OpenSSL source modification


OpenSSL source modification

Shamatrin Dmitriy
Hello!

I have a few questions related to openssl distribution.

Let's say that I need this:


For my application to keep working.

Could someone please help me with these questions?

  1. Is that ok to apply this patch to my openssl library and ship it with application (in binary form)?
  2. Is this a license violation, if I do so?
  3. Do I need to mention my changes and share them with users?
  4. May this patch lead to issues for users of my application under any conditions? I.e. does it mean that patching openssl is a security violation?
  5. Is that possible to achieve the same result without openssl source code modification, by configuration flags?
  6. If it is not possible, is that an issue to create a pull request and propose to make these options configurable?

Please, consider that I am trying to avoid openssl source modification.

I would appreciate answers to my questions.

Thanks.

/Dmitriy

Re: OpenSSL source modification

Matt Caswell-2


On 13/12/2019 16:46, Shamatrin Dmitriy wrote:

> Hello!
>
> I have few questions related to openssl distribution.
>
> Let's say that I need this:
>
> https://pastebin.com/D4Eh0i6P
>
> For my application to keep working.
>
> Could someone please help me with these questions?
>
>  1. Is that ok to apply this patch to my openssl library and ship it
>     with application (in binary form)?
>  2. Is this a license violation, if I do so?
>  3. Do I need to mention my changes and share them with users?
>  4. May this patch lead to issues for users of my application under any
>     conditions? I.e. does it mean that patching openssl is a security
>     violation?
>  5. Is that possible to achieve the same result without openssl source
>     code modification, by configuration flags.

You seem to be attempting to modify the DEFAULT OpenSSL ciphersuites by
modifying the code. Why are you doing that? Why not just change the
configured ciphersuites, e.g.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
In general it is best to avoid making modifications to the OpenSSL
source if possible. It is not a license violation to do so however and
there is no requirement to mention the changes to users. However, having
made a change means that *you* are responsible for maintaining it moving
forwards and checking there are no security issues - either now, or in
the future. This will mean you will have to continually update your
patch as we release new versions of OpenSSL. Unless you are a large
organisation willing to invest significant effort in maintaining your
own OpenSSL patches it is best just to use standard OpenSSL.

Matt
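The point of Matt's reply, as an added example that is not part of the thread and not OpenSSL project code: the default ciphersuite list is meant to be narrowed at runtime, not by patching the source. The snippet below uses Python's standard `ssl` module, whose `SSLContext.set_ciphers()` is a thin wrapper over the very `SSL_CTX_set_cipher_list` call Matt links to (and `get_ciphers()` over `SSL_get_ciphers`), so it shows the same configuration approach without a C toolchain. The cipher string, the banned-token list and the helper names are this example's own choices; the TLS 1.3 suites are listed separately because, in OpenSSL 1.1.1 and later, `SSL_CTX_set_cipher_list` only governs TLS 1.2 and below.

```python
import ssl

# Constructed policy: forward-secret AEAD suites only, with explicit
# exclusions.  This is the kind of string that belongs in application
# configuration rather than in a patched OpenSSL default.
EXAMPLE_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Substrings that must never appear in an enabled suite name.
BANNED_TOKENS = ("RC4", "MD5", "NULL", "DES")


def allowed_cipher_names(cipher_string: str) -> list[str]:
    """Build a client context, apply the cipher string through the OpenSSL
    API (SSL_CTX_set_cipher_list under the hood) and return the names of
    the suites OpenSSL will actually offer for TLS <= 1.2.

    Raises ssl.SSLError if the string selects nothing, which is the check
    a patched default would silently skip."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no legacy protocol versions
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also reports TLS 1.3 suites; those are controlled by
    # SSL_CTX_set_ciphersuites, not by the cipher list, so split them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls13_cipher_names(cipher_string: str) -> list[str]:
    """Return the TLS 1.3 suites still enabled; unaffected by set_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def policy_violations(names: list[str], banned=BANNED_TOKENS) -> list[str]:
    """Defensive self-check: list any enabled suite whose name contains a
    banned token, so a mis-typed cipher string is caught at startup."""
    return [n for n in names if any(tok in n for tok in banned)]


def cipher_string_is_valid(cipher_string: str) -> bool:
    """True if OpenSSL accepts the string and at least one suite remains."""
    try:
        return len(allowed_cipher_names(cipher_string)) > 0
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    names = allowed_cipher_names(EXAMPLE_CIPHER_STRING)
    print("TLS<=1.2 suites enabled:", names)
    print("TLS1.3 suites enabled:  ", tls13_cipher_names(EXAMPLE_CIPHER_STRING))
    print("violations:", policy_violations(names))
    print("bogus string accepted?", cipher_string_is_valid("NO-SUCH-CIPHER"))
```

Because the cipher string is applied to an `SSL_CTX` at startup, it survives every OpenSSL upgrade unchanged, which is exactly the maintenance burden Matt warns a source patch would impose; a startup assertion that `policy_violations()` returns an empty list is a cheap way to make the policy self-enforcing.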