Software that uses OpenSSL

Software that uses OpenSSL

Patrick Steuer-2
Hi,

is there a list of projects that use OpenSSL (for TLS or crypto in
general) or that can be configured to use OpenSSL as a backend ?

Best,
Patrick
RE: Software that uses OpenSSL

Michael Wojcik
> From: openssl-users <[hidden email]> On Behalf Of Patrick
> Steuer
> Sent: Thursday, 6 August, 2020 10:38
>
> is there a list of projects that use OpenSSL (for TLS or crypto in
> general) or that can be configured to use OpenSSL as a backend ?

There are probably some partial lists, but there certainly is not a definitive one, since I know of products which use OpenSSL but don't advertise the fact. And while it's *possible* that certain well-resourced organizations have done their best to compile comprehensive lists, it's unlikely even those are perfectly accurate, and in any case you and I don't have access to them.

OpenSSL is very widely used. Enlyft claims they have 317844 *companies* using OpenSSL, for who knows how many products. Of course, many of those are internal use, or use in widely-used products and projects; but some significant fraction represents ISV products that depend on OpenSSL. A quick search didn't turn up any useful statistics on OpenSSL use in OSS projects. (GitHub's dependency graph, for example, had no information.)

Anything more precise than "a whole lot" will require some real research, I suspect.
Re: Software that uses OpenSSL

Patrick Steuer-2
> Anything more precise than "a whole lot" will require some real research, I suspect.

Yes, that's my feeling as well. I hoped someone on here might have
already done research in that direction (and possibly willing to share).

My question was intended to be about notable OSS projects, sorry for not
making that clear.

To give some examples:

node.js crypto https://nodejs.org/api/crypto.html
python https://cryptography.io/en/latest/
...

I thought someone may already have put together a list with projects that
have an OpenSSL plugin or even use it as default.

Best,
Patrick
Re: Software that uses OpenSSL

Dan Kegel-2
On Ubuntu, the command

  apt-cache rdepends libssl1.1

lists 861 packages, belonging to something like 400 projects, that depend on openssl....


On Thu, Aug 6, 2020 at 11:43 AM Patrick Steuer <[hidden email]> wrote:
>> Anything more precise than "a whole lot" will require some real research, I suspect.
>
> Yes, that's my feeling as well. I hoped someone on here might have
> already done research in that direction (and possibly willing to share).
>
> My question was intended to be about notable OSS projects, sorry for not
> making that clear.
>
> To give some examples:
>
> node.js crypto https://nodejs.org/api/crypto.html
> python https://cryptography.io/en/latest/
> ...
>
> I thought someone may already have put together a list with projects that
> have an OpenSSL plugin or even use it as default.
>
> Best,
> Patrick
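
An added example, not part of the message above or of the thread: a sketch of how the `apt-cache rdepends libssl1.1` listing can be reduced from raw lines to unique binary packages and then to source packages ("projects"). The function names, the sample listing and the lookup table are constructed for illustration; on a real host the default lookup reads the `Source:` field from `apt-cache show`.

```shell
#!/bin/sh
# Normalise `apt-cache rdepends` output on stdin: drop the two header lines,
# strip indentation and the "|" that marks an alternative dependency, and
# de-duplicate (the raw listing can name the same package more than once).
unique_rdepends() {
    sed -e '1,2d' -e 's/^[ |]*//' -e '/^$/d' | sort -u
}

# Default lookup: the Source: field of the package record. When the field is
# absent, the source package has the same name as the binary package.
source_of() {
    src=$(apt-cache show "$1" 2>/dev/null | awk '/^Source:/ {print $2; exit}')
    echo "${src:-$1}"
}

# Map binary package names on stdin to unique source packages.
# $1 optionally names another lookup function (used here for offline input).
unique_sources() {
    lookup=${1:-source_of}
    while read -r pkg; do "$lookup" "$pkg"; done | sort -u
}

# Constructed sample in the layout apt-cache prints (not real output).
sample_rdepends() {
    cat <<'EOF'
libssl1.1
Reverse Depends:
  curl
  libcurl4
 |nginx-core
  nginx-core
  openssh-client
  openssh-server
EOF
}

# Constructed lookup table standing in for `apt-cache show` on the sample.
sample_source_of() {
    case $1 in
        curl|libcurl4) echo curl ;;
        nginx-core) echo nginx ;;
        openssh-client|openssh-server) echo openssh ;;
        *) echo "$1" ;;
    esac
}

# Offline run on the sample; on an Ubuntu host use instead:
#   apt-cache rdepends libssl1.1 | unique_rdepends | unique_sources
sample_rdepends | unique_rdepends | unique_sources sample_source_of
```

The result only covers packages that declare a dependency on the library in the distribution's package metadata.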

Re: Software that uses OpenSSL

Quanah Gibson-Mount


--On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel <[hidden email]>
wrote:

> lists 861 packages, belonging to something like 400 projects, that depend
> on openssl....

Unfortunately, due to Debian's odd take on the OpenSSL license, many
projects that can use OpenSSL are compiled against alternative SSL
libraries, so this can miss a lot of potential applications (OpenLDAP, for
example).

Hopefully with OpenSSL 3.0 and later, this won't be as much of an issue.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: Software that uses OpenSSL

OpenSSL - User mailing list
On 06/08/2020 22:17, Quanah Gibson-Mount wrote:

>
>
> --On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel <[hidden email]>
> wrote:
>
>> lists 861 packages, belonging to something like 400 projects, that
>> depend
>> on openssl....
>
> Unfortunately, due to Debian's odd take on the OpenSSL license, many
> projects that can use OpenSSL are compiled against alternative SSL
> libraries, so this can miss a lot of potential applications (OpenLDAP,
> for example).
>
It's not an odd take.  The SSLeay license explicitly bans releasing
OpenSSL code under the GPL (as part of SSLeay's own copyleft provisions).

GPL version 2 explicitly prohibits OS bundled GPL code from linking to
OS-bundled non-GPL code, so this can be done only by violating the
SSLeay license.

So no OS distribution can include GPL 2 code using OpenSSL 1.x.x

GPL version 2 explicitly allows independently distributed copies of GPL 2
programs to link to any OS-bundled libs, including OS-bundled OpenSSL
(this clause was intended to allow linking to stuff like the Microsoft
or Sun OS libraries)

Some GPL version 2 programs include an extra license permission to link
against OpenSSL even when those GPL version 2 programs are bundled with
the OS.

> Hopefully with OpenSSL 3.0 and later, this won't be as much of an issue.
Does the Apache 2.0 license allow redistributing code under GPL 2 ?

>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded