
License implications of OpenSSL in a GPL v2 application

I'm the author of ike-scan, which is a GPL v2 licensed application that can optionally use the crypto functions in the OpenSSL library. I am the author and copyright holder of all the ike-scan source files which can use OpenSSL functions.

The application uses the MD5 and SHA1 hash functions from OpenSSL, and it also includes C source files for "free" versions of SHA1 (Steve Reid's sha1.c) and MD5 (L. Peter Deutsch's md5.c). The selection of whether to use the OpenSSL hash implementations or the included C hash implementations is made at configure time.

I've seen some discussion about the incompatibility between GPL v2 and the OpenSSL license, and I'd like to find out what I can do to allow my application to use OpenSSL but remain licensed under GPL v2.

Firstly, I assume that provided the application is not configured with OpenSSL support, so that the resultant binary does not link against the OpenSSL library, then there are no problems (please correct me if I'm wrong here). I believe that this is what the current Debian Sarge ike-scan package does. However, it's preferable to use the OpenSSL functions because they are significantly faster than the included C functions.

I've read some previous advice on debian-legal at http://lists.debian.org/debian-legal/2004/05/msg00595.html, and that answers some of my questions. However, I still have a few remaining questions:

The previous debian-legal advice mentioned above says to add the following exception text to the GPL announcement in the source code:

  In addition, as a special exception, the copyright holders give
  permission to link the code of portions of this program with the
  OpenSSL library under certain conditions as described in each
  individual source file, and distribute linked combinations
  including the two.
  You must obey the GNU General Public License in all respects
  for all of the code used other than OpenSSL.  If you modify
  file(s) with this exception, you may extend this exception to your
  version of the file(s), but you are not obligated to do so.  If you
  do not wish to do so, delete this exception statement from your
  version.  If you delete this exception statement from all source
  files in the program, then also delete it here.

1. Should this be added to every source file, or only those containing functions that can use functions from the OpenSSL library? What about header files that may define prototypes for OpenSSL functions, for example the code snippet from ike-scan.h shown below?

   #ifdef HAVE_OPENSSL
   /* OpenSSL build: its headers declare MD5() and SHA1() */
   #include <openssl/md5.h>
   #include <openssl/sha.h>
   #else
   /* Non-OpenSSL build: bundled implementations, exposed through
    * wrappers with the OpenSSL prototypes so callers are unchanged.
    * (The #else and closing #endif were cut from the quoted snippet
    * and are restored here; the split between the branches is assumed.) */
   #include "md5.h"
   #include "sha1.h"
   unsigned char *MD5(const unsigned char *, size_t, unsigned char *);
   unsigned char *SHA1(const unsigned char *, size_t, unsigned char *);
   #endif

2. The text above mentions "certain conditions as described in each individual source file". Where should these conditions be mentioned? Do I need to add another comment to the source describing these conditions? If so, what would a suitable wording be?

Any help or pointers would be gratefully received.


Roy Hills

Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FA, UK                  WWW:   http://www.nta-monitor.com/
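The configure-time switch the post describes (OpenSSL's hash functions when HAVE_OPENSSL is defined, bundled C implementations otherwise, behind one prototype so the callers never change) is shown below as an added example. This is not ike-scan's code, nor Steve Reid's sha1.c: the fallback SHA-1, the wrapper, and the known-answer self-test were written for this page. The HAVE_OPENSSL macro name is taken from the quoted header; everything else is an assumption. Build with -DHAVE_OPENSSL -lcrypto to use OpenSSL, or with no flags to use the bundled routine; either way the self-test must pass, which is the check to run after switching to the faster backend.

```c
/* Added example (not ike-scan code): one SHA1() entry point with OpenSSL's
 * calling convention, backed by OpenSSL when HAVE_OPENSSL is defined at
 * configure time and by a bundled implementation otherwise. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_OPENSSL
#include <openssl/sha.h>   /* declares SHA1() with exactly this prototype */
#else
/* Bundled fallback (written for this example): plain FIPS 180-1 SHA-1. */
#define ROL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

static void sha1_block(uint32_t h[5], const unsigned char p[64]) {
    uint32_t w[80], a, b, c, d, e, f, k, t;
    int i;
    for (i = 0; i < 16; i++)   /* big-endian message words */
        w[i] = ((uint32_t)p[4*i] << 24) | ((uint32_t)p[4*i+1] << 16) |
               ((uint32_t)p[4*i+2] << 8) | (uint32_t)p[4*i+3];
    for (i = 16; i < 80; i++)
        w[i] = ROL(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4];
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = ROL(a, 5) + f + e + k + w[i];
        e = d; d = c; c = ROL(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Wrapper with OpenSSL's prototype: a NULL md uses a static buffer, as in OpenSSL. */
unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md) {
    static unsigned char out[20];
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    unsigned char buf[128];
    size_t i, rem = n % 64, padlen;
    uint64_t bits = (uint64_t)n * 8;
    for (i = 0; i + 64 <= n; i += 64)
        sha1_block(h, d + i);
    memcpy(buf, d + i, rem);            /* final partial block */
    buf[rem] = 0x80;
    padlen = (rem < 56) ? 64 : 128;     /* two blocks if length field won't fit */
    memset(buf + rem + 1, 0, padlen - rem - 1 - 8);
    for (i = 0; i < 8; i++)             /* 64-bit big-endian bit length */
        buf[padlen - 1 - i] = (unsigned char)(bits >> (8 * i));
    sha1_block(h, buf);
    if (padlen == 128) sha1_block(h, buf + 64);
    if (md == NULL) md = out;
    for (i = 0; i < 5; i++) {
        md[4*i]   = (unsigned char)(h[i] >> 24);
        md[4*i+1] = (unsigned char)(h[i] >> 16);
        md[4*i+2] = (unsigned char)(h[i] >> 8);
        md[4*i+3] = (unsigned char)(h[i]);
    }
    return md;
}
#endif

static void to_hex(const unsigned char *md, size_t len, char *hex) {
    static const char digits[] = "0123456789abcdef";
    size_t i;
    for (i = 0; i < len; i++) {
        hex[2*i]   = digits[md[i] >> 4];
        hex[2*i+1] = digits[md[i] & 0x0F];
    }
    hex[2*len] = '\0';
}

/* Known-answer test (FIPS 180-1 vectors; the 56-byte one forces two-block
 * padding). Whichever backend was configured must reproduce them.
 * Returns 1 on success, 0 on any mismatch. */
int sha1_selftest(void) {
    static const struct { const char *msg; const char *hex; } kat[] = {
        { "",    "da39a3ee5e6b4b0d3255bfef95601890afd80709" },
        { "abc", "a9993e364706816aba3e25717850c26c9cd0d89d" },
        { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
          "84983e441c3bd26ebaae4aa1f95129e5e54670f1" },
    };
    unsigned char md[20];
    char hex[41];
    size_t i;
    for (i = 0; i < sizeof kat / sizeof kat[0]; i++) {
        SHA1((const unsigned char *)kat[i].msg, strlen(kat[i].msg), md);
        to_hex(md, sizeof md, hex);
        if (strcmp(hex, kat[i].hex) != 0)
            return 0;
    }
    return 1;
}

int main(void) {
    puts(sha1_selftest() ? "SHA1 self-test: OK" : "SHA1 self-test: FAILED");
    return sha1_selftest() ? 0 : 1;
}
```

Because both branches export the same prototype, the rest of the program is compiled identically either way; only the object that satisfies SHA1() changes at link time, which is also why the licensing question in the post turns on whether the binary links against libcrypto and not on the callers.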
