Hi Warren,

You should reach out to openssl.org for information about exporting OpenSSL. While any Connect/ITUG member can technically download the software, and anyone can download the source from GitHub.com, it is up to the customer to ensure that all laws of any country involved are being followed. There are countries where it is actually illegal to import encryption software, but I cannot give you examples. ITUGLIB is "download at your own risk", so you are responsible for if you illegally download OpenSSL or package OpenSSL with your code and deliver it as a product. With my other hat on, as the provider of T1198, which has a transitive dependency on OpenSSL via git, it is the customer's responsibility to obtain the appropriate encryption software - we deliberately do not package OpenSSL with T1198 for the reasons you are citing (a.k.a. export concerns), so we leave it to the customer to worry about the legalities.

I realize this does not directly answer your question, but yes, there are export concerns you should investigate. The FTC and/or State Department in the US may be able to help you with specific export situations. If you put your software on a Play Store, there are likely terms of use of those platforms that make it your responsibility.

Good Luck,
Randall Becker
(Not an import/export lawyer)

Take a look at:
https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries

Under the table, if the country you are dealing with is not mentioned, then you are ok.

if you want to go down the rabbit hole:
https://www.govinfo.gov/content/pkg/CFR-2012-title22-vol1/pdf/CFR-2012-title22-vol1-sec126-1.pdf

gc