OpenSSL source modification

Matt Caswell matt at openssl.org
Mon Dec 16 09:50:14 UTC 2019



On 13/12/2019 16:46, Shamatrin Dmitriy wrote:
> Hello!
> 
> I have a few questions related to openssl distribution.
> 
> Let's say that I need this:
> 
> https://pastebin.com/D4Eh0i6P
> 
> For my application to keep working.
> 
> Could someone please help me with these questions?
> 
>  1. Is it OK to apply this patch to my openssl library and ship it
>     with application (in binary form)?
>  2. Is this a license violation, if I do so?
>  3. Do I need to mention my changes and share them with users?
>  4. May this patch lead to issues for users of my application under any
>     conditions? I.e. does it mean that patching openssl is a security
>     violation?
>  5. Is it possible to achieve the same result without openssl source
>     code modification, by configuration flags?

You seem to be attempting to modify the DEFAULT OpenSSL ciphersuites by
modifying the code. Why are you doing that? Why not just change the
configured ciphersuites, e.g.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html


In general it is best to avoid making modifications to the OpenSSL
source if possible. It is not a license violation to do so, however, and
there is no requirement to mention the changes to users. However, having
made a change means that *you* are responsible for maintaining it moving
forwards and checking there are no security issues - either now, or in
the future. This will mean you will have to continually update your
patch as we release new versions of OpenSSL. Unless you are a large
organisation willing to invest significant effort in maintaining your
own OpenSSL patches it is best just to use standard OpenSSL.

Matt
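
The runtime alternative to patching the defaults, as an added example that is not part of the original message: Python's `ssl` module passes the string given to `set_ciphers()` to OpenSSL's `SSL_CTX_set_cipher_list`, so the sketch below changes the configured ciphersuites with no source modification. The cipher string and the helper names `configure_ciphers` and `split_ciphers` are assumptions made for illustration; the contents of the pastebin patch are not shown on this page.

```python
import ssl

# Constructed cipher string (an assumption, not taken from the patch):
# ECDHE key exchange with AES-GCM only, no unauthenticated suites.
CIPHER_STRING = "ECDHE+AESGCM:!aNULL"


def configure_ciphers(cipher_string):
    """Return a client context restricted to cipher_string, or None if
    OpenSSL rejects the string (for example, nothing matches it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx


def split_ciphers(ctx):
    """Return (legacy, tls13) lists of the suite names enabled on ctx.

    The cipher list governs TLS 1.2 and below only. In OpenSSL 1.1.1 and
    later, TLS 1.3 suites are configured separately
    (SSL_CTX_set_ciphersuites), so they remain enabled here.
    """
    legacy, tls13 = [], []
    for cipher in ctx.get_ciphers():
        target = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        target.append(cipher["name"])
    return legacy, tls13


if __name__ == "__main__":
    ctx = configure_ciphers(CIPHER_STRING)
    if ctx is None:
        raise SystemExit("cipher string rejected by OpenSSL")
    legacy, tls13 = split_ciphers(ctx)
    print("TLS 1.2 and below:", ", ".join(legacy))
    print("TLS 1.3 (not affected by the cipher list):", ", ".join(tls13))
```

Listing the effective suites after configuration is a quick way to confirm that the string selects what was intended on the OpenSSL build actually shipped with the application.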