OpenSSL 3.0: A new FIPS module, new algorithms, support for Linux Kernel TLS, and more

The OpenSSL Project has released OpenSSL 3.0, a major new stable version of the popular and widely used cryptography library.

OpenSSL 3.0

What is OpenSSL?

OpenSSL contain an open-source implementation of the SSL and TLS protocols, which provide the ability to secure communications across networks.

It is the default encryption engine for popular web, email and chat server software, VPNs, network appliances, and is used in many popular operating systems (MS WIndows, Linux, macOS, BSD, Android…) and client-side software.

The vast extent of its use was revealed when the Heartbleed bug was discovered in it in 2014.

What’s new in OpenSSL 3.0?

Before OpenSSL 3.0, the last major release of the library was v1.1.1.

A migration guide provided by the OpenSSL Project lists the newly introduced changes in detail, but as a short overview, the new release comes with:

  • A new license (Apache License v2)
  • A new FIPS module (FIPS 140-2 validation of the library is in progress, and the final certificate will likely be issued next year, the developers say)
  • A new Provider concept. “Providers collect together and make available algorithm implementations. OpenSSL 3.0 comes with 5 different providers as standard. Over time third parties may distribute additional providers that can be plugged into OpenSSL,” the migration guide explains
  • A new, “proper” HTTP(S) client
  • Support for Linux Kernel TLS
  • A variety of new algorithms
  • New APIs

“OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release. Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecations warnings,” OpenSSL committer Matt Caswell noted.

“API functions that have been deprecated will eventually be removed from OpenSSL in some future release, so it is recommended that applications be updated to use alternative APIs to avoid these deprecated functions.”

The migration guide offers instructions on how to upgrade to OpenSSL 3.0 from versions 1.1.1 and 1.0.2.

OpenSSL 3.0 can be downloaded from here.

Don't miss