OpenSSL Blog

New Website


We just went live with a new website. The design is based on the style included with Octopress; the new logo and some other important CSS tweaks were contributed by Tony Arcieri. The style is also mobile-friendly, so you can take us with you wherever you go. :) We still need a better “favicon.”

The text still needs more work. As someone on the team pointed out, “a worldwide community of volunteers that use the Internet to communicate, plan, and develop [OpenSSL]” … really?

The online manpages aren’t there yet. Our plan is to have all versions online. But if anyone has any suggestions on how to make pod2html work with our style, post a comment below.

And, more importantly, if you find any broken links, please let us know that, too!

License Agreements and Changes Are Coming


The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want to get into any specific details, and I certainly don’t know them all.

Things have evolved since then, and open source is an important part of the landscape – the Internet could not exist without it. There are good reasons why Microsoft is a founding member of the Core Infrastructure Initiative (CII).

Our plan is to update the license to the Apache License version 2.0. We are in consultation with various corporate partners, the CII, and the legal experts at the Software Freedom Law Center. In other words, we have a great deal of expertise and interest at our fingertips.

Beyond Reformatting: More Code Cleanup


The OpenSSL source doesn’t look the same as it did a year ago. Matt posted about the big code reformatting. In this post I want to review some of the other changes – these rarely affect features, but are more involved than “just” whitespace.

Logjam, FREAK and Upcoming Changes in OpenSSL


Today, news broke of Logjam, an attack on TLS connections using Diffie-Hellman ciphersuites. To protect OpenSSL-based clients, we’re increasing the minimum accepted DH key size to 768 bits immediately in the next release, and to 1024 bits soon after. We have also made several other changes to strengthen our cryptographic defaults and have updated our tools and documentation to help servers configure Diffie-Hellman ciphersuites securely - see below for details.

Security Updates


We’ve just released security updates to OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2.

These updates fix a number of Moderate and Low severity security issues in OpenSSL. They also fix one new High severity issue, CVE-2015-0291, that affects just OpenSSL 1.0.2, released in January this year. A remote attacker could use this flaw to cause unfixed servers to crash, which could lead to a denial of service attack depending on the server.

Code Reformat Finished


At the end of January we completed the OpenSSL code reformat as previously mentioned here and here. This post is intended to give you a bit more insight into exactly what we’ve done.

Source Code Reformat


We have previously announced our intention to reformat the entire codebase into a more consistent style (see our roadmap document here:

On Redesigning Our Website


So I recently asked for help with our website on Twitter. It’s been my most popular tweet. Several people have expressed an interest – thanks for that, and thanks for your support.

The goal of this post is to list the requirements. It’s definitely incomplete and will evolve over time. Post your questions and comments and help refine the list!

The New Release Strategy


Today the OpenSSL project published its Release Strategy. You can read it here. There are some really important announcements discussed in it. I’d like to spend a bit of time talking about the thinking that went into writing this strategy.

Hello World


Well, we did it. We have an OpenSSL team blog.

Powered by Octopress. Took a bit of doing to get it running.


(hello.c)
#include <stdio.h>

int main(int ac, char *av[])
{
    printf("Hello, world\n");
    return 0;
}