From The Linux Foundation
Jump to: navigation, search

OpenSSL (SSL and Crypto) libraries


The OpenSSL candidate is a toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

This candidate is being tracked as #022 on the futures candidate tracker.

List of apps and libraries using this library

  • mailman
  • kdelibs (futures candidate, being discussed)
  • openssh (and other ssh tools, these too are future candidates.)
  • Desktop Mail applications (generalising, as all specific mail applications inside lsb are yet to be identified: FIXME)

API documentation



  • /usr/bin/openssl

Related test suites

  • in-built test scaffold available on make test

Library analysis data

!ChangeLog indicates minor changes in exported API between successive subversions. 0.9.7a -> 0.9.7h indicate fewer changes, while 0.9.7h -> 0.9.8 show deprecated API being removed.

OpenSSL versions in distributions

DistributionOpenSSL Version
SUSE Linux Enterprise Desktop 10 (i586)openssl-0.9.8a-18.4
Debian etch0.9.8b-2
Red Hat Enterprise Linux Client release 4.91 (Tikanga)openssl-0.9.8b-5
Ubuntu 6.06 LTS0.9.8a-7build1
Mandriva Linux release 2006.0 (Official) for 586openssl-0.9.7g-2.1.20060mdk
Red Hat Desktop release 4 (Nahant Update 3openssl-0.9.7a-43.8

OpenSSL stability analysis

This documents methods and data used to identify a potential OpenSSL API subset for LSB inclusion.

Potential Issues

  • Run time random number generation depends upon operating system provided /dev/urandom /dev/random or egd daemon. Without these services it might be possible to produce a LSB compliant binary that behaves differently at runtime (OpenSSL 0.9.7 and above appear to cause an abort if the system does not supply a source of randomness and the application does not itself provide random data).
  • Legal issues (both civil 'patent issues' and criminal 'is crypto even legal locally?') surrounding crypto in general make it hard to determine what algorythms can practically be used in a global context due to varrying national policies towards cryptography.
  • Programming style greatly impacts the level of ABI compatibility. If structures are treated as opaque types by the application, far greater ABI compatibility can be achieved. However, possibly for historical and legacy reasons, SSL allows many types to be publically available. It may not be possible to create a highly sophisticated OpenSSL application without using full type information since not every detail of the library is available through accessor functions, however the common case appears to be well covered with accessor functions.

Other Information



GnuTLS is preferred by some packagers as a suitable alternative as there are No Patent related issues and the package is licensed under LGPL. Debian package and legal advisors are urging (upstream) package maintainers to switch to GnuTLS to get more packages and libraries that are GPL compatible.

  • At least one person - Paul Mackay has asked for a review on GnuTLS vs openssl although he seemed very reasonable in admitting that openssl was being adopted as it was de facto being used by many distributions. There are two replies to his mail on the list (as there are no other addressing the openssl candidate on the list as is), one from Pradosh, and one much later by me (Beta).
  • one very popular package Gaim depends on GnuTLS. Maybe we need to introduce this as a separate candidate in that case.

Reading package lists... DoneBR Building dependency tree... DoneBR 151BR BR Reading package lists... DoneBR Building dependency tree... DoneBR 511BR

These inputs are from Michael Clark favoring individual candidature for GnuTLS and proposing that GnuTLS is probably not just an "alternative" to OpenSSL due to other packages depending on it.


YetAnotherSSL is dual licensed. It is doubtful whether this would ever fit the licensing criteria even if the features were found usable.


MatrixSSL has now achieved stable status. Although not widely adopted for ssl crypto functions, this too is dual licensed. Hence inclusion inside licensing criteria may be a major issue.