> From: openssl-users <[hidden email]> On Behalf Of Patrick
> Sent: Thursday, 6 August, 2020 10:38
> is there a list of projects that use OpenSSL (for TLS or crypto in
> general) or that can be configured to use OpenSSL as a backend ?
There are probably some partial lists, but there certainly is not a definitive one, since I know of products which use OpenSSL but don't advertise the fact. And while it's *possible* that certain well-resourced organizations have done their best to compile comprehensive lists, but it's unlikely even those are perfectly accurate, and in any case you and I don't have access to them.
OpenSSL is very widely used. Enlyft claims they have 317844 *companies* using OpenSSL, for who knows how many products. Of course, many of those are internal use, or use in widely-used products and projects; but some significant fraction represents ISV products that depend on OpenSSL. A quick search didn't turn up any useful statistics on OpenSSL use in OSS projects. (github's dependency graph, for example, had no information.)
Anything more precise than "a whole lot" will require some real research, I suspect.
--On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel <[hidden email]>
> lists 861 packages, belonging to something like 400 projects, that depend
> on openssl....
Unfortunately, due to Debian's odd take on the OpenSSL license, many
projects that can use OpenSSL are compiled against alternative SSL
libraries, so this can miss a lot of potential applications (OpenLDAP, for
Hopefully with OpenSSL 3.0 and later, this won't be as much of an issue.
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> --On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel <[hidden email]>
>> lists 861 packages, belonging to something like 400 projects, that
>> on openssl....
> Unfortunately, due to Debian's odd take on the OpenSSL license, many
> projects that can use OpenSSL are compiled against alternative SSL
> libraries, so this can miss a lot of potential applications (OpenLDAP,
> for example).
It's not an odd take. The SSLeay license explicitly bans releasing
OpenSSL code under the GPL (as part of SSLeay's own copyleft provisions).
GPL version 2 explicitly prohibits OS bundled GPL code from linking to
OS-bundled non-GPL code, so this can be done only by violating the
So no OS distribution can include GPL 2 code using OpenSSL 1.x.x
GPL version 2 explicitly allows independently distibuted copies of GPL 2
programs to link to any OS-bundled libs, including OS-bundled OpenSSL
(this clause was intended to allow linking to stuff like the Microsoft
or Sun OS libraries)
Some GPL version 2 programs include an extra license permission to link
against OpenSSL even when those GPL version 2 programs are bundled with
> Hopefully with OpenSSL 3.0 and later, this won't be as much of an issue.
Does the Apache 2.0 license allow redistributing code under GPL 2 ?
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded