“That we remove “We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You can not pay us to get security patches in advance.” from the security policy and Mark posts a blog entry to explain the change including that we have no current such service.”

At the OpenSSL Management Committee meeting earlier this month we passed the vote above to remove a section our security policy. Part of that vote was that I would write this blog post to explain why we made this change.

At each face to face meeting we aim to ensure that our policies still match the view of the current membership committee at that time, and will vote to change those that don’t.

Prior to 2018 our Security Policy used to contain a lot of background information on why we selected the policy we did, justifying it and adding lots of explanatory detail. We included details of things we’d tried before and things that worked and didn’t work to arrive at our conclusion. At our face to face meeting in London at the end of 2017 we decided to remove a lot of the background information and stick to explaining the policy simply and concisely. I split out what were the guiding principles from the policy into their own list.

OpenSSL has some full-time fellows who are paid from various revenue sources coming into OpenSSL including sponsorship and support contracts. We’ve discussed having the option in the future to allow us to share patches for security issues in advance to these support contract customers. We already share serious issues a little in advance with some OS vendors (and this is still a principle in the policy to do so), and this policy has helped ensure that the patches and advisory get an extra level of testing before being released.

Thankfully there are relatively few serious issues in OpenSSL these days; the last worse than Moderate severity being in February 2017.

In the vote text we wrote that we have “no current such service” and neither do we have any plan right now to create such a service. But we allow ourselves to consider such a possibility in the future now that this principle, which no longer represents the view of the OMC, is removed.

The following is a press release that we just put out about how finishing off our relicensing effort. For the impatient, please see https://license.openssl.org/trying-to-find to help us find the last people; we want to change the license with our next release, which is currently in Alpha, and tentatively set for May.

For background, you can see all posts in the license category.

One copy of the press release is at https://www.prnewswire.com/news-releases/openssl-seeking-last-group-of-contributors-300607162.html.

Note: This is an outdated version of this blog post. This information is now maintained in a wiki page. See here for the latest version.

The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3. The new release will be binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL when it becomes available and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of. In this blog post I am going to cover some of those things.

The OpenSSL OMC met last month for a two-day face-to-face meeting in London, and like previous F2F meetings, most of the team was present and we addressed a great many issues. This blog posts talks about some of them, and most of the others will get their own blog posts, or notices, later. Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft covered the costs of their employees who attended.

One of the overall threads of the meeting was about increasing the transparency of the project. By default, everything should be done in public. We decided to try some major changes to email and such.

Today I have had great pleasure in attending the Real World Crypto 2018 conference in Zürich in order to receive the Levchin prize on behalf of the OpenSSL team.

The Levchin prize for Real World Cryptography recognises up to two groups or individuals each year who have made significant advances in the practice of cryptography and its use in real-world systems. This year one of the two recipients is the OpenSSL team. The other recipient is Hugo Krawczyk.

The team were selected by the selection committee “for dramatic improvements to the code quality of OpenSSL”. You can read the press release here.

We have worked very hard over the last few years to build an active and engaged community around the project. I am very proud of what that community has collectively achieved. Although this prize names specific individuals in the OpenSSL team, I consider ourselves to just be the custodians of the project. In a very real way this prize is for the whole community. It is fantastic to be recognised in this way.

The job is not done though. There is still much work we need to do. I am confident though that our community will work together to achieve what needs to be done.

Steve Marquess is leaving the OpenSSL project as of the 15th of November 2017.

The OpenSSL Management Committee (OMC) would like to wish him all the best for the future.

All communication that used to go to Steve Marquess directly, should now be sent to info@openssl.org in the first instance.

Thanks for your contributions to the project over the years!

For as long as I have been involved in the OpenSSL project there has been one constant presence: Steve Henson. In fact he has been a part of the project since it was founded and he is the number 1 committer of all time (by a wide margin). I recall the first few times I had any dealings with him being somewhat in awe of his encyclopaedic knowledge of OpenSSL and all things crypto. Over the years Steve has made very many significant contributions both in terms of code but also in terms of being an active member of the management team.

I am sad to have to report that Steve has decided, for personal reasons, to move on to other things. The OpenSSL Management Committee (OMC) would like to wish him all the best for the future. In recognition of his huge contributions we will be listing him as an “OMC Emeritus” on our alumni page.

Good luck Steve!

Press Coverage

There have been more articles written based on the interviews with Paul Yang from BaishanCloud, Tim Hudson, and Steve Marquess from the OpenSSL team.

• AQNIU
• TechTarget
• ScienceNet

These join the articles noted in the previous blog entry.

• FreeBuf
• Leiphone
• iTuring Press

We had been invited to spend time with the open source community in China by one of the developers - Paul Yang - who participates in the OpenSSL project. A number of the team members had communicated via email over the last year and when the suggestion was made there were enough of us willing and interested to visit China for a “tour” to make sense. So the tour was agreed as a good thing and that started the journey that lead to spending a week in China (last week as I write this on the plane on the way back to Australia).

What started out as a quick visit to one company rapidly turned into a multi-city, multi-company event - with a mixture of:

• see “China”
• visit major companies that use OpenSSL
• meet with developers who work with or contribute to OpenSSL
• a half-day presentation session with open source developers at which each member of the OpenSSL team would speak on a different topic.

Our hosts BaishanCloud put an amazing amount of effort into organising the trip - everything was planned for - from the flights, the hotels, who would meet as at the airport and what signs they would hold and what they looked like and their contact details. Nothing was left to chance.

Our arrival day came and into Shanghai flew the five of us (Matt, Richard, Steve, Tim, and finally Rich) spread out over the day and across multiple airlines and terminals. Despite the logistical challenges the BaishanCloud team made the arrival a very smooth process.

We stayed in fantastic hotels, and at each stage we had a designated guide (from the marketing team) that looked after the logistics. For Shanghai and Hangzhou it was Jane, for Shenzhen it was Shirley, and for Beijing it was Alan. We learned rapidly to simply follow their lead as everything had been planned - even the unexpected.

Paul (Yang Yang), Sean, and Jedo from the BaishanCloud engineering group also accompanied us everywhere. It was great to have the company and be able to interact over the whole trip. Their backgrounds were as different as their personalities and their individual sense of humour.
We spent a lot of time together over the week - from early starts (for the engineers) at 7am for breakfast - to late nights discussing the day, plans for the next and getting to know each other (after 10pm) - we simply kept on-the-go all the time.

Woven through the complex schedule were tours of some famous Chinese locations - Lingyin Temple in Hangzhou, Shenzhen Sarafi Park in Shenzhen, Imperial Palace / Forbidden City and Shichahai Lake in Beijing.

Our hosts did not just want us to visit people - they wanted us to experience some part of the wonderfully rich history of the Chinese people - a detailed history that goes back far beyond the recorded history of countries that we all came from.

We had many adventures along the journey but we all experienced a lot of things. As a team, we discussed the various different things from architecture, traffic, cars, culture, working hours, city layout, food, social customs, and the prices of various items. It was amazing for me to see the difference between the team members and their own cultural experiences and viewpoints changing what was seen. Those of us who had travelled and experienced other cultures simply soaked it all in and appreciated the depth and complexity of the uniquely Chinese experiences.

Discussions over dinner about the rich experience made it very clear that we saw different aspects of the experience of this deeply unique culture.

Our Hosts

Our hosts also had their own preconceived notions of what the team would like - would we be able to eat the food - could we use chopsticks (we all can and even those who had only minimal experience with chopsticks used them at every lunch or dinner), - could we eat the food (given how foreign it would be). Some of us are definitely more adventurous than others (sticking to mild food that was more familiar) but most of us eagerly tried the huge range of dishes that our hosts provided. Almost every meal we had to say “stop, no more food” as the dishes kept coming out - and with each new dish we wanted to try it - but the stomach can only fit so much food despite how interesting and tempting the dish was. It was a testament to the range of food experiences that we had that for many of the dishes we ate our engineering hosts had themselves never eaten.

By the end of the week, we all recognised many of the dishes, had definite personal preferences, and all could easily pick up individual grains of rice with chopsticks and eat without making too much of a mess on the table. Still, even at the final traditional Chinese meal together we still were exposed to dishes we hadn’t eaten before and more food then we could possibly eat. There were also concerns about whether or not we would understand their English (not a problem) - and although we had some very funny moments figuring out what some things, there was never moment where we couldn’t figure out how to communicate. Sure there are lots of strange words and phrases we use that added to the fun - but basic communication simply isn’t a problem.

The monkey riding on a chicken

One phrase that does stick in the mind is how our guide (Snow) to the forbidden city explained things in ways she knew we, as foreigners, would remember - pointing to the roof of a building she said “see what looks like a monkey riding on a chicken - that’s an immortal on a phoenix leading the procession of mythical creatures”. We saw that “monkey-riding-on-a-chicken” a lot during our time in the forbidden city. Little things like that helped frame the cultural reference and had us looking for the markers - noticing which buildings were associated with the emperor and which buildings were temples - and how important each of the buildings were relative to each other (counting the mythical creatures became second nature to fitting the importance of each building into context).

There is also a clear distinction in the Chinese people we interacted with between those who are immersed in the traditions and culture and those who are much more focused on the future. We all experience that in our own cultures and it was refreshing to see the full range of viewpoints. Some of our hosts have never before visited or experienced what was being shown to us, and we got to see how they reacted to the experience - and as expected, different things caught their interest and we had many discussions about the experience of the day over dinner each evening.

China Is Simply Not Just The Same As Back Home

We are a team, and like all teams we are made up of individuals who had very different experiences. We are shaped by our experiences and the willingness to be open to new experiences without mapping them back in term of our own cultural context is absolutely critical to getting a rich experience when learning about other cultures.

China is different (as are all cultures), Chinese engineers have different obstacles to overcome to participate in open source projects - obstacles that we as a team should be actively aware of and looking to reduce.

China’s Open Source Leaps

Open source has revolutionised China software engineering - and that open source has allowed a new generation of companies to take an amazing leap forward - with the building blocks freely available anyone with an idea and passion can turn that idea into a business - staffed from a huge pool of engineering talent - and be successful. There are innovations and engineering going on in China that equal or exceed the engineering achievements elsewhere in the world - that was clearly evident in the meetings we had with staff at various companies - from small start-ups through to massively successful major brand names.

Very few companies in the world are pure open source companies - there are unique challenges to making a successful living as an “all-open-source” company. For most companies, it is easy to import or adopt open source, it is much more difficult to contribute back to open source. The same is true in China. Getting the balance right for a company requires education and commitment from both engineering and executives in order to ensure that the benefits are understood along with the appropriate protections being in place so that the company only contributes what it expects to contribute. The concept of contribution back to the open source community is clearly at an earlier stage in China than it is in the counties of the OpenSSL team members.

How to grow this realisation is something we will be discussing further - and this goes wider to the entire open source community and it not something specific to OpenSSL.

Typical Chinese Engineering Work Days

Chinese engineers generally live a long way from the office (1-2 hour or longer journeys are common) and have to come into the office (it is rare to be able to work from home) and stay late in evening. Ending at 9pm is common. And catching up with friends and a social life seems to start around 10pm. Getting a 2am WeChat message is considered normal - nothing at all strange.

It wasn’t unusual for our host to have a full day’s work (full from our typical western point of view) and then after making sure we were heading to sleep in our rooms to then head out to catch up with friends and colleagues from the companies we had visited during the day. And then the next morning have to be up again early (very early from a Chinese engineer perspective) to make sure we had breakfast and were ready for the bus ride to whatever our destination was for the first visit of the day

Chinese Company Exhibits

The larger companies that we visited all have exhibition areas to show visitors what the company does (and how successful the company is). The larger the company the more focus there was on packing in maximum information into the exhibits. Having 20 separate displays was not unusual. These exhibits were clearly designed for both a Chinese audience and an English audience.

How many products, customers, engineers, and how much revenue and what problems the company products solve were on proud display. It was very interesting watching the reactions of the other team members who clearly hadn’t internalised the size and scope of China or the technical developments and achievements of Chinese companies. For me, having been exposed to Chinese companies before and experiencing the different scale at which they operate it was still a surprise - but much less so that to some of the others.

Open Source Presentation Day

On the Saturday (selected so that it would be easier for engineers to attend), we had a half-day presentation session. We will post the presentations in a week or two, once we are sure we have all the final presentations from both the team members and the two local speakers.

Press Coverage

There have already been at least three articles written based on the interviews with Paul Yang from BaishanCloud, Tim Hudson, and Steve Marquess from the OpenSSL team. We expect there will be many more.

• FreeBuf
• Leiphone
• iTuring Press

Fond Memories

We experienced the beautiful lakes, trees, forests, temples, art and even some music. We climbed up ancient steps, walked through buildings made long ago, and listened to stories from another century. None of this was why we came to China - but we are all grateful for the experiences that our hosts provided us and the thinking and planning that clearly went into the visit.

We all took photos - ranging from the professional camera equipment (Richard) to the cheapest phone money can buy with a tiny little screen (Steve) to the range of different smartphones the rest of us (Matt, Rich and myself) use on a daily basis. When Richard’s camera ran out of battery he switched to his phone and kept taking photos. We have so many amazing photos that will help us all remember this experience for years to come.

New Friends

I have made new friends on this trip - friends that I plan to stay in touch with now that I know what the “right” way to communicate that works when talking with China based engineers. The tools and language may be different - but there is enough in common with the goals and aspirations that we can all work together.

Over the past few years we’ve come to the realisation that there is a surprising (to us) amount of interest in OpenSSL in China. That shouldn’t have been a surprise as China is a huge technologically advanced country, but now we know better thanks to correspondence with many new Chinese contacts and the receipt of significant support from multiple Chinese donors (most notably from Smartisan.

We have accepted an invitation from BaishanCloud to visit China in person and meet with interested OpenSSL users and stakeholders in September. We’d like to thank BaishanCloud for hosting us and Paul Yang and his colleagues there for the substantial amount of work that went into arranging this trip.

Five of us (Matt Caswell, Tim Hudson, Richard Levitte, Steve Marquess and Rich Salz) will be in China from 18 September through 24 September, visiting Shanghai, Shenzhen, and Beijing. With this trip we hope to learn more about this significant portion of the open source and OpenSSL user communities, and hope to make OpenSSL more visible and accessible to that audience. Note that while not quite constituting a OpenSSL team meeting, this will be only the third time any significant number of the OpenSSL team have met in person.

We will presenting on various aspects of OpenSSL on 23 September 2017 in Beijing. An introduction to the event and a registration link are available in Chinese.

We will also be visiting Shanghai and Shenzhen earlier that week to meet with members of the open source community and OpenSSL users and stakeholders. If you can’t make it to the presentation above it may be possible to arrange to meet up with you in one of the above locations. Please drop us a line if you are interested in meeting with us.