Hi,

I have a question about distribution of software which is based on OpenSSL libraries 
considering US export regulations.

We are planning to use OpenSSL library to develop a program with functionality similar 
to that of HTTPS client/server. We will be linking our code (static or dynamic - any 
will do) with the OpenSSL libraries. We will not have any encryption code of our own 
but only be using APIs/functions from OpenSSL.

We are planning to create two versions of our program - one for US customers and one
for export out of the US. The exportable version will only support exportable/weak
ciphers. Although it will be linking to the OpenSSL library, at runtime it will only
support key lengths which are allowed under the export control regulations. (i.e. the
OpenSSL APIs/functions will be called with restricted key lengths. I am assuming that
we can initialize the OpenSSL library at startup or hard-code values in our code to
support only weak ciphers and limit the key length).

Will this satisfy the export requirements? Is an export license or review by the 
authorities required for this kind of application? 

I was told that even though our program is only supporting limited key lengths, it can 
not be exported as it is linking to OpenSSL which has the logic to support larger key 
lengths and strong ciphers. 

Some more info. We are a US based company and will be exporting out of US. We will not 
be making any changes to OpenSSL code and our code can not be open source.

I am sure this must be a very common scenario, but I haven't found any clear answers.

Thanks
Viral

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
