Skip to content


Patents: the SSLeay workaround

during this ongoing European software patents thing, I was reminded of a comment I heard a while back from a pro-patent guy.

He was around in the bad old days of SSLeay‘s patent woes. SSLeay, like many cryptographic products in the 80’s and 90’s before the RSA and other patents expired, was in a legal grey area due to patent issues. To quote the ‘Is This Legal?’ section of their FAQ:

That is one of the hard questions on which there is as yet no clear answer. You need to read quite a bit of information to draw your own conclusions – and then go and talk to a lawyer. Again this document is my opinion and as such should be treated in that light – reality could be quite different to how I happen to see things :-).

In short:

  • outside the USA there should be no problems
  • inside the USA RSA hold patents over the RSA algorithms, however if you use RSAREF (which SSLeay can link to) then non-commercial use is probably okay. For commercial purposes you need to talk to RSA to license one of their toolkits (BSAFE) or come to some other licensing arrangement with them.
  • IDEA may be a problem inside Europe and RC4 inside the USA; both can be removed with a simple compile-time option or you can licence the IDEA algorithm.

Eventually, RSA relicensed their algorithms to be freely usable. Thankfully IDEA could be avoided by using alternative algorithms in the SSL transaction, so it wasn’t a biggie; most SSL users just switched it off. Finally, the RSA patent finally expired — so nowadays SSL is commonplace, and using SSL to protect security is a lot easier than it used to be.

Anyway, I’m diverging here… the relevance is this mail from Hartmut Pilch discussing the current euro-swpat proposal. He reckons even the SSLeay defense — saying ‘do not download this software in these countries unless you get these licenses’ — would not work with the current proposal:

To make this clearer: according to the CEC proposal, you still risk being sued even if you only publish a program and warn people ‘please do not execute unless you have obtained a license from XXX’.
Comments closed