On 13/12/2019 16:46, Shamatrin Dmitriy wrote:
> Hello!
>
> I have few questions related to openssl distribution.
>
> Let's say that I need this:
>
> https://pastebin.com/D4Eh0i6P
>
> For my application to keep working.
>
> Could someone please help me with these questions?
>
> 1. Is that ok to apply this patch to my openssl library and ship it
> with application (in binary form)?
> 2. Is this a license violation, if I do so?
> 3. Do I need to mention my changes and share them with users?
> 4. May this patch lead to issues for users of my application under any
> conditions? I.e. does it mean that patching openssl is a security
> violation?
> 5. Is that possible to achieve the same result without openssl source
> code modification, by configuration flags.

You seem to be attempting to modify the DEFAULT OpenSSL ciphersuites by
modifying the code. Why are you doing that? Why not just change the
configured ciphersuites, e.g.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html

In general it is best to avoid making modifications to the OpenSSL
source if possible. It is not a license violation to do so however and
there is no requirement to mention the changes to users. However, having
made a change means that *you* are responsible for maintaining it moving
forwards and checking there are no security issues - either now, or in
the future. This will mean you will have to continually update your
patch as we release new versions of OpenSSL.

Unless you are a large organisation willing to invest significant effort
in maintaining your own OpenSSL patches it is best just to use standard
OpenSSL.

Matt
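
The runtime configuration the reply points to, as an added example that is not part of the original thread: Python's `ssl.SSLContext.set_ciphers()` hands its string to `SSL_CTX_set_cipher_list`, so the same cipher string works from C against an unmodified OpenSSL. The cipher string and the helper names are assumptions; the thread does not say which suites the patch enables.

```python
import ssl

# Assumption: placeholder cipher string. Substitute the suites the
# application needs, in OpenSSL cipher-list syntax.
CIPHER_STRING = "ECDHE+AESGCM:!aNULL:!eNULL"


def build_context(cipher_string=CIPHER_STRING):
    """Return a client context whose cipher list is set at runtime.

    The application chooses its suites in its own code; the library's
    compiled-in DEFAULT list is never patched.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Wraps SSL_CTX_set_cipher_list(); raises ssl.SSLError when the
    # string selects no usable cipher.
    ctx.set_ciphers(cipher_string)
    return ctx


def tls12_suites(ctx):
    """Names of the suites enabled for TLS 1.2 and below.

    TLS 1.3 suites are filtered out because set_ciphers() does not
    control them.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def try_cipher_string(cipher_string):
    """Return the suites a string enables, or None if it is rejected.

    Running this at start-up shows whether the installed OpenSSL build
    still provides the suites the application relies on.
    """
    try:
        return tls12_suites(build_context(cipher_string))
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name in try_cipher_string(CIPHER_STRING) or []:
        print(name)
```
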