[Openvas-devel] Start: replacing OpenSSL by GNU/TLS
lists at securityspace.com
Fri Mar 23 15:16:56 CET 2007
Jan-Oliver Wagner wrote:
> On Tuesday 20 March 2007 23:25, Norm Donovan wrote:
>> What is the practical impact of OpenSSL being FIPS approved? Is GNU/TLS
>> not FIPS approved? How does one get FIPS approval? Since Tenable must
>> have removed OpenSSL from Nessus3 is Nessus3 not FIPS approved?
There is no reason immediately obvious why OpenSSL would need
to be removed from Nessus3 that we are aware of, nor would I
be betting that OpenSSL is not used in Nessus3.
> Not sure about FIPS. IIUC, this is only relevant for the USA?
> But interesting point about OpenSSL removed from Nessus3.
> Probably they found another implementation they could more easily
> (in legal aspects) integrate or even implemented SSL themselves.
> Those advertisement clauses as OpenSSL requires are really not easy
> to handle and are another good reason to get rid of OpenSSL.
> At least this tells us it is doable to replace OpenSSL ;-)
For a write-up on the legal complexities involved, see
But suffice it to say, Tenable's simple work-around is, as
the authors of the software, to provide an exception
to allow linking with OpenSSL. The problem is that this
exception was never provided for Nessus v2 (even to this
day, as far as we are aware), which leaves Nessus v2 in
a state of limbo as far as legitimacy of the GPL.
So, the way to solve the problem is to get the original
authors to clarify to allow linking with OpenSSL, or if this
permission is not provided, sidestep the issue entirely by
using an alternative.