Talk:OpenSSL

From Wikipedia, the free encyclopedia

Licensing

Currently the page states:

OpenSSL was dual-licensed under the OpenSSL License and the SSLeay License, which means that the terms of either licenses can be used

Dual license usually refers to the choice between licenses presented to the recipient of the software (OpenSSL in this case). However, in the OpenSSL license text they refer to "double license":

The OpenSSL toolkit stays under a double license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit.

So I would argue for changing the above Wikipedia text to:

OpenSSL was licensed under both the OpenSSL License and the SSLeay License, which means that the terms of both licenses must be adhered to

Hesa (talk) 13:57, 5 January 2023 (UTC)

I don't think any real difference was intended. A license for a piece of software S is a grant of the form, "If you comply with condition C, you may use S for purpose P." A dual/double license is then a statement, "If you comply with C1, you may use S for P1; and if you comply with [stronger, weaker, or incomparable] C2, you may use S for P2." The recipient still has the choice of which of the two clauses to use, depending on what they want to do, and what restrictions they are willing to accept. This gives them strictly more freedom than the combined license, "If you comply with both C1 and C2, you may use S for P1 and P2." Hqb (talk) 15:17, 5 January 2023 (UTC)
You wrote:

The recipient still has the choice of which of the two clauses to use

I read this as you're saying that the recipient has the choice of any of the two licenses (and the clauses/terms in there). If so, then I would say this is not what the OpenSSL page says. OpenSSL "double license...both the conditions of the OpenSSL License and the original SSLeay license apply". The recipient is not offered a choice between the licenses/terms/clauses. All must be complied with. Before going into the wiki text (if/how to change) I think we need to agree on whether or not both licenses must be complied with or not. Hesa (talk) 14:59, 7 January 2023 (UTC)
Ah, I see: it's not that the original developer(s) re-released the software under a dual license, but that a new set of developers took over and added some further conditions of their own. Presumably the somewhat unusual "double license" formulation was adopted because the original license explicitly included the wording "The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GPL]." So I agree that, in this case, both sets of restrictions must be adhered to. Hqb (talk) 15:54, 7 January 2023 (UTC)
Collecting information and trying to connect the dots.
  • OpenSSL (the software), version 1.0 and earlier
    • is released under the OpenSSL license, which refers to the two licenses "OpenSSL License and the original SSLeay license".
    • OpenSSL page at SPDX has the old phrasing "under a dual license, i.e. both the conditions". So someone rephrased that to "double" (as in the logical AND) to avoid the word "dual" which usually means the logical OR
  • OpenSSL (the software), version 3.0 and above
    • is released under Apache-2.0 and only that license. How they managed to switch license (rewrite the software, ask all (c) holders.... I do not know).
    • The developers did not add any restrictions to any of the license(s), they switched license from OpenSSL (really two licenses) to Apache-2.0
Hesa (talk) 23:02, 7 January 2023 (UTC)
Sounds right to me. (Except that it should probably be all the 1.x versions under the OpenSSL license, not only 1.0 and earlier.) And it seems that they did in fact (attempt to) contact all of the previous contributors in 2017 (more than 4 years before the first 3.0 release), but that the relicensing was still considered controversial by some. Hqb (talk) 10:53, 8 January 2023 (UTC)
Interesting links. Would you be able to add a bit of text and the two links above? I think they provide useful information about the OpenSSL project (as well as how a license can be changed).
Is my first initial text OK with you? Initial proposal:

OpenSSL was licensed under both the OpenSSL License and the SSLeay License, which means that the terms of both licenses must be adhered to

Hesa (talk) 16:54, 10 January 2023 (UTC)
And your point about 1.x is important. I think there's a 1.1.1s (or similar) out now, under the OpenSSL license. Can you add that? Hesa (talk) 16:55, 10 January 2023 (UTC)
I think you should just boldly go ahead and make any changes you deem appropriate. I have no particular further insights or knowledge about the matter; and if anyone objects, we can revisit any tricky points here. But I imagine that, as more and more users migrate to the 3.0 version, the 1.x licensing will become mainly of historical interest, rather than a practical concern. Hqb (talk) 18:23, 10 January 2023 (UTC)

Redundancy in ASN.1 parsing paragraph

The section "Denial of service: ASN.1 parsing" looks like it has a redundant sentence, but the two sentences seem to be in conflict with each other. Not sure which version is more accurate. Quesoteric (talk) 07:14, 11 February 2024 (UTC)

OpenSSL with a graphical user interface

I saw the external links "Graphical user interface for OpenSSL in the browser". Would it be interesting to have a short section listing the existing software which offers a GUI for OpenSSL? Cryptocollector (talk) 21:10, 14 March 2026 (UTC)