Hacker News

> Specifically, OpenSSL is now compatible with anything licensed "GPLv3", "GPLv3 or later", or "GPLv2 or later". It's not compatible with "GPLv2 only", but that's a relatively small amount of software.

Does this mean I cannot use openssl in my gpl-2.0-only program? How does that work? Doesn't gpl-2.0-later imply that I can also take the code and use it in gpl-2.0-only?

Is there some tldr on this topic somewhere? I'm not good with these legal things so ELI5 would be nice :/



> Does this mean I cannot use openssl in my gpl-2.0-only program?

Correct.

> How does that work?

The GPL 2.0 and Apache-2.0 licenses contain terms which are incompatible with each other.

> Doesn't gpl-2.0-later imply that I can also take the code and use it in gpl-2.0-only?

Yes, in that case you can choose whether you use the code subject to the gpl 2.0, 3.0 or any later version. If you combine that code with some gpl-2.0-only code then you're choosing to use the first code under 2.0, and the combined work is then gpl-2.0-only.

> Is there some tldr on this topic somewhere? I'm not good with these legal things so ELI5 would be nice :/

The GNU project maintains a list of licenses and some comments about them, and conveniently categorizes them according to their GPL compatibility.

https://www.gnu.org/licenses/license-list.html

See also the chart at http://gplv3.fsf.org/dd3-faq for compatibility between the different GPL versions and variants.


> > Does this mean I cannot use openssl in my gpl-2.0-only program?

> Correct.

Wait, I've tried to do some more reading and there are some things I do not understand:

1. I've done a quick search over the pacman database, and there are a lot of packages that are either gpl or gpl2 that link against openssl. Does that mean that archlinux should be in deep legal trouble and it needs to drop a few hundred packages (including coreutils, libgit2, kmod and others)? Hell, even git itself links against openssl and that is a gpl-2.0-only project. Does this make git illegal?

2. Are the "legal issues" coming from the gpl-2.0-only side or from the openssl side? If from the gpl-2.0-only side, cannot I just add a linking exception to the license to explicitly allow linking to openssl?


It's somewhat(?) common for GPL projects to add an exemption to the license to allow it to be linked to openssl. See e.g. https://people.gnome.org/~markmc/openssl-and-the-gpl.html

In other cases, there's the "system library" argument (the GPL contains language that if a library the program links to is a "system library" the GPL "virality" doesn't extend there).

And in yet other cases, people just ignore it.

If you want to play it safe, just use GnuTLS, or Mozilla NSS.


The GPL has an exception for linking with system libraries. It's quite arguable that OpenSSL is one of them. The legal issues are coming from the GPLv2 side, yeah.



> > Does this mean I cannot use openssl in my gpl-2.0-only program?

> Correct.

Well that sucks. I guess I'll need to look into libressl.


You might also check out GnuTLS which is under the LGPL 2.1+ license. If you're using Linux it's certainly already available from your package manager.


> I guess I'll need to look into libressl.

libressl is under the original openssl license which is GPL incompatible.


If you are the copyright holder, you can put an OpenSSL exception clause in your license which allows this to work. Debian requires such a clause for GPL software to link with OpenSSL prior to this change.



