OpenSSL Blog

OpenSSL 3.0 Alpha3 Release


The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the third alpha release of OpenSSL 3.0.

As with any alpha release, the code is still experimental and many things can still change before the feature freeze planned for the beta release. In the following weeks more alpha releases will be issued to add more functionality, polish and improve the code, and fix issues.

We have been talking about the development of the next major release of OpenSSL for a while: you can read more about it in previous blog posts, and about the planned changes in our design document.

This release comes three weeks after the last alpha pre-release, and saw a number of changes: 352 files were changed, with 7117 insertions and 3567 deletions. Among these changes, we can mention, in no particular order:

  • general improvements to the built-in providers, the providers API, the internal plumbing, and the provider-aware mechanisms for libssl;
  • general improvements and fixes in the CLI apps;
  • cleanup of the EC API:
    • EC_METHOD became an internal-only concept, and functions using or returning EC_METHOD arguments have been deprecated;
    • EC_POINT_make_affine() and EC_POINTs_make_affine() have been deprecated in favor of automatic internal handling of conversions when needed;
    • EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult() have been deprecated, as such precomputation data is now rarely used;
    • EC_POINTs_mul() has been deprecated, as for cryptographic applications EC_POINT_mul() is enough.
  • the CMS API got support for CAdES-BES signature verification;
  • introduction of a new SSL_OP_IGNORE_UNEXPECTED_EOF option;
  • improvements to the RSA OAEP support;
  • FFDH support in the speed app;
  • CI: added external testing through the GOST engine;
  • fixes for various issues;
  • extended and improved test coverage;
  • additions and improvements to the documentation.
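A quick way to check whether code you maintain still uses the EC names deprecated in the list above. This is an added example, not code from the OpenSSL project; the function name `find_deprecated_ec`, the hint texts (paraphrased from the list) and the C snippet in `SAMPLE` are constructed for illustration.

```python
import re

# Names come from the release notes above; hints paraphrase the same list.
DEPRECATED = {
    "EC_POINT_make_affine": "drop the call; conversions are handled internally",
    "EC_POINTs_make_affine": "drop the call; conversions are handled internally",
    "EC_GROUP_precompute_mult": "drop the call; precomputation is rarely used",
    "EC_GROUP_have_precompute_mult": "drop the call; precomputation is rarely used",
    "EC_KEY_precompute_mult": "drop the call; precomputation is rarely used",
    "EC_POINTs_mul": "use EC_POINT_mul()",
    "EC_METHOD": "internal-only now; avoid functions taking or returning it",
}

# Comments and string/char literals are blanked so they cannot cause false hits.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"' r"|'(?:\\.|[^'\\\n])*'", re.S)
# \b keeps EC_POINT_mul (still supported) from matching EC_POINTs_mul.
_NAME = re.compile(r"\b(" + "|".join(map(re.escape, DEPRECATED)) + r")\b")

def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_deprecated_ec(source):
    """Return (line, name, hint) for each deprecated EC identifier in C source."""
    code = _NOISE.sub(_blank, source)
    return [(n, m.group(1), DEPRECATED[m.group(1)])
            for n, line in enumerate(code.split("\n"), 1)
            for m in _NAME.finditer(line)]

# Constructed sample input (not taken from any real project).
SAMPLE = '''\
#include <openssl/ec.h>
/* old code called EC_POINT_make_affine() here */
int derive(const EC_GROUP *g, EC_POINT *r, const BIGNUM *k, BN_CTX *ctx)
{
    const char *note = "EC_POINTs_mul is gone";
    if (!EC_GROUP_precompute_mult((EC_GROUP *)g, ctx))  // legacy speed-up
        return 0;
    if (!EC_POINTs_mul(g, r, k, 0, NULL, NULL, ctx))
        return 0;
    return EC_POINT_mul(g, r, k, NULL, NULL, ctx);
}
'''

if __name__ == "__main__":
    for line, name, hint in find_deprecated_ec(SAMPLE):
        print(f"line {line}: {name}: {hint}")
```
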

Once more, a lot of these enhancements wouldn’t have happened without the positive response of the community to previous alpha announcements. We wish to reiterate our thanks for all the feedback and the contributions from the users and developers that are testing the pre-release versions of OpenSSL, which are vital to the development process of the next release.

As a special note, I’d like to highlight on this occasion that the OpenSSL Management Committee recently published a message on the openssl-project mailing list seeking assistance from the community to take on a task related to the inclusion of X9.42 KDF into the upcoming FIPS provider in time for the FIPS validation process for OpenSSL 3.0. More details can be found in the original message.

For more details on upgrading to OpenSSL 3.0 from previous versions, as well as known issues and the status of current development, we collected specific notes on the OpenSSL wiki. We strongly encourage consulting (and contributing to) this wiki entry also to discover the most important changes in the upcoming OpenSSL 3.0 and how they might affect you and the code you maintain.

We are always keen to see oldtimers and newcomers alike proposing issues, fixes and contributions, not only in the form of code, but also for manpages and wiki documentation. At this point, it is particularly important to also make sure that the documentation for the new architecture, for the new features, and for the new deprecations and their replacements, is available, complete, up-to-date and sufficiently clear for external users. We prioritize GitHub issues and pull requests as the favourite channel for contributing to the OpenSSL 3.0 project, but any form of interaction, including on the openssl-users mailing list, is always welcome.

The feedback from the community, and your involvement in testing external applications and ENGINEs against the next version of OpenSSL and improving the documentation, are crucial to the continued quality of the OpenSSL Project.