The release schedule is as follows:
An alpha of OpenSSL 3.3 will be made on 20 March 2024.
A beta of OpenSSL 3.3 will then be made on 29 March 2024.
The expected final release date for OpenSSL 3.3.0 is 10 April 2024. Backup release dates are 17 April 2024 and 24 April 2024.
Additional alphas and betas are not anticipated.
OpenSSL 3.3 will feature the following new features:
atexit(3) at build time
SSL_SESSION APIs
No further features or API changes are planned for 3.3 beyond those listed above. We will not be accepting any additional features for 3.3; any unmerged feature PRs will now be considered for 3.4.
The release process of OpenSSL 3.3 will be managed by Neil Horman (@nhorman). Details on the release schedule can be found on the new OpenSSL Release Schedule board on GitHub.
The release of the subsequent feature release, OpenSSL 3.4, will occur no later than 31 October 2024.
In the February 2023 face-to-face meeting we decided to create the OpenSSL Working Group in an effort to be more efficient at addressing and executing on decisions made.
The WG was formed as an initiative to include more people in the OpenSSL decision-making process and to organize a place where OMC members, engineering, management, paid team members, and invited third parties all meet and tackle urgent issues together in a timely manner.
As a result, for the first time in the history of OpenSSL, we came close to hitting a committed release date: we had initially aimed for an October release and we got it out in early November. Now that we have moved on to a time-based release schedule, the Working Group has been keeping us on track for our April release date.
Other things the Working Group has guided the project on include:
To get a more in-depth look into what the Working Group is working on every week please take a look at our public project board where we track almost every issue publicly, minus a couple items that require privacy. The working group has proven instrumental in increasing trust and confidence in the project by making sure decisions are made in a timely manner so that the OpenSSL Project can gain a reputation of being a reliable and sustainable open source project.
If you have any questions or concerns, please contact us at feedback@openssl.org.

NetApp’s sponsorship brings valuable resources to OpenSSL, enabling the project to accelerate development, conduct thorough security audits, and ensure ongoing maintenance and support. In return, NetApp gains access to cutting-edge cryptographic technologies, contributing to the enhancement of its own security solutions and reinforcing its position as a leader in data management.
This teamwork shows how powerful it can be when companies invest in the tools that keep our online world secure. As NetApp and OpenSSL work together, they’re not just making their own projects better – they’re inspiring others to join in and make the whole online community stronger.
Contact us at feedback@openssl.org or on GitHub Discussions if you have any questions or comments.

Why Attend?
Empower Yourself: Gain practical skills to implement OpenSSL in your projects.
Community Engagement: Connect with a community of security-conscious individuals.
Save the Date:
📅 Date: Feb 06, 2024
🕒 Time: 08:00 AM Pacific Time (US and Canada)
📍 Location: https://zoom.us/webinar/register/WN_GWqOVe4FRZC-IctgLzmpBQ
Secure your spot now and embark on a journey to unlock the secrets of OpenSSL. Don’t miss this opportunity to enhance your cybersecurity knowledge. Register today and stay one step ahead in safeguarding your digital assets!

The OpenSSL 3.0.9 maintenance release fixed the Low severity security issue CVE-2023-1255 which affects the FIPS module when running on ARM 64 bit platforms. For this reason the 3.0.9 version was submitted for validation and the updated FIPS certificate is now available.
For more information on the resolved CVEs specific to the FIPS provider, please visit our FIPS and CVEs news page.

This in no way impacts our existing FIPS 140-2 certificate which remains valid and will be maintained until its sunset date in September 2026.
You can see the official listing for the submission in the modules in process list (scroll down to the “OpenSSL FIPS Provider” entry from “The OpenSSL Project”).
The algorithm certificates are also available.
The following platforms have been tested:
Operating System | Processor |
---|---|
Debian 11.5 | Intel i7 |
FreeBSD 13.1 | Intel i7 |
macOS 11.5.2 | Apple M1 |
macOS 11.5.2 | Intel i7 |
Ubuntu Linux 22.04.1 Server | Intel i7 |
Windows 10 | Intel i7 |
The next step is waiting for the CMVP review. It is likely to be months until a reviewer is assigned.
Once the certificate is issued, premium support customers will be able to take advantage of our no cost rebrand offer for this certificate in addition to the 3.0 certificate.
It isn’t possible to provide a timeframe in which we can be certain the CMVP review process will be complete. It is expected to take many months.

What to Expect:
Tutorial Series: Get ready for in-depth tutorials covering a wide range of topics, from OpenSSL basics to advanced usage scenarios. Whether you’re a seasoned developer or just starting, our tutorials will cater to all skill levels.
Security Insights: Stay informed about the latest in cybersecurity with our security-focused videos. Explore best practices, industry trends, and the evolving landscape of digital security.
Subscribe Now: Be among the first to experience the excitement by subscribing to our YouTube channel: @OpenSSL_.
Launch Video: To kick things off, we’ve uploaded all the presentations from our most recent Provider Workshops Users and Authors Track. Watch them here and let us know your thoughts in the comments!
Get Involved: We want this channel to be a collaborative space where the community actively participates. Share your thoughts, suggestions, and ideas for future videos in the comments section or reach out to us at feedback@openssl.org.
Stay Connected: Follow us on Twitter and LinkedIn for real-time updates and announcements related to the YouTube channel.
We are incredibly excited about this new venture and can’t wait to embark on this journey of knowledge sharing and community engagement with all of you. Thank you for your continued support!
Happy watching!

To express our gratitude to the incredible community that has supported us throughout the years, we are hosting an exclusive T-Shirt Giveaway! The first 75 people to participate will receive a limited edition OpenSSL 25th-anniversary T-shirt as a token of our appreciation.
How to Participate:
Fill out the entry form with your full name, phone, email, address, and shirt size so we can verify your participation and send you your t-shirt.
Giveaway Details:
Prize: Limited edition OpenSSL 25th-anniversary T-shirt.
Quantity: The first 75 participants who complete all the steps.
Deadline: Submissions open December 20, 2023 and close January 30, 2024 or when we hit 75 participants.
Winners Announcement:
We will notify the recipient via email. Make sure to keep an eye on your inbox and follow us for updates!
Thank you for being a vital part of the OpenSSL journey. Your continued support has made OpenSSL what it is today, and we are excited to celebrate this milestone with you.
Here’s to 25 years of open-source excellence and many more to come!
Contact us at feedback@openssl.org if you have any questions or comments.

The Authors Track will cover how to write your own OpenSSL provider. This session will assume some basic knowledge about what OpenSSL providers are and how to use them (such as might be obtained from attending the “Users Track” session). It will be split into 4 separate presentations by OpenSSL Engineers. There will be opportunities to ask questions after each talk, as well as at the end where there will be an open forum for any questions or feedback not covered by the individual presentations.
Learn more and register in advance for the workshop here (please choose the time zone that works best for you):
Session 1: Americas and EMEA Time Zone
When: Dec 11, 2023 04:00 PM Universal Time UTC Register in advance for this webinar: https://zoom.us/webinar/register/WN_2UqTPnrxQjyUJOzUxOj77w
Session 2: APAC Time Zone
When: Dec 12, 2023 07:00 AM Universal Time UTC Register in advance for this webinar: https://zoom.us/webinar/register/WN_LNFArIEmQmqbmiLdSuOdOA
After registering, you will receive a confirmation email containing information about joining the webinar.
Contact us at feedback@openssl.org or on GitHub Discussions if you have any questions or comments.

The Users Track will cover how to use OpenSSL providers. It will be split into 3 separate presentations by OpenSSL Engineers. There will be opportunities to ask questions after each talk, as well as at the end where there will be an open forum for any questions or feedback not covered by the individual presentations.
Learn more and register in advance for the workshop here (please choose the time zone that works best for you):
APAC Time Zone:
When: Dec 6, 2023 07:00 AM Universal Time UTC Register in advance: https://zoom.us/webinar/register/WN_8ZPx5nkpTEG1fYLWH-StbQ
Americas and EMEA Time Zone:
When: Dec 7, 2023 04:00 PM Universal Time UTC Register in advance: https://zoom.us/webinar/register/WN_jta40RLSTTei9OF8CINjCA
After registering, you will receive a confirmation email containing information about joining the webinar.
Stay tuned for news about part two of the OpenSSL Providers Workshop: Authors Track.
Contact us at feedback@openssl.org or on GitHub Discussions if you have any questions or comments.

A complete summary of the major new features and significant changes in OpenSSL 3.2 can be found in the NEWS file; a more detailed list of changes in OpenSSL 3.2 can be found in the CHANGES file on GitHub.
Users interested in using the new QUIC functionality are encouraged to read the README file for QUIC, which provides links to relevant documentation and example code.
OpenSSL 3.2.0 can be downloaded as a source tarball here or obtained from our release tag on GitHub. Checksums and release signatures may be found on the Downloads page.
The next feature release after OpenSSL 3.2 will be OpenSSL 3.3, which will be released no later than 30 April 2024. This release is expected to include QUIC server support. The determination of what other features will be shipped in OpenSSL 3.3 is ongoing and will be decided by our recently announced Release Steering Committee.
We would like to thank all of our users and communities for their continued use and support of OpenSSL. OpenSSL 3.2.0 represents the product of over two years of development work, comprising over 4,000 commits and contributions from over 300 different authors. This release would not be possible without the innumerable bug reports, pull requests, code reviews and feedback we continue to receive from our community.
We would also like to extend our thanks to all of the organisations who have supported the development of OpenSSL 3.2 financially, whether by holding a support contract with us or by sponsoring OpenSSL. These organisations provide a sustainable income source for the project, and continue to enable us to fund consultants to work full time for the OpenSSL project. Over 60% of commits in the past year were funded by the OpenSSL project itself, thanks to our support customers and sponsors.
As always, bug reports and issues relating to OpenSSL can be filed on our issue tracker, and questions about using OpenSSL 3.2 can be posted on GitHub Discussions.
Comments on this release are also welcomed on GitHub Discussions, or via email to feedback@openssl.org.
Due to a small number of bugs which have been identified by the ongoing use of fuzzing, the OpenSSL Project has made the decision to postpone the final release of OpenSSL 3.2 by at least a week. While we have promptly fixed all bugs presently identified by fuzzing, to ensure the quality of OpenSSL 3.2, we do not intend to make the final release until all issues identified by fuzzing have been addressed and no new issues are found for one week. As a result, we have pushed the full release of OpenSSL 3.2 to the 23rd November 2023. Please stay tuned to our blog for more details on the matter.
In the meantime, the OpenSSL 3.2 Beta is currently available. We encourage all OpenSSL users to build and test against the beta release and provide feedback.
OpenSSL 3.2 will be our last release before we transition to a time-based release schedule on a 6-month cadence, with regular feature releases in October and April each year.
A complete summary of the major new features and significant changes in OpenSSL 3.2 can be found in the NEWS file; a more detailed list of changes in OpenSSL 3.2 can be found in the CHANGES file on GitHub.
Please download OpenSSL 3.2 beta1 from here and let us know about any problems you encounter by opening an issue at our GitHub page.
Feedback from the community and your involvement in testing external applications against the next version of OpenSSL is crucial to the continued quality of the OpenSSL releases. Please get in touch with us at feedback@openssl.org or on GitHub Discussions.

The code for OpenSSL 3.2 is now functionally complete and at the time of the beta release there were no outstanding known regressions that need to be fixed before the final release. A lot of work has been going on over the last few months getting OpenSSL 3.2 ready for its final release and we want to send thanks to everyone who has helped us.
Our plans for issuing the final release have been postponed. We now plan to release by the end of November 2023. Following this, we will transition to a time-based release schedule on a 6-month cadence, with regular feature releases in October and April each year.
We are nearing the finishing line and are excited about the many new features and changes that OpenSSL 3.2 will bring. Here are some of the highlights:
A complete summary of the major new features and significant changes in OpenSSL 3.2 can be found in the NEWS file; a more detailed list of changes in OpenSSL 3.2 can be found in the CHANGES file on GitHub.
Please download OpenSSL 3.2 beta1 from here and let us know about any problems you encounter by opening an issue at our GitHub page.
Feedback from the community and your involvement in testing external applications against the next version of OpenSSL is crucial to the continued quality of the OpenSSL releases. Please contact us at feedback@openssl.org or on GitHub Discussions.

Raw Public Keys are a cryptographic mechanism used in public key infrastructure (PKI) systems. They are a way of representing a public key without the associated digital certificate, which contains additional information like the owner’s identity, expiration date, and digital signatures from a certificate authority. This makes Raw Public Keys more lightweight and efficient, especially in resource-constrained environments.
RFC 7250, published by the Internet Engineering Task Force (IETF), defines the use of Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. The primary goal of this RFC is to facilitate secure communication by enabling the use of Raw Public Keys as an alternative to traditional X.509 certificates.
RFC 7250 and Raw Public Keys are a significant step forward in the field of internet security, particularly in resource-constrained and latency-sensitive environments. While they offer a more efficient and streamlined approach to secure communications, they also come with their own set of challenges. As the adoption of Raw Public Keys continues to grow, it’s essential for developers, network administrators, and security experts to understand and implement them effectively, keeping in mind the security and privacy implications. This evolution in cryptography and security protocols marks another milestone in making the internet a safer place for all.
If you have any questions, please feel free to contact us at feedback@openssl.org.

Hybrid Public Key Encryption (HPKE) is a cryptographic protocol defined in RFC 9180 (Request for Comments) that aims to provide a flexible and secure way to perform public key encryption in various scenarios. HPKE combines the security of public key encryption with the flexibility of using different key exchange methods and encryption schemes. This protocol is designed to be used in a wide range of applications, including securing communications over the internet and other networked environments.
Implementing HPKE in OpenSSL will help ensure that your public key encryption solution is both effective and reliable for securing data in various applications and environments for the following reasons:
Overall, HPKE is a versatile and secure public key encryption protocol that can be used in a wide range of applications and scenarios, providing confidentiality and authenticity for data exchanged over the internet and other networked environments. Its flexibility and support for various encryption methods make it a valuable tool in the realm of modern cryptography.
If you have any questions or comments, please email us at feedback@openssl.org.

The Importance of FIPS Compliance
The Federal Information Processing Standards (FIPS) are a set of standards and guidelines established by the National Institute of Standards and Technology (NIST) in the United States. FIPS was developed as an effort to create acceptable industry standards for use in the federal government. Now FIPS is both a US and Canadian government standard that specifies minimum security requirements for hardware, software, and firmware solutions handling sensitive government information or collaborating with government entities.
OpenSSL and FIPS: A Continuing Journey
version 3.0.9 for all of our platforms.
This has been in coordination since the start of September. It will hopefully move to finalization soon.
Review Pending: this is just waiting to get a reviewer and typically takes a few months. This is generally the longest phase.
In Review: there is a reviewer looking at the module and the documentation.
Coordination: this is a back and forth between the reviewer and our lab. Typically the lab passes most of the questions about the module to us and deals with the documentation. This takes weeks per iteration and the number of iterations is unknown.
Finalization: a fast paperwork only stage.
Significance of OpenSSL’s FIPS Commitment
By sharing our FIPS 140 plans with our community, we are showing OpenSSL’s dedication to a forward-thinking approach to cryptographic security, ensuring that OpenSSL remains a trusted choice for those looking to secure their data in a world of persistent cyber threats. This ongoing journey signifies a commitment to not only meet today’s security standards but also to prepare for the challenges of tomorrow.
If you have any questions or comments, please feel free to contact us at feedback@openssl.org.

The tutorials are collected in the new “OpenSSL Guide”. Read the introduction to the guide in the main pages section of our website. It is also included as part of the 3.2 release itself.
The guide walks you through the OpenSSL libraries (libcrypto and libssl) and explains core concepts any developer using the libraries needs to understand. This will also be useful to people who are familiar with developing applications for older versions of the OpenSSL libraries (i.e. 1.1.1 or earlier) and want to understand how OpenSSL 3 works.
At this stage the guide focuses on the steps necessary to develop an OpenSSL client using TLS or QUIC. We hope to expand the guide in the future to cover server side development and other aspects of OpenSSL development. There are many code samples accompanying the guide to illustrate what needs to be done. These code samples are also available as stand-alone C files in the demos/guide sub-directory of the OpenSSL 3.2 release.
The guide covers both blocking and non-blocking clients, and the key differences between writing a QUIC client compared to a TLS client. It also explains how to use the “multi-stream” capabilities that QUIC provides.
Please take a look and let us know what you think. You can contact us via email at feedback@openssl.org.
If you have any questions about how to write OpenSSL applications you can ask them via our GitHub Discussions area (https://github.com/openssl/openssl/discussions).
If you spot any issues in the tutorials, or have suggestions for improvements, please feel free to raise an issue (https://github.com/openssl/openssl/issues/new/choose).

Please see our previous blog post for a list of all of the exciting new features that are contained in the upcoming 3.2 release.
Thank you to all the people that downloaded and tested OpenSSL 3.2 Alpha 1. We have updated Alpha 2 to incorporate numerous fixes for issues reported to us by the community as a result of our Alpha 1 release.
A complete summary of the major new features and significant changes in OpenSSL 3.2 can be found in the NEWS file; a more detailed list of changes in OpenSSL 3.2 can be found in the CHANGES file on GitHub.
This is an alpha release and is intended for development and testing purposes; it should not be used for production use. Users should expect minor bugs. Reports of interoperability issues with other QUIC implementations, or any other bug reports, are greatly appreciated and can be filed on our issue tracker. Questions about using OpenSSL 3.2 can be posted in our new GitHub Discussions area, as can feedback regarding our new QUIC functionality and APIs.
OpenSSL 3.2 Alpha 2 can be downloaded as a source tarball here or obtained from our release tag on GitHub. Checksums and release signatures may be found on the Downloads page.
Users interested in using the new QUIC functionality are encouraged to look at some of the following resources:
doc/designs/ddd.
For further questions or comments, email feedback@openssl.org.
As you may know the OpenSSL Project recently attended ICMC 23 where we were given the opportunity to update our peers about the rapid fundamental changes the project has gone through in 2023.
To summarize here are the key takeaways from our presentation:
Key takeaway 1: Adopted a Mission and Values statement
“We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right”
The OpenSSL Project adopted an official Mission and Values statement in February 2023. Mission and values are the bedrock of any organization, and by clearly establishing ours we are ensuring all future endeavors will be in support of our mission and values.
Key takeaway 2: Project Dashboard
To further our commitment to transparency, we’ve introduced a Project Dashboard. This provides a clear view of our tasks, priorities, and the project’s direction. The dashboard will bridge the gap between OpenSSL’s internal workings and offer key insights into our decision-making process. Refer to the Project Board Handbook for more information.
Key takeaway 3: Time Based Release Policy
We’re transitioning to time-based releases. This shift ensures predictability, allowing our users and developers to plan better and benefit from timely updates. The releases will be scheduled every April and October.
Key takeaway 4: Release Steering Committee
One of our major initiatives is the introduction of the Release Steering Committee. Comprising both internal and external members, this committee ensures diverse perspectives shape OpenSSL’s direction. The Release Steering Committee symbolizes OpenSSL’s commitment to inclusivity and diverse perspectives. By inviting external members, the committee ensures a balanced approach to guiding OpenSSL’s direction.
Key takeaway 5: Be Part of Our Journey
Community is the heart of open source software, and it is the heart of OpenSSL. We invite everyone to be a part of our journey. From joining our committees to participating in discussions, there are numerous ways to collaborate with us.
We have an open invitation for the community to share thoughts, concerns, and suggestions at feedback@openssl.org.
Key takeaway 6: Bigger and Better!
As testament to our growth and the increasing interest in our project, we’re thrilled to announce that we’ve expanded our team. This includes almost doubling our core engineers and introducing new roles to better serve our community.
Key takeaway 7: OpenSSL 3.2 and beyond!
We are eager to share our future plans with you. OpenSSL 3.2 is in the late stages of development, with the final release happening in October. The key new feature for this release is the introduction of QUIC MVP, a fully fledged QUIC client with an easy-to-use API for libSSL users.
Features for OpenSSL 3.3 and beyond have yet to be approved by the Release Steering Committee; however, here is a list of possible new features to look for:
If you have any questions or comments, please contact us at feedback@openssl.org.