OpenSSL Blog

OpenSSL 3.0 Release Candidate


The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee (OTC) are glad to announce our first beta release of OpenSSL 3.0. We consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback.

A lot of work has been going on over the last few months getting OpenSSL 3.0 ready for its final release. In fact the whole OpenSSL 3.0 development effort has been huge with many different contributions from our user base. Since we started this effort we have seen over 7000 commits to the 3.0 development branch from over 300 different authors. Thanks to everyone who has played a part in getting us to this point.

We are now nearing the finishing line and we are excited about the many new features and changes that OpenSSL 3.0 will bring. Here are some of the highlights:

  • New Licence. OpenSSL 3.0 will now be released under the standard and widely used Apache License, version 2.0 rather than the custom “dual” (where both apply) OpenSSL and SSLeay licences that was used in 1.1.1 and before.

  • New Versioning scheme. See this blog post for further details.

  • Provider based architecture. A replacement for the old “engine” interface that enables much more flexibility and the ability for third party authors to add new crypto algorithms into OpenSSL.

  • A new provider that will be undergoing validation to the FIPS 140-2 standard.

  • Fully “pluggable” TLSv1.3 groups, enabling third party authors the ability to add in new TLS key exchange/encapsulation groups via a provider.

  • New encoder and decoder support. This enables provider authors to read or write keys to/from files for algorithms that standard OpenSSL does not know about. It could also enable reading/writing to new key formats.

  • A full implementation of the Certificate Management Protocol (CMP)

  • New APIs for handling MACs (Message Authentication Codes), KDFs (Key Derivation Functions), and random numbers (EVP_RAND).

  • Integrated support for Kernel TLS

OpenSSL 3.0 is a major release, which means that the library ABI is changed requiring recompilation of all dependent applications and there are also minor API breaking changes. For most applications that need to be upgraded to work with 3.0 we expect that a simple recompile will be sufficient. However, it is likely that application developers will notice new deprecation warnings when compiling their applications. Many of the “low level” cryptographic API functions have been deprecated in preference to the higher level “EVP” APIs. For detailed guidance on how to migrate applications to work with OpenSSL 3.0, refer to our migration guide.

Please download OpenSSL 3.0 beta1 from here and let us know about any problems you encounter by opening an issue at our github page.