Hi,

Jan-Oliver Wagner wrote:
> On Tuesday 20 March 2007 23:25, Norm Donovan wrote:
>> What is the practical impact of OpenSSL being FIPS approved? Is GNU/TLS
>> not FIPS approved? How does one get FIPS approval? Since Tenable must
>> have removed OpenSSL from Nessus3 is Nessus3 not FIPS approved?

There is no reason immediately obvious why OpenSSL would need to be removed from Nessus3 that we are aware of, nor would I be betting that OpenSSL is not used in Nessus3.

> not sure about FIPS. IIUC, this is only relevant for USA?
>
> But interesting point about OpenSSL removed from Nessus3.
> Probably they found another implementation they could more easily
> (in legal aspects) integrate or even implemented SSL themselves.
> Those advertisement clauses as OpenSSL requires are really not easy
> to handle and are another good reason to get rid of OpenSSL.
> At least this tells us it is doable to replace OpenSSL ;-)

For a write-up on the legal complexities involved, see http://en.wikipedia.org/wiki/OpenSSL

But suffice it to say, Tenable's simple work-around is, as the authors of the software, to provide an exception to allow linking with OpenSSL. The problem is that this exception was never provided for Nessus v2 (even to this day, as far as we are aware), which leaves Nessus v2 in a state of limbo as far as legitimacy of the GPL.

So, the way to solve the problem is to get the original authors to clarify to allow linking with OpenSSL, or if this permission is not provided, sidestep the issue entirely by using an alternative.

Thomas