20 years ago, on the 23rd December 1998, the first version of OpenSSL was released. OpenSSL was not the original name planned for the project but it was changed over just a few hours before the site went live. Let’s take a look at some of the early history of OpenSSL as some of the background has not been documented before.
Back in the late 1990’s, Eric Young and Tim Hudson were well known for their work on the open source SSLeay library. SSLeay was widely used with Apache and (then) third party SSL modules to create open source secure web servers. In 1998 they both worked for C2Net, enhancing SSLeay and the products using it. C2Net was known for its flagship product, the Stronghold web server, a packaged and compiled product built on open source software with both support and, crucially, the ability to be used world-wide with strong encryption. It seems trivial now but back then cryptography products exported from the US like web servers and browsers were hobbled to use limited weak cryptography.
Eric and Tim had decided to leave C2Net to join RSA, a creator of a commercial SSL toolkit, so the future of SSLeay was unclear. This led to the genesis of the OpenSSL project through a discussion I had with Ralf Engelschall, a fellow core Apache developer, on 14th October 1998 in San Francisco at the first ever ApacheCon. We picked up the discussion a few months later, set up a mailing list on December 16th, and invited Stephen Henson, an SSLeay expert, to participate in what we then called OpenTLS. Ben Laurie, a core Apache developer and author of Apache-SSL, also independently announced his intention to start a new version of SSLeay a couple of days later.
Ralf took the source code from the public SSLeay versions 0.8.1 and 0.9.0b and the unreleased 0.9.1b version from C2Net and imported them into the OpenTLS CVS repository. We did some cleanup work on the files, added some patches from ourselves, and added some well known patches from the community to form the 0.9.1c version.
At the very last minute, just before going public, we changed from using the OpenTLS name to OpenSSL: the upcoming TLS protocol RFC had not yet been published and the acronym was relatively unknown at that time whereas the SSL acronym was widely recognised and so using SSL in the name would help users understand the transition from using SSLeay to OpenSSL. We had fortunately reserved both domain names.
On the 23rd December 1998 we opened up the www.openssl.org site and released the OpenSSL-0.9.1c version and source code repository.
Throughout that busy week we were communicating with Ben and Stephen to align and merge our projects, and so shortly after the Christmas holiday we made the full project release announcement. The initial project team was therefore comprised of Ben Laurie, Paul Sutton, Ralf Engelschall, Stephen Henson and myself, Mark Cox. All but Stephen Henson were core developers of the Apache HTTP Server.
For the first 15 years, OpenSSL membership was mostly a small collection of individuals working on a part time basis and the membership fluctuated and changed through those years. Approximately 5 years ago we expanded the group and introduced formal policies. As of today we have a structure where a team of committers are able to review and commit changes to the code, and a management committee oversee the project. OpenSSL is funded mostly through the generous donations of sponsors. We also have paid support contracts and occasionally take on contracts to develop certain new functionality. We use this funding primarily to pay fellows to work full time on the project. The fellows maintain the infrastructure, fix bugs and security issues, review patches, and much more (you can see what they are up to from their monthly reports sent to the openssl-project mailing list). Many companies also donate staff time to work on OpenSSL.
The 20th year looks to be an exciting one, with a major change to the version number scheme, the switch to the Apache License 2.0, and a new FIPS validation project just for starters. And although all the versions of SSL are now deprecated, it’s not likely we’ll rebrand back to OpenTLS any time soon.
Picture showing OpenSSL Management Committee during a face to face meeting in front of Edinburgh Castle, November 2018. Left to right: Paul Dale, Kurt Roeckx, Richard Levitte, Matt Caswell, Mark Cox, Tim Hudson. Viktor Dukhovni (not pictured) joined us virtually.