Hi,
I'm writing to ask about OpenSSL as a dependency of Node.js and specifically RC5 encryption. We were asked today by one of our lawyers if RC5 is included in the NodeJS distribution for Windows. He understood that Node included OpenSSL and was concerned that it might also be distributing the RC5 algorithm and other patent-protected algorithms. The OpenSSL FAQ page, for example, mentions these algorithms in passing:
Do I need patent licenses to use OpenSSL?
For information on intellectual property rights, please consult a lawyer. The OpenSSL team does not offer legal advice.
You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
./config no-idea no-mdc2 no-rc5
Also, while I'm not very familiar with the guts of NodeJS and don't traffic at that level, if I search the GitHub repo, RC5 turns up a few times, e.g. in this file, which appears as though it is linked in for Windows.
An issue was raised a while back that mentioned this as a concern in the context of FreeBSD and proposed removing or disabling RC5 as well as some other algorithms, but this doesn't appear to have been merged.
Anyway, that's all I've been able to find. I'm not looking for legal advice, but rather information on whether RC5 (and perhaps IDEA and MDC2 as well) are (1) distributed and (2) enabled (by default or not) in the NodeJS distribution for Windows. If so, how could we prevent their use in the code, disable them, or remove them from the distribution? If not, and you can provide a reference that I can pass on, I would be very grateful.
Thanks in advance,
Steve
...
Steve Thomas
Pittsburgh, PA
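
An added example, not part of the message above and not code from Node.js or OpenSSL: one way to check point (2), whether a given Node.js binary exposes RC5, IDEA or MDC2 at runtime, using the built-in `crypto` module. The helper names (`familyOf`, `classify`, `usable`, `auditRuntime`) are hypothetical, and the script reports only what the running binary enables, not whether the algorithm source ships in the distribution.

```javascript
const crypto = require('crypto');

// Algorithm families named in the OpenSSL FAQ excerpt quoted in the post.
const FAMILIES = ['rc5', 'idea', 'mdc2'];

// Map an OpenSSL algorithm name ("rc5-cbc", "RSA-MDC2") to its family, or null.
// Splitting on separators avoids false hits such as "id-aes128-GCM" for "idea".
function familyOf(name) {
  const parts = name.toLowerCase().split(/[^a-z0-9]+/);
  return FAMILIES.find((f) => parts.includes(f)) || null;
}

// Keep only the names that belong to one of the families above.
function classify(names) {
  return names
    .map((name) => ({ family: familyOf(name), name }))
    .filter((hit) => hit.family !== null);
}

// Being listed is not proof of being enabled, so try to instantiate the
// algorithm. Any failure (unsupported, provider not loaded) counts as unusable.
function usable(kind, name) {
  try {
    if (kind === 'hash') {
      crypto.createHash(name);
    } else {
      const info = crypto.getCipherInfo(name); // requires Node.js 15 or later
      const iv = info.ivLength ? Buffer.alloc(info.ivLength) : null;
      crypto.createCipheriv(name, Buffer.alloc(info.keyLength), iv);
    }
    return true;
  } catch (err) {
    return false;
  }
}

// Report what the running binary exposes for each family.
function auditRuntime() {
  const report = { openssl: process.versions.openssl, found: [] };
  const sources = { cipher: crypto.getCiphers(), hash: crypto.getHashes() };
  for (const [kind, names] of Object.entries(sources)) {
    for (const { family, name } of classify(names)) {
      report.found.push({ family, kind, name, usable: usable(kind, name) });
    }
  }
  return report;
}

console.log(JSON.stringify(auditRuntime(), null, 2));
```

An empty `found` array means the bundled OpenSSL advertises none of the three families; entries with `usable: false` are listed by name but cannot be instantiated in that build.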