Tarred with the same brush

OpenSSL consists of two major component libraries: the secure socket library (libssl, the TLS/SSL protocol implementation) and the core cryptography library (libcrypto, the ciphers, hashes, public-key routines, X.509 handling and random number generator that libssl itself is built on).

The core cryptography library is often used by products independently of the secure socket library: a firmware image that only hashes and signature-checks its updates needs libcrypto and never opens a TLS connection. Binary and source code application scanners can't tell the two apart, though, because both component libraries are shipped under the same OpenSSL "brand": one project name, one version number, and the same "OpenSSL x.y.z" version banner turns up in the artifacts whether or not libssl is linked.

The many security vulnerabilities found in the secure socket library (Heartbleed, CVE-2014-0160, was a bug in the TLS heartbeat extension code in libssl) have caused all of OpenSSL to be considered highly insecure. So when an application scanner run by an interested party (a customer, partner or acquirer) detects artifacts of OpenSSL in a product, it flags the entire product as insecure even if that product only uses OpenSSL's core cryptography library.
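What a scanner typically keys on, and how a triage script can go one step further, is easier to see in code. The following is an added example written for this page, not code from the original post or from the OpenSSL project. It does roughly what `strings` does (collects runs of printable bytes), then looks for three kinds of evidence: the OpenSSL version banner, shared-object names of the form libssl.so.* or libcrypto.so.*, and symbol names from the SSL_* namespace (libssl) versus the EVP_*/CRYPTO_*/X509_* namespaces (libcrypto). The "naive" scanner flags anything carrying the banner; the triage classifier reports whether libssl is actually in play. The sample blobs and the `_blob` helper are constructed for this example and stand in for real binaries; the prefix lists are a heuristic, not an exhaustive map of the two libraries.

```python
"""Triage an OpenSSL scanner hit: is libssl linked, or only libcrypto?

Added example, not from the original page or the OpenSSL project.
"""
import re
from typing import Dict, List, Optional

# Version banner carried by libcrypto (and hence visible wherever OpenSSL is),
# e.g. "OpenSSL 1.1.1k  25 Mar 2021" or "OpenSSL 3.0.2 15 Mar 2022".
VERSION_RE = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?(?:\s+\d{1,2} \w{3} \d{4})?")
# DT_NEEDED-style shared object names: libssl.so.3, libcrypto.so.1.1, ...
SONAME_RE = re.compile(rb"lib(ssl|crypto)(?:-[0-9_]+)?\.so(?:\.[0-9.]+)?")
SYMBOL_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")
# Heuristic namespaces (assumption: representative, not exhaustive).
LIBSSL_PREFIXES = (b"SSL_", b"TLS_", b"DTLS_")
LIBCRYPTO_PREFIXES = (b"EVP_", b"CRYPTO_", b"BN_", b"RAND_", b"X509_", b"BIO_", b"OSSL_")


def printable_strings(blob: bytes, min_len: int = 4) -> List[bytes]:
    """Roughly what `strings -n 4` prints: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def naive_flag(blob: bytes) -> bool:
    """What the brand-matching scanner does: any OpenSSL marker => 'OpenSSL present'."""
    strs = printable_strings(blob)
    return any(VERSION_RE.search(s) or SONAME_RE.search(s) for s in strs)


def classify(blob: bytes) -> Dict[str, object]:
    """Separate 'uses libssl' from 'uses only libcrypto' from 'banner only'."""
    version: Optional[str] = None
    sonames, ssl_syms, crypto_syms = set(), set(), set()
    for s in printable_strings(blob):
        m = VERSION_RE.search(s)
        if m and version is None:
            version = m.group(0).decode()
        for m in SONAME_RE.finditer(s):
            sonames.add(m.group(0).decode())
        # Symbol tables are NUL-separated, so a symbol name is a whole string.
        if SYMBOL_RE.fullmatch(s):
            if s.startswith(LIBSSL_PREFIXES):
                ssl_syms.add(s.decode())
            elif s.startswith(LIBCRYPTO_PREFIXES):
                crypto_syms.add(s.decode())
    uses_libssl = any("libssl" in n for n in sonames) or bool(ssl_syms)
    uses_libcrypto = any("libcrypto" in n for n in sonames) or bool(crypto_syms)
    if uses_libssl:
        verdict = "libssl (TLS stack in use)"
    elif uses_libcrypto:
        verdict = "libcrypto only"
    elif version:
        verdict = "OpenSSL banner only (likely static link; inspect symbols)"
    else:
        verdict = "no OpenSSL evidence"
    return {
        "version": version,
        "sonames": sorted(sonames),
        "libssl_symbols": sorted(ssl_syms),
        "libcrypto_symbols": sorted(crypto_syms),
        "verdict": verdict,
    }


def _blob(*parts: bytes) -> bytes:
    """Constructed stand-in for a binary: strings separated by non-printable junk."""
    return b"\x00\x01\x02\x00".join(parts)


# Constructed samples (not real binaries).
CRYPTO_ONLY = _blob(b"libcrypto.so.3", b"EVP_DigestInit_ex", b"EVP_DigestUpdate",
                    b"OpenSSL 3.0.2 15 Mar 2022", b"verifying firmware image")
TLS_CLIENT = _blob(b"libssl.so.3", b"libcrypto.so.3", b"SSL_CTX_new", b"SSL_connect",
                   b"EVP_sha256", b"OpenSSL 3.0.2 15 Mar 2022")
STATIC_BUILD = _blob(b"OpenSSL 1.1.1k  25 Mar 2021", b"product banner text")

if __name__ == "__main__":
    for name, blob in (("crypto-only", CRYPTO_ONLY), ("tls-client", TLS_CLIENT),
                       ("static", STATIC_BUILD)):
        print(f"{name}: naive={naive_flag(blob)} verdict={classify(blob)['verdict']}")
```

All three samples trip the naive scanner, because all three carry the banner; only the second actually links libssl. The "banner only" case is the one to treat with care: a statically linked, stripped binary shows neither SONAMEs nor dynamic symbols, so the banner is the only clue and the real question (which OpenSSL functions were linked in) has to be answered from the build, not from the artifact.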

This has forced software owners either to patch their version of OpenSSL even when the patch only fixes vulnerabilities in the secure socket library they don't use, or to re-implement their product against a different cryptography library. Either way, the effort could instead have been spent on security issues that actually apply to the product. (That is not an argument for ignoring the hit: libcrypto has had advisories of its own, so the right response is to read which component an advisory affects and act on that, rather than on the brand name.)

It is time for OpenSSL to separate its core cryptography library from its secure socket library and give the core cryptography library a name of its own, so that scanners, and the people reading their reports, can draw the distinction and this busy work goes away.