> Hi,
> I have a question about distribution of software which is based on OpenSSL libraries considering US export regulations.
> We are planning to use the OpenSSL library to develop a program with functionality similar to that of an HTTPS client/server. We will be linking our code (static or dynamic - any will do) with the OpenSSL libraries. We will not have any encryption code of our own but only be using APIs/functions from OpenSSL.
> We are planning to create two versions of our program - one for US customers and one for export out of the US. The exportable version will only support exportable/weak ciphers. Although it will be linking to the OpenSSL library, at runtime it will only support key lengths which are allowed under the export control regulations (i.e. the OpenSSL APIs/functions will be called with restricted key lengths. I am assuming that we can initialize the OpenSSL library at startup or hard-code values in our code to support only weak ciphers and limit the key length).
> Will this satisfy the export requirements? Is an export license or review by the authorities required for this kind of application?
> I was told that even though our program is only supporting limited key lengths, it cannot be exported as it is linking to OpenSSL, which has the logic to support larger key lengths and strong ciphers.

I believe when a cryptographic product can be used for strong AND weak cryptography, then it is assessed as a strong crypto product. The fact that an application merely configures it to use weak ciphers is probably not enough. The library itself must reject any attempts to use strong ciphers. This means strong ciphers are excluded during compilation.

This brings up a challenging question: how do you tell the crypto library, when you call it from the SSL protocol code, that a 128-bit RC4 key is not a full-strength key but a key with only 40 bits of strength, where the other 88 bits are reconstructable? The key itself looks the same to the crypto library, and the key length indicates that it is a strong key.

You may have to statically link the crypto code to the SSL code to solve this problem. But then no other applications can access the crypto library.

> Some more info. We are a US-based company and will be exporting out of the US. We will not be making any changes to the OpenSSL code and our code cannot be open source.
> I am sure this must be a very common scenario, but I haven't found any clear answers.
> Thanks
> Viral

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
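The "40 bits of strength inside a 128-bit key" situation from the reply above, worked through in Python as an added example (this is not code from the thread or from OpenSSL). It follows the exportable-cipher key expansion of SSL 3.0 (RFC 6101, section 6.2.2): the 5-byte write key of an RC4-40 export suite is hashed with the two public handshake randoms, and the 16-byte MD5 digest is what the cipher receives. The handshake randoms, the 40-bit secret, the plaintext and the reduced brute-force range below are constructed sample values for this demonstration; the textbook RC4 is included only so the block runs stand-alone.

```python
"""Added example, not from the thread or from OpenSSL: why a 128-bit RC4 key
derived for an SSLv3 export cipher carries only 40 bits of secret.

SSL 3.0 (RFC 6101, section 6.2.2) expands an exportable cipher's short write
key by hashing it with the two public handshake randoms:
    final_client_write_key = MD5(client_write_key + ClientHello.random + ServerHello.random)
For SSL_RSA_EXPORT_WITH_RC4_40_MD5 the client_write_key is 5 bytes, so the
16-byte MD5 output handed to RC4 looks like a full 128-bit key, while 88 of
its bits are reconstructable from data sent in the clear.  All inputs used in
the demo at the bottom are constructed sample values.
"""
import hashlib
import itertools
from typing import Iterable, Optional

EXPORT_KEY_BYTES = 5   # 40-bit secret of an RC4-40 export suite
RANDOM_BYTES = 32      # length of ClientHello.random / ServerHello.random


def final_client_write_key(client_write_key: bytes,
                           client_random: bytes,
                           server_random: bytes) -> bytes:
    """SSLv3 exportable-cipher key expansion (RFC 6101, 6.2.2)."""
    if len(client_write_key) != EXPORT_KEY_BYTES:
        raise ValueError("export write key must be 40 bits")
    if len(client_random) != RANDOM_BYTES or len(server_random) != RANDOM_BYTES:
        raise ValueError("handshake randoms must be 32 bytes")
    return hashlib.md5(client_write_key + client_random + server_random).digest()


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA).  Demonstration only; RC4 is broken."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_record(client_write_key: bytes, client_random: bytes,
                   server_random: bytes, plaintext: bytes) -> bytes:
    """What the SSL layer does: expand the key, then hand 16 bytes to the cipher.
    The cipher has no way to tell this key from a genuine 128-bit one."""
    key = final_client_write_key(client_write_key, client_random, server_random)
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_export_secret(ciphertext: bytes, known_plaintext: bytes,
                          client_random: bytes, server_random: bytes,
                          candidates: Iterable[bytes]) -> Optional[bytes]:
    """Attacker's view: the randoms were sent in the clear, so only the 5-byte
    secret is unknown.  Return the candidate that reproduces the observed
    ciphertext for a known plaintext prefix, or None if none does."""
    n = len(known_plaintext)
    target = ciphertext[:n]
    for secret in candidates:
        if encrypt_record(secret, client_random, server_random, known_plaintext) == target:
            return secret
    return None


def demo_candidates(fixed_prefix: bytes) -> Iterable[bytes]:
    """Enumerate 5-byte secrets sharing a fixed prefix.  The real search is
    2**40 (feasible on commodity hardware); fixing three bytes cuts the demo
    to 2**16 so it finishes in seconds."""
    tail_len = EXPORT_KEY_BYTES - len(fixed_prefix)
    for tail in itertools.product(range(256), repeat=tail_len):
        yield fixed_prefix + bytes(tail)


if __name__ == "__main__":
    client_random = bytes(range(32))          # constructed; normally random
    server_random = bytes(range(32, 64))      # constructed; normally random
    secret = b"\x00\x00\x00\x4a\x7f"          # constructed 40-bit export secret
    key = final_client_write_key(secret, client_random, server_random)
    print("RC4 receives", len(key) * 8, "bits:", key.hex())
    ct = encrypt_record(secret, client_random, server_random, b"GET / HTTP/1.0\r\n")
    found = recover_export_secret(ct, b"GET / ", client_random, server_random,
                                  demo_candidates(b"\x00\x00\x00"))
    print("secret recovered from public randoms + search:", found.hex())
```

The point for the question in the thread: the only place that knows the key is weak is the SSL layer that built it; by the time the crypto library sees `key`, it is 16 bytes like any other RC4-128 key, so a runtime cipher-list setting in the application changes what is negotiated but not what the library is capable of. Export suites of this kind are no longer shipped in current OpenSSL releases; the construction is shown only to make the reply's argument concrete.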