Blog

Nominations Remain Open Until Wednesday, December 4, 2024 - Based on Your Feedback!

Thank you to everyone who attended our Q&A sessions about the formation of Business Advisory Committees. We received valuable input from our communities, including requests to allow more time for nominations. We have heard you, and we would like to announce that: The nomination period has been extended until Wednesday, December 4, 2024. The election period starts on Wednesday, December 5, 2024 and ends on Sunday, December 15, 2024. You can change your vote up to the end of the election period. More ...

OpenSSL Holds Inaugural OpenSSL Projects Meeting

The OpenSSL Foundation and the OpenSSL Corporation are pleased to announce the successful conclusion of the inaugural meeting with Bouncy Castle and cryptlib, two newly integrated projects under the OpenSSL Mission. This meeting represents a pivotal step in the evolution of OpenSSL’s governance structure, as outlined in the recent organizational changes, and reflects a deepened commitment to advancing privacy and security. Bouncy Castle and cryptlib reaffirmed their alignment with the OpenSSL Mission and Values. More ...

OpenSSL Business Advisory Committee Q&A Session

Thank you to everyone who registered, as well as to those who took the extra step to nominate candidates, for the Business Advisory Committees of the OpenSSL Foundation and OpenSSL Corporation. We invite you to attend our Q&A session, designed to address your questions. We encourage you to join the session and gain valuable insights about the nomination and election process, the role of the Business Advisory Committee, and how you can participate in shaping OpenSSL’s future. More ...

Upcoming Webinar - Working with X.509 Keys and Certificates

Advance Your Skills in X.509 Certificate Management with OpenSSL Date: Nov 21, 2024 Time: 04:00 PM Eastern Time (US and Canada) Duration: 1 hour Location: Online Webinar (link to be provided upon registration) Register Here Are you looking to deepen your understanding of X.509 keys and certificates or sharpen your command-line skills? Join us for a comprehensive webinar on X.509 certificate management led by Viktor Dukhovni, an OpenSSL Software Engineer. This session covers essential concepts and hands-on techniques using OpenSSL’s command-line tools. More ...

OpenSSL Forms Business Advisory Committees - Shape the Future - Join Now!

The OpenSSL Foundation (primarily focused on non-commercial communities) and the OpenSSL Corporation (primarily focused on commercial communities) are pleased to announce the formation of Business Advisory Committees (BAC), inviting our communities - Distributions, Committers, Small Businesses, Large Businesses, Individuals, and Academics - to actively engage in shaping the future of OpenSSL. These advisory bodies are critical in enhancing our governance structure, ensuring that the decisions reflect the diverse stakeholders involved and that our Mission and Values stay aligned with the community’s needs. More ...

OpenSSL 3.4 Final Release Live

The final release of OpenSSL 3.4 is now live. We would like to thank all those who contributed to the OpenSSL 3.4 release, without whom OpenSSL would not be possible. OpenSSL delivers the following significant new features: Support for Integrity only cipher suites (RFC 9150) JITTER RNG support via statically linked jitterentropy library RFC 5755 Attribute Certificate support FIPS indicators in support of FIPS 140-3 validation Improved Base64 BIO input handling and error reporting XOF Digest size reporting improvements Windows Registry key-based directory lookup Support for several X509v3 extensions Support for position independent executables in the openssl app to support address space layout randomization Please see the CHANGES. More ...

OpenSSL is hiring Communities Manager

Please note that we are no longer accepting new applications for this position.

OpenSSL is hiring for a Communities Manager to join our team.

More ...

Introducing Amy Parker

OpenSSL welcomes Amy Parker as the newest member of the OpenSSL Foundation team. Amy joins us in the newly created position of Chief Funding Officer, a fundraising role focused on revenue generation through corporate sponsorship and other charitable/non-commercial contributions. Funds raised will help the Foundation continue to deliver on its mission of providing security and privacy tools to everyone, everywhere. A strategic leader with more than twenty years of senior-level fundraising experience, Amy has worked for prestigious educational and cultural institutions including the Wikimedia Foundation, Smithsonian Institution, The New York Public Library, and the University of North Carolina at Chapel Hill. More ...

OpenSSL 3.4 beta released

OpenSSL 3.4 beta 1 has now been made available. Our beta releases are considered feature complete for the release, meaning that between now and the final release, only bug fixes are expected (if any). Notable features of this release are available in NEWS.md within the source tarball. Beta releases are provided to our communities for testing and feedback purposes. If you use OpenSSL, and particularly if you intend to upgrade to OpenSSL 3. More ...

OpenSSL Corporation's Silver Sponsorship at ICMC 2024 - A Retrospective

OpenSSL Corporation’s participation as a Silver Sponsor at the International Cryptographic Module Conference (ICMC) 18th - 20th September 2024 marked an important milestone in our continued commitment to advancing cryptographic technologies. As a critical player in secure communication, OpenSSL’s involvement highlighted our dedication to fostering collaboration, innovation, and security within the cryptographic community. ICMC 2024 provided a valuable platform for industry leaders to engage in key discussions surrounding cryptographic standards, challenges, and innovations. More ...

Lightship Security Partnership with OpenSSL

OpenSSL is sharing Lightship Security’s latest press release, highlighting the new partnership with the OpenSSL Corporation. Read the full release below: Lightship Security, an Applus+ Laboratories company and a leading cryptographic security test lab, announces its agreement with the OpenSSL Corporation to provide FIPS 140-3 validation services for the OpenSSL cryptographic library. The OpenSSL Corporation provides commercial support for users of the OpenSSL Library, a critical component of secure communications in enterprise technologies. More ...

Post-Quantum Algorithms in OpenSSL

Recently NIST published a number of post-quantum algorithm standards (ML-KEM, ML-DSA, and SLH-DSA). With these new NIST publications, OpenSSL is now prepared for implementation. We’ve recently been receiving a lot of questions about these new standards so we wanted to make our position clear: We intend to implement support for these algorithms in our providers in a future version of OpenSSL We are currently putting together our project plans for this, stay tuned for more information regarding timeline We invite qualified and skilled individuals to help us implement these algorithms and integrate them into OpenSSL in accordance with our standards and policies. More ...

OpenSSL 3.4 alpha released

OpenSSL 3.4 alpha 1 has now been made available. Our Alpha releases are considered feature complete for the release, meaning that between now and the final release, only bug fixes are expected (if any). Notable features of this release are available in CHANGES.md within the source tarball. Alpha releases are provided to our communities for testing and feedback purposes. If you use OpenSSL, and particularly if you intend to upgrade to OpenSSL 3. More ...

OpenSSL considering TLS 1.0/1.1 deprecation

Recently, OpenSSL proposed the deprecation of TLS 1.0/1.1 and solicited community feedback on the idea. Feedback on the proposal was generally split down the middle, with half of the respondents indicating immediate depreciation with near-term removal was acceptable, while the remainder of the respondents with affirmative opinions noted that they represent, or know of products whose environment disallowed updating to TLS1.2 or later, and would need to re-enable the deprecated features for the foreseeable future. More ...

Join Our Webinar on Debugging OpenSSL Applications

Debugging is a crucial aspect of developing and maintaining reliable software. However, debugging can become particularly challenging when applications incorporate diverse and complex components like OpenSSL. This webinar is designed to help you navigate these complexities. Webinar Details: Date: September 11, 2024 Time: 09:00 AM Pacific Time (US and Canada) Platform: Zoom Topic: Debugging OpenSSL Applications Registration Link: Click here to register What to Expect: Internal Debugging Tools: Learn about the facilities OpenSSL provides to help you gain visibility into its internal behavior, allowing for more effective troubleshooting. More ...

Join OpenSSL at the ICMC 2024 - Visit Our Exhibit Booth!

OpenSSL is pleased to announce its participation as a Silver Sponsor at the upcoming International Cryptographic Module Conference (ICMC) 2024, taking place from 18th to 20th September. Visit our booth and attend our presentations to discover how we can help each other. Event Details: Conference Name: International Cryptographic Module Conference Dates: 18th - 20th September 2024 Location: DoubleTree by Hilton, San Jose, California Our Booth Number: 102 About the ICMC The ICMC is a leading event in the cryptographic community, bringing together experts from around the world to discuss the latest trends, innovations and challenges in cryptographic modules. More ...

OpenSSL 3.4 Alpha release approaching

The freeze date for OpenSSL 3.4 Alpha is rapidly approaching. Alpha freeze approaching The freeze date for OpenSSL 3.4 Alpha is rapidly approaching. Planned features are viewable on our 3.4 Planning page. If you have a feature on the planning page, please ensure that your associated PRs are posted, reviewed, and merged prior to the freeze date (Friday, Aug 30, 2024), or it will be postponed until the next release. More ...

New Governance Structure and New Projects under the Mission

As part of our ongoing journey, OpenSSL is evolving to provide more opportunities for engagement that more effectively align with our mission statement and promote our values. OpenSSL is implementing various mechanisms to foster greater community involvement and enable our communities to play a key and active role in the decision-making process. New Governance Framework OpenSSL has two independent, co-equal organizations to support the OpenSSL Mission: The OpenSSL Foundation primarily focuses on non-commercial communities. More ...

OpenSSL is hiring - Fundraiser

Note that this position has now been filled and we are no longer accepting applications OpenSSL is hiring for a Fundraiser to join our team We are seeking a Fundraiser to join our team. As a Fundraiser at OpenSSL, you will play a vital role in sustaining critical components of internet infrastructure that enable secure communications around the world. In addition to your fundraising role, you must align with and uphold our core values and mission in your every day professional activities. More ...

OpenSSL is hiring

OpenSSL is hiring for a mid level engineer to join our team

More ...

Meet with OpenSSL at RSA Conference 2024

This year, OpenSSL will be attending RSA Conference 2024, one of the world’s largest cybersecurity events. Throughout May 6-9 in San Francisco, we are seeking to engage with our communities at RSA to better understand their needs and problems.

More ...

Face-to-Face 2024 Australia

The OpenSSL Project has returned from spending a week in February sequestered in the beautiful Australian outback discussing the past, current, and future state of the project. This in-person meeting brought together the project’s paid resources and the management committee. Our goal for this meeting was to chart the course for OpenSSL’s future, tackle current challenges, and note our collective achievements. Three project members were unable to participate in person and joined the meetings remotely. More ...

Celebrating 25 Years of OpenSSL

We are pleased to announce that we have successfully distributed nearly 100 limited edition T-shirts commemorating the 25th anniversary of OpenSSL’s existence. We appreciate the support of all our communities, users, individual contributors and support customers, without which we would not be able to continue our mission and deliver on our open source values. These continue to drive the success and evolution of OpenSSL, and we couldn’t be more appreciative. More ...

OpenSSL at FOSDEM 24

This year, we had the privilege of participating in FOSDEM for the first time. This offered us an opportunity to engage with the open source community at the conference, share our insights, and learn from the vast pool of knowledge that FOSDEM brings together. ![Photo of OpenSSL FOSDEM 2024 attendees] (/images/blog/FOSDEM_24.jpg) FOSDEM, short for Free and Open Source Software Developers’ European Meeting, is an event that brings together thousands of open source developers, enthusiasts, and professionals from around the world. More ...

OpenSSL Working Group Update

As many of you are aware we have undergone a lot of internal organisation changes within the OpenSSL Project in the last couple of years, one of the key changes being the introduction of the OpenSSL Working Group. In the February 2023 face-to-face meeting we decided to create the OpenSSL Working Group in an effort to be more efficient at addressing and executing on decisions made. The WG was formed as an initiative to include more people into the OpenSSL decision making process and organize a place where OMC members, engineering, management, paid team members, and invited third parties all meet together and tackle urgent issues together and in a timely manner. More ...

NetApp and OpenSSL: Teaming Up for More Secure Internet

Exciting news in the world of online security! NetApp, an intelligent data infrastructure company, is now a Gold Sponsor of OpenSSL, showing their strong support for making the internet a safer place for everyone. NetApp’s sponsorship brings valuable resources to OpenSSL, enabling the project to accelerate development, conduct thorough security audits, and ensure ongoing maintenance and support. In return, NetApp gains access to cutting-edge cryptographic technologies, contributing to the enhancement of its own security solutions and reinforcing its position as a leader in data management. More ...

OpenSSL's Official Youtube Channel

We are thrilled to announce a major leap forward in our efforts to connect with the community and share valuable insights—OpenSSL now has its own YouTube channel! As a significant milestone in our commitment to transparency, education, and open-source collaboration, this channel will serve as a hub for engaging content, tutorials, and updates straight from the heart of OpenSSL. What to Expect: Tutorial Series: Get ready for in-depth tutorials covering a wide range of topics, from OpenSSL basics to advanced usage scenarios. More ...

OpenSSL 25 Year Anniversary T-Shirt Giveaway

We are thrilled to announce a special celebration in honor of OpenSSL’s 25th anniversary! Two and a half decades of commitment to security, reliability, and open-source collaboration have made OpenSSL an indispensable tool in the world of digital communication. To express our gratitude to the incredible community that has supported us throughout the years, we are hosting an exclusive T-Shirt Giveaway! The first 75 people to participate will receive a limited edition OpenSSL 25th-anniversary T-shirt as a token of our appreciation. More ...

OpenSSL Project Update at ICMC 23

![] (/images/blog/ICMC23_Group_Photo.jpg “ICMC 23 Group Photo”)

As you may know the OpenSSL Project recently attended ICMC 23 where we were given the opportunity to update our peers about the rapid fundamental changes the project has gone through in 2023.

To summarize here are the key takeaways from our presentation:

More ...

OpenSSL at ICMC 23

As a part of our mission to be more open and engaged with our community, OpenSSL is pleased to announce we will be attending the International Cryptographic Module Conference 2023 or ICMC 2023 in Ottawa, Canada this week. ICMC 23 is building on a decade of cybersecurity thought leadership as the industry faces widespread changes and emerging threats in commercial cryptography.

More ...

Changes to OMC Membership

The OpenSSL Management Committee (OMC) represents the official voice of the project and is ultimately responsible for all decisions regarding management and strategic direction of the project. You may have already seen the recent blog post about Mark Cox leaving the OMC. Following on from that we are delighted to announce that Anton Arapov, our engineering manager, has now joined the OMC. You can check our website for the full list of members. More ...

Mark Cox moves to OpenSSL alumni

This is the end of an era for OpenSSL with the last of the original founders of the project passing on the torch to the current leadership of the project for the next phase of its evolution.

More ...

OpenSSL Updates: A Few Steps Forward

At OpenSSL, we’re always learning and taking small steps, informed by both fresh ideas and the feedback we receive. Today, we’d like to share a couple of updates we hope will make things clearer and more collaborative for our community.

These updates are part of our effort to align more closely with, and live by, our Mission and Values.

More ...

OpenSSL Finances

We recently published our mission statement and values which included that our governance should be transparent. We’ve not really talked much about how we’re financed and where the money goes, so let’s make a start on changing that. A little background for clarity: The OpenSSL project has two companies, registered in the USA.https://openssl-corporation.org/support/ The first, OpenSSL Software Foundation, is a non-profit organisation that is used to hold the copyrights, trademarks, as well as things like the contributor license agreements (CLA). More ...

OpenSSL is looking to contract a full-time Community Engagement Leader / Evangelist

UPDATE: Please note this position has been filled.

Job Description

We are seeking a passionate, tech-savvy individual to act as a Community Engagement Leader for the OpenSSL project. The ideal candidate will be responsible for fostering and enhancing connections between various communities around OpenSSL, facilitating fruitful discussions, spreading awareness about the project, and driving engagement and contributions. An essential aspect of this role is alignment with our core values and mission, as we expect these principles to be reflected in your day-to-day professional activities. Beyond community engagement, this role also involves collecting and contributing valuable insights to the project’s roadmap, making it an integral part of the project’s continuous growth and improvement.

This is a remote position with travel required, approximately up to 15% of working time. Given the global nature of the project, we require flexibility in accommodating various time zones outside of conventional business hours. We are seeking candidates located specifically within the Europe and North America.

To apply please send your resume to jobs@openssl.org by 17th August 2023.

Applications will be reviewed on a rolling basis. Only candidates selected for interviews will be contacted.

More ...

Who writes OpenSSL?

For a meeting last week I wanted to show how much of OpenSSL is being written by people paid to do so by their employers, and how much was from individuals in their own time. And it turns out most of OpenSSL is written by people paid to do so. This is crucial to understanding the critical role that corporations provide to Open Source projects such as OpenSSL.

More ...

OpenSSL adopts Mission & Values Statement

After extensive feedback from our communities, OpenSSL is pleased to announce that we have formally adopted the Mission and Values Statement, and will now be aligning our activities to support these. You can view our new Mission and Values Statment here. We would like to extend our sincere thanks to all those who provided feedback to us. We have reviewed all the comments and responses, which showed that a clear majority (around 70%) agreed on OpenSSL adopting the Mission and Values Statement. More ...

OpenSSL extends feedback on draft mission & values statement

OpenSSL would like to thank everyone who has provided feedback on our draft mission & values statement. The response has been great, and the feedback is really important to us. We are working through those responses. We’d like to get even more feedback so we are extending the response period until 19th May 2023. If you haven’t already provided feedback to us, please do so by: Filling in this feedback form, or Emailing your feedback to feedback@openssl. More ...

Meet Anton Arapov: The Latest Addition to the OpenSSL Team

We are thrilled to announce that Anton Arapov has joined the OpenSSL team! Anton brings a wealth of experience to the project, having previously worked on the Linux kernel, telecom core services, and cloud infrastructure management software as an engineering and project manager. He’s deeply committed to open-source software and will undoubtedly propel the OpenSSL project forward with his expertise and knowledge.

More ...

OpenSSL seeks feedback on draft mission & values statement

Following the successful OpenSSL 2023 face-to-face conference, OpenSSL has produced a draft mission & values statement. Once finalised, we intend to realign all activities of the project to ensure they reflect our agreed mission and values. Before doing so however, we would like to obtain feedback on this statement from the public, to ensure it represents all of our communities. By offering us your feedback, you will help us to ensure the OpenSSL project is run in a way that reflects the values of all of our users. More ...

OpenSSL Face-to-Face Conference 2023

[Photo of OpenSSL F2F 2023 attendees]

In February 2023, the OpenSSL project held a face-to-face meeting in Queensland, Australia, which was attended by most of the project’s full-time contractors and OMC members. Amongst other subjects, the conference aimed to identify how OpenSSL can improve its governance and better execute on its mission.

More ...

OpenSSL is looking for a full time Administrator and Manager

The OpenSSL Management Committee are looking to hire a full time Administrator and Manager. Details of the role follow.

To apply please send your cover letter and resume to jobs@openssl.org by 20th September 2020.

More ...

Security Policy Update on prenotifications

We’re planning to extend who we prenotify of any future High and Critical security issues.

More ...

QUIC and OpenSSL

QUIC is a new protocol which the IETF talks about as A UDP-Based Multiplexed and Secure Transport, and has attracted a lot of attention lately. The OpenSSL Management Committee (OMC) have followed the development with interest, and we feel that we owe it to the community to say where we stand on this, and on the inclusion of support for this protocol in our libraries.

More ...

Update on 3.0 Development, FIPS and 1.0.2 EOL

We have previously talked about our plans for OpenSSL 3.0 and FIPS support here. This blog post will give an update about what has been happening since then.

More ...

Face to Face: Committer's Day

At the Face to Face meeting held on the occasion of the ICMC19 Conference in Vancouver, a novelty was introduced: For the last day of the meeting all committers were invited to participate, either personally or remotely via video conference.

More ...

OpenSSL 3.0 and FIPS update

As mentioned in a previous blog post, OpenSSL team members met with various representatives of the FIPS sponsor organisations back in September last year to discuss design and planning for the new FIPS module development project.

Since then there has been much design work taking place and we are now able to publish the draft design documentation. You can read about how we see the longer term architecture of OpenSSL changing in the future here and you can read about our specific plans for OpenSSL 3.0 (our next release which will include a FIPS validated module) here.

More ...

Celebrating 20 years of OpenSSL

20 years ago, on the 23rd December 1998, the first version of OpenSSL was released. OpenSSL was not the original name planned for the project but it was changed over just a few hours before the site went live. Let’s take a look at some of the early history of OpenSSL as some of the background has not been documented before.

More ...

The Holy Hand Grenade of Antioch

The OpenSSL Management Committee has been looking at the versioning scheme that is currently in use. Over the years we’ve received plenty of feedback about the “uniqueness” of this scheme, and it does cause some confusion for some users. We would like to adopt a more typical version numbering approach. The current versioning scheme has this format: MAJOR.MINOR.FIX[PATCH] The new scheme will have this format: MAJOR.MINOR.PATCH In practical terms our “letter” patch releases become patch numbers and “fix” is dropped from the concept. More ...

FIPS 140-2: Forward progress

The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project would like to formally express its thanks to the following organisations for agreeing to sponsor the next FIPS validation effort: Akamai Technologies, Blue Cedar, NetApp, Oracle, VMware.

Four weeks ago, the OpenSSL team gathered with many of the organisations sponsoring the next FIPS module for a face-to-face meeting in Brisbane, Australia.

We got a great deal accomplished during that week. Having most of the fips-sponsor organisations in the same location helps ensure that we are all on the same page for the decisions we need to make going forward.

More ...

OpenSSL 1.1.1 is released

After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.

More ...

New OMC member and new Committers

We first announced last year the OpenSSL Management Committee and separate Committers groups aimed at enabling greater involvement from the community.

We have now added a new OMC member and two new committers.

More ...

New LTS Release

Back around the end of 2014 we posted our release strategy. This was the first time we defined support timelines for our releases, and added the concept of an LTS (long-term support) release. At our OMC meeting earlier this month, we picked our next LTS release. This post walks through that announcement, and tries to explain all the implications of it.

More ...

Seeking Last Group of Contributors

The following is a press release that we just put out about how finishing off our relicensing effort. For the impatient, please see https://license.openssl.org/trying-to-find to help us find the last people; we want to change the license with our next release, which is currently in Alpha, and tentatively set for May.

For background, you can see all posts in the license tag.

One copy of the press release is at https://www.prnewswire.com/news-releases/openssl-seeking-last-group-of-contributors-300607162.html.

More ...

Another Face to Face: Email changes and crypto policy

The OpenSSL OMC met last month for a two-day face-to-face meeting in London, and like previous F2F meetings, most of the team was present and we addressed a great many issues. This blog posts talks about some of them, and most of the others will get their own blog posts, or notices, later. Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft covered the costs of their employees who attended.

One of the overall threads of the meeting was about increasing the transparency of the project. By default, everything should be done in public. We decided to try some major changes to email and such.

More ...

OpenSSL wins the Levchin prize

Today I have had great pleasure in attending the Real World Crypto 2018 conference in Zürich in order to receive the Levchin prize on behalf of the OpenSSL team. The Levchin prize for Real World Cryptography recognises up to two groups or individuals each year who have made significant advances in the practice of cryptography and its use in real-world systems. This year one of the two recipients is the OpenSSL team. More ...

More China press coverage

Press Coverage There have been more articles written based on the interviews with Paul Yang from BaishanCloud, Tim Hudson, and Steve Marquess from the OpenSSL team. AQNIU TechTarget ScienceNet These join the articles noted in the previous blog entry. FreeBuf Leiphone iTuring Press

Seven days and four cities in China

We had been invited to spend time with the open source community in China by one of the developers - Paul Yang - who participates in the OpenSSL project. A number of the team members had communicated via email over the last year and when the suggestion was made there were enough of us willing and interested to visit China for a “tour” to make sense. So the tour was agreed as a good thing and that started the journey that lead to spending a week in China (last week as I write this on the plane on the way back to Australia). More ...

OpenSSL goes to China

Over the past few years we’ve come to the realisation that there is a surprising (to us) amount of interest in OpenSSL in China. That shouldn’t have been a surprise as China is a huge technologically advanced country, but now we know better thanks to correspondence with many new Chinese contacts and the receipt of significant support from multiple Chinese donors (most notably from Smartisan. We have accepted an invitation from BaishanCloud to visit China in person and meet with interested OpenSSL users and stakeholders in September. More ...

FIPS 140-2: Thanks and Farewell to SafeLogic

We’ve had a change in the stakeholder aspect of this new FIPS 140 validation effort. The original sponsor, SafeLogic, with whom we jump-started this effort a year ago and who has worked with us since then, is taking a well-deserved bow due to a change in circumstances. Supporting this effort has been quite a strain for a relatively small company, but SafeLogic has left us in a fairly good position. Without SafeLogic we wouldn’t have made it this far, and while I don’t anticipate any future SafeLogic involvement with this effort from this point on, I remain enormously grateful to SafeLogic and CEO Ray Potter for taking on such a bold and ambitious venture. More ...

FIPS 140-2: And so it begins

It’s been almost a year since plans for a new FIPS 140 validation were first announced. Several factors have led to this long delay. For one, we chose to focus our limited manpower resources on higher priority objectives such as the TLS 1.3 implementation. SafeLogic has also experienced difficulties in obtaining the funding for their intended sponsorship; potential sponsors can contact them directly. With TLS 1.3 now done (pending only a final TLS 1. More ...

New Committers

We announced back in October that we would be changing from a single OpenSSL Project Team to having an OpenSSL management committee and a set of committers which we planned to expand to enable the greater involvement from the community.

Now that we have in place committer guidelines, we have invited the first set of external (non-OMC) community members to become committers and they have each accepted the invitation.

More ...

Licensing Update

The following is a press release that we just released, with the cooperation and financial support of the Core Infrastructure Initiative and the Linux Foundation.

In the next few days we’ll start sending out email to all contributors asking them to approve the change. In the meantime, you can visit the licensing website and search for your name and request the email. If you have changed email addresses, or want to raise other issues about the license change, please email license@openssl.org. You can also post general issues to openssl-users@openssl.org.

We are grateful to all the contributors who have contributed to OpenSSL and look forward to their help and support in this effort.

The official press release can be found at the CII website. The rest of this post is a copy:

More ...

Project Bylaws

Last October, the OpenSSL Project team had a face to face meeting. We talked about many topics but one of them was that, in recent years, we have seen much more involvement from the community and that we would like to encourage that further. For example, there are a number of people in the community who we know and trust. We would like those people to get involved more and make it easier for them to contribute. We decided to introduce the concept of a “committer” (borrowed from the Apache concept): someone who has the ability to commit code to our source code repository but without necessarily having to become a full team member. This might be seen as a stepping-stone for someone who aspires to full team membership, or simply as an easier way of contributing for those that don’t. Those people could help with our review process (i.e., their reviews would count towards approval) - which might help us keep on top of the github issues and pull request queues.

More ...

Face to Face: Roadmap and platform updates

This is another in the series of posts about decisions we made at our face-to-face meeting a couple of weeks ago. We updated the project roadmap. I think the most important news here, is that our next release will include TLS 1.3. Our current plan is that this will be 1.1.1, which means that it is API-compatible with the current 1.1.0 release. This is really only possible because of the work we did on making most of the structure internals opaque. More ...

FIPS 140-2: Once more unto the breach

The last post on this topic sounded a skeptical note on the prospects for a new FIPS 140 validated module for OpenSSL 1.1 and beyond. That post noted a rather improbable set of prerequisites for a new validation attempt; ones I thought only a governmental sponsor could meet (as was the case for the five previous open source based validations).

Multiple commercial vendors have offered to fund (very generously in some cases) a new validation effort under terms that would guarantee them a proprietary validation, while not guaranteeing an open source based validation. At one point we actually came close to closing a deal that would have funded an open source based validation attempt in exchange for a limited period of exclusivity; a reasonable trade-off in my opinion. But, I eventually concluded that was too risky given an uncertain reception by the FIPS validation bureaucracy, and we decided to wait for a “white knight” sponsor that might never materialize.

More ...

New severity level, "Critical"

We’ve just added a new severity level called “critical severity” to our security policy. When we first introduced the policy, over a year ago, we just had three levels, “Low”, “Moderate”, and “High”. So why did we add “Critical” and why are we not using someone else’s standard definitions? After introducing the new policy we started giving everyone a headsup when we were due to release OpenSSL updates that included security fixes. More ...

FIPS 140-2: It's not dead, it's resting

Some of you may have noticed that the upcoming 1.1 release doesn’t include any FIPS support. That omission is not by choice; it was forced on us by circumstances and will hopefully not be permanent. The v2.0 OpenSSL FIPS module is compatible with the 1.0.x releases, in particular the 1.0.2 “LTS” release that will be supported through 2019. It has proven very popular, used both directly by hundreds of software vendors and indirectly as a model for copycat “private label” validations. More ...

OpenSSL Security: A Year in Review

Over the last 10 years, OpenSSL has published advisories on over 100 vulnerabilities. Many more were likely silently fixed in the early days, but in the past year our goal has been to establish a clear public record. In September 2014, the team adopted a security policy that defines how we handle vulnerability reports. One year later, I’m very happy to conclude that our policy is enforced, and working well. More ...

License Agreements and changes are coming

The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want get into any specific details, and I certainly don’t know them all.

Things have evolved since then, and open source is an important part of the landscape – the Internet could not exist without it. There are good reasons why Microsoft is a founding member of the Core Infrastructure Initiative (CII).

Our plan is to update the license to the Apache License version 2.0. We are in consultation with various corporate partners, the CII, and the legal experts at the Software Freedom Law Center. In other words, we have a great deal of expertise and interest at our fingertips.

More ...

Logjam, FREAK and upcoming changes in OpenSSL

Today, news broke of Logjam, an attack on TLS connections using Diffie-Hellman ciphersuites. To protect OpenSSL-based clients, we’re increasing the minimum accepted DH key size to 768 bits immediately in the next release, and to 1024 bits soon after. We have also made several other changes to strengthen our cryptographic defaults and have updated our tools and documentation to help servers configure Diffie-Hellman ciphersuites securely - see below for details.

More ...