Date sent: Tue, 05 Nov 2002 13:12:27
To: [EMAIL PROTECTED]
From: "Thomas J. Hruska" <[EMAIL PROTECTED]>
Subject: Re: OpenSSL on WIN2K
Send reply to: [EMAIL PROTECTED]
Passing out this type of advice may end up getting application
developers in a lot of hot water. The distribution of the OpenSSL
dll's has no relation to the legal requirements involving the use of
such dll's. I believe the term the US government uses for
applications that do make use of such a concept is an "open
cryptographic interface".
I have been told, but have no proof of such, the US Department of
Commerce WILL NOT approve the export of any product that uses the
OpenSSL dll's. Futher, all the applications I know of that have
export approval, which use OpenSSL, is in fact static linked to the
OpenSSL library.
It would be interesting to know if any US based application, which
has export approval, does use the OpenSSL dll's.
Ken
At 10:28 AM 11/5/2002 -0500, Oblio writeth:
>I'm not sure what these two files are, either (I think you meant
>'ssleay32.dll and libeay32.dll'). However, I've found that a number
of
>programs I have installed include versions of them, and there's a
copy in
>my system32 directory. I can give you a copy if you'd like.
>
>Can anyone else tell us where these come from, and what they do?
(And why
>the different copies on my system are different sizes?)
They usually come from pre-built sources. Technically end-users
should do
the compilation of OpenSSL for their systems and companies should not
incorporate OpenSSL into their product lines because of import and
export
regulations (legal issues just get messy in regards to cryptography
software). However, many Windows-oriented products include OpenSSL
binaries to make end-users lives easier. The downside to
distributing the
binaries is that every product that uses OpenSSL has to keep OpenSSL
updated - thus requiring additional resources that could be spent
doing
something else. Hence the reason for the Win32 OpenSSL Installation
Project. It deals with the legal issues of distributing OpenSSL,
Windows
programming/development issues, and end-user issues all at the same
time in
one convienent package.
The reason for different sizes is usually due to whatever compiler
the
company used to build the DLLs. Also, the OpenSSL DLLs may be
different
versions...and anything below v0.9.6f/0.9.6g is subject to several
serious
security-oriented issues.
Hope this helps!
Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow
programmers"
http://www.shininglightpro.com/
______________________________________________________________________
OpenSSL Project
http://www.openssl.org
User Support Mailing List openssl-
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
_
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
