License implications of OpenSSL in a GPL v2 application
I'm the author of ike-scan, which is a GPL v2 licensed application that can
optionally use the crypto functions in the OpenSSL library. I am the author
and copyright holder of all the ike-scan source files which can use OpenSSL.

The application uses the MD5 and SHA1 hash functions from OpenSSL, and it
also includes C source files for "free" versions of SHA1 (Steve Reid's
sha1.c) and MD5 (L. Peter Deutsch's md5.c). The selection of whether to
use the OpenSSL hash implementations or the included C hash implementations
is made at configure time.

I've seen some discussion about the incompatibility between GPL v2 and the
OpenSSL license, and I'd like to find out what I can do to allow my
application to use OpenSSL but remain licensed under GPL v2.

Firstly, I assume that providing the application is not configured with
OpenSSL support, so the resultant binary does not link against the OpenSSL
library, then there are no problems (please correct me if I'm wrong
here). I believe that this is what the current Debian Sarge ike-scan
package does. However, it's preferable to use the OpenSSL functions
because they are significantly faster than the included C functions.

I've read some previous advice on debian-legal at
http://lists.debian.org/debian-legal/2004/05/msg00595.html, and that
answers some of my questions. However, I still have a few remaining questions:

The previous debian-legal advice mentioned above says to add the following
exception text to the GPL announcement in the source code:

    In addition, as a special exception, the copyright holders give
    permission to link the code of portions of this program with the
    OpenSSL library under certain conditions as described in each
    individual source file, and distribute linked combinations
    including the two.

    You must obey the GNU General Public License in all respects
    for all of the code used other than OpenSSL. If you modify
    file(s) with this exception, you may extend this exception to your
    version of the file(s), but you are not obligated to do so. If you
    do not wish to do so, delete this exception statement from your
    version. If you delete this exception statement from all source
    files in the program, then also delete it here.

1. Should this be added to every source file, or only those containing
functions that can use functions from the OpenSSL library? What about
header files that may define prototypes for OpenSSL functions, for example
the code snippet from ike-scan.h shown below?

    unsigned char *MD5(const unsigned char *, size_t, unsigned char *);
    unsigned char *SHA1(const unsigned char *, size_t, unsigned char *);

2. The text above mentions "certain conditions as described in each
individual source file". Where should these conditions be mentioned? Do I
need to add another comment to the source describing these conditions? If
so, what would a suitable wording be?

Any help or pointers would be gratefully received.

Roy Hills Tel: +44 1634 721855
NTA Monitor Ltd FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate, Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FA, UK WWW: http://www.nta-monitor.com/