After 3 years of development work, 17 alpha releases, 2 beta releases, over 7,500 commits and contributions from over 350 different authors we have finally released OpenSSL 3.0! In addition to this there has been a large number of contributions from our users who have been actively working with the pre-release versions to test it, make sure it works in the real world and with a large array of different applications and reporting their results. I am also delighted to note that there has been a 94% increase in the amount of documentation that we have since OpenSSL 1.1.1 and an (adjusted) increase in the “lines of code” in our tests of 54%. There has never been a better demonstration of what an active and enthusiastic community we have than when you look at the statistics for the OpenSSL 3.0 development work. Thanks to everyone who has taken part - no matter how small that part was.
The OpenSSL project is fortunate to have had a number of full time engineers who worked towards OpenSSL 3.0, financed in a number of ways. We would like to extend thanks to all the companies that have support contracts with us; have sponsored specific features such as FIPS; the companies that provide sponsorship donations; and the organisations and individuals who donate through GitHub sponsors. Without your help, we would not be where we are today.
Please download OpenSSL 3.0 from here and upgrade your applications to work with it. OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release. Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecations warnings. We have put together a migration guide to describe the major differences in OpenSSL 3.0 compared to previous releases.
API functions that have been deprecated will eventually be removed from OpenSSL in some future release, so it is recommended that applications be updated to use alternative APIs to avoid these deprecated functions. Refer to the migration guide for information on alternatives.
OpenSSL 3.0 introduces a number of new concepts that application developers and users of OpenSSL should be aware of. An overview of the key concepts in libcrypto is available in the libcrypto manual page.
A key feature of OpenSSL 3.0 is the new FIPS module. Our lab is testing the module and pulling together the paperwork for our FIPS 140-2 validation now. We expect that to be submitted later this month. The final certificate is not expected to be issued until next year.
Using the new FIPS module in your applications can be as simple as making some configuration file changes, although many applications will need to make other changes. The FIPS module manual page provides information on how to use the FIPS module in your applications.
Also worthy of note is the new license. From OpenSSL 3.0 we have transitioned to the Apache License 2.0. The old “dual” OpenSSL and SSLeay licenses still apply to older versions (1.1.1 and earlier).
Please let us know how you get on with OpenSSL 3.0. If you encounter problems then please feel free to raise bug reports here.