Following the successful OpenSSL 2023 face-to-face conference, OpenSSL has produced a draft mission & values statement. Once finalised, we intend to realign all activities of the project to ensure they reflect our agreed mission and values. Before doing so however, we would like to obtain feedback on this statement from the public, to ensure it represents all of our communities. By offering us your feedback, you will help us to ensure the OpenSSL project is run in a way that reflects the values of all of our users.

Please ensure you submit your feedback by 14th April 2023.

You can provide us with feedback either by:

• Filling in this feedback form, or
• Emailing your feedback to feedback@openssl.org

We look forward to your feedback.

The undersigned,

• Anton Arapov
• Matt Caswell
• Mark Cox
• Paul Dale
• Tamara Dale
• Tim Hudson
• Hugo Landau
• Richard Levitte
• Ales Marecek
• Tomas Mraz

Draft Mission Statement

We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right.

Our Values

• We believe all our communities are important.
• We believe in the principles of open source software, not only for its inherent values but also for the transparency and accountability it provides to our security and privacy tools.
• We believe in behaving in a manner that fosters trust and confidence.
• We believe that our governance and output should be transparent and open.
• We believe that no Government, Organisation or Individual should have undue influence over the delivery of our mission.

In February 2023, the OpenSSL project held a face-to-face meeting in Queensland, Australia, which was attended by most of the project’s full-time contractors and OMC members. Amongst other subjects, the conference aimed to identify how OpenSSL can improve its governance and better execute on its mission.

We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.

We are thrilled to inform you that the complimentary FIPS rebranding service for our premium support customers has been extended. As part of this non-contractual benefit, premium support customers are entitled to one rebranding of any of our FIPS provider certificates per year, completely free of charge.

We are pleased to announce that the forthcoming OpenSSL 3.1 release is to be made available on 14th March 2023.

The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee (OTC) are glad to announce our first beta release of OpenSSL 3.1. We consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback.

The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the alpha release of OpenSSL 3.1.

UPDATE: Please note this position has been filled.

UPDATE: The application period has been extended due to the Holiday Season.

The OpenSSL Management Committee are looking for a full time Engineering Manager. Details of the role follows.

To apply please send your cover letter and resume to jobs@openssl.org by 20th January 2023.

Today we published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).

Please read the advisory for specific details about these CVEs and how they might impact you. This blog post will address some common questions that we expect to be asked about these CVEs.

The configuration of supported groups in TLS servers is important to limit the resource consumption of the TLS handshakes performed by the server. This blog post should give system administrators a few useful hints on how to configure the OpenSSL library and two of the most used open source HTTP servers which use the OpenSSL library for supporting the HTTPS protocol.

UPDATE: The post was updated to mention the new CVE-2022-40735 vulnerability.