpenSSL FIPS source code and Object Module (tarball) is available for download at the OpenSSL Project homepage. The NIST validation certificate (733) can be found on the NIST FIPS 140-1 and -2 Validation List. OSSI has also made the Security Policy and User Guide available at the OSSI website for download and use without restriction.

Specifics on the Validated OpenSSL Object Module

For the purposes of FIPS 140-2 validation the OpenSSL Cryptographic Module v1.1.1 is defined as a specific discrete unit of binary object code generated from a specific OpenSSL source distribution. This source distribution is compiled to create a library that is used to provide a cryptographic API (Application Programming Interface) to external applications, and is compatible with a wide variety of hardware and operating system platforms.

The module was tested by the DOMUS FIPS 140-2 Cryptographic Module Testing (CMT) laboratory for two specific test platforms, HP-UX 11i and SuSE Linux version 9.0. However, the CMVP allows the re-compilation of the unmodified source software with compilers different than the listed compilers that were used for validation testing, or on operating system or general purpose computer hardware platforms which were not included as part of the validation testing. Provided that the restrictions described in the Security Policy are observed, the validation status is maintained on the new OS(s) and/or hardware without re-testing the cryptographic module for those specific platforms. A Module built in violation of the Security Policy — where the source code has been modified or the approved build procedures have not been followed — is by definition invalid and not FIPS compliant.

The OpenSSL FIPS library was designed and implemented to meet FIPS 140-2 requirements. Apart from building the binary library from the OpenSSL FIPS source distribution and then loading and initializing it, no special steps are required for FIPS 140-2 compliant operation of the module. This process of generating the runtime application from source code is the same for all platforms and is documented in the Security Policy.
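In practice the Security Policy's conditions above (unmodified source, approved build procedure) become a gate at the very start of the build: prove that the tarball is the validated distribution before any build step runs. The following script is an added example, not code from the OpenSSL Project or from the Security Policy. It recomputes an HMAC-SHA-1 over the distribution, compares it with a reference digest in constant time, and refuses to build on a mismatch. The HMAC key, the reference digest and the sample tarball bytes are constructed placeholders (assumptions); the real key and digest would be taken from the module's Security Policy, and whatever digest that document specifies, the shape of the gate is the same.

```python
"""Integrity gate for a FIPS module source distribution.

Added example, not code from the OpenSSL Project. The validated module is a
specific binary built from a specific, unmodified source distribution, so a
build pipeline must first prove the tarball is that distribution. The key and
reference digest here are placeholders (assumptions).
"""
import hashlib
import hmac
from typing import Callable

# ASSUMPTION: placeholder key. The real key comes from the Security Policy.
HMAC_KEY = b"placeholder-key-from-security-policy"
CHUNK = 64 * 1024


def distribution_hmac(data: bytes) -> str:
    """Hex HMAC-SHA-1 over an in-memory copy of the distribution."""
    return hmac.new(HMAC_KEY, data, hashlib.sha1).hexdigest()


def verify_distribution(data: bytes, expected_hex: str) -> bool:
    """True only if the tarball matches the published digest.

    compare_digest does not short-circuit on the first differing byte, so the
    comparison does not leak how much of the digest an attacker got right."""
    return hmac.compare_digest(distribution_hmac(data), expected_hex.lower())


def verify_file(path: str, expected_hex: str) -> bool:
    """Same check for an on-disk tarball, read in chunks so a large
    distribution is never loaded into memory at once."""
    mac = hmac.new(HMAC_KEY, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            mac.update(block)
    return hmac.compare_digest(mac.hexdigest(), expected_hex.lower())


def gate_build(data: bytes, expected_hex: str, build: Callable[[], str]) -> str:
    """Run the approved build procedure only after verification succeeds.

    A module built from source that fails the check is, by the Security
    Policy's own definition, not the validated module, so the build is
    refused rather than produced and flagged later."""
    if not verify_distribution(data, expected_hex):
        raise RuntimeError(
            "distribution digest does not match Security Policy; refusing to build")
    return build()


# Constructed sample data standing in for a real source tarball.
GOOD_TARBALL = b"\x1f\x8b" + b"constructed stand-in for the FIPS source distribution " * 64
# Stands in for the digest printed in the Security Policy.
REFERENCE_DIGEST = distribution_hmac(GOOD_TARBALL)
# One flipped bit (XOR 0x01 on byte 100) is enough to fail the gate.
TAMPERED_TARBALL = GOOD_TARBALL[:100] + bytes([GOOD_TARBALL[100] ^ 0x01]) + GOOD_TARBALL[101:]

if __name__ == "__main__":
    print("reference digest:", REFERENCE_DIGEST)
    print("good tarball verifies:", verify_distribution(GOOD_TARBALL, REFERENCE_DIGEST))
    print("tampered tarball verifies:", verify_distribution(TAMPERED_TARBALL, REFERENCE_DIGEST))
    try:
        gate_build(TAMPERED_TARBALL, REFERENCE_DIGEST, lambda: "built")
    except RuntimeError as err:
        print("build refused:", err)
```

The `build` callable is where the Security Policy's documented build steps would be invoked; the point of the example is that nothing reaches them unless the distribution has first been matched against the published digest.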

The OpenSSL FIPS library provides confidentiality, integrity, and message digest services. OpenSSL FIPS natively supports the following algorithms: DES, Triple DES, AES, RSA (for digital signatures), DH, DSA, SHA-1 and SHA-2. OpenSSL FIPS performs ANSI X9.31 compliant pseudo-random number generation.

The GPL exception is a clause added to the GNU General Public License (GPL) by developers who want to use OpenSSL with their GPL licensed software. This has also been referred to as the "OpenSSL license" or the "OpenSSL exception".

An alternative to this workaround, suggested by the OpenSSL Project in their FAQ, is to provide a dual license: allow users to choose to use your program under either the GPL (without OpenSSL) or a license that is compatible with the OpenSSL license. OpenSSL itself is dual-licensed, though neither license is the GPL [1]. The common usage of the term "dual-license" is that the user may pick which license they wish to use, however OpenSSL documentation uses the term "dual-license" to mean that both licenses apply.

The GPL, version 2, contains the following text in section 6:

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

The OpenSSL license, on the other hand, contains two sections which seem to conflict with it:

3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

The GPL, version 2, contains the following text in section 3:

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
[subsections b and c deleted for brevity]
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

Some take this to mean that a GPL program may only be combined with OpenSSL (whose license is incompatible with the GPL) under this exception, that is, when OpenSSL is a normal component of the operating system and is not distributed together with the program itself.

The new version of the GPL, version 3, seems to be compatible with OpenSSL license clauses 3 and 6, which would allow a GPLv3 work to be linked against OpenSSL code. GPLv3 section 7 (Additional Terms) says:

Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

Some programs that are licensed under the GPL have included an exception in order to use OpenSSL. GNU Wget uses the following:

In addition, as a special exception, the Free Software Foundation gives permission to link the code of its release of Wget with the OpenSSL project's "OpenSSL" library (or with modified versions of it that use the same license as the "OpenSSL" library), and distribute the linked executables. You must obey the GNU General Public License in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.

climm (formerly mICQ) uses a slightly different exception:

Beginning with 0.4.12, as a special exception permission is granted to link the code of this release of mICQ with the OpenSSL project's "OpenSSL" library, and distribute the linked executables. You must obey the GNU General Public License, version 2, in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version of this file.

Because of the Open- prefix in its name, OpenSSL is often associated with OpenBSD, which distributes several programs named in the Open* style, such as OpenSSH. This is a mistake: OpenSSL is developed entirely outside OpenBSD by The OpenSSL Project, under a different license than OpenBSD commonly uses. As with FreeBSD's OpenBSM, the project simply shares the goal of providing an open source implementation of a valuable asset for the common good.
