Off the home page: OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.
Regarding exportability, last I heard export restrictions had been relaxed somewhat for friendly nations. However I'm not American and do not live in the US so not sure. Check with your customs department, it can't be that hard to find out what is required. The only problem you may run into is that many of us outside the US do no accept crippled or limited code. As insecure as it is for you guys it also is for us. There is a reason afterall that the guy(s) who do security call it security. 40-64 bit keys is called "confused clear text." Nothing less than proper 128bit. On Mon, 2003-06-16 at 05:57, [EMAIL PROTECTED] wrote: > Hi, > > I have a question about distribution of software which is based on OpenSSL libraries > considering US export regulations. > > We are planning to use OpenSSL library to develop a program with functionality > similar to that of HTTPS client/server. We will be linking our code (static or > dynamic - any will do) with the OpenSSL libraries. We will not have any encryption > code of our own but only be using APIs/functions from OpenSSL. > > We are planning to create two versions of our program - one for US customers and > one for export out of US. The exportable version will only support exportable/weak > ciphers. Although it will be linking to the OpenSSL library, at runtime it will only > support key legnths which are allowed under the export control regulations. (i.e. > the OpenSSL APIs/functions will be called with restricted key legnths. I am assuming > that we can initialize OpenSSL library at startup or hard-code values in our code to > support only weak ciphers and limit the key length). > > Will this satisfy the export requirements? Is an export license or review by the > authorities required for this kind of application? > > I was told that even though our program is only supporting limited key lengths, it > can not be exported as it is linking to OpenSSL which has the logic to support > larger key lengths and strong ciphers. > > Some more info. We are a US based company and will be exporting out of US. We will > not be making any changes to OpenSSL code and our code can not be open source. > > I am sure this must be very common scenario, but haven't found any clear answers. > > Thanks > Viral > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Corey Rogers Junior System Administrator Wamco Technology Group Ltd (Barbados) #3 Mahogany Court, Wildey, St. Michael Phone: (246)437-3154 FAX: (246)228-4319 [F]or those of you who are constantly belittled by your peers for believing that Big Brother is out to get you, be assured, it is. In fact,you are probably not paranoid enough." - editorial, "Today's Technology Can Easily Track Criminals and Ex-offenders", _The_ECHO_ newspaper, Jan. 1998 CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any,is (are) for the intended recipient only (person or entity)and may contain confidential or proprietary information some or all of which may be legally privileged. Any unauthorised review, use, copy, print, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and do not in any way rely on this e-mail. If you are the intended recipient but do not wish to receive communications through this medium, please so advise the sender immediately.
signature.asc
Description: This is a digitally signed message part
