OpenSSL Library

OpenSSL 4.0 Final Release - Live

Tue, 14 Apr 2026 00:00:00 +0000

The final release of OpenSSL 4.0 is now live. We would like to thank all those who contributed to the OpenSSL 4.0 release, without whom the OpenSSL Library would not be possible.

ASN1_STRING type is now opaque

Mon, 13 Apr 2026 00:00:00 +0000

Previous posts about the upcoming OpenSSL 4.0 release:

Summary

The ASN1_STRING structure can no longer be accessed directly. Instead, accessor functions must be used.

While these accessor functions have been available since OpenSSL 1.0.1, this change is being made now to enable future work improving X509 memory efficiency. Requiring accessor functions will allow ASN1 strings to be stored as pointers to data in read only memory instead of making duplicate copies.

OpenSSL Release Announcement for 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp

Tue, 07 Apr 2026 00:00:00 +0000

Release Announcement for OpenSSL Library 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

The OpenSSL Library no longer includes SSLv3

Tue, 07 Apr 2026 00:00:00 +0000

Previous posts about the upcoming OpenSSL 4.0 release:

Summary

Secure Sockets Layer version 3.0 (SSLv3) was deprecated in RFC 7568. SSLv3 was disabled at build-time in OpenSSL 1.0.2h by default. As of OpenSSL 4.0, SSLv3 support has been removed altogether.

In addition, OpenSSL no longer supports the SSLv2 Client Hello.

OpenSSL 4.0 Beta Release Announcement

Tue, 24 Mar 2026 00:00:00 +0000

The OpenSSL Project is pleased to announce that OpenSSL 4.0 Beta1 pre-release is available, adding significant functionality to the OpenSSL Library.

OpenSSL release signing key expiration extended

Mon, 16 Mar 2026 00:00:00 +0000

The expiration date of the OpenSSL release signing key with fingerprint BA5473A2B0587B07FB27CF2D216094DFD0CB81EF has been extended from 08 Apr 2026 to 14 Jun 2026.

Only the key expiration date has changed. The signing key itself remains the same.

The updated public key is available at: https://keys.openpgp.org/search?q=BA5473A2B0587B07FB27CF2D216094DFD0CB81EF

The OpenSSL Library now supports Encrypted Client Hello (ECH)

Wed, 11 Mar 2026 00:00:00 +0000

Previous posts about the upcoming OpenSSL 4.0 release:

Summary

The OpenSSL Library now supports Encrypted Client Hello (ECH) specified in RFC 9849, which was published this month. Applications that implement this standard will be able to encrypt sensitive information that is currently transmitted in plaintext in the TLS 1.3 handshake. In particular, ECH can protect the client’s target server name from being revealed to third parties.

The OpenSSL Library no longer registers an atexit function

Tue, 10 Mar 2026 00:00:00 +0000

Previous posts about features removed from OpenSSL 4.0:

Summary

The OPENSSL_cleanup() function is no longer registered to be called upon the termination of the process. This means the OpenSSL Library does not automatically free resources so the operating system reclaims them when an application exits.

For most users, this will have no impact since the memory is freed one way or the other.

OpenSSL 4.0 Alpha Repository Freeze Approaching

Wed, 18 Feb 2026 00:00:00 +0000

The OpenSSL Project is announcing the upcoming release of OpenSSL 4.0 Alpha, scheduled for March 10, 2026. As a result, the repository will be frozen before the release on February 24, 2026.

Custom method functions removed from the OpenSSL Library

Tue, 03 Feb 2026 00:00:00 +0000

Following on from the removal of ENGINE code, deprecated functions for creating or modifying custom METHODS will be removed from OpenSSL 4.0.

Summary

For a complete list of deprecated functions removed in OpenSSL 4.0, please see the ossl-removed-api documentation. They are divided into the following pull requests:

Custom ciphers methods (EVP_CIPHER_meth_*) were removed in PR #29299.
Custom message digest methods (EVP_MD_meth_*) were removed in PR #29366.
Custom private key methods (EVP_PKEY_meth_*) were removed in PR #29384.
Custom private key Abstract Syntax Notation One methods (EVP_PKEY_asn1_*) were removed in PR #29405. (These functions were deprecated in OpenSSL 3.6.)

Instead of using these methods, developers are encouraged to use the provider framework.

OpenSSL Release Announcement for 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19, 1.1.1ze and 1.0.2zn

Tue, 27 Jan 2026 00:00:00 +0000

Release Announcement for OpenSSL Library 3.6.1, 3.5 5, 3.4.4, 3.3.6, 3.0.19, 1.1.1ze and 1.0.2zn

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

ENGINE code removed from the OpenSSL Library

Thu, 18 Dec 2025 00:00:00 +0000

OpenSSL 4.0, to be released in April 2026, is the first major release since 3.0 which replaced the ENGINE interface with Providers. Removing ENGINEs is a primary goal of this major release and this post describes the change agreed to by both the OpenSSL Corporation and OpenSSL Foundation.

Summary

All symbols defined in openssl/engine.h have been removed from the shared library in OpenSSL 4.0. Applications that use the ENGINE API will fail to compile using the default build settings. This behavior matches what happens in previous versions when building OpenSSL with the no-engine configuration option with current versions. Up-to-date applications should not include openssl/engine.h at all.

Vote now for the Foundation Business Advisory Committee

Tue, 16 Dec 2025 00:00:00 +0000

The voting from the Foundation BAC has been extended through December 21. If you want to participate in the future of the OpenSSL Foundation, please join the communities site and vote for your representative.

The currently running elections are:

For details about how the election works, please consult the Foundation Election Guide.

OpenSSL Library is moving to clang-format

Fri, 28 Nov 2025 00:00:00 +0000

The OpenSSL Library would like to modernise and streamline development processes, especially to ensure effective code review and make the project easier for contributors to contribute to.

As part of this effort, we will be making some changes to our coding style guidelines and adopting clang-format using the WebKit C coding style as enforced by clang-format. We will transition to using clang-format to check pre-submissions and ensure code follows the format portions of the style guide before PRs are reviewed.

OpenSSL 3.2 End Of Life

Tue, 25 Nov 2025 00:00:00 +0000

OpenSSL 3.2 series has reached its End of Life (EOL). As such it will no longer receive publicly available security fixes.

Contributors to the OpenSSL Library (September 2025)

Mon, 27 Oct 2025 00:00:00 +0000

September has come and gone, so it’s past time to recognize new contributors to the OpenSSL Library:

author	date	PR
xiaoloudongfeng	2025-09-02	fix length of digestinfo_sm3_der
Pkeane22	2025-09-07	Fixed typo
LuiginoC	2025-09-10	crypto/evp/bio_ok.c:Integer Overflow in BIO_f_reliable record parser leads to Out-of-Bounds Read
ritesh006	2025-09-11	doc: clarify SSL_SESSION_get0_hostname notes
jedenastka	2025-09-11	Fix cipher protocol ID type in docs
leesugil	2025-09-14	FIPS 186-5 auxiliary prime length check condition updated (Fixed #28526)
rodeka	2025-09-16	crypto/ml_dsa: fix public_from_private() error path to return failure
jonathimer	2025-09-18	Add Linux Foundation Health Score badge to README
bleeqer	2025-09-29	ts_conf: fix memory leak in TS_CONF_set_policies

Here are more details on a sample of these pull requests.

We Celebrate the Success of the Inaugural OpenSSL Conference in Prague

Thu, 23 Oct 2025 00:00:00 +0000

The OpenSSL Corporation and the OpenSSL Foundation celebrate the success of the inaugural OpenSSL Conference, held in Prague, October 7-9. This was the first time in the history of the OpenSSL Project that the full community met in person. Developers, legal experts, and users from academics, committers, distributions, individuals, large businesses, and small businesses came together to discuss project direction, share experience, and collaborate on the future of secure digital communication.

Foundation Business Advisory Committee election

Wed, 15 Oct 2025 00:00:00 +0000

Believe it or not, it’s time to start the election process for the 2026 Foundation Business Advisory Committee (FBAC). Advisory committees play a critical role in the governance of the OpenSSL Foundation. This committee focuses on the strategic direction of the OpenSSL Foundation and our mission.

Each of the six communities (Academics, Committers, Distributions, Individuals, Large Businesses and Small Businesses) will have a representative who will serve for one year. In addition to a monthly meeting, representatives also lead discussions on the Communities platform and generally promote the OpenSSL Mission.

Lightship Security and the OpenSSL Corporation Submit OpenSSL 3.5.4 for FIPS 140-3 Validation

Thu, 09 Oct 2025 00:00:00 +0000

Lightship Security, an Applus+ Laboratories company and accredited cryptographic security test laboratory, and the OpenSSL Corporation, the co-maintainer of the OpenSSL Library, announce the submission of OpenSSL version 3.5.4 to the Cryptographic Module Validation Program (CMVP) for FIPS 140-3 validation.

This submission confirms that the code is complete and that all included algorithms have successfully passed NIST testing and independent laboratory review. The final CMVP review and certificate issuance remain as the last step in the process.

Release Announcement for OpenSSL 3.6.0

Wed, 01 Oct 2025 00:00:00 +0000

The final release of OpenSSL 3.6 is now live. We would like to thank all those who contributed to the OpenSSL 3.6 release, without whom the OpenSSL Library would not be possible.

OpenSSL Release Announcement for 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd and 1.0.2zm

Tue, 30 Sep 2025 00:00:00 +0000

Release Announcement for OpenSSL Library 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd and 1.0.2zm

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

Contributors to the OpenSSL Library (August 2025)

Thu, 18 Sep 2025 00:00:00 +0000

Among the 91 PRs approved in August, 6 were from people who hadn’t contributed to OpenSSL’s code base until now.

author	date	PR
zl523856	2025-08-03	[RISC-V] Further optimization for AES-128-CBC decryption performance
ChillerDragon	2025-08-04	Improve english in endian comment
ritoban23	2025-08-13	Fix potential null pointer dereference in pkey_dh_derive
vkryl	2025-08-15	Android: Enable 16 KB ELF alignment for `arm64-v8a` and `x86_64` platforms
itot1198	2025-08-18	Remove unnecessary fetch-depth in GitHub Actions workflow
Leonabcd123	2025-08-28	Fixed typo

zl523856 started by submitting an issue that asking about the proposed change. The pull request includes some assembly code that improves the performance of the AES-128-CBC decryption algorithm on the RISC-V architecture. It’s not the sort of code that just anyone can write. Open source projects, such as OpenSSL, can benefit from one-time contributions of expertise. In turn, anyone who uses OpenSSL or products that include the library also benefit. It’s a beautiful thing.

Openssl 3.5.3 Release Announcement

Tue, 16 Sep 2025 00:00:00 +0000

Release Announcement for OpenSSL Library 3.5.3

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

OpenSSL 3.6 Beta Release Announcement

Tue, 16 Sep 2025 00:00:00 +0000

The OpenSSL Project is pleased to announce that OpenSSL 3.6 Beta1 pre-release is available, adding significant functionality to the OpenSSL Library.

OpenSSL 3.6 Alpha Release Announcement

Tue, 02 Sep 2025 00:00:00 +0000

The OpenSSL Project is pleased to announce that OpenSSL 3.6 Alpha1 pre-release is released and adding significant new functionality to OpenSSL Library.

Contributors to the OpenSSL Library (July 2025)

Fri, 08 Aug 2025 00:00:00 +0000

In July, 58 pull requests were approved for merge into the OpenSSL Library code base. There were also four people who contributed code for the first time:

yzpgryx provided a fix to support the SM2 PEM format with matching tests.
caolanm designated an unchanging structure to be constant.
igus68 found a good first issue and fixed it. Before this fix, the OpenSSL cryptographic library would accept a certificate revocation list that was invalid according to the X.509 Public Key Infrastructure specification. Fun fact: Igor Ustinov represents the Individuals community on the Foundation Technical Advisory Committee and this is his first pull request. And he’s on a roll with another pull request that addresses an issue with the help wanted label.
Saurabh825 corrected the order of options for the asn1parse command.

So far in the development cycle of OpenSSL 3.6, the plurality of changes come from developers paid by either the OpenSSL Corporation or Foundation. But individual contributions continue to make up a large proportion of commits (41%) and overall changes (28%). Additionally individual committers also have done 18.5% of reviews so far.

Early Bird Registration is Now Open for the OpenSSL Conference 2025

Fri, 01 Aug 2025 00:00:00 +0000

Early Bird registration is now open for the inaugural OpenSSL Conference, taking place from October 7 to 9, 2025, in Prague, Czech Republic. Take advantage of exclusive Early Bird rates and secure your spot now!

Join the global community of cryptographers, open-source innovators, security experts, and thought leaders who shape the future of secure communications. The OpenSSL Conference promises to be a landmark event, uniting diverse perspectives from across technical, enterprise, academic, and regulatory fields.

OpenSSL Library 3.6 Upcoming Release Announcement

Tue, 29 Jul 2025 00:00:00 +0000

The freeze date for OpenSSL 3.6 Alpha is rapidly approaching. If you have a feature ready, please ensure that your associated PRs are posted, reviewed, and ready to be merged before the include/exclude decision date (Tuesday, August 5, 2025) and merged before the repository freeze date (Tuesday, August 19, 2025). Otherwise, the feature will be postponed until the next release.

Contributors to the OpenSSL Library (June 2025)

Thu, 10 Jul 2025 00:00:00 +0000

Every month the OpenSSL Library receives code in the form of pull requests (PR) to GitHub. In June, 64 of those PRs were merged into the default branch of the repository thus becoming a part of the OpenSSL Library code base. Some of those changes came from developers paid by either the OpenSSL Foundation or the OpenSSL Corporation. Some of the changes come from developers who work for another company. And some, ~40% so far in 2025, come from individuals.

There's still time to share your story

Thu, 03 Jul 2025 00:00:00 +0000

Recently we opened a short survey for people to share their OpenSSL stories. We’ve already heard from people who use OpenSSL to:

Analyze QUIC traffic.
Secure school cafeteria point of sale (POS) systems.
Protect letters sent digitally to a printer before they are sent physically, on paper, via the postal system.
Generate a JSON Web Token (JWT) from a PEM (Privacy Enhanced Mail) file without depending on a third party.
Support software that depends on OpenSSL.

Openssl Release Announcement for 3.5.1, 3.4.2, 3.3.4, 3.2.5, and 3.0.17

Tue, 01 Jul 2025 00:00:00 +0000

Release Announcement for OpenSSL Library 3.5.1, 3.4.2, 3.3.4, 3.2.5, and 3.0.17

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

CVEs fixed in 3.5.1:

CVE-2025-4575 - LOW - Fix x509 application adds trusted use instead of rejected use. All other releases contain miscellaneous minor bug fixes. For details of the changes, refer to the release notes for versions 3.0, 3.2, 3.3, 3.4, and 3.5.

Specific notes on upgrading from previous versions are available in the OpenSSL Migration Guide.

OpenSSL Foundation is hiring Software Engineer (C Developer)

Thu, 19 Jun 2025 00:00:00 +0000

Please note that we are no longer accepting new applications for this position.

OpenSSL Foundation is seeking a talented and motivated Software Engineer (C Developer) to contribute to the development and maintenance of the widely-used OpenSSL open-source cryptographic library.

Share your user story

Sun, 01 Jun 2025 00:00:00 +0000

If you’re reading this blog post, you probably don’t need us to tell you how essential, widespread, and important the OpenSSL Library is. While our open source model means that everyone is freely able to use these tools, it also means we here at the OpenSSL Foundation don’t actually know all the great stories of how these tools are being used.

We’re looking for real stories of how the OpenSSL Library benefits your end users.

Deadline Extended: More Time to Submit Your Proposal for the OpenSSL Conference 2025

Fri, 30 May 2025 00:00:00 +0000

The OpenSSL Conference 2025 is extending its Call for Papers (CFP) deadline to June 22, 2025.

We understand that the best proposals often come from teams deep in the trenches of real-world security work. You now have additional time to craft and submit the talk, panel, or workshop that challenges assumptions, advances cryptographic innovation, drives and shapes the future of secure communications.

Brno May 2025: Hosting OpenSSL Projects and Corporation BAC Members for Alignment and Connection

Fri, 23 May 2025 00:00:00 +0000

Pictured here from left to right: Štefan Kremeň (Support Manager), Peter Gutmann (cryptlib), Hana Andersen (Marcom Manager), Shayne Jones (cryptlib), Kajal Sapkota (MarCom Specialist), Kateřina Míčová (Business Admin), Daniela Kellnerová (MarCom Specialist), Norbert Pócs (Software Engineer), Tomáš Vávra (Engineering & Standards Mgr.), Anton Arapov (Operations Manager), Tim Hudson (Corporation President), Matt Caswell (Foundation President), Tomáš Mráz (Foundation Public Support and Security Manager), James Bourne (FireDaemon Technologies), Jaroslav Řezník (Red Hat), David Hook (Bouncy Castle), Billy Bob Brumley (RIT)

From May 14–16, the OpenSSL Corporation hosted a face-to-face working session in Brno, Czech Republic. The meeting was designed to bring together participants from the OpenSSL Projects and convene in an in-person meeting of the Corporation’s Business Advisory Committee (BAC). The OpenSSL Foundation was invited to join on Wednesday and Thursday in the broader conversations with the OpenSSL Projects.

This was the first time these groups gathered in person in this configuration. The sessions served as an opportunity to strengthen working relationships, align on shared priorities, and focus on strategic coordination across the ecosystem.

The OpenSSL Corporation and the OpenSSL Foundation Launch Distinguished Contributor Awards with OpenSSL 3.5 Honorees

Tue, 20 May 2025 00:00:00 +0000

The OpenSSL Corporation and the OpenSSL Foundation are launching the Distinguished Contributor Awards, a new programme formally recognising exceptional technical contributions to each OpenSSL Library release. These awards highlight individuals who drive critical advancements and demonstrate technical leadership in the evolution of the OpenSSL Library.

Call for Papers Deadline Approaching – Don’t Miss Your Shot to Speak at the OpenSSL Conference 2025!

Thu, 15 May 2025 00:00:00 +0000

Dates: October 7–9, 2025 Location: Prague, Czech Republic Submission Deadline: May 31, 2025

The OpenSSL Conference 2025 is accepting proposals for talks, panels, and workshops. This inaugural event will bring together developers, researchers, security engineers, compliance professionals, and policy experts working across open-source and commercial domains. While the OpenSSL Library remains central to modern cryptography, this conference is designed to support the broader community in building secure systems and advancing internet trust.

We are looking for speakers who can share real-world experiences, technical innovations, and practical insights that contribute to the field of security and cryptographic infrastructure.

Technical Advisory Committees Election Results

Mon, 12 May 2025 00:00:00 +0000

The OpenSSL Corporation and the OpenSSL Foundation certify the results of the Technical Advisory Committee (TAC) elections. After a thorough nomination and voting process, the OpenSSL community has selected a group of distinguished individuals to provide guidance and advice to the OpenSSL Library.

Nomination Deadline Extended: Technical Advisory Committees

Mon, 14 Apr 2025 00:00:00 +0000

The nomination period for the Technical Advisory Committees (TACs) has been extended. The new deadline is Sunday, April 27, 2025.

Take advantage of the extended timeline to submit thoughtful nominations — and play an active role in shaping the future of the OpenSSL Library. Your voice matters!

OpenSSL 3.5 Final Release - Live

Tue, 08 Apr 2025 00:00:00 +0000

The final release of OpenSSL 3.5 is now live. We would like to thank all those who contributed to the OpenSSL 3.5 release, without whom the OpenSSL Library would not be possible.

Join Us at the OpenSSL Conference in Prague – October 7 to 9, 2025 - Share Your Expertise and Shape the Future of Secure Communications

Wed, 02 Apr 2025 00:00:00 +0000

The OpenSSL Corporation and the OpenSSL Foundation are pleased to announce the OpenSSL Conference 2025, taking place from October 7 to 9, 2025, in the historic city of Prague, Czech Republic. This premier event brings together a global community of cryptography experts, legal professionals, and open-source enthusiasts dedicated to advancing cryptography and secure communications for three days of in-depth discussions, insights, and networking.

Thank You for Joining Our Live Q&A Session on Technical Advisory Committees

Thu, 27 Mar 2025 00:00:00 +0000

On March 24 and 25, 2025, we hosted two live Q&A sessions to discuss the formation and role of the new Technical Advisory Committees (TACs) concerning the OpenSSL Library. These sessions featured:

Tim Hudson, President of the OpenSSL Corporation (Session 1)
Matt Caswell, President of the OpenSSL Foundation (Sessions 1 and 2)
Anton Arapov, Operations Director of the OpenSSL Corporation (Session 2)
Hana Andersen, Marcom Manager of the OpenSSL Corporation (both sessions)
Moderated by Kajal Sapkota

These interactive webinars offered our community the opportunity to ask questions and better understand the purpose and structure of the TACs.

OpenSSL 3.5 Beta Release Announcement

Tue, 25 Mar 2025 00:00:00 +0000

The OpenSSL Project is pleased to announce that OpenSSL 3.5 Beta1 pre-release is released and adding significant new functionality to the OpenSSL Library.

Do Not Miss Our Technical Advisory Committee Q&A Sessions - Get Involved!

Thu, 20 Mar 2025 00:00:00 +0000

Thank you to everyone who registered and to those who went the extra mile to nominate candidates for the Technical Advisory Committees of the OpenSSL Corporation and OpenSSL Foundation.

Join Us in Forming the Technical Advisory Committees (TACs)

Fri, 14 Mar 2025 00:00:00 +0000

The OpenSSL Corporation (primarily focused on commercial communities) and the OpenSSL Foundation (primarily focused on non-commercial communities) are pleased to announce the formation of the Technical Advisory Committees (TACs) to provide expert guidance and strategic direction for our technical initiatives. This marks a significant milestone, and we need dedicated individuals to help shape their future.

OpenSSL 3.5 Alpha Release Announcement

Wed, 12 Mar 2025 00:00:00 +0000

The OpenSSL Project is pleased to announce that OpenSSL 3.5 Alpha1 pre-release is released and adding significant new functionality to OpenSSL Library.

OpenSSL 3.1.2: FIPS 140-3 Validated

Tue, 11 Mar 2025 00:00:00 +0000

The OpenSSL Corporation is pleased to announce that OpenSSL version 3.1.2 has achieved FIPS 140-3 validation, signifying its compliance with the rigorous cryptographic module security requirements set forth by the National Institute of Standards and Technology (NIST). This accomplishment marks a significant milestone in reinforcing trusted, standards-based encryption for organizations operating in regulated environments, including government agencies, healthcare institutions, and financial services.

OpenSSL 3.5 Alpha Repository Freeze Approaching

Sun, 02 Mar 2025 00:00:00 +0000

The OpenSSL Project is announcing the upcoming release of OpenSSL 3.5 Alpha, scheduled for March 11, 2025. As a result, the repository will be frozen before the release on March 6, 2025.

The included features can be found in the OpenSSL 3.5 Feature Go/No-Go Decision blog post.

OpenSSL 3.5 will be the next long term stable (LTS) release

Thu, 20 Feb 2025 00:00:00 +0000

We are pleased to announce that OpenSSL 3.5 will be the next long term stable (LTS) release. Per OpenSSL’s LTS policy, 3.5 will be supported until April 8, 2030.

The previous LTS (OpenSSL 3.0) will continue to be fully supported until September 7, 2025 and receive security fixes until September 7, 2026. Projects that currently depend on 3.0 are strongly encouraged to switch to OpenSSL 3.5 once it has been released.

In addition, the OpenSSL Corporation and Foundation have agreed to designate an LTS every two years. That means there will be an LTS release in April of 2027, another in 2029, and so on. As always, each LTS will be supported for 5 years with the final year’s support being security patches only. For more information, please see the OpenSSL Library Roadmap.

OpenSSL 3.5 Feature Branch Merge – Go/No-Go Decisions

Wed, 12 Feb 2025 00:00:00 +0000

We’re introducing a streamlined process for deciding which new features make it into each OpenSSL Library release. This involves two layers of readiness checks—technical and business—to help ensure features are both technically sound and well-aligned with the broader needs of the communities. For OpenSSL 3.5, the OpenSSL Technical Committee (OTC) has advised on technical readiness, and the Business Advisory Committee has advised on business readiness.

The go/no-go decisions ensure we merge well-vetted features into the main codebase for OpenSSL 3.5, complementing OpenSSL Library’s existing review process.

OpenSSL 3.5: Upcoming Release Announcement

Tue, 04 Feb 2025 00:00:00 +0000

The freeze date for OpenSSL 3.5 Alpha is rapidly approaching. If you have a feature on the planning page, please ensure that your associated PRs are posted, reviewed, and ready to be merged before the include/exclude decision date (Tuesday, February 11, 2025) and merged before the repository freeze date (Tuesday, February 25, 2025). Otherwise, the feature will be postponed until the next release.

Important dates

Feature branches include/exclude decision date: February 11, 2025
Feature branches merge: February 18, 2025
Repository freeze date: February 25, 2025
Alpha release date: March 11, 2025
Beta release date: March 25, 2025
Release date: April 8, 2025

Current highlights of the feature list planned for 3.5 include:

QUIC server - QUIC (RFC 9000 - Quick UDP Internet Connections) is a protocol intended to deliver faster, secure communication for Internet applications. Standardized as RFC 9000, QUIC operates over UDP.
ML-KEM - Module Lattice Based Key Encapsulation Mechanism (FIPS 203), a post-quantum cryptography algorithm for key encapsulation for secure key exchange.
ML-DSA - Module Lattice Based Digital Signature Algorithm (FIPS 204), a post-quantum cryptography algorithm for signature generation and verification for proof of authenticity and non-repudiation.
SLH-DSA - Stateless Hash Based Digital Signature Algorithm (FIPS 205), a post-quantum cryptography algorithm for signature generation and verification for proof of authenticity and non-repudiation.

If you have any questions or comments regarding the OpenSSL 3.5 release contact us at [email protected]">[email protected].

OpenSSL Position and Plans on Private Key Formats for the ML-KEM and ML-DSA Post-quantum (PQ) Algorithms

Tue, 21 Jan 2025 00:00:00 +0000

The anticipated future arrival of cryptographically relevant quantum computers (CRQCs), that could undermine the algorithms that underlie the currently most widely used public key algorithms (ECDHE, ECDSA, DH and RSA), has led to the development and recent standardisation of new “post-quantum” (PQ) algorithms, that are believed to not be vulnerable to CRQC attack.

Two of the first algorithms standardized are ML-KEM (for key agreement) and ML-DSA (for digital signatures). These algorithms are standardized by NIST in FIPS 203 and FIPS 204. These define the algorithm parameters and how to correctly perform the necessary mathematical operations, but do not define such details as data formats for public and private keys. Those details were left to other standards organisations, such as the IETF.

Introducing Jon Ericson

Fri, 17 Jan 2025 00:00:00 +0000

From the very beginning of the project, OpenSSL has depended on a community of experts to enable secure and private communication. It’s safe to say that without volunteers contributing code, tests and documentation, we wouldn’t have the modern internet. In order to preserve and grow that ecosystem, the OpenSSL Foundation has brought in Jon Ericson as its first Communities Manager.

Jon began his programming career as an intern at the US National Weather Service where he designed software to test instruments for the Automated Surface Observing System (ASOS). He continued as a programmer at the Jet Propulsion Laboratory (JPL) with the Shuttle Radar Topography Mission (SRTM) ground-data team. When that project ended, he managed data processing for the Tropospheric Emission Spectrometer (TES) mission which collected global atmospheric data from heliosynchronous orbit. Along the way he participated in open source projects such as Perl and Emacs via Usenet groups and mailing lists.

Connect with us at FOSDEM

Thu, 16 Jan 2025 00:00:00 +0000

The OpenSSL Foundation will be attending FOSDEM in Brussels, Belgium on 1-2 February 2025, and we’d like to connect with you!

The Free and Open Source Developers’ European Meeting (FOSDEM) is a volunteer-organized event to promote the widespread use of free and open source software. The conference includes 1,001 events across two days, taking place in 40 rooms on the ULB Solbosch Campus. There is no fee to participate and attend.

OpenSSL Foundation publishes first ever annual report

Mon, 23 Dec 2024 00:00:00 +0000

The OpenSSL Foundation is pleased to share its Annual Report for fiscal year 2024, covering the period of August 1, 2023 through July 31, 2024. This public document is a first for the Foundation, reflecting a renewed commitment to transparency with our communities and the sponsors and donors whose contributions provide critical financial support.

One year ago, we celebrated the 25th anniversary of OpenSSL, marking the release of version 0.9.1c on December 23, 1998, and it seemed fitting to share this Annual Report today, on OpenSSL’s 26th birthday. So much has changed over those 26 years, but our reliance on our community of committers, contributors, and funders has not. We greatly appreciate the many contributions of many types that keep OpenSSL strong and secure and hope you enjoy reading about all that we achieved together.

Foundation BAC Distributions seat

Thu, 19 Dec 2024 00:00:00 +0000

As previously communicated the recent election for the Distributions seat on the Foundation BAC resulted in a tie between Dmitry Belyavsky (Red Hat) and John Haxby (Oracle). As a result we will be re-running this election in early January with just these two candidates. Voting will open on 3rd January 2025 and will close on 10th January 2025.

The “Distributions” community includes maintainers of operating systems or significant packages that integrate OpenSSL Foundation and OpenSSL Corporation projects. If you are involved in an OpenSSL distribution then we encourage you to sign up to the community and vote in the second round of the election in January.

Announcing the Results of the Business Advisory Committee Elections

Tue, 17 Dec 2024 00:00:00 +0000

Upon certification of the election results by the Election Committee, the OpenSSL Foundation and the OpenSSL Corporation are pleased to announce the official results of the Business Advisory Committee (BAC) elections. After a thorough nomination and voting process, the OpenSSL community has selected a group of distinguished individuals to provide guidance and advice to OpenSSL.

Newly Elected Members

The following candidates have been elected to serve on the Business Advisory Committee:

OpenSSL Foundation BAC Members

Re-opening donation opportunities to OpenSSL Foundation

Wed, 11 Dec 2024 00:00:00 +0000

The OpenSSL Foundation is pleased to announce that we are reopening the opportunity for individuals to financially support our work through donations on Github Sponsors. Individual contributions of time, expertise, and financial support have always been critical to our ability to keep improving the OpenSSL software library, and we are excited to once again welcome financial contributions at all levels.

Business Advisory Committees Elections Are Now Open - Vote for Your Community Representative

Fri, 06 Dec 2024 00:00:00 +0000

Thank you to everyone who registered, as well as those who took the extra step to nominate candidates, for the Business Advisory Committees of the OpenSSL Foundation and OpenSSL Corporation. We are now at the final step - voting - which is essential to complete the process.

Start Date: December 5, 2024
Deadline for Voting: December 15, 2024 11:59pm Pacific Time (US/ Canada)

Election Committee

The Election Committee is composed of the directors of the OpenSSL Foundation and the OpenSSL Corporation. This marks the first inaugural Election Committee, tasked with overseeing and managing the election processes across various communities. The committee is dedicated to ensuring that voting is conducted fairly, transparently, and in alignment with the established rules and procedures.

Nominations Remain Open Until Wednesday, December 4, 2024 - Based on Your Feedback!

Wed, 27 Nov 2024 00:00:00 +0000

Thank you to everyone who attended our Q&A sessions about the formation of Business Advisory Committees. We received valuable input from our communities, including requests to allow more time for nominations.

We have heard you, and we would like to announce that:

The nomination period has been extended until Wednesday, December 4, 2024.
The election period starts on Thursday, December 5, 2024 and ends on Sunday, December 15, 2024. You can change your vote up to the end of the election period.

This extension provides additional time to ensure everyone has the opportunity to nominate the individuals who can best represent the community’ s view and needs.

Websites mirrors

Tue, 26 Nov 2024 00:00:00 +0000

To align with our mission, we have provisioned mirrors for our websites, hosted through our chosen CDN vendor:

These mirrors are accessible in locations where our original websites might be blocked.

Upcoming Webinar - Working with X.509 Keys and Certificates

Fri, 08 Nov 2024 00:00:00 +0000

Advance Your Skills in X.509 Certificate Management with OpenSSL

Date: Nov 21, 2024
Time: 04:00 PM Eastern Time (US and Canada)
Duration: 1 hour
Location: Online Webinar (link to be provided upon registration)
Register Here

Are you looking to deepen your understanding of X.509 keys and certificates or sharpen your command-line skills?

Join us for a comprehensive webinar on X.509 certificate management led by Viktor Dukhovni, an OpenSSL Software Engineer. This session covers essential concepts and hands-on techniques using OpenSSL’s command-line tools.

OpenSSL Forms Business Advisory Committees - Shape the Future - Join Now!

Wed, 30 Oct 2024 00:00:00 +0000

The OpenSSL Foundation (primarily focused on non-commercial communities) and the OpenSSL Corporation (primarily focused on commercial communities) are pleased to announce the formation of Business Advisory Committees (BAC), inviting our communities - Distributions, Committers, Small Businesses, Large Businesses, Individuals, and Academics - to actively engage in shaping the future of OpenSSL. These advisory bodies are critical in enhancing our governance structure, ensuring that the decisions reflect the diverse stakeholders involved and that our Mission and Values stay aligned with the community’s needs.

OpenSSL 3.4 Final Release Live

Tue, 22 Oct 2024 00:00:00 +0000

The final release of OpenSSL 3.4 is now live. We would like to thank all those who contributed to the OpenSSL 3.4 release, without whom OpenSSL would not be possible.

OpenSSL delivers the following significant new features:

Support for Integrity only cipher suites (RFC 9150)
JITTER RNG support via statically linked jitterentropy library
RFC 5755 Attribute Certificate support
FIPS indicators in support of FIPS 140-3 validation
Improved Base64 BIO input handling and error reporting
XOF Digest size reporting improvements
Windows Registry key-based directory lookup
Support for several X509v3 extensions
Support for position independent executables in the openssl app to support address space layout randomization

Please see the CHANGES.md file in the release for a full list of changes since OpenSSL 3.3

OpenSSL is hiring Communities Manager

Tue, 22 Oct 2024 00:00:00 +0000

Please note that we are no longer accepting new applications for this position.

OpenSSL is hiring for a Communities Manager to join our team.

Introducing Amy Parker

Mon, 07 Oct 2024 00:00:00 +0000

OpenSSL welcomes Amy Parker as the newest member of the OpenSSL Foundation team. Amy joins us in the newly created position of Chief Funding Officer, a fundraising role focused on revenue generation through corporate sponsorship and other charitable/non-commercial contributions. Funds raised will help the Foundation continue to deliver on its mission of providing security and privacy tools to everyone, everywhere.

A strategic leader with more than twenty years of senior-level fundraising experience, Amy has worked for prestigious educational and cultural institutions including the Wikimedia Foundation, Smithsonian Institution, The New York Public Library, and the University of North Carolina at Chapel Hill. She has been part of several record-setting fundraising campaigns, including the Smithsonian’s first-ever comprehensive campaign, which raised over $1.8 billion, and the $2 billion Carolina First Campaign, which was one of the 5 largest campaigns in US higher education at the time.

OpenSSL 3.4 beta released

Mon, 07 Oct 2024 00:00:00 +0000

OpenSSL 3.4 beta 1 has now been made available.

Our beta releases are considered feature complete for the release, meaning that between now and the final release, only bug fixes are expected (if any). Notable features of this release are available in NEWS.md within the source tarball.

Beta releases are provided to our communities for testing and feedback purposes. If you use OpenSSL, and particularly if you intend to upgrade to OpenSSL 3.4 when it is released, we strongly encourage you to download this beta release, and test it within whatever quality control mechanisms you have, providing feedback via our GitHub issue page at http://github.com/openssl/openssl/issues, so that we can address any shortcomings prior to the final release

OpenSSL Corporation's Silver Sponsorship at ICMC 2024 - A Retrospective

Fri, 27 Sep 2024 00:00:00 +0000

OpenSSL Corporation’s participation as a Silver Sponsor at the International Cryptographic Module Conference (ICMC) 18^th - 20^th September 2024 marked an important milestone in our continued commitment to advancing cryptographic technologies. As a critical player in secure communication, OpenSSL’s involvement highlighted our dedication to fostering collaboration, innovation, and security within the cryptographic community.

ICMC 2024 provided a valuable platform for industry leaders to engage in key discussions surrounding cryptographic standards, challenges, and innovations. Through our sponsorship, OpenSSL contributed to critical dialogues on post-quantum cryptography, regulatory compliance, and developing secure, open-source cryptographic solutions.

Lightship Security Partnership with OpenSSL

Wed, 18 Sep 2024 00:00:00 +0000

OpenSSL is sharing Lightship Security’s latest press release, highlighting the new partnership with the OpenSSL Corporation. Read the full release below:

Lightship Security, an Applus+ Laboratories company and a leading cryptographic security test lab, announces its agreement with the OpenSSL Corporation to provide FIPS 140-3 validation services for the OpenSSL cryptographic library.

The OpenSSL Corporation provides commercial support for users of the OpenSSL Library, a critical component of secure communications in enterprise technologies.

Performance benchmarks dashboard

Tue, 17 Sep 2024 00:00:00 +0000

We would like to announce the release of the OpenSSL Performance Benchmarks Dashboard, designed to track the impact of code changes on performance. The key focus of this dashboard is relative performance so we can assess how various code modifications affect OpenSSL’s performance across versions. This helps ensure that we’re aware of any potential performance impacts in advance, allowing us to maintain or improve efficiency with each update.

You can explore the dashboard here: OpenSSL Performance Benchmarks Dashboard. Additionally, it can be conveniently accessed from the main menu of this site under the “Resources” section.

Post-Quantum Algorithms in OpenSSL

Tue, 17 Sep 2024 00:00:00 +0000

Recently NIST published a number of post-quantum algorithm standards (ML-KEM, ML-DSA, and SLH-DSA). With these new NIST publications, OpenSSL is now prepared for implementation.

We’ve recently been receiving a lot of questions about these new standards so we wanted to make our position clear:

We intend to implement support for these algorithms in our providers in a future version of OpenSSL
We are currently putting together our project plans for this, stay tuned for more information regarding timeline
We invite qualified and skilled individuals to help us implement these algorithms and integrate them into OpenSSL in accordance with our standards and policies.

From early 2022 a research project made available a test vehicle enabling TLS1.3 and X.509 support for many pre-standard and other experimental post-quantum algorithms via the OpenSSL provider interface, called oqs-provider. Its primary author and maintainer (Michael Baentsch) has now joined the OpenSSL team with the goal to support an efficient, secure, smooth and seamless integration of the now standardised post-quantum algorithms from NIST into the OpenSSL code base. Many lessons learnt from the process of building and integrating oqs-provider into downstream applications will be applied to this process.

OpenSSL 3.4 alpha released

Tue, 10 Sep 2024 00:00:00 +0000

OpenSSL 3.4 alpha 1 has now been made available.

Our Alpha releases are considered feature complete for the release, meaning that between now and the final release, only bug fixes are expected (if any). Notable features of this release are available in CHANGES.md within the source tarball.

Alpha releases are provided to our communities for testing and feedback purposes. If you use OpenSSL, and particularly if you intend to upgrade to OpenSSL 3.4 when it is released, we strongly encourage you to download this alpha release, and test it within whatever quality control mechanisms you have, providing feedback via our GitHub issue page at http://github.com/openssl/openssl/issues, so that we can address any shortcomings prior to the final release

OpenSSL considering TLS 1.0/1.1 deprecation

Tue, 10 Sep 2024 00:00:00 +0000

Recently, OpenSSL proposed the deprecation of TLS 1.0/1.1 and solicited community feedback on the idea.

Feedback on the proposal was generally split down the middle, with half of the respondents indicating immediate depreciation with near-term removal was acceptable, while the remainder of the respondents with affirmative opinions noted that they represent, or know of products whose environment disallowed updating to TLS1.2 or later, and would need to re-enable the deprecated features for the foreseeable future.

Join Our Webinar on Debugging OpenSSL Applications

Fri, 30 Aug 2024 00:00:00 +0000

Debugging is a crucial aspect of developing and maintaining reliable software. However, debugging can become particularly challenging when applications incorporate diverse and complex components like OpenSSL. This webinar is designed to help you navigate these complexities.

Webinar Details

Date: September 11, 2024
Time: 09:00 AM Pacific Time (US and Canada)
Platform: Zoom
Topic: Debugging OpenSSL Applications

Registration Link: Click here to register

What to Expect

Internal Debugging Tools: Learn about the facilities OpenSSL provides to help you gain visibility into its internal behavior, allowing for more effective troubleshooting.
External Diagnostic Tools: Explore additional tools that can be integrated with OpenSSL to diagnose and resolve more intricate issues.

For professionals dealing with OpenSSL, mastering these debugging techniques is essential to ensuring the stability and security of their applications.

Join OpenSSL at the ICMC 2024 - Visit Our Exhibit Booth!

Tue, 20 Aug 2024 00:00:00 +0000

OpenSSL is pleased to announce its participation as a Silver Sponsor at the upcoming International Cryptographic Module Conference (ICMC) 2024, taking place from 18^th to 20^thSeptember. Visit our booth and attend our presentations to discover how we can help each other.

Event Details

Conference Name: International Cryptographic Module Conference
Dates: 18^th - 20^th September 2024
Location: DoubleTree by Hilton, San Jose, California
Our Booth Number: 102

OpenSSL 3.4 Alpha release approaching

Fri, 16 Aug 2024 13:00:00 +0000

The freeze date for OpenSSL 3.4 Alpha is rapidly approaching.

Alpha freeze approaching

The freeze date for OpenSSL 3.4 Alpha is rapidly approaching. Planned features are viewable on our 3.4 Planning page. If you have a feature on the planning page, please ensure that your associated PRs are posted, reviewed, and merged prior to the freeze date (Friday, Aug 30, 2024), or it will be postponed until the next release.

New Governance Structure and New Projects under the Mission

Wed, 24 Jul 2024 11:00:00 +0000

As part of our ongoing journey, OpenSSL is evolving to provide more opportunities for engagement that more effectively align with our mission statement and promote our values. OpenSSL is implementing various mechanisms to foster greater community involvement and enable our communities to play a key and active role in the decision-making process.

New Governance Framework

OpenSSL has two independent, co-equal organizations to support the OpenSSL Mission:

The OpenSSL Foundation primarily focuses on non-commercial communities.
The OpenSSL Corporation primarily focuses on commercial communities.

This balanced approach ensures that both entities can operate independently and make decisions autonomously.

OpenSSL is hiring - Fundraiser

Wed, 24 Jul 2024 00:00:00 +0000

Note that this position has now been filled and we are no longer accepting applications

OpenSSL is hiring for a Fundraiser to join our team

We are seeking a Fundraiser to join our team. As a Fundraiser at OpenSSL, you will play a vital role in sustaining critical components of internet infrastructure that enable secure communications around the world. In addition to your fundraising role, you must align with and uphold our core values and mission in your every day professional activities. This role will require you to have strong networks and relationships with our various sponsors, customers and communities in order to help us identify and bring on board new sponsors for our project as well as maintain our existing ones. You will also hold significant responsibility for developing our sponsorship and fundraising program in order to ensure that our sponsors are getting good value from their engagement with us whilst at the same time maximizing the resources available to OpenSSL to further develop and expand.

Join Our Exclusive Webinar on Performance Tuning with OpenSSL

Thu, 18 Jul 2024 13:00:00 +0000

Secure communication is vital in today’s digital world, but it sometimes slows down your applications. We invite you to an insightful webinar on optimizing application performance using OpenSSL. This session is designed for individuals seeking to enhance the security and efficiency of their applications.

Webinar Details

Date: August 1, 2024
Time: 09:00 AM Pacific Time (US and Canada)
Platform: Zoom
Topic: Performance Tuning with OpenSSL

Registration Link: Click here to register

OpenSSL mailing lists are moving to Google Groups

Wed, 17 Jul 2024 13:00:00 +0000

We are announcing a change in how communication and collaboration will take place within the OpenSSL community. Effective August 1st, 2024, the OpenSSL mailing lists will migrate to Google Groups. This transition is designed to streamline communication channels and simplify our infrastructure.

Why the change?

Over the years, the combintation of Postfix and Mailman has served us well, but it’s time to move on and explore better options. Google Groups offers several advantages that align with our goals:

Large issue cleanup in OpenSSL

Tue, 25 Jun 2024 16:00:00 +0000

OpenSSL is cleaning up its issue backlog

Whats going on?

Recently, some may have noticed issues (particularly old ones) in the openssl repository have received an update, having the ‘inactive’ label applied to them with a comment indicating that they will be closed at the end of the 3.4 development cycle. OpenSSL currently has almost 2000 outstanding issues in its issue list, many of which have been sitting idle for multiple years. In an effort to better plan and schedule work for the OpenSSL development team, it has become increasingly clear that, to do so efficiently, the issue list must be reduced, so as to better identify those issues which are impacting the larger user base more visibly for planning purposes.

New OpenSSL patch releases available

Tue, 04 Jun 2024 16:00:00 +0000

New OpenSSL patch releases are available

Soliciting input regarding a potential hardening effort

Mon, 03 Jun 2024 20:00:00 +0000

OpenSSL is soliciting input on a hardening effort for our library. The details can be found here: https://github.com/openssl/openssl/discussions/24321

Upcoming Webinar: Getting Started with QUIC and OpenSSL

Tue, 28 May 2024 16:00:00 +0000

We are pleased to announce our upcoming webinar, Getting Started with QUIC and OpenSSL.

In this brief yet comprehensive session, we’ll dive into the basics of QUIC and guide you through implementing a simple client using the QUIC OpenSSL API. By the end of this webinar, you’ll have a solid grasp of creating a client application that connects to a server and receives data. Our demo client may be straightforward, but it serves as the perfect playground to explore and observe the QUIC protocol in action. Get ready to see QUIC in motion and discover the tools to monitor its performance effectively!

OSTIF and Trail of Bits Complete Audit of OpenSSL

Thu, 02 May 2024 16:00:00 +0000

OpenSSL would like to announce the publication of the final report of a recent security audit conducted on the OpenSSL software library.

Releases distribution changes

Tue, 30 Apr 2024 16:00:00 +0000

I’d like to give you a heads-up about some changes we’re making at OpenSSL. We’re simplifying how you can get our software, and that means we’re phasing out some older methods that don’t quite fit with the way the web works today.

QUIC server preview branch available for testing and feedback

Tue, 16 Apr 2024 13:45:00 +0000

We are pleased to announce the availability of a feature preview for our OpenSSL QUIC server functionality. This is an early technology preview which is being published to seek feedback from our communities.

This preview is now available in the feature/quic-server branch of the OpenSSL repository on GitHub. Those interested in providing early feedback on our QUIC server functionality are invited to download and build this branch.

It is important to note that this branch represents a prototype phase at this time and many aspects of the planned functionality are not yet implemented. In particular, only a very small subset of the full SSL API is currently implemented. This preview is being released to enable all of our communities to provide their feedback as part of the API design process and in order to validate our requirements prior to the finalisation of the API.

Upcoming Webinar: Writing a TLS Client

Mon, 15 Apr 2024 09:00:00 +0000

We are pleased to announce our upcoming webinar, Writing a TLS Client.

OpenSSL 3.3 Final Release Live

Wed, 10 Apr 2024 12:00:00 +0000

The final release of OpenSSL 3.3 is now live. This is the first release in accordance with our adoption of biannual time-based releases. We would like to thank all those who contributed to the OpenSSL 3.3 release, without whom, OpenSSL would not be possible.

OpenSSL 3.3 delivers the following new features:

QUIC qlog diagnostic logging support
Support for the non-blocking polling of multiple QUIC connections or stream objects
Support for optimised generation of end-of-stream frames for QUIC connections
Support for disabling QUIC event processing when making API calls
Support for configuring QUIC idle timeout durations
Support for querying the size and utilisation of a QUIC stream’s write buffer
Support for RFC 9480 and RFC 9483 extensions to CMP
Ability to disable OpenSSL usage of atexit(3) at build time
Year 2038-compatible SSL_SESSION APIs
Ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested
Ability to ignore unknown algorithm names in TLS signature algorithm and group configuration strings
Ability to configure a TLS 1.3 server to prefer PSK-only key exchange during session resumption
Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
Added exporter for CMake on Unix and Windows, alongside the pkg-config exporter.
And more. Please check out CHANGES.md for a full list of changes between OpenSSL 3.2 and OpenSSL 3.3.

OpenSSL 3.3 is a regular release, upon this final release a one-year Full Support period is initiated for regular releases. During this phase, bugs and security issues are addressed and fixed according to the Stable Release Updates Policy. Immediately after the Full Support phase ends, the Maintenance Support phase begins, lasting for one year. During this phase, the primary focus is on fixing security issues, although other bugs may be addressed at the discretion of OpenSSL engineering.

Celebrating 25 Years of OpenSSL

Wed, 03 Apr 2024 06:00:00 +0000

We are pleased to announce that we have successfully distributed nearly 100 limited edition T-shirts commemorating the 25th anniversary of OpenSSL’s existence.

We appreciate the support of all our communities, users, individual contributors and support customers, without which we would not be able to continue our mission and deliver on our open source values. These continue to drive the success and evolution of OpenSSL, and we couldn’t be more appreciative.

OpenSSL 3.3 Beta Release Live

Tue, 02 Apr 2024 07:00:00 +0000

The beta release of OpenSSL 3.3 is now live. This release is in accordance with our adoption of biannual time-based releases. As this is a beta release, we consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback. It represents the second step in our planned release of OpenSSL 3.3. To view the full 3.3 release schedule please refer to this blog.

OpenSSL at FOSDEM 24

Thu, 28 Mar 2024 06:00:00 +0000

This year, we had the privilege of participating in FOSDEM for the first time. This offered us an opportunity to engage with the open source community at the conference, share our insights, and learn from the vast pool of knowledge that FOSDEM brings together.

FOSDEM, short for Free and Open Source Software Developers’ European Meeting, is an event that brings together thousands of open source developers, enthusiasts, and professionals from around the world. It’s a festival of knowledge, with workshops, talks, and sessions covering a myriad of topics from software development and security to hardware innovation and beyond.

Upcoming Webinar: Writing Your First OpenSSL Application

Fri, 22 Mar 2024 09:00:00 +0000

We are thrilled to announce our upcoming webinar, Writing Your First OpenSSL Application.

This webinar is designed to take you from an understanding of basic cryptography concepts to writing your first secure application using OpenSSL. It’s the perfect starting point for anyone looking to dive into the world of secure application development. Here’s what we’ll cover:

Define the use cases for which OpenSSL can be used
How to find documentation to learn how to use OpenSSL in applications
How to write applications using OpenSSL
How to test and verify functionality of OpenSSL applications
How to identify and fix bugs in OpenSSL applications
Q&A Session: Have your questions answered by our OpenSSL experts. This is a great opportunity to clear up any doubts and gain additional insights.

By the end of this presentation, the audience should be able to match their application needs to OpenSSL library features, find documentation to explain how to leverage those features, create applications using OpenSSL, and learn how to detect and understand errors that may arise.

OpenSSL 3.3 Alpha Release Live

Fri, 22 Mar 2024 07:00:00 +0000

The Alpha release of OpenSSL 3.3 is now live. This release is in accordance with our adoption of biannual time-based releases. As this is an alpha release, it is intended for development and testing purposes. It represents the first step in our planned release of OpenSSL 3.3. To view the full 3.3 release schedule please refer to this blog.

OpenSSL 3.3 will feature the following new features:

QUIC qlog diagnostic logging support
Support for the non-blocking polling of multiple QUIC connection or stream objects
Support for optimised generation of end-of-stream frames for QUIC connections
Support for disabling QUIC event processing when making API calls
Support for configuring QUIC idle timeout durations
Support for querying the size and utilisation of a QUIC stream’s write buffer
RCU lock infrastructure for performance enhancements
Support for RFC 9480 and RFC 9483 extensions to CMP
Ability to disable OpenSSL usage of atexit(3) at build time
Year 2038-compatible SSL_SESSION APIs
Ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested
Ability to ignore unknown algorithm names in TLS signature algorithm and group configuration strings
Ability to configure a TLS 1.3 server to prefer PSK-only key exchange during session resumption

No further features or API changes are planned for 3.3 beyond those listed above. We will not be accepting any additional features for 3.3; any unmerged feature PRs will now be considered for 3.4.

OpenSSL 3.3 alpha release date announced

Tue, 12 Mar 2024 18:00:00 +0000

We are pleased to announce our schedule for the April release of OpenSSL 3.3. In accordance with our adoption of biannual time-based releases following the release of OpenSSL 3.2, this will be our first time-based release.

The release schedule is as follows:

An alpha of OpenSSL 3.3 will be made on 20 March 2024.
A beta of OpenSSL 3.3 will then be made on 29 March 2024.
The expected final release date for OpenSSL 3.3.0 is 10 April 2024. Backup release dates are 17 April 2024 and 24 April 2024.

NetApp and OpenSSL: Teaming Up for More Secure Internet

Thu, 08 Feb 2024 16:00:00 +0000

Exciting news in the world of online security! NetApp, an intelligent data infrastructure company, is now a Gold Sponsor of OpenSSL, showing their strong support for making the internet a safer place for everyone.

NetApp’s sponsorship brings valuable resources to OpenSSL, enabling the project to accelerate development, conduct thorough security audits, and ensure ongoing maintenance and support. In return, NetApp gains access to cutting-edge cryptographic technologies, contributing to the enhancement of its own security solutions and reinforcing its position as a leader in data management.

Upcoming Getting Started with OpenSSL Webinar

Tue, 23 Jan 2024 16:00:00 +0000

In the fast-paced world of cybersecurity, the ability to secure digital assets is paramount. We’re excited to announce our upcoming webinar, “Getting Started with OpenSSL,” which is designed to provide attendee’s with a solid foundation in using OpenSSL to enhance the security of their applications and systems. Join us for this webinar and learn all about OpenSSL’s purpose, features, and components.

Why Attend? Empower Yourself: Gain practical skills to implement OpenSSL in your projects. Community Engagement: Connect with a community of security-conscious individuals.

OpenSSL FIPS provider 3.0.9 validated

Tue, 23 Jan 2024 08:00:00 +0000

The OpenSSL project is pleased to announce an update to its FIPS 140-2 certificate #4282. The certificate now validates the FIPS provider built from the 3.0.8 and 3.0.9 releases.

OpenSSL 3.1 FIPS Module has been submitted for validation

Thu, 04 Jan 2024 07:00:00 +0000

On 2023-12-29 we have submitted our FIPS 140-3 validation report to NIST’s Cryptographic Module Validation Program (CMVP).

This in no way impacts our existing FIPS 140-2 certificate which remains valid and will be maintained until its sunset date in September 2026.

OpenSSL's Official Youtube Channel

Thu, 21 Dec 2023 10:00:00 +0000

We are thrilled to announce a major leap forward in our efforts to connect with the community and share valuable insights—OpenSSL now has its own YouTube channel! As a significant milestone in our commitment to transparency, education, and open-source collaboration, this channel will serve as a hub for engaging content, tutorials, and updates straight from the heart of OpenSSL.

What to Expect:

Tutorial Series: Get ready for in-depth tutorials covering a wide range of topics, from OpenSSL basics to advanced usage scenarios. Whether you’re a seasoned developer or just starting, our tutorials will cater to all skill levels.

OpenSSL 25 Year Anniversary T-Shirt Giveaway

Wed, 20 Dec 2023 10:00:00 +0000

We are thrilled to announce a special celebration in honor of OpenSSL’s 25th anniversary! Two and a half decades of commitment to security, reliability, and open-source collaboration have made OpenSSL an indispensable tool in the world of digital communication.

To express our gratitude to the incredible community that has supported us throughout the years, we are hosting an exclusive T-Shirt Giveaway! The first 75 people to participate will receive a limited edition OpenSSL 25th-anniversary T-shirt as a token of our appreciation.

OpenSSL Providers Workshop: Authors Track

Tue, 05 Dec 2023 10:00:00 +0000

Part two of the OpenSSL Providers Workshop is next week! We have divided the workshop into two tracks the Users Track and the Authors Track. Please join us next week for part two of the workshop: Live OpenSSL Providers Workshop: Authors Track. As with the Users Track, we will be hosting two sessions of the Authors Track at different times to allow people from different time zones to be able to join our workshops live.

OpenSSL Providers Workshop: Users Track

Wed, 29 Nov 2023 10:00:00 +0000

The long anticipated OpenSSL Providers Workshop is finally here! We have divided the workshop into two tracks the Users Track and the Authors Track. Please join us next week for part one of the workshop: Live OpenSSL Providers Workshop: Users Track. Due to world wide interest, we will be hosting two sessions of the Users Track at different times to allow people from different time zones to be able to join our workshops live.

OpenSSL announces final release of OpenSSL 3.2.0

Thu, 23 Nov 2023 14:00:00 +0000

We are pleased to announce the immediate availability of OpenSSL 3.2.0. OpenSSL 3.2.0 is the first General Availability release of the OpenSSL 3.2 release line, and incorporates a number of new features, including:

Client-side QUIC support, including support for multiple streams (RFC 9000)
Certificate compression in TLS (RFC 8879), including support for zlib, zstd and Brotli
Deterministic ECDSA (RFC 6979)
Support for Ed25519ctx, Ed25519ph and Ed448ph (RFC 8032) in addition to existing support for Ed25519 and Ed448
AES-GCM-SIV (RFC 8452)
Argon2 (RFC 9106) and supporting thread pool functionality
HPKE (RFC 9180)
The ability to use raw public keys in TLS (RFC 7250)
TCP Fast Open (RFC 7413) support, where supported by the OS
Support for provider-based pluggable signature schemes in TLS, enabling third-party post-quantum and other algorithm providers to use those algorithms with TLS
Support for Brainpool curves in TLS 1.3
SM4-XTS
Support for using the Windows system certificate store as a source of trusted root certificates. This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release.

OpenSSL 3.2 Final Release Postponed

Fri, 17 Nov 2023 10:00:00 +0000

As part of the OpenSSL project’s commitment to deliver a secure and high quality cryptography toolkit, we routinely apply fuzzing to the OpenSSL codebase, which searches automatically for potential bugs in upcoming OpenSSL releases. This fuzzing process runs continuously and on an ongoing basis and as such, bugs can be identified by our fuzzing infrastructure at any time.

Due to a small number of bugs which have been identified by the ongoing use of fuzzing, the OpenSSL Project has made the decision to postpone the final release of OpenSSL 3.2 by at least a week. While we have promptly fixed all bugs presently identified by fuzzing, to ensure the quality of OpenSSL 3.2, we do not intend to make the final release until all issues identified by fuzzing have been addressed and no new issues are found for one week. As a result, we have pushed the full release of OpenSSL 3.2 to the 23rd November 2023. Please stay tuned to our blog for more details on the matter.

Expected OpenSSL 3.2 Release Date

Wed, 08 Nov 2023 13:00:00 +0000

The OpenSSL Project is excited to announce that OpenSSL 3.2 is expected to be fully released on 16th November, 2023.

In the meantime the OpenSSL 3.2 Beta is currently available. We encourage all OpenSSL users to build and test against the beta release and provide feedback.

OpenSSL 3.2 will be our last release before we transition to a time-based release schedule on a 6-month cadence, with regular feature releases in October and April each year.

OpenSSL 3.2 Release Candidate

Thu, 26 Oct 2023 13:00:00 +0000

The OpenSSL Project is excited to announce our first beta release of OpenSSL 3.2. We consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback.

The code for OpenSSL 3.2 is now functionally complete and at the time of the beta release there were no outstanding known regressions that need to be fixed before the final release. A lot of work has been going on over the last few months getting OpenSSL 3.2 ready for its final release and we want to send thanks to everyone who has helped us.

OpenSSL Adds Support for Raw Public Key (RFC7250)

Fri, 20 Oct 2023 13:00:00 +0000

Raw Public Keys have emerged as a component for securing communications between clients and servers. Raw Public Keys, as defined in RFC 7250, play a role in ensuring the confidentiality, integrity, and authenticity of data exchanged over the web. As a result OpenSSL will be adding support for Raw Public Keys in the upcoming OpenSSL 3.2.

Raw Public Keys are a cryptographic mechanism used in public key infrastructure (PKI) systems. They are a way of representing a public key without the associated digital certificate, which contains additional information like the owner’s identity, expiration date, and digital signatures from a certificate authority. This makes Raw Public Keys more lightweight and efficient, especially in resource-constrained environments.

Implementing HPKE in OpenSSL 3.2

Wed, 18 Oct 2023 13:00:00 +0000

The upcoming OpenSSL 3.2 will be implementing Hybrid Public Key Encryption (HPKE) into the library.

Hybrid Public Key Encryption (HPKE) is a cryptographic protocol defined in RFC 9180 (Request for Comments) that aims to provide a flexible and secure way to perform public key encryption in various scenarios. HPKE combines the security of public key encryption with the flexibility of using different key exchange methods and encryption schemes. This protocol is designed to be used in a wide range of applications, including securing communications over the internet and other networked environments.

Implementing HPKE in OpenSSL will help ensure that your public key encryption solution is both effective and reliable for securing data in various applications and environments for the following reasons:

OpenSSL FIPS 140 Update

Thu, 12 Oct 2023 13:00:00 +0000

In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is crucial. The OpenSSL project has been at the forefront of cryptographic security for decades, providing a robust toolkit that enables encryption, decryption, and other cryptographic functions. In the continuous pursuit of enhancing security and regulatory compliance, we want to share our updated ambitious FIPS (Federal Information Processing Standards) plans.

New OpenSSL Tutorials for OpenSSL 3.2 Release

Mon, 09 Oct 2023 12:00:00 +0000

We will be releasing a series of new tutorials in the upcoming OpenSSL 3.2 release to help new users of OpenSSL get a quick start on developing applications using the OpenSSL libraries. They will also be helpful to users wanting to try out the new client side QUIC capabilities.

OpenSSL 3.2 Alpha 2 released

Tue, 03 Oct 2023 16:00:00 +0000

OpenSSL 3.2 Alpha 2 has recently been released.

Please see our previous blog post for a list of all of the exciting new features that are contained in the upcoming 3.2 release.

OpenSSL 1.1.1 End Of Life

Mon, 11 Sep 2023 00:00:00 +0000

OpenSSL 1.1.1 series has reached its End of Life (EOL). As such it will no longer receive publicly available security fixes.

OpenSSL announces OpenSSL 3.2 Alpha 1

Thu, 07 Sep 2023 10:55:00 +0100

We are pleased to announce the immediate availability of OpenSSL 3.2 Alpha 1. This release incorporates a number of new features, most notably:

Client-side QUIC support, including support for multiple streams (RFC 9000)
Certificate compression in TLS (RFC 8879), including support for zlib, zstd and Brotli
Deterministic ECDSA (RFC 6979)
Support for Ed25519ctx, Ed25519ph, Ed448 and Ed448ph (RFC 8032) in addition to existing support for Ed25519
AES-GCM-SIV (RFC 8452)
Argon2 (RFC 9106) and supporting thread pool functionality
HPKE (RFC 9180)
The ability to use raw public keys in TLS (RFC 7250)
TCP Fast Open (RFC 7413) support, where supported by the OS
Support for provider-based pluggable signature schemes in TLS, enabling third-party post-quantum algorithm providers to use these algorithms with TLS
Support for Brainpool curves in TLS 1.3
SM4-XTS
Support for using the Windows system certificate store as a source of trusted root certificates. This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release.

OpenSSL announces imminent release of OpenSSL 3.2 Alpha 1

Tue, 05 Sep 2023 11:35:00 +0100

OpenSSL is pleased to announce the imminent release of OpenSSL 3.2 Alpha 1 on the 7th September 2023.

As this will be an alpha release, it is intended for development and testing purposes. It represents the first step in our planned release of OpenSSL 3.2.

Depending on the outcome of the alpha process, we hope to make a beta release as soon as two weeks after Alpha 1 is released. When we do move to beta, this will represent a feature freeze. Therefore, no new feature PRs will be accepted into the 3.2 branch after this.

OpenSSL Updates: A Few Steps Forward

Mon, 28 Aug 2023 00:00:00 +0200

At OpenSSL, we’re always learning and taking small steps, informed by both fresh ideas and the feedback we receive. Today, we’d like to share a couple of updates we hope will make things clearer and more collaborative for our community.

These updates are part of our effort to align more closely with, and live by, our Mission and Values.

OpenSSL statement on the recent Intel/AMD Downfall/Inception vulnerabilities

Tue, 15 Aug 2023 08:55:00 +0000

Last week marked the public announcement of the Downfall vulnerability in Intel CPUs and the Inception vulnerability in AMD CPUs. Both of these are microarchitectural side-channel attacks allowing an attacker with unprivileged execution on the same physical core as a victim process to extract confidential information from that process.

This blog post provides information and advice for users of OpenSSL. Specifically, it provides information on how users of OpenSSL may be affected by these vulnerabilities, and advice for users of OpenSSL on mitigation strategies.

Face-to-face meetings: OTC and Committers

Mon, 24 Jul 2023 04:00:00 +0200

From June 19-21, OpenSSL had a face-to-face event in Brno, Czech Republic, for OTC members and contributors. The event provided a valuable platform for productive meetings and discussions. The gathering brought together prominent individuals from the OpenSSL community, fostering robust and enlightening exchanges. This event served as a crucial opportunity for introspection and future planning, encouraging open dialogue on various facets of the OpenSSL project.

Face-to-face meetings: OTC and Committers, Day 3

Mon, 24 Jul 2023 03:00:00 +0200

Discussions were held about introducing a new time-based release policy for OpenSSL. This policy aims to improve the predictability of release schedules and content. Part of this discussion also touched on how to effectively plan and assess feature readiness before each release.
To enhance project management, the use of feature branches for more complex features was suggested. This idea was paired with the proposal to establish clearly defined criteria for the review and approval of code.
As part of improving decision-making within the project, dialogues were carried out on how to best select features for inclusion. The proposal to establish a review body, focused on making these decisions and prioritizing features, was also put forward.
Inspired by Apache’s practices, improvements to the existing security policy were considered and discussed.
As part of addressing the project’s technical debt, suggestions were made to discuss infallible locking and mandatory atomics. The goal was to streamline locking mechanisms and reduce code complexity.
Tomas Mraz and Dmitry Belyavsky held personal sessions where they discussed different approaches. Tomas delved into the approach of using decoupled low-level crypto libraries, while Belyavsky considered the potential for incorporating more pluggable elements within OpenSSL.
Richard Levitte highlighted several areas of technical debt that need addressing. These included issues with composite algorithm names, the functionality of Password-Based Encryption (PBE), and AlgorithmIdentifier parameters. He also proposed potential solutions to these identified issues.

Face-to-face meetings: OTC and Committers, Day 2

Mon, 24 Jul 2023 02:00:00 +0200

The OpenSSL project has some performance issues. These need to be addressed by setting performance standards and testing before making changes. The team has agreed to prioritize this process.
Technical debt is another problem that needs to be dealt with. The proposed solutions are:
- Setting performance targets.
- Improving inefficient data structures.
The team also discussed ways to improve engagement with the community, including:
- Updating the current outdated communication channels.
- Revamping the website.
- Creating a separate space for user queries and software issues.
- Starting to use GitHub Discussions for better communication.
Supporting different OpenSSL versions poses challenges. The team also discussed how to manage Long Term Support (LTS) releases.
When talking about the QUIC protocol, several points were emphasized:
- Its development is crucial.
- Features need to be prioritized.
- It’s important to gather feedback early.
- There was agreement to turn on QUIC by default in the next release.
Nicola Tuveri pointed out that the BIGNUM issue needs to be addressed. He suggested setting aside dedicated resources to work on it.
Code reviews are essential for maintaining the quality of the project. Documentation should be easy to understand and useful for users. The team stressed its importance.
The error API has some problems. These were discussed along with potential solutions.

Face-to-face meetings: OTC and Committers, Day 1

Mon, 24 Jul 2023 01:00:00 +0200

The OTC retrospective highlighted the need for diversity and improved communication.
- A proposal for a Special Interest Group (SiG) model was made.
- The necessity for regular communication with communities was identified.
- A need for reevaluation of membership criteria was highlighted.
The team acknowledged the presence of technical debt in OpenSSL. Challenges like code redundancy and inconsistent APIs were noted within OpenSSL. Refactoring was seen as a potential solution to these OpenSSL challenges.
Updates and improvements to the Certificate Management Protocol (CMP) were discussed. Focus was placed on interoperability and testing within the CMP.
Red Hat engineers shared their journey towards FIPS compliance. Their approach to security vulnerabilities was discussed.
Solutions for managing parameters and configurations were examined.
The challenge of accessing entropy sources was discussed. A proposition to enhance randomness providers was made.
The implementation of Post-Quantum Cryptography was also discussed. Focus was put on compatibility between OQS and OpenSSL in the future.
Red Hat presented several significant issues, including confirmed bugs. There was also a discussion on features needing careful consideration by Red Hat.
The experience of writing a PKCS#11 provider emphasized the need for better documentation. The need for more supportive resources for writing a PKCS#11 provider was also discussed.

Who writes OpenSSL?

Mon, 17 Jul 2023 08:30:00 +0000

For a meeting last week I wanted to show how much of OpenSSL is being written by people paid to do so by their employers, and how much was from individuals in their own time. And it turns out most of OpenSSL is written by people paid to do so. This is crucial to understanding the critical role that corporations provide to Open Source projects such as OpenSSL.

OpenSSL adopts Mission & Values Statement

Tue, 04 Jul 2023 08:00:00 +0000

After extensive feedback from our communities, OpenSSL is pleased to announce that we have formally adopted the Mission and Values Statement, and will now be aligning our activities to support these.

You can view our new Mission and Values Statment here.

We would like to extend our sincere thanks to all those who provided feedback to us. We have reviewed all the comments and responses, which showed that a clear majority (around 70%) agreed on OpenSSL adopting the Mission and Values Statement. It was really beneficial to hear from our various communities and we will continue to seek out your feedback in the future.

OpenSSL 1.1.1 End Of Life Approaching

Thu, 15 Jun 2023 05:00:00 +0000

OpenSSL 1.1.1 series will reach End of Life (EOL) on 11th September 2023. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.

Rebranded OpenSSL FIPS certificates issued

Thu, 01 Jun 2023 01:00:00 +0000

The OpenSSL project is pleased to announce that the first of the rebranded FIPS 140-2 certificates, available exclusively to our Premium Support Customers, have been officially issued by the CMVP. With this significant milestone achieved, we anticipate a smooth and ongoing rollout of the remaining and future rebrandings. If your company desires a rebranded FIPS 140-2 validation certificate bearing your organisation’s name, obtaining one is a straightforward task: simply secure a premium support contract with the project and ask for a rebranded certificate.

OpenSSL FIPS provider 3.0.8 validated

Mon, 29 May 2023 00:00:00 +0000

The OpenSSL project is pleased to announce a major update to its FIPS 140-2 certificate #4282. The certificate now validates the FIPS provider built from the 3.0.8 release.

OpenSSL extends feedback on draft mission & values statement

Thu, 04 May 2023 09:50:00 +1000

OpenSSL would like to thank everyone who has provided feedback on our draft mission & values statement. The response has been great, and the feedback is really important to us. We are working through those responses.

We’d like to get even more feedback so we are extending the response period until 19th May 2023. If you haven’t already provided feedback to us, please do so by:

Filling in this feedback form, or
Emailing your feedback to [email protected]">[email protected]

As a small incentive we will be randomly selecting 10 responders out of everyone who has provided feedback and the lucky ones will receive an OpenSSL T-shirt. (Yes this includes those who have already responded to us).

OpenSSL seeks feedback on draft mission & values statement

Fri, 31 Mar 2023 08:31:00 +0000

Following the successful OpenSSL 2023 face-to-face conference, OpenSSL has produced a draft mission & values statement. Once finalised, we intend to realign all activities of the project to ensure they reflect our agreed mission and values. Before doing so however, we would like to obtain feedback on this statement from the public, to ensure it represents all of our communities. By offering us your feedback, you will help us to ensure the OpenSSL project is run in a way that reflects the values of all of our users.

OpenSSL 1.1.1 End Of Life

Tue, 28 Mar 2023 11:00:00 +0000

We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.

OpenSSL FIPS Update and Expansion of Rebranding Offer

Wed, 15 Mar 2023 08:00:00 +0000

We are thrilled to inform you that the complimentary FIPS rebranding service for our premium support customers has been extended. As part of this non-contractual benefit, premium support customers are entitled to one rebranding of any of our FIPS provider certificates per year, completely free of charge.

OpenSSL 3.1 Final Release

Tue, 07 Mar 2023 12:00:00 +0000

We are pleased to announce that the forthcoming OpenSSL 3.1 release is to be made available on 14th March 2023.

OpenSSL 3.1 Release Candidate

Wed, 21 Dec 2022 11:00:00 +0000

The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee (OTC) are glad to announce our first beta release of OpenSSL 3.1. We consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback.

OpenSSL 3.1 alpha release

Fri, 02 Dec 2022 08:00:00 +0000

The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the alpha release of OpenSSL 3.1.

CVE-2022-3786 and CVE-2022-3602: X.509 Email address buffer overflows

Tue, 01 Nov 2022 15:00:00 +0000

Today we published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).

Please read the advisory for specific details about these CVEs and how they might impact you. This blog post will address some common questions that we expect to be asked about these CVEs.

Configuring supported TLS groups in OpenSSL

Fri, 21 Oct 2022 11:00:00 +0000

The configuration of supported groups in TLS servers is important to limit the resource consumption of the TLS handshakes performed by the server. This blog post should give system administrators a few useful hints on how to configure the OpenSSL library and two of the most used open source HTTP servers which use the OpenSSL library for supporting the HTTPS protocol.

UPDATE: The post was updated to mention the new CVE-2022-40735 vulnerability.

RIPEMD160 and the legacy provider

Tue, 18 Oct 2022 09:07:50 +0200

With the release of OpenSSL 3.0 and the new provider architecture, some algorithms that were considered legacy by the OpenSSL team at the time were moved to the legacy provider, to be loaded optionally by those wishing to still use any of said algorithms.

FIPS 140-3 Plans

Fri, 30 Sep 2022 10:00:00 +0000

The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project is pleased to announce that the project is partnering with KeyPair Consulting and Acumen Security to validate OpenSSL to meet the requirements of the FIPS 140-3 standard.

OpenSSL Presentation at ICMC22 Conference

Wed, 21 Sep 2022 12:00:00 +0000

After 2 years of forced covid break, OpenSSL once again presented at the ICMC22 conference. The conference was a very pleasant meet-up of the community around cryptography and cryptographic modules. There were a lot of insights, feedback, and discussions around IT security. OpenSSL gave a talk on the Current Status of OpenSSL.

OpenSSL 3.0 FIPS 140-2 Free Rebranding Offer

Wed, 14 Sep 2022 12:00:00 +0000

OpenSSL is celebrating our FIPS 140-2 certification with a special offer for our Premium Support Customers by providing access to a free rebranding of the OpenSSL 3.0 FIPS 140-2 certificate.

See FIPS 140-2 Certificate here

OpenSSL FIPS 140-2 validation certificate issued

Wed, 24 Aug 2022 12:00:00 +0000

The OpenSSL Management Committee on behalf of the OpenSSL Project is pleased to announce that the OpenSSL 3.0 FIPS Provider has had its FIPS 140-2 validation certificate issued by NIST & CSE.

Spectre and Meltdown Attacks against OpenSSL

Fri, 13 May 2022 00:00:00 +0000

The OpenSSL Technical Committee (OTC) was recently made aware of several potential attacks against the OpenSSL libraries which might permit information leakage via the Spectre attack.¹ Although there are currently no known exploits for the Spectre attacks identified, it is plausible that some of them might be exploitable.

Local side channel attacks, such as these, are outside the scope of our security policy, however the project generally does introduce mitigations when they are discovered. In this case, the OTC has decided that these attacks will not be mitigated by changes to the OpenSSL code base. The full reasoning behind this is given below.

Starting the QUIC design

Fri, 03 Dec 2021 12:00:00 +0000

The OTC recently agreed a new design process that needs to be followed for future releases. See here for details. Moving forward designs for significant features should be captured and stored alongside the documentation in our main source code repository and updated if necessary during the development process.

OpenSSL Update

Thu, 25 Nov 2021 14:00:00 +0000

The OpenSSL community is a diverse group, ranging from those that use applications that depend on OpenSSL (effectively end-users) to operating system distributions, application developers, embedded devices, layered security libraries, and cryptographic algorithm and protocol researchers. Each of these subsets of our community have different needs and different priorities.

Making changes to OpenSSL technical policies more open

Fri, 12 Nov 2021 10:00:00 +0000

The OpenSSL Technical Committee decided to have a more formal but also a more open process on establishing changes to OpenSSL technical policies and other technical decisions made by the OpenSSL Technical Committee. We would like to invite the broad community of OpenSSL developers and users to participate in our decision making process.

Community Maintainers: How to get support for your platform

Mon, 08 Nov 2021 08:15:00 +0000

OpenSSL 3.0 FIPS Module has been submitted for validation

Wed, 22 Sep 2021 18:00:00 +0000

Following on from the recent announcement that OpenSSL 3.0 has been released, we have now also submitted our FIPS 140-2 validation report to NIST’s Cryptographic Module Validation Program (CMVP).

Old Let's Encrypt root certificate expiration and OpenSSL 1.0.2

Mon, 13 Sep 2021 08:00:00 +0000

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

OpenSSL 3.0 has been released!

Tue, 07 Sep 2021 14:00:00 +0000

After 3 years of development work, 17 alpha releases, 2 beta releases, over 7,500 commits and contributions from over 350 different authors we have finally released OpenSSL 3.0! In addition to this there has been a large number of contributions from our users who have been actively working with the pre-release versions to test it, make sure it works in the real world and with a large array of different applications and reporting their results. I am also delighted to note that there has been a 94% increase in the amount of documentation that we have since OpenSSL 1.1.1 and an (adjusted) increase in the “lines of code” in our tests of 54%. There has never been a better demonstration of what an active and enthusiastic community we have than when you look at the statistics for the OpenSSL 3.0 development work. Thanks to everyone who has taken part - no matter how small that part was.

OpenSSL 3.0 Release Candidate

Thu, 17 Jun 2021 14:20:00 +0000

The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee (OTC) are glad to announce our first beta release of OpenSSL 3.0. We consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback.

OpenSSL 3.0 alpha7 release

Tue, 20 Oct 2020 19:00:00 +0000

The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee (OTC) are glad to announce the seventh alpha release of OpenSSL 3.0.

OpenSSL 3.0 alpha4 release

Thu, 25 Jun 2020 19:00:00 +0000

The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the fourth alpha release of OpenSSL 3.0.

OpenSSL 3.0 alpha3 release

Fri, 05 Jun 2020 12:00:00 +0000

The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the third alpha release of OpenSSL 3.0.

OpenSSL 3.0 alpha2 release

Sat, 16 May 2020 12:00:00 +0000

The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the second alpha release of OpenSSL 3.0.

Security Policy Update on prenotifications

Tue, 12 May 2020 09:00:00 +0000

We’re planning to extend who we prenotify of any future High and Critical security issues.

OpenSSL 3.0 alpha1 release

Thu, 23 Apr 2020 12:00:00 +0000

The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the first alpha release of OpenSSL 3.0.

QUIC and OpenSSL

Mon, 17 Feb 2020 12:00:00 +0000

QUIC is a new protocol which the IETF talks about as A UDP-Based Multiplexed and Secure Transport, and has attracted a lot of attention lately. The OpenSSL Management Committee (OMC) have followed the development with interest, and we feel that we owe it to the community to say where we stand on this, and on the inclusion of support for this protocol in our libraries.

Update on 3.0 Development, FIPS and 1.0.2 EOL

Thu, 07 Nov 2019 16:00:00 +0000

We have previously talked about our plans for OpenSSL 3.0 and FIPS support here. This blog post will give an update about what has been happening since then.

Face to Face: Committer's Day

Thu, 23 May 2019 17:15:00 +0000

At the Face to Face meeting held on the occasion of the ICMC19 Conference in Vancouver, a novelty was introduced: For the last day of the meeting all committers were invited to participate, either personally or remotely via video conference.

New Committers

Mon, 20 May 2019 12:00:00 +0000

Following on from our additions to the committers last year, the OpenSSL Management Committee has now added four new Committers.

OpenSSL 3.0 and FIPS update

Wed, 13 Feb 2019 10:30:00 +0000

As mentioned in a previous blog post, OpenSSL team members met with various representatives of the FIPS sponsor organisations back in September last year to discuss design and planning for the new FIPS module development project.

Since then there has been much design work taking place and we are now able to publish the draft design documentation. You can read about how we see the longer term architecture of OpenSSL changing in the future here and you can read about our specific plans for OpenSSL 3.0 (our next release which will include a FIPS validated module) here.

Celebrating 20 years of OpenSSL

Thu, 20 Dec 2018 12:00:00 +0000

20 years ago, on the 23rd December 1998, the first version of OpenSSL was released. OpenSSL was not the original name planned for the project but it was changed over just a few hours before the site went live. Let’s take a look at some of the early history of OpenSSL as some of the background has not been documented before.

The Holy Hand Grenade of Antioch

Wed, 28 Nov 2018 12:00:00 +0000

The OpenSSL Management Committee has been looking at the versioning scheme that is currently in use. Over the years we’ve received plenty of feedback about the “uniqueness” of this scheme, and it does cause some confusion for some users. We would like to adopt a more typical version numbering approach.

The current versioning scheme has this format:

MAJOR.MINOR.FIX[PATCH]

The new scheme will have this format:

MAJOR.MINOR.PATCH

In practical terms our “letter” patch releases become patch numbers and “fix” is dropped from the concept. In future, API/ABI compatibility will only be guaranteed for the same MAJOR version number. Previously we guaranteed API/ABI compatibility across the same MAJOR.MINOR combination. This more closely aligns with the expectations of users who are familiar with semantic versioning. We are not at this stage directly adopting semantic versioning because it would mean changing our current LTS policies and practices.

FIPS 140-2: Forward progress

Tue, 25 Sep 2018 12:00:00 +0000

The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project would like to formally express its thanks to the following organisations for agreeing to sponsor the next FIPS validation effort: Akamai Technologies, Blue Cedar, NetApp, Oracle, VMware.

Four weeks ago, the OpenSSL team gathered with many of the organisations sponsoring the next FIPS module for a face-to-face meeting in Brisbane, Australia.

We got a great deal accomplished during that week. Having most of the fips-sponsor organisations in the same location helps ensure that we are all on the same page for the decisions we need to make going forward.

OpenSSL 1.1.1 is released

Tue, 11 Sep 2018 12:00:00 +0000

After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.

New OMC member and new Committers

Wed, 22 Aug 2018 12:00:00 +0000

We first announced last year the OpenSSL Management Committee and separate Committers groups aimed at enabling greater involvement from the community.

We have now added a new OMC member and two new committers.

New LTS Release

Fri, 18 May 2018 06:00:00 +0000

Back around the end of 2014 we posted our release strategy. This was the first time we defined support timelines for our releases, and added the concept of an LTS (long-term support) release. At our OMC meeting earlier this month, we picked our next LTS release. This post walks through that announcement, and tries to explain all the implications of it.

Changing the guiding principles in our Security Policy

Wed, 16 May 2018 21:00:00 +0000

“That we remove “We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You can not pay us to get security patches in advance.” from the security policy and Mark posts a blog entry to explain the change including that we have no current such service.”

At the OpenSSL Management Committee meeting earlier this month we passed the vote above to remove a section our security policy. Part of that vote was that I would write this blog post to explain why we made this change.

Seeking Last Group of Contributors

Thu, 01 Mar 2018 06:00:00 +0000

The following is a press release that we just put out about how finishing off our relicensing effort. For the impatient, please see https://license.openssl.org/trying-to-find to help us find the last people; we want to change the license with our next release, which is currently in Alpha, and tentatively set for May.

For background, you can see all posts in the license tag.

One copy of the press release is at https://www.prnewswire.com/news-releases/openssl-seeking-last-group-of-contributors-300607162.html.

Using TLS1.3 with OpenSSL

Thu, 08 Feb 2018 12:00:00 +0100

Note: This is an outdated version of this blog post. This information is now maintained in a wiki page. See here for the latest version.

The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3. The new release will be binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL when it becomes available and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of. In this blog post I am going to cover some of those things.

Early access to security issues for support customers?

Wed, 07 Feb 2018 09:00:00 +0000

At the face to face last year we discussed future funding models, and we are exploring a range of possible options. One suggestion raised was we could sell more support contracts and give those support contract users patches for security issues in advance.

But before we can even discuss this as an option we would have to change our public stance. Our security policy since 2014 has stated we would not do this and currently reads:

Another Face to Face: Email changes and crypto policy

Thu, 18 Jan 2018 01:00:00 +0000

The OpenSSL OMC met last month for a two-day face-to-face meeting in London, and like previous F2F meetings, most of the team was present and we addressed a great many issues. This blog posts talks about some of them, and most of the others will get their own blog posts, or notices, later. Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft covered the costs of their employees who attended.

One of the overall threads of the meeting was about increasing the transparency of the project. By default, everything should be done in public. We decided to try some major changes to email and such.

OpenSSL wins the Levchin prize

Wed, 10 Jan 2018 19:00:00 +0000

Today I have had great pleasure in attending the Real World Crypto 2018 conference in Zürich in order to receive the Levchin prize on behalf of the OpenSSL team.

The Levchin prize for Real World Cryptography recognises up to two groups or individuals each year who have made significant advances in the practice of cryptography and its use in real-world systems. This year one of the two recipients is the OpenSSL team. The other recipient is Hugo Krawczyk.

Steve Marquess

Fri, 27 Oct 2017 01:00:00 +0000

Steve Marquess is leaving the OpenSSL project as of the 15th of November 2017.

The OpenSSL Management Committee (OMC) would like to wish him all the best for the future.

All communication that used to go to Steve Marquess directly, should now be sent to [email protected]">[email protected] in the first instance.

Thanks for your contributions to the project over the years!

Steve Henson

Tue, 24 Oct 2017 01:00:00 +0000

For as long as I have been involved in the OpenSSL project there has been one constant presence: Steve Henson. In fact he has been a part of the project since it was founded and he is the number 1 committer of all time (by a wide margin). I recall the first few times I had any dealings with him being somewhat in awe of his encyclopaedic knowledge of OpenSSL and all things crypto. Over the years Steve has made very many significant contributions both in terms of code but also in terms of being an active member of the management team.

Seven days and four cities in China

Thu, 28 Sep 2017 01:00:00 +0000

We had been invited to spend time with the open source community in China by one of the developers - Paul Yang - who participates in the OpenSSL project. A number of the team members had communicated via email over the last year and when the suggestion was made there were enough of us willing and interested to visit China for a “tour” to make sense. So the tour was agreed as a good thing and that started the journey that lead to spending a week in China (last week as I write this on the plane on the way back to Australia).

FIPS 140-2: Thanks and Farewell to SafeLogic

Thu, 17 Aug 2017 16:00:00 +0000

We’ve had a change in the stakeholder aspect of this new FIPS 140 validation effort. The original sponsor, SafeLogic, with whom we jump-started this effort a year ago and who has worked with us since then, is taking a well-deserved bow due to a change in circumstances. Supporting this effort has been quite a strain for a relatively small company, but SafeLogic has left us in a fairly good position. Without SafeLogic we wouldn’t have made it this far, and while I don’t anticipate any future SafeLogic involvement with this effort from this point on, I remain enormously grateful to SafeLogic and CEO Ray Potter for taking on such a bold and ambitious venture.

Random thoughts

Sat, 12 Aug 2017 20:00:00 +0000

The next release will include a completely overhauled version of the random number facility, the RAND API. The default RAND method is now based on a Deterministic Random Bit Generator (DRBG) implemented according to the NIST recommendation 800-90A. We have also edited the documentation, allowed finer-grained configuration of how to seed the generator, and updated the default seeding mechanisms.

There will probably be more changes before the release is made, but they should be comparatively minor.

Read on for more details.

FIPS 140-2: And so it begins

Tue, 25 Jul 2017 20:00:00 +0000

It’s been almost a year since plans for a new FIPS 140 validation were first announced. Several factors have led to this long delay. For one, we chose to focus our limited manpower resources on higher priority objectives such as the TLS 1.3 implementation. SafeLogic has also experienced difficulties in obtaining the funding for their intended sponsorship; potential sponsors can [email protected]">contact them directly.

With TLS 1.3 now done (pending only a final TLS 1.3 specification) we’re now in a position to turn our attention to the new FIPS module, and just in the nick of time Oracle has pledged enough funding to get us off to a good start. With financial support from the Linux Foundation Core Infrastructure Initiative temporarily interrupted, leaving a team member with no income, that funding eases the pressure to seek new long term employment.

Removing some code

Sat, 17 Jun 2017 12:00:00 +0000

This is another update on our effort to re-license the OpenSSL software. Our previous post in March was about the launch of our effort to reach all contributors, with the hope that they would support this change.

So far, about 40% of the people have responded. For a project that is as old as OpenSSL (including its predecessor, SSLeay, it’s around 20 years) that’s not bad. We’ll be continuing our efforts over the next couple of months to contact everyone.

Of those people responding, the vast majority have been in favor of the license change – less then a dozen objected. This post describes what we’re doing about those and how we came to our conclusions. The goal is to be very transparent and open with our processes.

New Committers

Tue, 13 Jun 2017 12:00:00 +0000

We announced back in October that we would be changing from a single OpenSSL Project Team to having an OpenSSL management committee and a set of committers which we planned to expand to enable the greater involvement from the community.

Now that we have in place committer guidelines, we have invited the first set of external (non-OMC) community members to become committers and they have each accepted the invitation.

Using TLS1.3 with OpenSSL

Thu, 04 May 2017 12:00:00 +0100

Note: This is an outdated version of this blog post. This information is now maintained in a wiki page. See here for the latest version.

Licensing Update

Wed, 22 Mar 2017 12:00:00 +0000

The following is a press release that we just released, with the cooperation and financial support of the Core Infrastructure Initiative and the Linux Foundation.

In the next few days we’ll start sending out email to all contributors asking them to approve the change. In the meantime, you can visit the licensing website and search for your name and request the email. If you have changed email addresses, or want to raise other issues about the license change, please email [email protected]">[email protected]. You can also post general issues to [email protected]">[email protected].

We are grateful to all the contributors who have contributed to OpenSSL and look forward to their help and support in this effort.

The official press release can be found at the CII website. The rest of this post is a copy:

OpenSSL and Threads

Tue, 21 Feb 2017 11:00:00 +0000

This post talks about OpenSSL and threads. In particular, using OpenSSL in multi-threaded applications. It traces through the history, explains what was changed for the 1.1.0 release, and will hopefully provide some guidance to developers.

While none of the behaviors have really changed, and therefore none of this should be new information, the documentation has not been as clear as it could, or should, be. Therefore, some readers might be surprised by what’s in this post.

In short, OpenSSL has always, and only, supported the concept of locking an object and sometimes it locks its internal objects. Read on for more details.

Project Bylaws

Mon, 13 Feb 2017 12:00:00 +0000

Last October, the OpenSSL Project team had a face to face meeting. We talked about many topics but one of them was that, in recent years, we have seen much more involvement from the community and that we would like to encourage that further. For example, there are a number of people in the community who we know and trust. We would like those people to get involved more and make it easier for them to contribute. We decided to introduce the concept of a “committer” (borrowed from the Apache concept): someone who has the ability to commit code to our source code repository but without necessarily having to become a full team member. This might be seen as a stepping-stone for someone who aspires to full team membership, or simply as an easier way of contributing for those that don’t. Those people could help with our review process (i.e., their reviews would count towards approval) - which might help us keep on top of the github issues and pull request queues.

OCAP audit of OpenSSL

Thu, 15 Dec 2016 01:00:00 +0000

The audit took place during 2015 in two phases while the OpenSSL project was working on the development of the (now released) 1.1.0 version. We chose to audit the “master” branch of the code as it stood at the time. OpenSSL 1.1.0 has made some extensive internal changes, most notably in libssl with the new state machine code, as well as the new packet parsing code. We wanted the audit team to review that code to give us confidence that what we were delivering was sound.

Face to Face: Roadmap and platform updates

Mon, 24 Oct 2016 01:00:00 +0000

This is another in the series of posts about decisions we made at our face-to-face meeting a couple of weeks ago.

We updated the project roadmap.

I think the most important news here, is that our next release will include TLS 1.3. Our current plan is that this will be 1.1.1, which means that it is API-compatible with the current 1.1.0 release. This is really only possible because of the work we did on making most of the structure internals opaque. Also, since we are doing all of our work in public on our GitHub repository, we hope that the entire community will be able to “follow along at home” and help us improve the code. There will be more, much more, to say about this later.

Face to Face: Goodbye RT, hello GitHub

Wed, 12 Oct 2016 01:00:00 +0000

Last week, the OpenSSL dev team had another face-to-face meeting. It was a week of “mosts”: most of the team flew in for most of the week, and most of it was funded by the CII/LF

We got a great deal accomplished during that week. We do many things by vote, and having everyone in the room to talk not only beats email all to hell, but it ensures that we’re all on the same page for the decisions we make. Sure, not everything was a unanimous decision, but none were decided by narrow margins.

In this post I’m going to talk about two important decisions.

The SWEET32 issue, CVE-2016-2183

Wed, 24 Aug 2016 23:16:00 +0000

Today, Karthik Bhargavan and Gaetan Leurent from Inria have unveiled a new attack on Triple-DES, SWEET32, Birthday attacks on 64-bit block ciphers in TLS and OpenVPN. It has been assigned CVE-2016-2183.

This post gives a bit of background and describes what OpenSSL is doing. For more details, see their website.

FIPS 140-2: Once more unto the breach

Wed, 20 Jul 2016 19:00:00 +0000

The last post on this topic sounded a skeptical note on the prospects for a new FIPS 140 validated module for OpenSSL 1.1 and beyond. That post noted a rather improbable set of prerequisites for a new validation attempt; ones I thought only a governmental sponsor could meet (as was the case for the five previous open source based validations).

Multiple commercial vendors have offered to fund (very generously in some cases) a new validation effort under terms that would guarantee them a proprietary validation, while not guaranteeing an open source based validation. At one point we actually came close to closing a deal that would have funded an open source based validation attempt in exchange for a limited period of exclusivity; a reasonable trade-off in my opinion. But, I eventually concluded that was too risky given an uncertain reception by the FIPS validation bureaucracy, and we decided to wait for a “white knight” sponsor that might never materialize.

Undefined Pointer Arithmetic

Mon, 27 Jun 2016 17:00:00 +0000

In commits a004e72b9 (1.0.2) and 6f35f6deb (1.0.1) we released a fix for CVE-2016-2177. The fix corrects a common coding idiom present in OpenSSL 1.0.2 and OpenSSL 1.0.1 which actually relies on a usage of pointer arithmetic that is undefined in the C specification. The problem does not exist in master (OpenSSL 1.1.0) which refactored this code some while ago. This usage could give rise to a low severity security issue in certain unusual scenarios. The OpenSSL security policy (https://openssl-library.org/policies/general/security-policy/) states that we publish low severity issues directly to our public repository, and they get rolled up into the next release whenever that happens. The rest of this blog post describes the problem in a little more detail, explains the scenarios where a security issue could arise and why this issue has been rated as low severity.

An OpenSSL user's guide to DROWN

Tue, 01 Mar 2016 14:59:00 +0000

Today, an international group of researchers unveiled DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), aka CVE-2016-0800, a novel cross-protocol attack that uses SSLv2 handshakes to decrypt TLS sessions.

Over the past weeks, the OpenSSL team worked closely with the researchers to determine the exact impact of DROWN on OpenSSL and devise countermeasures to protect our users. Today’s OpenSSL release makes it impossible to configure a TLS server in such a way that it is vulnerable to DROWN.

Poly1305 revised

Mon, 15 Feb 2016 22:16:22 +0100

Poly1305 implementations are characterized by several parameters:

radix or base of inputs representation, or how many digits represent the 130-bit value the algorithm operates on;
vectorization factor, or how many input blocks are processed per [loop] iteration and in parallel;
floating-point vs. integer/scalar arithmetic;

Engine Building Lesson 2: An Example MD5 Engine

Mon, 23 Nov 2015 22:19:30 +0100

Coming back after a month and two weeks, it’s time to resume with the next engine lesson, this time building an engine implementing a digest.

It doesn’t matter much what digest algorithm we choose. Being lazy, I’ve chosen one with a well defined reference implementation, MD5 (reference implementation is found in RFC 1321)

Engine building lesson 1: A minimum useless engine

Thu, 08 Oct 2015 05:41:20 +0200

In this lesson, we’re going to explore minimalism, in this case in the form of the most minimal engine possible (without obfuscating it).

The least boilerplate code for an engine looks like this:

#include <openssl/engine.h>

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()

This example isn’t complete, it will not compile. However, it contains the absolute minimum required for those module to even be recognised as an OpenSSL engine.

Engine school, a path to writing standalone engines

Wed, 07 Oct 2015 23:32:00 +0000

For the longest time, it seems that people have wanted to have their diverse engines bundled with the OpenSSL source, as if there was no other way to build it or distribute it.

Nothing could be further from the truth. Also, having the engine for some hardware bundled with the OpenSSL source presents a maintainance problem, and the better solution is for those who have an engine to maintain theḿ themselves.

New severity level, "Critical"

Mon, 28 Sep 2015 12:10:00 +0000

We’ve just added a new severity level called “critical severity” to our security policy. When we first introduced the policy, over a year ago, we just had three levels, “Low”, “Moderate”, and “High”. So why did we add “Critical” and why are we not using someone else’s standard definitions?

After introducing the new policy we started giving everyone a headsup when we were due to release OpenSSL updates that included security fixes. The headsup doesn’t contain any details of the issues being fixed apart from the maximum severity level and a date a few days in the future.

FIPS 140-2: It's not dead, it's resting

Wed, 02 Sep 2015 14:00:00 +0000

Some of you may have noticed that the upcoming 1.1 release doesn’t include any FIPS support. That omission is not by choice; it was forced on us by circumstances and will hopefully not be permanent.

The v2.0 OpenSSL FIPS module is compatible with the 1.0.x releases, in particular the 1.0.2 “LTS” release that will be supported through 2019. It has proven very popular, used both directly by hundreds of software vendors and indirectly as a model for copycat “private label” validations.

OpenSSL Security: A Year in Review

Tue, 01 Sep 2015 12:47:00 +0000

Over the last 10 years, OpenSSL has published advisories on over 100 vulnerabilities. Many more were likely silently fixed in the early days, but in the past year our goal has been to establish a clear public record.

In September 2014, the team adopted a security policy that defines how we handle vulnerability reports. One year later, I’m very happy to conclude that our policy is enforced, and working well.

Our policy divides vulnerabilities into three categories, and defines actions for each category: we use the severity ranking to balance the need to get the fix out fast with the burden release upgrades put on our consumers.

New website

Sat, 15 Aug 2015 14:00:00 +0000

We just went live with a new website. The design is based on the style included with Octopress; the new logo and some other important CSS tweaks were contributed by Tony Arcieri. The style is also mobile-friendly, so you can take us with you wherever you go. :) We still need a better “favicon.”

The text still needs more work. As someone on the team pointed out, “a worldwide community of volunteers that use the Internet to communicate, plan, and develop [OpenSSL]” … really?

License Agreements and changes are coming

Sat, 01 Aug 2015 09:00:00 +0000

The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want get into any specific details, and I certainly don’t know them all.

Things have evolved since then, and open source is an important part of the landscape – the Internet could not exist without it. There are good reasons why Microsoft is a founding member of the Core Infrastructure Initiative (CII).

Our plan is to update the license to the Apache License version 2.0. We are in consultation with various corporate partners, the CII, and the legal experts at the Software Freedom Law Center. In other words, we have a great deal of expertise and interest at our fingertips.

Beyond reformatting: More code cleanup

Tue, 28 Jul 2015 13:20:00 +0000

The OpenSSL source doesn’t look the same as it did a year ago. Matt posted about the big code reformatting. In this post I want review some of the other changes – these rarely affect features, but are more than involved than “just” whitespace.

Logjam, FREAK and upcoming changes in OpenSSL

Wed, 20 May 2015 18:12:00 +0000

Today, news broke of Logjam, an attack on TLS connections using Diffie-Hellman ciphersuites. To protect OpenSSL-based clients, we’re increasing the minimum accepted DH key size to 768 bits immediately in the next release, and to 1024 bits soon after. We have also made several other changes to strengthen our cryptographic defaults and have updated our tools and documentation to help servers configure Diffie-Hellman ciphersuites securely - see below for details.

Security Updates

Thu, 19 Mar 2015 14:00:00 +0000

We’ve just released security updates to OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2.

These updates fix a number of Moderate and Low severity security issues in OpenSSL. They also fix one new High severity issue, CVE-2015-0291, that affects just OpenSSL 1.0.2, released in January this year. A remote attacker could use this flaw to cause unfixed servers to crash, which could lead to a denial of service attack depending on the server.

Code Reformat Finished

Wed, 11 Feb 2015 13:45:00 +0000

At the end of January we completed the OpenSSL code reformat as previously mentioned here and here. This post is intended to give you a bit more insight into exactly what we’ve done.

Source Code Reformat

Mon, 05 Jan 2015 14:36:25 +0000

We have previously announced our intention to reformat the entire codebase into a more consistent style (see our roadmap document here: https://www.openssl.org/policies/roadmap.html)

On redesigning our website

Sun, 28 Dec 2014 19:00:00 +0000

So I recently asked for help with our website on Twitter. It’s been my most popular tweet. Several people have expressed an interest – thanks for that, and thanks for your support.

The goal of this post is to list the requirements. It’s definitely incomplete and will evolve over time. Post your questions and comments and help refine the list!

The new Release Strategy

Tue, 23 Dec 2014 23:16:00 +0000

Today the OpenSSL project published its Release Strategy. You can read it here. There are some really important announcements discussed in it. I’d like to spend a bit of time talking about the thinking that went into writing this strategy.

Hello World

Fri, 19 Dec 2014 20:00:00 +0000

Well, we did it. We have an OpenSSL team blog.

Whew.

#include <stdio.h>

int
main(int ac, char *av[])
{
    printf("Hello, world\n");
    return 0;
}

Authorised Trademark Register

Mon, 01 Jan 0001 00:00:00 +0000

Requestor Name	Date Decided	Approved/Declined	Reason for Decision	Approval Type	Approved Usage
OpenSSL Validation Services, Inc.	TBA	Approved	while not affiliated with the OpenSSL project has historical rights to use the OpenSSL trademark.	License Agreement	full usage
ExampleOrg	2022-11-25	Approved	Beneficial to OSSL to involved with this organisaiton	Written Authorisation	Including “based on OpenSSL” in their Super Services product

Branch Policy

Mon, 01 Jan 0001 00:00:00 +0000

The openssl repository contains the following maintained branches:

The default development branch

Any type (bug fix, feature, refactoring, …) of pull requests is allowed.
The development of the next minor or major release happens there. API/ABI breaking changes are allowed on this branch only if the next release will be a major release.
Any changes merged to this branch must be ported to the future major and future minor branches if they are applicable. This can be done by directly cherry-picking the changes when merging if there are no conflicts. By this we must ensure that no features or bug fixes are unintentionally lost in future major or minor releases.

The supported release branches

The development of the next patch releases of supported stable releases happens there.
According to stable release update policy only bug fixes and documentation changes are allowed.
By exception given by the OpenSSL Foundation or the OpenSSL Corporation also other types of pull requests can be merged.
Bug fix and documentation pull requests must be always merged to the latest branch where the bug or documentation deficiency is present including the future major and minor branches. It can be then merged (backported or directly cherry-picked) to all older branches where the deficiency is present.

A future major branch

The development of a future major release happens there. Implicitly it means that any API/ABI breaking changes are allowed but the OpenSSL Foundation or the OpenSSL Corporation can (and usually will) limit the extent of the breakage allowed.
Major features are allowed. Examples of a major feature: A completely new implementation of a protocol. New API for pluggable crypto modules.
Major refactoring is allowed. Examples of major refactoring: Splitting libcrypto into multiple hierarchically dependent libraries.
There might be no future major branch if the currently developed release is a major release and there are no changes accepted for a future major release yet.
All changes specifically targetting this branch instead of the default development branch must be approved by the OpenSSL Foundation or OpenSSL Corporation.

A future minor branch

The development of the minor release that is supposed to be released after the release currently being developed at the default development branch happens there.
No API/ABI breaking changes are allowed.
No major features are allowed unless explicitly acked by the OpenSSL Foundation or the OpenSSL Corporation as targeted for the minor release.
No major refactoring is allowed.
Any changes (features, bug-fixes, documentation, …) done on the future minor branch must be ported or directly cherry-picked to the future major branch if applicable.
Exceptions are possible for example when we are removing deprecated functionality in the future major branch.
There might be no future minor branch when the expected future release would be a major release or there are no changes accepted for a future minor release yet.
All changes specifically targetting this branch instead of the default development branch must be approved by the OpenSSL Foundation or the OpenSSL Corporation.

Branch and tag naming

The branch where the development of the next release is happening is called openssl-x.y where x is the current major version number and y is the version number of the release being developed. This is the default branch of the repository.

Changelog

Mon, 01 Jan 0001 00:00:00 +0000

When a release is created, that branch is forked off, and its changelog is also forked. For example, none of the changes after 0.9.8n appear in the other logs, because 1.0.0 was created after that release and before 0.9.8o. Any changes that are merged across branches, however, should have an entry in each branch’s changelog.

This is the changelog for the master branch, the one that is currently in active development. The markdown version of this document is available here: CHANGES.md

Code of Conduct

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL community consists primarily, although not solely, of its online presence in mailing lists and activities such as the blog postings and comments, the GitHub repository, and so on. These outlets are managed by the the Foundation and the Corporation.

We strive to be an open and inclusive community where anyone can contribute. Contributions should be judged on their own merits; we don’t care about your gender identity, race, political beliefs, age, or similar attributes.

Community

Mon, 01 Jan 0001 00:00:00 +0000

OpenSSL library source is maintained by a team of committers. We operate under a set of project bylaws and ask everyone to follow our code of conduct.

There are many ways you can join the community and contribute. The “getting started” page has some ideas. We maintain several mailing lists. Anyone can join, but you must be a member of a list to post to it. We have a public wiki that anyone with a GitHub account can edit. We have a team blog, where members of the development team will occasionally post.

Community Support

Mon, 01 Jan 0001 00:00:00 +0000

For community based support you can use the openssl-users mailing list or github discussion pages.

You can also purchase commercial support contacts.

Contact Information

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL Software Foundation (OSF) represents the OpenSSL project in most legal capacities including contributor license agreements, managing donations, and so on. It is a Delaware (US) non-profit corporation with its own bylaws.

OpenSSL Software Services (OSS) also represents the OpenSSL project, for Support Contracts, and as the Vendor of Record for NIST Cryptographic Module #1747 (This is an open-source validation of FIPS-140 based on OpenSSL). It is a Delaware (US) corporation with its own bylaws.

Contact us

Mon, 01 Jan 0001 00:00:00 +0000

OpenSSL Software Foundation Inc
Web: https://openssl.foundation
Email: [email protected]">[email protected]
OpenSSL Software Services Inc
Web: https://openssl-corporation.org
Email: [email protected]">[email protected]

Feel free to reach out to us with your questions or for more information. We look forward to assisting you!

Contributor Agreements

Mon, 01 Jan 0001 00:00:00 +0000

Every non-trivial contribution needs to be covered by a signed Contributor License Agreement (CLA) from all original authors. We have modelled our policy based on the practice of the Apache Software Foundation. You can see their CLA policy here. Our policy is:

OpenSSL requires that all non-trivial contributors of ideas, code, or documentation complete, sign, and submit (via email, or postal mail) an Individual Contributor License Agreement (ICLA). The purpose of this agreement is to clearly define the terms under which intellectual property has been contributed to OpenSSL and thereby allow us to defend the project should there be a legal dispute regarding the software at some future time.

Current platforms

Mon, 01 Jan 0001 00:00:00 +0000

Current primary platforms

Target	O/S	Architecture	Toolchain
linux-x86_64	Ubuntu Server 20.04	x86_64	gcc 9
linux-generic64	Ubuntu Server 20.04	x86_64	gcc 9
linux-x86	Debian 11	x86	gcc 10
linux-generic32	Debian 11	x86	gcc 10
BSD-x86_64	FreeBSD 13.0	x86_64	Clang 11
VC-WIN64A	Windows 10	x86_64	Visual Studio 2019 Community Edition
VC-WIN32	Windows 10	x86	Visual Studio 2019 Community Edition
mingw64	Windows 10	x86_64	MinGW (64 bit) and MSYS2
darwin64-x86_64	Mac OS Big Sur (11)	x86_64	Apple clang 13
darwin64-arm64	Mac OS Big Sur (11)	AArch64 (M1)	Apple clang 12

Current secondary platforms

Target		O/S		Architecture		Toolchain		Nominated Committer(s)		Nominated Community Maintainer(s)
linux-aarch64		Linux		AArch64		gcc		@tom-cosgrove-arm		@zorrorffm @xkqian

Current community platforms

Target	O/S	Architecture	Toolchain	Nominated Community Member(s)
nonstop-nsx	NonStop OSS L21.06	x86_64 ilp32	c99	@rsbeckerca
nonstop-nsx_put	NonStop OSS L21.06	x86_64 ilp32 PUT	c99	@rsbeckerca
nonstop-nsx_64	NonStop OSS L21.06	x86_64 lp64	c99	@rsbeckerca
nonstop-nsx_64_put	NonStop OSS L21.06	x86_64 lp64 PUT	c99	@rsbeckerca
nonstop-nsx_spt	NonStop OSS L21.06	x86_64 ilp32 SPT	c99	@rsbeckerca
nonstop-nsx_spt_floss	NonStop OSS L21.06	x86_64 ilp32 SPT FLOSS	c99	@rsbeckerca
nonstop-nsv	NonStop OSS L21.06	x86_64 ilp32	c99	@rsbeckerca
nonstop-nse	NonStop OSS J06.22	ia64 ilp32	c99	@rsbeckerca
nonstop-nse_put	NonStop OSS J06.22	ia64 ilp32 PUT	c99	@rsbeckerca
nonstop-nse_64	NonStop OSS J06.22	ia64 lp64	c99	@rsbeckerca
nonstop-nse_64_put	NonStop OSS J06.22	ia64 lp64 PUT	c99	@rsbeckerca
nonstop-nse_spt	NonStop OSS J06.22	ia64 ipl32 SPT	c99	@rsbeckerca
nonstop-nse_spt_floss	NonStop OSS J06.22	ia64 ipl32 SPT FLOSS	c99	@rsbeckerca
linux64-loongarch64	Linux	loongarch64	gcc	@shipujin
BSD-armv4	FreeBSD	armv4	LLVM	@pkubaj
BSD-ppc	FreeBSD	ppc	LLVM	@pkubaj
BSD-ppc64	FreeBSD	ppc64	LLVM	@pkubaj
BSD-ppc64le	FreeBSD	ppc64le	LLVM	@pkubaj
BSD-riscv64	FreeBSD	riscv64	LLVM	@pkubaj
solaris64-x86_64-gcc	Solaris	x86_64	gcc	@tio-checo @darrenmoffat
solaris64-x86_64-cc	Solaris	x86_64	Sun C	@tio-checo @darrenmoffat
solaris64-sparcv9-gcc	Solaris	Sparc V9 64 bit	gcc	@tio-checo @darrenmoffat
solaris64-sparcv9-cc	Solaris	Sparc V9 64 bit	Sun C	@tio-checo @darrenmoffat
linux64-s390x	Linux	s390x	gcc	@holger-dengler @ifranzki
hurd-x86	Hurd	x86	gcc	@sthibaul
hurd-x86_64	Hurd	x86_64	gcc	@sthibaul
ios-xcrun	iOS	armv7	Apple clang 12	@fwh-dc
ios64-xcrun	iOS	aarch64	Apple clang 12	@fwh-dc
iossimulator-xcrun	iOS Simulator	x86_64 or aarch64	Apple clang 12	@fwh-dc
iossimulator-arm64-xcrun	iOS Simulator	aarch64	Apple clang 12	@fwh-dc
iphoneos-cross	iOS	?	Apple clang 12	@fwh-dc
ios-cross	iOS	armv7	Apple clang 12	@fwh-dc
ios64-cross	iOS	aarch64	Apple clang 12	@fwh-dc
linux-ppc64le	Linux	ppc64 little endian	gcc	@dannytsen @erichte-ibm @naynajain
linux64-riscv64	Linux	riscv64	gcc	@ZenithalHourlyRate
linux32-riscv32	Linux	riscv32	gcc	@ZenithalHourlyRate
aix-gcc	AIX	ppc32	gcc	@sanumesh
aix64-gcc	AIX	ppc64	gcc	@sanumesh
aix64-gcc-as	AIX	ppc64	gcc as directive	@sanumesh
aix-cc	AIX	ppc32	IBM xlc	@sanumesh
aix64-cc	AIX	ppc64	IBM xlc	@sanumesh
aix-clang	AIX	ppc32	IBM openxl clang	@sanumesh
aix64-clang	AIX	ppc64	IBM openxl clang	@sanumesh
BC-64	Windows 10/11	x86_64	Embarcaderoclang	@GermanAizek

Current unadopted platforms

Target	O/S	Architecture	Toolchain
vms-x86_64	OpenVMS 9.2	x86_64	VSI C 7.5
vms-ia64	OpenVMS 8.4	ia64	VSI C 7.4
vms-ia64-p32	OpenVMS 8.4	ia64	VSI C 7.4 ¹
vms-ia64-p64	OpenVMS 8.4	ia64	VSI C 7.4 ²
vms-alpha	OpenVMS 8.4	alpha	VSI C 7.4
vms-alpha-p32	OpenVMS 8.4	alpha	VSI C 7.4 ¹
vms-alpha-p64	OpenVMS 8.4	alpha	VSI C 7.4 ²
vos-gcc	VOS	??	gcc
solaris-x86-gcc	Solaris	x86	gcc
solaris-sparcv7-gcc	Solaris	Sparc V7	gcc
solaris-sparcv8-gcc	Solaris	Sparc V8	gcc
solaris-sparcv9-gcc	Solaris	Sparc V9 32 bit	gcc
solaris-sparcv7-cc	Solaris	Sparc V7	Sun C
solaris-sparcv8-cc	Solaris	Sparc V8	Sun C
solaris-sparcv9-cc	Solaris	Sparc V9 32 bit	Sun C
irix-mips3-gcc	Irix 6.x	mips64 n32	gcc
irix-mips3-cc	Irix 6.x	mips64 n32	??
irix64-mips4-gcc	Irix 6.x	mips64 n64	gcc
irix64-mips4-cc	Irix 6.x	mips64 n64	??
hpux-parisc-gcc	HP-UX	parisc	gcc
hpux-parisc1_1-gcc	HP-UX	parisc 1.1 32 bit	gcc
hpux64-parisc2-gcc	HP-UX	parisc 2.0 64 bit	gcc
hpux-parisc-cc	HP-UX	parisc	??
hpux-parisc1_1-cc	HP-UX	parisc 1.0 32 bit	??
hpux64-parisc2-cc	HP-UX	parisc 2.0 64 bit	??
hpux-ia64-cc	HP-UX	IA64 32 bit	??
hpux64-ia64-cc	HP-UX	IA64 64 bit	??
hpux-ia64-gcc	HP-UX	IA64 32 bit	gcc
hpux64-ia64-gcc	HP-UX	IA64 64 bit	gcc
MPE/iX-gcc	MPE/iX	parisc?	gcc
tru64-alpha-gcc	Tru64	alpha	gcc
tru64-alpha-cc	Tru64	alpha	??
linux-ppc	Linux	ppc32	gcc
linux-ppc64	Linux	ppc64 big endian	gcc
linux-armv4	Linux	armv4	gcc
linux-arm64ilp32	Linux	aarch64-ilp32	gcc
linux-mips32	Linux	mips32 o32	gcc
linux-mips64	Linux	mips64 n32	gcc
linux64-mips64	Linux	mips64 64 bit	gcc
linux-x86-clang	Linux	x86	clang
linux-x86_64-clang	Linux	x86_64	clang
linux-x32	Linux	x86_64 x32	gcc
linux-ia64	Linux	ia64	gcc
linux32-s390x	Linux	s390x 31 bit	gcc
linux-sparcv8	Linux	sparc v8	gcc
linux-sparcv9	Linux	sparc v9 32 bit	gcc
linux64-sparcv9	Linux	sparc v9 64 bit	gcc
linux-alpha-gcc	Linux	alpha	gcc
linux-c64xplus	Linux	c64xplus	gcc
linux-c64xplus	Linux	c64xplus	gcc
BSD-x86	FreeBSD / OpenBSD / NetBSD / ?	x86 a.out	??
BSD-x86-elf	FreeBSD / OpenBSD / NetBSD / ?	x86 elf	??
BSD-sparcv8	?	Sparc v8	??
BSD-sparcv9	?	Sparc v9 32 bit	??
BSD-ia64	?	IA64	??
BSD-x86_64	OpenBSD / NetBSD / ?	x86_64	??
bsdi-elf-gcc	BSDi	??	??
unixware-2.0	unixware 2.0	??	??
unixware-2.1	unixware 2.1	??	??
unixware-7	unixware 7	x86	??
unixware-7-gcc	unixware 7	x86	gcc
sco5-cc	Open Server 5?	x86	??
sco5-gcc	Open Server 5?	x86	gcc
BS2000-OSD	BS2000/OSD	??	??
VC-WIN64I	Windows XP / Windows Server 2008?	ia64	Visual C
VC-CE	Windows CE	x86 / armv4?	Visual C
VC-WIN64A-masm	Windows 10	x86	Visual C with masm
mingw	Windows 10?	x86	gcc
UEFI-x86	UEFI	x86	??
UEFI-x86_64	UEFI	x86_64	??
UWIN	UWIN	x86
Cygwin-x86	Windows 10	x86	gcc
Cygwin-x86_64	Windows 10	x86_64	gcc
darwin-ppc	MacOS?	ppc32
darwin64-ppc	MacOS?	ppc64
darwin-i386	MacOS?	x86
darwin-i386	MacOS?	x86
vxworks-ppc60x	vxworks	ppc32
vxworks-ppcgen	vxworks	ppc32
vxworks-ppc405	vxworks	ppc32 405
vxworks-ppc750	vxworks	ppc32 750
vxworks-ppc860	vxworks	ppc32 860
vxworks-simlinux	vxworks	x86?
vxworks-mips	vxworks	mips32 o32
uClinux-dist	uClinux	?	gcc
uClinux-dist64	uClinux	?	gcc
android-arm	android	armv4
android-arm64	android	aarch64
android-mips	android	mips32 o32
android-mips64	android	mips64
android-x86	android	x86
android-x86_64	android	x86_64
BC-32	Windows 10?	x86	Borland C, C++ Builder?
DJGPP	DOS?	x86?	djgpp
haiku-x86	Haiku	x86	gcc?
haiku-x86_64	Haiku	x86_64	gcc?
nonstop-nsx_g	NonStop Guardian	x86_64 ilp32
nonstop-nsx_g_tandem	NonStop Guardian	x86_64 ilp32
nonstop-nse_g	NonStop Guardian	ia64 ipl32
nonstop-nse_g_tandem	NonStop Guardian	ia64 ipl32
OS390-Unix	zOS	s390
VC-WIN32-ONECORE	Windows OneCore	x86	Visual C
VC-WIN64A-ONECORE	Windows OneCore	x86_64	Visual C
VC-WIN32-ARM	Windows OneCore	arm	Visual C
VC-WIN64-ARM	Windows OneCore	aarch64	Visual C
VC-WIN32-UWP	Windows UWP	x86	Visual C
VC-WIN64A-UWP	Windows UWP	x86_64	Visual C
VC-ARM-UWP	Windows UWP	arm	Visual C
VC-ARM64-UWP	Windows UWP	aarch64	Visual C
aix-cc-solib	AIX	ppc32	IBM xlc
aix64-cc-solib	AIX	ppc64	IBM xlc

[VMS] 32 bit pointer build ↩︎ ↩︎

CVEs and the FIPS provider

Mon, 01 Jan 0001 00:00:00 +0000

After the release of OpenSSL 3.0.0, several CVEs have been identified and resolved. While the majority of these vulnerabilities are unrelated to the validated FIPS providers, a few of them are applicable. This table lists all of the CVEs issued since the FIPS providers’ releases and their relevance to it:

CVE ID	Fixed	FIPS?	Notes
CVE-2024-13176	3.0.16 3.1.8 3.2.4 3.3.3 3.4.1	yes	Timing side channel in ECDSA signature computations. Workaround: Avoid using the module for ECDSA signatures where an attacker can be running in the same datacenter.
CVE-2024-12797	3.0.16 3.1.8 3.2.4 3.3.3 3.4.1	no
CVE-2024-9143	3.0.16 3.1.8 3.2.4 3.3.3 3.4.0	no
CVE-2024-6119	3.0.15 3.1.7 3.2.3 3.3.2	no
CVE-2024-5535	3.0.15 3.1.7 3.2.3 3.3.2	no
CVE-2024-4741	3.0.14 3.1.6 3.2.2 3.3.1	no
CVE-2024-4603	3.0.14 3.1.6 3.2.2 3.3.1	yes	EVP_PKEY_public_check() can take a long time. Workaround: First check the value returned by EVP_PKEY_get_bits() and reject too large keys.
CVE-2024-2511	3.0.14 3.1.6 3.2.2	no
CVE-2024-0727	3.0.13 3.1.5 3.2.1	no
CVE-2023-6237	3.0.13 3.1.5 3.2.1	yes	EVP_PKEY_public_check() can take a long time. Workaround: First check the value returned by EVP_PKEY_get_bits() and reject too large keys.
CVE-2023-6129	3.0.13 3.1.5 3.2.1	no
CVE-2023-5678	3.0.13 3.1.5	no
CVE-2023-5363	3.0.12 3.1.4	no
CVE-2023-4807	3.0.11 3.1.3	no
			Release of 3.1.2 FIPS provider
CVE-2023-3817	3.0.10 3.1.2	no
CVE-2023-3446	3.0.10 3.1.2	no
CVE-2023-2975	3.0.10 3.1.2	no
			Release of 3.0.9 FIPS provider
CVE-2023-2650	3.0.9 3.1.1	no
CVE-2023-1255	3.0.9 3.1.1	yes	Possible denial of service on Arm 64 (aarch64) using AES XTS mode
CVE-2023-0466	3.0.9 3.1.1	no
CVE-2023-0465	3.0.9 3.1.1	no
CVE-2023-0464	3.0.9 3.1.1	no
			Release of 3.0.8 FIPS provider
CVE-2023-0401	3.0.8	no
CVE-2023-0286	3.0.8	no
CVE-2023-0217	3.0.8	yes	DSA public key checks (but not from TLS)
CVE-2023-0216	3.0.8	no
CVE-2023-0215	3.0.8	no
CVE-2022-4450	3.0.8	no
CVE-2022-4304	3.0.8	yes	Timing side channel in RSA
CVE-2022-4203	3.0.8	no
CVE-2022-3996	3.0.8	no
CVE-2022-3786	3.0.7	no
CVE-2022-3602	3.0.7	no
CVE-2022-3358	3.0.6	no
CVE-2022-2274	3.0.5	no	Bug introduced in 3.0.4 which isn’t validated
CVE-2022-2097	3.0.5	no	Architecture (x86) is not part of validation
CVE-2022-2068	3.0.4	no
CVE-2022-1473	3.0.3	no
CVE-2022-1434	3.0.3	no
CVE-2022-1343	3.0.3	no
CVE-2022-1292	3.0.3	no
CVE-2022-0778	3.0.2	maybe	Difficult to encounter inside FIPS boundary
CVE-2021-4160	3.0.1	no	Architecture (MIPS) is not part of validation
CVE-2021-4044	3.0.1	no
			Release of 3.0.0 FIPS provider

Design Process Policy

Mon, 01 Jan 0001 00:00:00 +0000

Objectives

The objective of the design process is to increase the quality of the software engineering process. The production of design documents confers the following benefits:

Prior to implementation, the present understanding of the problem domain is documented in a readily accessible fashion. The understanding of other OpenSSL contributors is enhanced, as is their ability to identify any potential issues in the design, or to make related code contributions.
After implementation, the design document serves as documentation of the architectural and design decisions and rationale which served as the basis for the implementation of the relevant functionality. This is beneficial both to contributors who wish to understand the relevant code, or evolve the implementation, but also to contributors who wish to implement related functionality or understand non-obvious rationales behind given design decisions.

Distributions

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL project does not endorse or recommend any specific binary distribution, third party engine, or third party provider.

An informal list of third party distributions can be found on the wiki.

FAQ

Mon, 01 Jan 0001 00:00:00 +0000

Who controls the OpenSSL Library?

The Foundation primarily focuses on non-commercial communities and the Corporation primarily focuses on commercial communities. Decisions about the OpenSSL Library are made on a co-equal basis where the Foundation and the Corporation can operate independently and make decisions autonomously

Who controls the OpenSSL Mission?

The Foundation and the Corporation both operate under the OpenSSL Mission and are responsible for any updates or changes to the Mission.

The library is huge, and it is a struggle to know where to start. What introductory materials do you have?

Feature Branch Approval Policy

Mon, 01 Jan 0001 00:00:00 +0000

The Time-based Release Policy defines a regular twice-a-year schedule for new OpenSSL versions. In the case of large features that cannot reasonably be implemented and reviewed within a single PR there is a risk that only an incomplete or incorrect implementation of the feature will be merged to the master branch by the time a feature freeze occurs for the next release.

To avoid this problem feature branches can be used. A feature branch is simply a branch in the main git repository that can be used as a target branch for PRs related to a single new feature.

Getting Started as a Contributor

Mon, 01 Jan 0001 00:00:00 +0000

We’re always looking for people who want to help out. Here are some tips to getting started. First, get familiar with the information on this page, and the links to the side. In particular, you should look at the discussion pages. There are also Mailing Lists you can join.

Here are some ideas:

Review and comment on the pull requests on GitHub.
You can find pull requests -- patches that people have suggested -- at https://github.com/openssl/openssl/pulls. Reviewing and commenting on these is helpful and can be a good way to learn your way around the code.
Look through the OpenSSL issues on GitHub.
You can find issues that people have opened at https://github.com/openssl/openssl/issues. Sometimes there are open tickets that can be related, it would be good to cross-reference them (so somebody working on one, sees the other). Commentary on the issues is also good. Even just commenting that you think an issue is important is very useful!
Help update the documentation.
The documentation has gotten better, but there are still many API's that are not documented. Write a POD page, or report bugs in existing pages. It’s probably better to do a whole bunch of minor edits in one submission.
Write some test cases.
Simple stand-alone test programs that exercise various APIs are very useful, and can usually be added to our perl-based test framework pretty easily. Tests of the command-line program are also important, and can be handled by the same framework but might require a bit more digging. We welcome all new test efforts!
Follow Contributing Steps.
See the details in CONTRIBUTING.md and then contribute a change to the documentation or software, by opening a pull request.

Git Repository

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL software is developed using a Git repository. Access to the origin repository is private and all users other than committers access the repository via our downstream clone on GitHub, at https://github.com/openssl/openssl on GitHub. This repository is updated with every commit and is accessible through multiple protocols.

Use the following command to clone the git repository including all available branches and tags:

$ git clone https://github.com/openssl/openssl.git
OR
$ git clone [email protected]:openssl/openssl.git

Access to specific branches is possible via the standard branch and checkout commands. See the discussion of branch naming below for more information.

Glossary of OpenSSL terms

Mon, 01 Jan 0001 00:00:00 +0000

This is a glossary of terms, it does not include any formal definitions of the included terms. It does, however, link to the formal definition where appropriate. In the event in a conflict between this glossary and the formal definition, the formal definition is always canonical.

ABI

Application binary interface

An ABI compatible release allows a shared library to be replaced with a new version or for applications to be relinked against the new library with the expectation that everything will run.

Legal Disclaimer

Mon, 01 Jan 0001 00:00:00 +0000

Export/import and/or use of cryptography software, cryptographic hooks, or technical details about cryptography may be restricted in some parts of the world.
It is your responsibility to determine the legal status of your usage or participation.

License

Mon, 01 Jan 0001 00:00:00 +0000

OpenSSL is covered by one of two licenses, depending on which release is involved. In all cases, there is a file named LICENSE in the top-level of the release. Copies can also be found here.

For the 3.0 release, and later releases derived from that, the Apache License v2 applies. This also applies to the git “master” branch.

For any release made before OpenSSL 3.0 (namely the 1.1.1, 1.1.0, 1.0.2, and all prior releases including those not currently supported), the dual OpenSSL and SSLeay license applies. Note that this is also true for any updates to those releases – the “letter suffix” – no matter when they are made. It also applies to the git branches for all those releases, and to any public forks that have not rebased to master (or 3.0).

List of Committers

Mon, 01 Jan 0001 00:00:00 +0000

The current list of committers is listed below. These are the people who can commit changes to the OpenSSL source tree, with appropriate code reviews. Their deliberations can be found on the OpenSSL Community platform.

Committers

Name	GitHub
Alicja Kario	tomato42
Bernd Edlinger	bernd-edlinger
David von Oheimb	DDvO
Dmitry Belyavsky	beldmit
Eugene Syromiatnikov	esyr
Frederik Wedel-Heinen	fwh-dc
Kurt Roeckx	kroeckx
Matt Caswell	mattcaswell
Neil Horman	nhorman
Nikola Pajkovsky	npajkovsky
Norbert Pocs	jogme
Paul Dale	paulidale
Paul Yang	InfoHunter
Richard Levitte	levitte
Sasha Nedvedicky	Sashan
Shane Lontis	slontis
Simo Sorce	simo5
Tim Hudson	t-j-h
Todd Short	tmshort
Tom Cosgrove	tom-cosgrove-arm
Tomas Mraz	t8m
Viktor Dukhovni	vdukhovni

Mailing Lists

Mon, 01 Jan 0001 00:00:00 +0000

You’ll need to be a member of the list to post to it. Anything you post to a list, including the E-mail address you posted from, will be sent to and seen by all other members of the list. Here are the mailing lists we run:

List	Description
openssl-announce	Official Project Announcements; low-volume read-only.
openssl-project	Discussion about the organization and structure of the project itself. Moderated.
openssl-commits	Commits to the source repository and build results; read-only.
openssl-users	Any questions about building, using, etc., OpenSSL itself.

openssl-announce subscription form

Management

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL library project is managed co-equally by the Foundation and Corporation in conjuction with our various committees and communities.

OpenSSL Software Foundation Inc
Web: https://openssl.foundation
Email: [email protected]">[email protected]
OpenSSL Software Services Inc
Web: https://openssl-corporation.org
Email: [email protected]">[email protected]

Feel free to reach out to us with your questions or for more information. We look forward to assisting you!

Old 0.9.x releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-0.9.8zh.tar.gz	3.6MiB	03 Dec 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-0.9.8zg.tar.gz	3.6MiB	11 Jun 2015	(MD5)(PGP)(SHA1)
openssl-0.9.8zf.tar.gz	3.6MiB	19 Mar 2015	(MD5)(PGP)(SHA1)
openssl-0.9.8ze.tar.gz	3.6MiB	15 Jan 2015	(MD5)(PGP)(SHA1)
openssl-0.9.8zd.tar.gz	3.6MiB	08 Jan 2015	(MD5)(PGP)(SHA1)
openssl-0.9.8zc.tar.gz	3.6MiB	15 Oct 2014	(MD5)(PGP)(SHA1)
openssl-0.9.8zb.tar.gz	3.6MiB	06 Aug 2014	(MD5)(PGP)(SHA1)
openssl-0.9.8za.tar.gz	3.6MiB	05 Jun 2014	(MD5)(PGP)(SHA1)
openssl-0.9.8y.tar.gz	3.6MiB	05 Feb 2013	(MD5)(PGP)(SHA1)
openssl-0.9.8x.tar.gz	3.6MiB	10 May 2012	(MD5)(PGP)(SHA1)
openssl-0.9.8w.tar.gz	3.6MiB	23 Apr 2012	(MD5)(PGP)(SHA1)
openssl-0.9.8v.tar.gz	3.6MiB	19 Apr 2012	(MD5)(PGP)(SHA1)
openssl-0.9.8u.tar.gz	3.6MiB	12 Mar 2012	(MD5)(PGP)(SHA1)
openssl-0.9.8t.tar.gz	3.6MiB	18 Jan 2012	(MD5)(PGP)(SHA1)
openssl-0.9.8s.tar.gz	3.6MiB	04 Jan 2012	(MD5)(PGP)(SHA1)
openssl-0.9.8r.tar.gz	3.6MiB	08 Feb 2011	(MD5)(PGP)(SHA1)
openssl-0.9.8q.tar.gz	3.6MiB	02 Dec 2010	(MD5)(PGP)(SHA1)
openssl-0.9.8p.tar.gz	3.6MiB	16 Nov 2010	(MD5)(PGP)(SHA1)
openssl-0.9.8o.tar.gz	3.6MiB	01 Jun 2010	(MD5)(PGP)(SHA1)
openssl-0.9.8n.tar.gz	3.6MiB	24 Mar 2010	(MD5)(PGP)(SHA1)
openssl-0.9.8m.tar.gz	3.6MiB	25 Feb 2010	(MD5)(PGP)(SHA1)
openssl-0.9.8m-beta1.tar.gz	3.6MiB	20 Jan 2010	(MD5)(PGP)(SHA1)
openssl-0.9.8l.tar.gz	4.0MiB	05 Nov 2009	(MD5)(PGP)(SHA1)
openssl-0.9.8k.tar.gz	3.7MiB	25 Mar 2009	(MD5)(PGP)(SHA1)
openssl-0.9.8j.tar.gz	3.6MiB	07 Jan 2009	(MD5)(PGP)(SHA1)
openssl-0.9.8i.tar.gz	3.3MiB	15 Sep 2008	(MD5)(PGP)(SHA1)
openssl-0.9.8h.tar.gz	3.3MiB	28 May 2008	(MD5)(PGP)(SHA1)
openssl-0.9.8g.tar.gz	3.2MiB	19 Oct 2007	(MD5)(PGP)(SHA1)
openssl-0.9.8f.tar.gz	3.2MiB	11 Oct 2007	(MD5)(PGP)(SHA1)
openssl-0.9.7m.tar.gz	3.2MiB	23 Feb 2007	(MD5)(PGP)(SHA1)
openssl-0.9.8e.tar.gz	3.2MiB	23 Feb 2007	(MD5)(PGP)(SHA1)
openssl-0.9.7l.tar.gz	3.1MiB	28 Sep 2006	(MD5)(PGP)(SHA1)
openssl-0.9.8d.tar.gz	3.2MiB	28 Sep 2006	(MD5)(PGP)(SHA1)
openssl-0.9.8c.tar.gz	3.2MiB	05 Sep 2006	(MD5)(PGP)(SHA1)
openssl-0.9.7k.tar.gz	3.1MiB	05 Sep 2006	(MD5)(PGP)(SHA1)
openssl-0.9.7j.tar.gz	3.1MiB	04 May 2006	(MD5)(PGP)(SHA1)
openssl-0.9.8b.tar.gz	3.1MiB	04 May 2006	(MD5)(PGP)(SHA1)
openssl-0.9.7i.tar.gz	3.1MiB	14 Oct 2005	(MD5)(PGP)(SHA1)
openssl-0.9.8a.tar.gz	3.1MiB	11 Oct 2005	(MD5)(PGP)(SHA1)
openssl-0.9.7h.tar.gz	3.1MiB	11 Oct 2005	(MD5)(PGP)(SHA1)
openssl-0.9.8.tar.gz	3.1MiB	05 Jul 2005	(MD5)(PGP)(SHA1)
openssl-0.9.7g.tar.gz	3.0MiB	11 Apr 2005	(MD5)(PGP)(SHA1)
openssl-0.9.7f.tar.gz	3.0MiB	22 Mar 2005	(MD5)(PGP)(SHA1)
openssl-0.9.7e.tar.gz	2.9MiB	25 Oct 2004	(MD5)(PGP)(SHA1)
openssl-0.9.7d.tar.gz	2.7MiB	17 Mar 2004	(MD5)(PGP)(SHA1)
openssl-0.9.6m.tar.gz	2.1MiB	17 Mar 2004	(MD5)(PGP)(SHA1)
openssl-0.9.6l.tar.gz	2.1MiB	04 Nov 2003	(MD5)(PGP)(SHA1)
openssl-0.9.6k.tar.gz	2.1MiB	30 Sep 2003	(MD5)(PGP)(SHA1)
openssl-0.9.7c.tar.gz	2.7MiB	30 Sep 2003	(MD5)(PGP)(SHA1)
openssl-0.9.7b.tar.gz	2.7MiB	10 Apr 2003	(MD5)(PGP)(SHA1)
openssl-0.9.6j.tar.gz	2.1MiB	10 Apr 2003	(MD5)(PGP)(SHA1)
openssl-0.9.6i.tar.gz	2.1MiB	19 Feb 2003	(MD5)(PGP)(SHA1)
openssl-0.9.7a.tar.gz	2.6MiB	19 Feb 2003	(MD5)(PGP)(SHA1)
openssl-0.9.7.tar.gz	2.6MiB	30 Dec 2002	(MD5)(PGP)(SHA1)
openssl-0.9.6.tar.gz	2.0MiB	10 Oct 2000	(MD5)(PGP)(SHA1)

Old 1.0.0 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-1.0.0t.tar.gz	3.9MiB	03 Dec 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.0s.tar.gz	3.9MiB	11 Jun 2015	(MD5)(PGP)(SHA1)
openssl-1.0.0r.tar.gz	3.9MiB	19 Mar 2015	(MD5)(PGP)(SHA1)
openssl-1.0.0q.tar.gz	3.8MiB	15 Jan 2015	(MD5)(PGP)(SHA1)
openssl-1.0.0p.tar.gz	3.8MiB	08 Jan 2015	(MD5)(PGP)(SHA1)
openssl-1.0.0o.tar.gz	3.8MiB	15 Oct 2014	(MD5)(PGP)(SHA1)
openssl-1.0.0n.tar.gz	3.8MiB	06 Aug 2014	(MD5)(PGP)(SHA1)
openssl-1.0.0m.tar.gz	3.9MiB	05 Jun 2014	(MD5)(PGP)(SHA1)
openssl-1.0.0l.tar.gz	3.9MiB	06 Jan 2014	(MD5)(PGP)(SHA1)
openssl-1.0.0k.tar.gz	3.9MiB	06 Feb 2013	(MD5)(PGP)(SHA1)
openssl-1.0.0j.tar.gz	3.9MiB	10 May 2012	(MD5)(PGP)(SHA1)
openssl-1.0.0i.tar.gz	3.9MiB	19 Apr 2012	(MD5)(PGP)(SHA1)
openssl-1.0.0h.tar.gz	3.9MiB	12 Mar 2012	(MD5)(PGP)(SHA1)
openssl-1.0.0g.tar.gz	3.9MiB	18 Jan 2012	(MD5)(PGP)(SHA1)
openssl-1.0.0f.tar.gz	3.9MiB	04 Jan 2012	(MD5)(PGP)(SHA1)
openssl-1.0.0e.tar.gz	3.9MiB	06 Sep 2011	(MD5)(PGP)(SHA1)
openssl-1.0.0d.tar.gz	3.8MiB	08 Feb 2011	(MD5)(PGP)(SHA1)
openssl-1.0.0c.tar.gz	3.8MiB	02 Dec 2010	(MD5)(PGP)(SHA1)
openssl-1.0.0b.tar.gz	3.8MiB	16 Nov 2010	(MD5)(PGP)(SHA1)
openssl-1.0.0a.tar.gz	3.8MiB	01 Jun 2010	(MD5)(PGP)(SHA1)
openssl-1.0.0.tar.gz	3.8MiB	29 Mar 2010	(MD5)(PGP)(SHA1)
openssl-1.0.0-beta5.tar.gz	3.8MiB	20 Jan 2010	(MD5)(PGP)(SHA1)
openssl-1.0.0-beta4.tar.gz	3.8MiB	10 Nov 2009	(MD5)(PGP)(SHA1)
openssl-1.0.0-beta3.tar.gz	3.8MiB	15 Jul 2009	(MD5)(PGP)(SHA1)
openssl-1.0.0-beta2.tar.gz	3.8MiB	21 Apr 2009	(MD5)(PGP)(SHA1)
openssl-1.0.0-beta1.tar.gz	3.8MiB	01 Apr 2009	(MD5)(PGP)(SHA1)

Old 1.0.1 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-1.0.1u.tar.gz	4.4MiB	22 Sep 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.1t.tar.gz	4.3MiB	03 May 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.1s.tar.gz	4.3MiB	01 Mar 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.1r.tar.gz	4.3MiB	28 Jan 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.1q.tar.gz	4.3MiB	03 Dec 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1p.tar.gz	4.3MiB	09 Jul 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1o.tar.gz	4.3MiB	12 Jun 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1n.tar.gz	4.3MiB	11 Jun 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1m.tar.gz	4.3MiB	19 Mar 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1l.tar.gz	4.2MiB	15 Jan 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1k.tar.gz	4.2MiB	08 Jan 2015	(PGP)(SHA1)(SHA256)
openssl-1.0.1j.tar.gz	4.2MiB	15 Oct 2014	(PGP)(SHA1)(SHA256)
openssl-1.0.1i.tar.gz	4.2MiB	06 Aug 2014	(PGP)(SHA1)(SHA256)
openssl-1.0.1h.tar.gz	4.3MiB	05 Jun 2014	(PGP)(SHA1)(SHA256)
openssl-1.0.1g.tar.gz	4.3MiB	07 Apr 2014	(PGP)(SHA1)(SHA256)
openssl-1.0.1f.tar.gz	4.3MiB	06 Jan 2014	(PGP)(SHA1)(SHA256)
openssl-1.0.1e.tar.gz	4.3MiB	11 Feb 2013	(PGP)(SHA1)(SHA256)
openssl-1.0.1d.tar.gz	4.3MiB	05 Feb 2013	(PGP)(SHA1)(SHA256)
openssl-1.0.1c.tar.gz	4.3MiB	10 May 2012	(PGP)(SHA1)(SHA256)
openssl-1.0.1b.tar.gz	4.3MiB	26 Apr 2012	(PGP)(SHA1)(SHA256)
openssl-1.0.1a.tar.gz	4.3MiB	19 Apr 2012	(PGP)(SHA1)(SHA256)
openssl-1.0.1.tar.gz	4.2MiB	14 Mar 2012	(PGP)(SHA1)(SHA256)
openssl-1.0.1-beta3.tar.gz	4.2MiB	23 Feb 2012	(PGP)(SHA1)(SHA256)
openssl-1.0.1-beta2.tar.gz	4.2MiB	19 Jan 2012	(PGP)(SHA1)(SHA256)
openssl-1.0.1-beta1.tar.gz	4.2MiB	03 Jan 2012	(PGP)(SHA1)(SHA256)

Old 1.0.2 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-1.0.2u.tar.gz	5.1MiB	20 Dec 2019	(PGP)(SHA1)(SHA256)
openssl-1.0.2t.tar.gz	5.1MiB	10 Sep 2019	(PGP)(SHA1)(SHA256)
openssl-1.0.2s.tar.gz	5.1MiB	28 May 2019	(PGP)(SHA1)(SHA256)
openssl-1.0.2r.tar.gz	5.1MiB	26 Feb 2019	(PGP)(SHA1)(SHA256)
openssl-1.0.2q.tar.gz	5.1MiB	20 Nov 2018	(PGP)(SHA1)(SHA256)
openssl-1.0.2p.tar.gz	5.1MiB	14 Aug 2018	(PGP)(SHA1)(SHA256)
openssl-1.0.2o.tar.gz	5.1MiB	27 Mar 2018	(PGP)(SHA1)(SHA256)
openssl-1.0.2n.tar.gz	5.1MiB	07 Dec 2017	(PGP)(SHA1)(SHA256)
openssl-1.0.2m.tar.gz	5.1MiB	02 Nov 2017	(PGP)(SHA1)(SHA256)
openssl-1.0.2l.tar.gz	5.1MiB	25 May 2017	(PGP)(SHA1)(SHA256)
openssl-1.0.2k.tar.gz	5.1MiB	26 Jan 2017	(PGP)(SHA1)(SHA256)
openssl-1.0.2j.tar.gz	5.1MiB	26 Sep 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.2i.tar.gz	5.1MiB	22 Sep 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.2h.tar.gz	5.0MiB	03 May 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.2g.tar.gz	5.0MiB	01 Mar 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.2f.tar.gz	5.0MiB	28 Jan 2016	(PGP)(SHA1)(SHA256)
openssl-1.0.2e.tar.gz	5.0MiB	03 Dec 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2d.tar.gz	5.1MiB	09 Jul 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2c.tar.gz	5.0MiB	12 Jun 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2b.tar.gz	5.0MiB	11 Jun 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2a.tar.gz	5.0MiB	19 Mar 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2.tar.gz	5.0MiB	22 Jan 2015	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2-beta3.tar.gz	4.9MiB	25 Sep 2014	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2-beta2.tar.gz	4.6MiB	22 Jul 2014	(MD5)(PGP)(SHA1)(SHA256)
openssl-1.0.2-beta1.tar.gz	4.7MiB	24 Feb 2014	(MD5)(PGP)(SHA1)(SHA256)

Old 1.1.0 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-1.1.0l.tar.gz	5.0MiB	10 Sep 2019	(PGP)(SHA1)(SHA256)
openssl-1.1.0k.tar.gz	5.0MiB	28 May 2019	(PGP)(SHA1)(SHA256)
openssl-1.1.0j.tar.gz	5.2MiB	20 Nov 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.0i.tar.gz	5.2MiB	14 Aug 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.0h.tar.gz	5.2MiB	27 Mar 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.0g.tar.gz	5.2MiB	02 Nov 2017	(PGP)(SHA1)(SHA256)
openssl-1.1.0f.tar.gz	5.0MiB	25 May 2017	(PGP)(SHA1)(SHA256)
openssl-1.1.0e.tar.gz	5.0MiB	16 Feb 2017	(PGP)(SHA1)(SHA256)
openssl-1.1.0d.tar.gz	5.0MiB	26 Jan 2017	(PGP)(SHA1)(SHA256)
openssl-1.1.0c.tar.gz	4.9MiB	10 Nov 2016	(PGP)(SHA1)(SHA256)
openssl-1.1.0b.tar.gz	4.9MiB	26 Sep 2016	(PGP)(SHA1)(SHA256)
openssl-1.1.0a.tar.gz	4.9MiB	22 Sep 2016	(PGP)(SHA1)(SHA256)
openssl-1.1.0.tar.gz	4.9MiB	25 Aug 2016	(PGP)(SHA1)(SHA256)
openssl-1.1.0-pre3.tar.gz	4.8MiB	15 Feb 2016	(PGP)(SHA1)(SHA256)
openssl-1.1.0-pre2.tar.gz	4.7MiB	14 Jan 2016	(PGP)(SHA1)(SHA256)
openssl-1.1.0-pre1.tar.gz	4.8MiB	10 Dec 2015	(PGP)(SHA1)(SHA256)

Old 1.1.1 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-1.1.1w.tar.gz	9.4MiB	12 Sep 2023	(PGP)(SHA1)(SHA256)
openssl-1.1.1v.tar.gz	9.4MiB	01 Aug 2023	(PGP)(SHA1)(SHA256)
openssl-1.1.1u.tar.gz	9.4MiB	30 May 2023	(PGP)(SHA1)(SHA256)
openssl-1.1.1t.tar.gz	9.4MiB	07 Feb 2023	(PGP)(SHA1)(SHA256)
openssl-1.1.1s.tar.gz	9.4MiB	01 Nov 2022	(PGP)(SHA1)(SHA256)
openssl-1.1.1q.tar.gz	9.4MiB	05 Jul 2022	(PGP)(SHA1)(SHA256)
openssl-1.1.1p.tar.gz	9.4MiB	21 Jun 2022	(PGP)(SHA1)(SHA256)
openssl-1.1.1o.tar.gz	9.4MiB	03 May 2022	(PGP)(SHA1)(SHA256)
openssl-1.1.1n.tar.gz	9.4MiB	15 Mar 2022	(PGP)(SHA1)(SHA256)
openssl-1.1.1m.tar.gz	9.4MiB	14 Dec 2021	(PGP)(SHA1)(SHA256)
openssl-1.1.1l.tar.gz	9.4MiB	24 Aug 2021	(PGP)(SHA1)(SHA256)
openssl-1.1.1k.tar.gz	9.4MiB	25 Mar 2021	(PGP)(SHA1)(SHA256)
openssl-1.1.1j.tar.gz	9.4MiB	16 Feb 2021	(PGP)(SHA1)(SHA256)
openssl-1.1.1i.tar.gz	9.4MiB	08 Dec 2020	(PGP)(SHA1)(SHA256)
openssl-1.1.1h.tar.gz	9.4MiB	22 Sep 2020	(PGP)(SHA1)(SHA256)
openssl-1.1.1g.tar.gz	9.3MiB	21 Apr 2020	(PGP)(SHA1)(SHA256)
openssl-1.1.1f.tar.gz	9.3MiB	31 Mar 2020	(PGP)(SHA1)(SHA256)
openssl-1.1.1e.tar.gz	9.3MiB	17 Mar 2020	(PGP)(SHA1)(SHA256)
openssl-1.1.1d.tar.gz	8.4MiB	10 Sep 2019	(PGP)(SHA1)(SHA256)
openssl-1.1.1c.tar.gz	8.5MiB	28 May 2019	(PGP)(SHA1)(SHA256)
openssl-1.1.1b.tar.gz	7.8MiB	26 Feb 2019	(PGP)(SHA1)(SHA256)
openssl-1.1.1a.tar.gz	8.0MiB	20 Nov 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1.tar.gz	8.0MiB	11 Sep 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre9.tar.gz	8.0MiB	21 Aug 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre8.tar.gz	7.9MiB	20 Jun 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre7.tar.gz	7.9MiB	29 May 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre6.tar.gz	7.9MiB	01 May 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre5.tar.gz	7.9MiB	17 Apr 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre4.tar.gz	7.9MiB	03 Apr 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre3.tar.gz	6.2MiB	20 Mar 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre2.tar.gz	6.2MiB	27 Feb 2018	(PGP)(SHA1)(SHA256)
openssl-1.1.1-pre1.tar.gz	6.1MiB	15 Feb 2018	(PGP)(SHA1)(SHA256)

Old 3.0 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.0.19.tar.gz	14.6MiB	27 Jan 2026	(PGP)(SHA1)(SHA256)
openssl-3.0.18.tar.gz	14.6MiB	30 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.0.17.tar.gz	14.6MiB	01 Jul 2025	(PGP)(SHA1)(SHA256)
openssl-3.0.16.tar.gz	14.6MiB	11 Feb 2025	(PGP)(SHA1)(SHA256)
openssl-3.0.15.tar.gz	14.6MiB	03 Sep 2024	(PGP)(SHA1)(SHA256)
openssl-3.0.14.tar.gz	14.6MiB	04 Jun 2024	(PGP)(SHA1)(SHA256)
openssl-3.0.13.tar.gz	14.6MiB	30 Jan 2024	(PGP)(SHA1)(SHA256)
openssl-3.0.12.tar.gz	14.5MiB	24 Oct 2023	(PGP)(SHA1)(SHA256)
openssl-3.0.11.tar.gz	14.5MiB	19 Sep 2023	(PGP)(SHA1)(SHA256)
openssl-3.0.10.tar.gz	14.5MiB	01 Aug 2023	(PGP)(SHA1)(SHA256)
openssl-3.0.9.tar.gz	14.5MiB	30 May 2023	(PGP)(SHA1)(SHA256)
openssl-3.0.8.tar.gz	14.4MiB	07 Feb 2023	(PGP)(SHA1)(SHA256)
openssl-3.0.7.tar.gz	14.4MiB	01 Nov 2022	(PGP)(SHA1)(SHA256)
openssl-3.0.5.tar.gz	14.4MiB	05 Jul 2022	(PGP)(SHA1)(SHA256)
openssl-3.0.4.tar.gz	14.4MiB	21 Jun 2022	(PGP)(SHA1)(SHA256)
openssl-3.0.3.tar.gz	14.4MiB	03 May 2022	(PGP)(SHA1)(SHA256)
openssl-3.0.2.tar.gz	14.3MiB	15 Mar 2022	(PGP)(SHA1)(SHA256)
openssl-3.0.1.tar.gz	14.3MiB	14 Dec 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0.tar.gz	14.3MiB	07 Sep 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-beta2.tar.gz	14.2MiB	29 Jul 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-beta1.tar.gz	14.2MiB	17 Jun 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha17.tar.gz	13.9MiB	20 May 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha16.tar.gz	13.8MiB	06 May 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha15.tar.gz	13.8MiB	22 Apr 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha14.tar.gz	13.7MiB	08 Apr 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha13.tar.gz	13.6MiB	11 Mar 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha12.tar.gz	13.5MiB	18 Feb 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha11.tar.gz	13.5MiB	28 Jan 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha10.tar.gz	13.4MiB	07 Jan 2021	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha9.tar.gz	13.4MiB	26 Nov 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha8.tar.gz	13.4MiB	05 Nov 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha7.tar.gz	13.4MiB	15 Oct 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha6.tar.gz	13.3MiB	06 Aug 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha5.tar.gz	13.3MiB	16 Jul 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha4.tar.gz	13.2MiB	25 Jun 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha3.tar.gz	9.2MiB	04 Jun 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha2.tar.gz	9.2MiB	15 May 2020	(PGP)(SHA1)(SHA256)
openssl-3.0.0-alpha1.tar.gz	9.1MiB	23 Apr 2020	(PGP)(SHA1)(SHA256)

Old 3.1 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.1.8.tar.gz	15.0MiB	11 Feb 2025	(PGP)(SHA1)(SHA256)
openssl-3.1.7.tar.gz	15.0MiB	03 Sep 2024	(PGP)(SHA1)(SHA256)
openssl-3.1.6.tar.gz	14.9MiB	04 Jun 2024	(PGP)(SHA1)(SHA256)
openssl-3.1.5.tar.gz	14.9MiB	30 Jan 2024	(PGP)(SHA1)(SHA256)
openssl-3.1.4.tar.gz	14.8MiB	24 Oct 2023	(PGP)(SHA1)(SHA256)
openssl-3.1.3.tar.gz	14.8MiB	19 Sep 2023	(PGP)(SHA1)(SHA256)
openssl-3.1.2.tar.gz	14.8MiB	01 Aug 2023	(PGP)(SHA1)(SHA256)
openssl-3.1.1.tar.gz	14.8MiB	30 May 2023	(PGP)(SHA1)(SHA256)
openssl-3.1.0.tar.gz	14.8MiB	14 Mar 2023	(PGP)(SHA1)(SHA256)
openssl-3.1.0-beta1.tar.gz	14.8MiB	21 Dec 2022	(PGP)(SHA1)(SHA256)
openssl-3.1.0-alpha1.tar.gz	14.6MiB	01 Dec 2022	(PGP)(SHA1)(SHA256)

Old 3.2 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.2.6.tar.gz	17.0MiB	30 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.2.5.tar.gz	17.0MiB	01 Jul 2025	(PGP)(SHA1)(SHA256)
openssl-3.2.4.tar.gz	17.0MiB	11 Feb 2025	(PGP)(SHA1)(SHA256)
openssl-3.2.3.tar.gz	16.9MiB	03 Sep 2024	(PGP)(SHA1)(SHA256)
openssl-3.2.2.tar.gz	16.9MiB	04 Jun 2024	(PGP)(SHA1)(SHA256)
openssl-3.2.1.tar.gz	16.9MiB	30 Jan 2024	(PGP)(SHA1)(SHA256)
openssl-3.2.0.tar.gz	16.9MiB	23 Nov 2023	(PGP)(SHA1)(SHA256)
openssl-3.2.0-beta1.tar.gz	16.8MiB	26 Oct 2023	(PGP)(SHA1)(SHA256)
openssl-3.2.0-alpha2.tar.gz	16.8MiB	28 Sep 2023	(PGP)(SHA1)(SHA256)
openssl-3.2.0-alpha1.tar.gz	16.7MiB	07 Sep 2023	(PGP)(SHA1)(SHA256)

Old 3.3 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.3.7.tar.gz	17.2MiB	07 Apr 2026	(PGP)(SHA1)(SHA256)
openssl-3.3.6.tar.gz	17.2MiB	27 Jan 2026	(PGP)(SHA1)(SHA256)
openssl-3.3.5.tar.gz	17.3MiB	30 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.3.4.tar.gz	17.3MiB	01 Jul 2025	(PGP)(SHA1)(SHA256)
openssl-3.3.3.tar.gz	17.3MiB	11 Feb 2025	(PGP)(SHA1)(SHA256)
openssl-3.3.2.tar.gz	17.2MiB	03 Sep 2024	(PGP)(SHA1)(SHA256)
openssl-3.3.1.tar.gz	17.2MiB	04 Jun 2024	(PGP)(SHA1)(SHA256)
openssl-3.3.0.tar.gz	17.2MiB	09 Apr 2024	(PGP)(SHA1)(SHA256)
openssl-3.3.0-beta1.tar.gz	17.2MiB	29 Mar 2024	(PGP)(SHA1)(SHA256)
openssl-3.3.0-alpha1.tar.gz	17.2MiB	20 Mar 2024	(PGP)(SHA1)(SHA256)

Old 3.4 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.4.4.tar.gz	17.4MiB	27 Jan 2026	(PGP)(SHA1)(SHA256)
openssl-3.4.3.tar.gz	17.5MiB	30 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.4.2.tar.gz	17.5MiB	01 Jul 2025	(PGP)(SHA1)(SHA256)
openssl-3.4.1.tar.gz	17.5MiB	11 Feb 2025	(PGP)(SHA1)(SHA256)
openssl-3.4.0.tar.gz	17.5MiB	22 Oct 2024	(PGP)(SHA1)(SHA256)
openssl-3.4.0-beta1.tar.gz	17.5MiB	07 Oct 2024	(PGP)(SHA1)(SHA256)
openssl-3.4.0-alpha1.tar.gz	17.5MiB	05 Sep 2024	(PGP)(SHA1)(SHA256)

Old 3.5 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.5.5.tar.gz	50.6MiB	27 Jan 2026	(PGP)(SHA1)(SHA256)
openssl-3.5.4.tar.gz	50.7MiB	30 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.5.3.tar.gz	50.7MiB	16 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.5.2.tar.gz	50.7MiB	05 Aug 2025	(PGP)(SHA1)(SHA256)
openssl-3.5.1.tar.gz	50.7MiB	01 Jul 2025	(PGP)(SHA1)(SHA256)
openssl-3.5.0.tar.gz	50.7MiB	08 Apr 2025	(PGP)(SHA1)(SHA256)
openssl-3.5.0-beta1.tar.gz	50.7MiB	25 Mar 2025	(PGP)(SHA1)(SHA256)
openssl-3.5.0-alpha1.tar.gz	50.7MiB	12 Mar 2025	(PGP)(SHA1)(SHA256)

Old 3.6 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-3.6.1.tar.gz	52.3MiB	27 Jan 2026	(PGP)(SHA1)(SHA256)
openssl-3.6.0.tar.gz	52.4MiB	01 Oct 2025	(PGP)(SHA1)(SHA256)
openssl-3.6.0-beta1.tar.gz	52.4MiB	16 Sep 2025	(PGP)(SHA1)(SHA256)
openssl-3.6.0-alpha1.tar.gz	52.4MiB	02 Sep 2025	(PGP)(SHA1)(SHA256)

Old 4.0 releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-4.0.0-beta1.tar.gz	52.5MiB	24 Mar 2026	(PGP)(SHA1)(SHA256)
openssl-4.0.0-alpha1.tar.gz	52.5MiB	10 Mar 2026	(PGP)(SHA1)(SHA256)

Old fips releases

Mon, 01 Jan 0001 00:00:00 +0000

Filename	Size	Release	Checksums
openssl-fips-ecp-2.0.16.tar.gz	1.4MiB	31 Aug 2017	(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.15.tar.gz	1.4MiB	30 Aug 2017	(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.14.tar.gz	1.4MiB	16 Feb 2017	(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.13.tar.gz	1.4MiB	14 Nov 2016	(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.12.tar.gz	1.4MiB	15 Feb 2016	(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.11.tar.gz	1.4MiB	15 Feb 2016	(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.10.tar.gz	1.4MiB	15 Feb 2016	(MD5)(PGP)(SHA1)(SHA256)
openssl-fips-ecp-2.0.9.tar.gz	1.3MiB	14 May 2015	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.8.tar.gz	1.3MiB	24 Oct 2014	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.7.tar.gz	1.4MiB	11 Jul 2014	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.6.tar.gz	1.3MiB	12 May 2014	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.4.tar.gz	1.4MiB	16 Dec 2013	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.5.tar.gz	1.4MiB	16 Dec 2013	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.3.tar.gz	1.4MiB	10 Apr 2013	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.2.tar.gz	1.4MiB	10 Apr 2013	(MD5)(PGP)(SHA1)
openssl-fips-ecp-2.0.1.tar.gz	1.4MiB	04 Oct 2012	(MD5)(PGP)(SHA1)

Old Releases

Mon, 01 Jan 0001 00:00:00 +0000

Here are the old releases.

Legalities

OMC

Mon, 01 Jan 0001 00:00:00 +0000

OpenSSL Management Committee

The OpenSSL Management Committee represents the official voice of the project. All official OMC decisions are taken on the basis of a vote.

The current OMC consists of (in alphabetical order):

Name	Email	Locale	PGP Key ID
Anton Arapov	[email protected]">[email protected]	CZ	134C 02E8 1388 9057 DA2F 3FDB EDDD 4C5D AA14 9BBE
Matt Caswell	[email protected]">[email protected]	UK	8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
Tim Hudson	[email protected]">[email protected]	AU	C1F3 3DD8 CE1D 4CC6 13AF 14DA 9195 C482 41FB F7DD
Richard Levitte	[email protected]">[email protected]	SE	7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
Kurt Roeckx	[email protected]">[email protected]	BE	E5E5 2560 DD91 C556 DDBD A5D0 2064 C536 41C2 5E5D

Names with an (I) are currently inactive as defined in our bylaws.

OMC Alumni

Mon, 01 Jan 0001 00:00:00 +0000

OpenSSL Management Committee - Alumni

We gratefully acknowledge the contributions of the following alumni (who were previously in the OMC, or a team member or founder prior to creation of the OMC):

Name		Locale
Mark J. Cox		UK
Paul Dale		AU
Viktor Dukhovni		US
Dr. Stephen Henson (OMC Emeritus)		UK
Lutz Jänicke		DE
Emilia Käsper		CH
Ben Laurie		UK
Steve Marquess		US
Bodo Möller		CH
Andy Polyakov		SE
Rich Salz		US
Geoff Thorpe		QC

We also respectfully remember Ulf Möller who is no longer with us.

OpenSSL 1.1.1 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 1.1.1 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository. More details can be found in the ChangeLog.

Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]

Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)

Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]

Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)

Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]

Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]

Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)

Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022]

Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the certificate data to be signed before signing the certificate.

Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022]

Added a missing header for memcmp that caused compilation failure on some platforms

Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]

Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097)

Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]

Fixed additional bugs in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-2068)

Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]

Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-1292)

Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli (CVE-2022-0778)

Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

None

Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]

Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)

Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

Fixed a problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client (CVE-2021-3449)

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841)
Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840)
Fixed SRP_Calc_client_key so that it runs in constant time

Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]

Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]

Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used
Enable ‘MinProtocol’ and ‘MaxProtocol’ to configure both TLS and DTLS contexts
Oracle Developer Studio will start reporting deprecation warnings

Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]

Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)

Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]

Revert the unexpected EOF reporting via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)
Properly detect unexpected EOF while reading in libssl and report it via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

Fixed a fork protection issue (CVE-2019-1549)
Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547)
Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems
Correct the extended master secret constant on EBCDIC systems
Use Windows installation paths in the mingw builds (CVE-2019-1552)
Changed DH_check to accept parameters with order q and 2q subgroups
Significantly reduce secure memory usage by the randomness pools
Revert the DEVRANDOM_WAIT feature for Linux systems

Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]

Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)

Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]

Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3.
Fix a bug in DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.

Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]

Timing vulnerability in DSA signature generation (CVE-2018-0734)
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3 for further important information). The TLSv1.3 implementation includes:
Fully compliant implementation of RFC8446 (TLSv1.3) on by default
Early data (0-RTT)
Post-handshake authentication and key update
Middlebox Compatibility Mode
TLSv1.3 PSKs
Support for all five RFC8446 ciphersuites
RSA-PSS signature algorithms (backported to TLSv1.2)
Configurable session ticket support
Stateless server support
Rewrite of the packet construction code for “safer” packet handling
Rewrite of the extension handling code
Complete rewrite of the OpenSSL random number generator to introduce the following capabilities
The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
Support for multiple DRBG instances with seed chaining.
There is a public and private DRBG instance.
The DRBG instances are fork-safe.
Keep all global DRBG instances on the secure heap if it is enabled.
The public and private DRBG instance are per thread for lock free operation
Support for various new cryptographic algorithms including:
SHA3
SHA512/224 and SHA512/256
EdDSA (both Ed25519 and Ed448) including X509 and TLS support
X448 (adding to the existing X25519 support in 1.1.0)
Multi-prime RSA
SM2
SM3
SM4
SipHash
ARIA (including TLS support)
Significant Side-Channel attack security improvements
Add a new ClientHello callback to provide the ability to adjust the SSL object at an early stage.
Add ‘Maximum Fragment Length’ TLS extension negotiation and support
A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects.
Move the display of configuration data to configdata.pm.
Allow GNU style “make variables” to be used with Configure.
Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
Rewrite of devcrypto engine

OpenSSL 3.0 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.0 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository. More details can be found in the ChangeLog.

Major changes between OpenSSL 3.0.19 and OpenSSL 3.0.20 [7 Apr 2026]

OpenSSL 3.0.20 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

OpenSSL 3.1 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.1 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository. More details can be found in the ChangeLog.

Major changes between OpenSSL 3.1.7 and OpenSSL 3.1.8 [11 Feb 2025]

OpenSSL 3.1.8 is a security patch release. The most severe CVE fixed in this release is Low.

This release incorporates the following bug fixes and mitigations:

OpenSSL 3.2 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.2 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository. More details can be found in the ChangeLog.

Major changes between OpenSSL 3.2.5 and OpenSSL 3.2.6 [30 Sep 2025]

OpenSSL 3.2.6 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

OpenSSL 3.3 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.3 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 3.3.6 and OpenSSL 3.3.7 [7 Apr 2026]

OpenSSL 3.3.7 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

OpenSSL 3.4 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.4 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 3.4.4 and OpenSSL 3.4.5 [7 Apr 2026]

OpenSSL 3.4.5 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

OpenSSL 3.5 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.5 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 3.5.5 and OpenSSL 3.5.6 [7 Apr 2026]

OpenSSL 3.5.6 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

OpenSSL 3.6 Series Release Notes

Mon, 01 Jan 0001 00:00:00 +0000

The major changes and known issues for the 3.6 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 3.6.1 and OpenSSL 3.6.2 [7 Apr 2026]

OpenSSL 3.6.2 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

OpenSSL coding style

Mon, 01 Jan 0001 00:00:00 +0000

This document describes the coding style for the OpenSSL project. It is derived from the Linux kernel coding style.

This guide is not distributed as part of OpenSSL itself. Since it is derived from the Linux Kernel Coding Style, it is distributed under the terms of the kernel license.

Coding style is all about readability and maintainability using commonly available tools. OpenSSL coding style is simple. Avoid tricky expressions.

OpenSSL documentation policy

Mon, 01 Jan 0001 00:00:00 +0000

This document describes the code documentation and commenting requirements for the OpenSSL project.

The project’s documentation is all about making the libraries and tools more accessible to our users and making the code more maintainable. This policy applies to new submissions, existing code is below par and will be gradually improved.

Chapter 1: Command line commands and arguments

All new or modified arguments to the commands must be documented in the doc/man1 directory. This documentation is in POD format.

OpenSSL Library Bylaws

Mon, 01 Jan 0001 00:00:00 +0000

This document defines the bylaws under which the OpenSSL Library Project operates. It defines the different project roles, how they contribute to the project, and how project decisions are made.

Roles and Responsibilities

Users

Users include any individual or organization that downloads, installs, compiles, or uses the OpenSSL Library via the libraries or the applications produced by the project. This includes OpenSSL-library-based derivatives such as patched versions of the OpenSSL Library provided through OS distributions, often known as “downstream” versions.

OpenSSL release versioning policy

Mon, 01 Jan 0001 00:00:00 +0000

This document describes the release versioning scheme used by the OpenSSL project from version 3.0.0 onwards. It also details the level of ABI and API compatibility each version represents.

Note: All examples herein are illustrative and do not constitute part of the versioning policy.

The version scheme consists a triple of numbers: major.minor.patch.

For example, the version 3.0.1 has a major version of 3, a minor version of 0 and a patch version of 1.

Our Mission and Values

Mon, 01 Jan 0001 00:00:00 +0000

Mission Statement

We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right.

Our Values

We believe all our communities are important.
We believe in the principles of open source software, not only for its inherent values but also for the transparency and accountability it provides to our security and privacy tools.
We believe in behaving in a manner that fosters trust and confidence.

Our Supporters

Mon, 01 Jan 0001 00:00:00 +0000

Thank you!

The OpenSSL Foundation is grateful to all of our supporters, whose contributions make our work possible. These dedicated supporters share our vision of a safer and more secure digital world and have put their financial backing behind it.

Premier Supporters

Premier Supporters have committed $100,000 and above, which represents a significant impact on our ability to fulfill our mission and plan for the future.

Code Protectors

The Code Protectors are corporate associates whose sponsorship gifts fund the OpenSSL Foundation’s most critical daily operations.

Platform Policy

Mon, 01 Jan 0001 00:00:00 +0000

Platforms are classified as “primary”, “secondary”, “community” and “unadopted”. Support for a new platform should only be added if it is being adopted as a primary, secondary or community platform.

Current platforms

Primary

Definition: A platform that is regularly tested through project CI on a project owned and managed system.

New Pull Requests (PRs) should not be merged unless the primary platforms are showing as “green” in CI. If the CI breaks for a branch (such as for a stable version or master) then it should be fixed as a priority.

Policy for Accepting Assembler Optimisations

Mon, 01 Jan 0001 00:00:00 +0000

New assembler optimisations for any algorithm having a C based implementation in any provider are always acceptable (subject to standard review procedures) for all platforms in the master branch.

New assembler optimisations are never acceptable for any platform or provider in a stable release branch.

Updates to existing assembler optimisations in a stable release branch are only acceptable where such updates would be allowed under the stable release update policy.

Where assembler optimisations are acceptable they should be implemented using perlasm.

Policy for OpenSSL Committers

Mon, 01 Jan 0001 00:00:00 +0000

Who is a committer?

OpenSSL committers are contributors who have commit access to the OpenSSL source code repository. Committers review and commit their own patches as well as those of other contributors.

How to become a committer?

Commit access is granted by the OpenSSL Foundation or the OpenSSL Corporation directors.

We welcome contributors who become domain experts in some part of the library (for example, low-level crypto) as well as generalists who contribute to all areas of the codebase. All committers share the responsibility for the overall health of the project: aside from contributing quality features, committers are team players who fix bugs, address open issues, review community contributions, and improve tests and documentation. Committers are also shepherds of the OpenSSL community and its code of conduct.

Policy on API compatibility in minor releases

Mon, 01 Jan 0001 00:00:00 +0000

The public API of the OpenSSL libraries is defined as functions, macros, data structure declarations, typedefs, and data variables in header files in the include/openssl subdirectory of the source tree and include/openssl subdirectory of the build tree.

No changes to existing public API functions and data are permitted. This includes, but is not limited to:

constification of arguments;
changing void returns to int returns;
changing a macro to a function and
corrections of spelling.

Only API additions are allowed in minor releases.

Release and Advisory Timeline

Mon, 01 Jan 0001 00:00:00 +0000

Here is a timeline of all OpenSSL releases and security advisories.

Date	Content
14 Apr 2026	OpenSSL 4.0.0
07 Apr 2026	OpenSSL 3.6.2
07 Apr 2026	OpenSSL 3.5.6
07 Apr 2026	OpenSSL 3.4.5
07 Apr 2026	OpenSSL 3.3.7
07 Apr 2026	OpenSSL 3.0.20
07 Apr 2026	Security Advisory Incorrect Failure Handling in RSA KEM RSASVE Encapsulation (CVE-2026-31790) Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support (CVE-2026-28386) Potential Use-after-free in DANE Client Code (CVE-2026-28387) NULL Pointer Dereference When Processing a Delta CRL (CVE-2026-28388) Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo (CVE-2026-28389) Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo (CVE-2026-28390) Heap Buffer Overflow in Hexadecimal Conversion (CVE-2026-31789)
24 Mar 2026	OpenSSL 4.0.0-beta1
13 Mar 2026	Security Advisory OpenSSL TLS 1.3 server may choose unexpected key agreement group (CVE-2026-2673)
10 Mar 2026	OpenSSL 4.0.0-alpha1
27 Jan 2026	OpenSSL 3.6.1
27 Jan 2026	OpenSSL 3.5.5
27 Jan 2026	OpenSSL 3.4.4
27 Jan 2026	OpenSSL 3.3.6
27 Jan 2026	OpenSSL 3.0.19
27 Jan 2026	Security Advisory Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187) Stack buffer overflow in CMS (Auth)EnvelopedData parsing (CVE-2025-15467) NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468) “openssl dgst” one-shot codepath silently truncates inputs >16MB (CVE-2025-15469) TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199) Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160) Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418) Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419) Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420) NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421) Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795) ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
01 Oct 2025	OpenSSL 3.6.0
30 Sep 2025	OpenSSL 3.5.4
30 Sep 2025	OpenSSL 3.4.3
30 Sep 2025	OpenSSL 3.3.5
30 Sep 2025	OpenSSL 3.2.6
30 Sep 2025	OpenSSL 3.0.18
30 Sep 2025	Security Advisory Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231) Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
16 Sep 2025	OpenSSL 3.5.3
16 Sep 2025	OpenSSL 3.6.0-beta1
02 Sep 2025	OpenSSL 3.6.0-alpha1
05 Aug 2025	OpenSSL 3.5.2
01 Jul 2025	OpenSSL 3.5.1
01 Jul 2025	OpenSSL 3.4.2
01 Jul 2025	OpenSSL 3.3.4
01 Jul 2025	OpenSSL 3.2.5
01 Jul 2025	OpenSSL 3.0.17
22 May 2025	Security Advisory The x509 application adds trusted use instead of rejected use (CVE-2025-4575)
08 Apr 2025	OpenSSL 3.5.0
25 Mar 2025	OpenSSL 3.5.0-beta1
12 Mar 2025	OpenSSL 3.5.0-alpha1
11 Feb 2025	OpenSSL 3.4.1
11 Feb 2025	OpenSSL 3.3.3
11 Feb 2025	OpenSSL 3.2.4
11 Feb 2025	OpenSSL 3.1.8
11 Feb 2025	OpenSSL 3.0.16
11 Feb 2025	Security Advisory RFC7250 handshakes with unauthenticated servers don’t abort as expected (CVE-2024-12797)
20 Jan 2025	Security Advisory Timing side-channel in ECDSA signature computation (CVE-2024-13176)
22 Oct 2024	OpenSSL 3.4.0
16 Oct 2024	Security Advisory Low-level invalid GF(2^m) parameters lead to OOB memory access (CVE-2024-9143)
07 Oct 2024	OpenSSL 3.4.0-beta1
05 Sep 2024	OpenSSL 3.4.0-alpha1
03 Sep 2024	OpenSSL 3.3.2
03 Sep 2024	OpenSSL 3.2.3
03 Sep 2024	OpenSSL 3.1.7
03 Sep 2024	OpenSSL 3.0.15
03 Sep 2024	Security Advisory Possible denial of service in X.509 name checks (CVE-2024-6119)
27 Jun 2024	Security Advisory SSL_select_next_proto buffer overread (CVE-2024-5535)
04 Jun 2024	OpenSSL 3.3.1
04 Jun 2024	OpenSSL 3.2.2
04 Jun 2024	OpenSSL 3.1.6
04 Jun 2024	OpenSSL 3.0.14
28 May 2024	Security Advisory Use After Free with SSL_free_buffers (CVE-2024-4741)
16 May 2024	Security Advisory Excessive time spent checking DSA keys and parameters (CVE-2024-4603)
09 Apr 2024	OpenSSL 3.3.0
08 Apr 2024	Security Advisory Unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
29 Mar 2024	OpenSSL 3.3.0-beta1
20 Mar 2024	OpenSSL 3.3.0-alpha1
30 Jan 2024	OpenSSL 3.2.1
30 Jan 2024	OpenSSL 3.1.5
30 Jan 2024	OpenSSL 3.0.13
25 Jan 2024	Security Advisory PKCS12 Decoding crashes (CVE-2024-0727)
15 Jan 2024	Security Advisory Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
09 Jan 2024	Security Advisory POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
23 Nov 2023	OpenSSL 3.2.0
06 Nov 2023	Security Advisory Excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678)
26 Oct 2023	OpenSSL 3.2.0-beta1
24 Oct 2023	OpenSSL 3.1.4
24 Oct 2023	OpenSSL 3.0.12
24 Oct 2023	Security Advisory Incorrect cipher key & IV length processing (CVE-2023-5363)
28 Sep 2023	OpenSSL 3.2.0-alpha2
19 Sep 2023	OpenSSL 3.1.3
19 Sep 2023	OpenSSL 3.0.11
12 Sep 2023	OpenSSL 1.1.1w
08 Sep 2023	Security Advisory POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)
07 Sep 2023	OpenSSL 3.2.0-alpha1
01 Aug 2023	OpenSSL 3.1.2
01 Aug 2023	OpenSSL 3.0.10
01 Aug 2023	OpenSSL 1.1.1v
31 Jul 2023	Security Advisory Excessive time spent checking DH q parameter value (CVE-2023-3817)
19 Jul 2023	Security Advisory Excessive time spent checking DH keys and parameters (CVE-2023-3446)
14 Jul 2023	Security Advisory AES-SIV implementation ignores empty associated data entries (CVE-2023-2975)
30 May 2023	OpenSSL 3.1.1
30 May 2023	OpenSSL 3.0.9
30 May 2023	OpenSSL 1.1.1u
30 May 2023	Security Advisory Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
20 Apr 2023	Security Advisory Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
28 Mar 2023	Security Advisory Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) Certificate policy check not enabled (CVE-2023-0466)
22 Mar 2023	Security Advisory Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
14 Mar 2023	OpenSSL 3.1.0
07 Feb 2023	OpenSSL 1.1.1t
07 Feb 2023	OpenSSL 3.0.8
07 Feb 2023	Security Advisory X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) Timing Oracle in RSA Decryption (CVE-2022-4304) X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) Use-after-free following BIO_new_NDEF (CVE-2023-0215) Double free after calling PEM_read_bio_ex (CVE-2022-4450) Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) NULL dereference validating DSA public key (CVE-2023-0217) NULL dereference during PKCS7 data verification (CVE-2023-0401)
21 Dec 2022	OpenSSL 3.1.0-beta1
13 Dec 2022	Security Advisory X.509 Policy Constraints Double Locking (CVE-2022-3996)
01 Dec 2022	OpenSSL 3.1.0-alpha1
01 Nov 2022	OpenSSL 1.1.1s
01 Nov 2022	OpenSSL 3.0.7
01 Nov 2022	Security Advisory X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
11 Oct 2022	OpenSSL 3.0.6
11 Oct 2022	OpenSSL 1.1.1r
11 Oct 2022	Security Advisory Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)
05 Jul 2022	OpenSSL 3.0.5
05 Jul 2022	OpenSSL 1.1.1q
05 Jul 2022	Security Advisory Heap memory corruption with RSA private key operation (CVE-2022-2274) AES OCB fails to encrypt some bytes (CVE-2022-2097)
21 Jun 2022	OpenSSL 3.0.4
21 Jun 2022	OpenSSL 1.1.1p
21 Jun 2022	Security Advisory The c_rehash script allows command injection (CVE-2022-2068)
03 May 2022	OpenSSL 3.0.3
03 May 2022	OpenSSL 1.1.1o
03 May 2022	Security Advisory The c_rehash script allows command injection (CVE-2022-1292) OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) Resource leakage when decoding certificates and keys (CVE-2022-1473)
15 Mar 2022	OpenSSL 3.0.2
15 Mar 2022	OpenSSL 1.1.1n
15 Mar 2022	Security Advisory Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)
28 Jan 2022	Security Advisory BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
14 Dec 2021	OpenSSL 1.1.1m
14 Dec 2021	OpenSSL 3.0.1
14 Dec 2021	Security Advisory Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)
07 Sep 2021	OpenSSL 3.0.0
24 Aug 2021	OpenSSL 1.1.1l
24 Aug 2021	Security Advisory SM2 Decryption Buffer Overflow (CVE-2021-3711) Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
29 Jul 2021	OpenSSL 3.0.0-beta2
17 Jun 2021	OpenSSL 3.0.0-beta1
20 May 2021	OpenSSL 3.0.0-alpha17
06 May 2021	OpenSSL 3.0.0-alpha16
22 Apr 2021	OpenSSL 3.0.0-alpha15
08 Apr 2021	OpenSSL 3.0.0-alpha14
25 Mar 2021	OpenSSL 1.1.1k
25 Mar 2021	Security Advisory CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
11 Mar 2021	OpenSSL 3.0.0-alpha13
18 Feb 2021	OpenSSL 3.0.0-alpha12
16 Feb 2021	OpenSSL 1.1.1j
16 Feb 2021	Security Advisory Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) Incorrect SSLv2 rollback protection (CVE-2021-23839) Integer overflow in CipherUpdate (CVE-2021-23840)
28 Jan 2021	OpenSSL 3.0.0-alpha11
07 Jan 2021	OpenSSL 3.0.0-alpha10
08 Dec 2020	OpenSSL 1.1.1i
08 Dec 2020	Security Advisory EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
26 Nov 2020	OpenSSL 3.0.0-alpha9
05 Nov 2020	OpenSSL 3.0.0-alpha8
15 Oct 2020	OpenSSL 3.0.0-alpha7
22 Sep 2020	OpenSSL 1.1.1h
09 Sep 2020	Security Advisory Raccoon Attack (CVE-2020-1968)
06 Aug 2020	OpenSSL 3.0.0-alpha6
16 Jul 2020	OpenSSL 3.0.0-alpha5
25 Jun 2020	OpenSSL 3.0.0-alpha4
04 Jun 2020	OpenSSL 3.0.0-alpha3
15 May 2020	OpenSSL 3.0.0-alpha2
23 Apr 2020	OpenSSL 3.0.0-alpha1
21 Apr 2020	OpenSSL 1.1.1g
21 Apr 2020	Security Advisory Segmentation fault in SSL_check_chain (CVE-2020-1967)
31 Mar 2020	OpenSSL 1.1.1f
17 Mar 2020	OpenSSL 1.1.1e
20 Dec 2019	OpenSSL 1.0.2u
06 Dec 2019	Security Advisory rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)
10 Sep 2019	OpenSSL 1.1.1d
10 Sep 2019	OpenSSL 1.1.0l
10 Sep 2019	OpenSSL 1.0.2t
10 Sep 2019	Security Advisory ECDSA remote timing attack (CVE-2019-1547) Fork Protection (CVE-2019-1549) Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
30 Jul 2019	Security Advisory Windows builds with insecure path defaults (CVE-2019-1552)
28 May 2019	OpenSSL 1.0.2s
28 May 2019	OpenSSL 1.1.0k
28 May 2019	OpenSSL 1.1.1c
06 Mar 2019	Security Advisory ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
26 Feb 2019	OpenSSL 1.1.1b
26 Feb 2019	OpenSSL 1.0.2r
26 Feb 2019	Security Advisory 0-byte record padding oracle (CVE-2019-1559)
20 Nov 2018	OpenSSL 1.1.1a
20 Nov 2018	OpenSSL 1.1.0j
20 Nov 2018	OpenSSL 1.0.2q
12 Nov 2018	Security Advisory Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
30 Oct 2018	Security Advisory Timing vulnerability in DSA signature generation (CVE-2018-0734)
29 Oct 2018	Security Advisory Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
11 Sep 2018	OpenSSL 1.1.1
21 Aug 2018	OpenSSL 1.1.1-pre9
14 Aug 2018	OpenSSL 1.1.0i
14 Aug 2018	OpenSSL 1.0.2p
20 Jun 2018	OpenSSL 1.1.1-pre8
12 Jun 2018	Security Advisory Client DoS due to large DH parameter (CVE-2018-0732)
29 May 2018	OpenSSL 1.1.1-pre7
01 May 2018	OpenSSL 1.1.1-pre6
17 Apr 2018	OpenSSL 1.1.1-pre5
16 Apr 2018	Security Advisory Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
03 Apr 2018	OpenSSL 1.1.1-pre4
27 Mar 2018	OpenSSL 1.1.0h
27 Mar 2018	OpenSSL 1.0.2o
27 Mar 2018	Security Advisory Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
20 Mar 2018	OpenSSL 1.1.1-pre3
27 Feb 2018	OpenSSL 1.1.1-pre2
15 Feb 2018	OpenSSL 1.1.1-pre1
07 Dec 2017	OpenSSL 1.0.2n
07 Dec 2017	Security Advisory Read/write after SSL object in error state (CVE-2017-3737) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
02 Nov 2017	OpenSSL 1.1.0g
02 Nov 2017	OpenSSL 1.0.2m
02 Nov 2017	Security Advisory bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
31 Aug 2017	OpenSSL fips-2.0.16
30 Aug 2017	OpenSSL fips-2.0.15
28 Aug 2017	Security Advisory Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
25 May 2017	OpenSSL 1.1.0f
25 May 2017	OpenSSL 1.0.2l
16 Feb 2017	OpenSSL 1.1.0e
16 Feb 2017	OpenSSL fips-2.0.14
16 Feb 2017	Security Advisory Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
26 Jan 2017	OpenSSL 1.1.0d
26 Jan 2017	OpenSSL 1.0.2k
26 Jan 2017	Security Advisory Truncated packet could crash via OOB read (CVE-2017-3731) Bad (EC)DHE parameters cause a client crash (CVE-2017-3730) BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) Montgomery multiplication may produce incorrect results (CVE-2016-7055)
14 Nov 2016	OpenSSL fips-2.0.13
10 Nov 2016	OpenSSL 1.1.0c
10 Nov 2016	Security Advisory ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054) CMS Null dereference (CVE-2016-7053) Montgomery multiplication may produce incorrect results (CVE-2016-7055)
26 Sep 2016	OpenSSL 1.1.0b
26 Sep 2016	OpenSSL 1.0.2j
26 Sep 2016	Security Advisory Fix Use After Free for large message sizes (CVE-2016-6309) Missing CRL sanity check (CVE-2016-7052)
22 Sep 2016	OpenSSL 1.1.0a
22 Sep 2016	OpenSSL 1.0.2i
22 Sep 2016	OpenSSL 1.0.1u
22 Sep 2016	Security Advisory OCSP Status Request extension unbounded memory growth (CVE-2016-6304) SSL_peek() hang on empty record (CVE-2016-6305) SWEET32 Mitigation (CVE-2016-2183) OOB write in MDC2_Update() (CVE-2016-6303) Malformed SHA512 ticket DoS (CVE-2016-6302) OOB write in BN_bn2dec() (CVE-2016-2182) OOB read in TS_OBJ_print_bio() (CVE-2016-2180) Pointer arithmetic undefined behaviour (CVE-2016-2177) Constant time flag not preserved in DSA signing (CVE-2016-2178) DTLS buffered message DoS (CVE-2016-2179) DTLS replay protection DoS (CVE-2016-2181) Certificate message OOB reads (CVE-2016-6306) Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
25 Aug 2016	OpenSSL 1.1.0
04 Aug 2016	OpenSSL 1.1.0-pre6
03 May 2016	OpenSSL 1.0.2h
03 May 2016	OpenSSL 1.0.1t
03 May 2016	Security Advisory Memory corruption in the ASN.1 encoder (CVE-2016-2108) Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) EVP_EncodeUpdate overflow (CVE-2016-2105) EVP_EncryptUpdate overflow (CVE-2016-2106) ASN.1 BIO excessive memory allocation (CVE-2016-2109) EBCDIC overread (CVE-2016-2176)
19 Apr 2016	OpenSSL 1.1.0-pre5
16 Mar 2016	OpenSSL 1.1.0-pre4
01 Mar 2016	OpenSSL 1.0.2g
01 Mar 2016	OpenSSL 1.0.1s
01 Mar 2016	Security Advisory Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) Double-free in DSA code (CVE-2016-0705) Memory leak in SRP database lookups (CVE-2016-0798) BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797) Fix memory issues in BIO_*printf functions (CVE-2016-0799) Side channel attack on modular exponentiation (CVE-2016-0702) Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
15 Feb 2016	OpenSSL fips-2.0.10
15 Feb 2016	OpenSSL fips-2.0.11
15 Feb 2016	OpenSSL fips-2.0.12
15 Feb 2016	OpenSSL 1.1.0-pre3
28 Jan 2016	OpenSSL 1.0.2f
28 Jan 2016	OpenSSL 1.0.1r
28 Jan 2016	Security Advisory DH small subgroups (CVE-2016-0701) SSLv2 doesn’t block disabled ciphers (CVE-2015-3197) An update on DHE man-in-the-middle protection (Logjam)
14 Jan 2016	OpenSSL 1.1.0-pre2
10 Dec 2015	OpenSSL 1.1.0-pre1
03 Dec 2015	OpenSSL 1.0.2e
03 Dec 2015	OpenSSL 1.0.1q
03 Dec 2015	OpenSSL 1.0.0t
03 Dec 2015	OpenSSL 0.9.8zh
03 Dec 2015	Security Advisory BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) Certificate verify crash with missing PSS parameter (CVE-2015-3194) X509_ATTRIBUTE memory leak (CVE-2015-3195) Race condition handling PSK identify hint (CVE-2015-3196) Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
09 Jul 2015	OpenSSL 1.0.2d
09 Jul 2015	OpenSSL 1.0.1p
09 Jul 2015	Security Advisory Alternative chains certificate forgery (CVE-2015-1793)
12 Jun 2015	OpenSSL 1.0.2c
12 Jun 2015	OpenSSL 1.0.1o
11 Jun 2015	OpenSSL 1.0.2b
11 Jun 2015	OpenSSL 1.0.1n
11 Jun 2015	OpenSSL 1.0.0s
11 Jun 2015	OpenSSL 0.9.8zg
11 Jun 2015	Security Advisory DHE man-in-the-middle protection (Logjam) Malformed ECParameters causes infinite loop (CVE-2015-1788) Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) CMS verify infinite loop with unknown hash function (CVE-2015-1792) Race condition handling NewSessionTicket (CVE-2015-1791) Invalid free in DTLS (CVE-2014-8176)
14 May 2015	OpenSSL fips-2.0.9
19 Mar 2015	OpenSSL 1.0.2a
19 Mar 2015	OpenSSL 1.0.1m
19 Mar 2015	OpenSSL 1.0.0r
19 Mar 2015	OpenSSL 0.9.8zf
19 Mar 2015	Security Advisory OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) Multiblock corrupted pointer (CVE-2015-0290) Segmentation fault in DTLSv1_listen (CVE-2015-0207) Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) Segmentation fault for invalid PSS parameters (CVE-2015-0208) ASN.1 structure reuse memory corruption (CVE-2015-0287) PKCS7 NULL pointer dereferences (CVE-2015-0289) Base64 decode (CVE-2015-0292) DoS via reachable assert in SSLv2 servers (CVE-2015-0293) Empty CKE with client auth and DHE (CVE-2015-1787) Handshake with unseeded PRNG (CVE-2015-0285) Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
22 Jan 2015	OpenSSL 1.0.2
15 Jan 2015	OpenSSL 1.0.1l
15 Jan 2015	OpenSSL 1.0.0q
15 Jan 2015	OpenSSL 0.9.8ze
08 Jan 2015	OpenSSL 1.0.1k
08 Jan 2015	OpenSSL 1.0.0p
08 Jan 2015	OpenSSL 0.9.8zd
08 Jan 2015	Security Advisory DTLS segmentation fault in dtls1_get_record (CVE-2014-3571) DTLS memory leak in dtls1_buffer_record (CVE-2015-0206) no-ssl3 configuration sets method to NULL (CVE-2014-3569) ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572) RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) DH client certificates accepted without verification [Server] (CVE-2015-0205) Certificate fingerprints can be modified (CVE-2014-8275) Bignum squaring may produce incorrect results (CVE-2014-3570)
24 Oct 2014	OpenSSL fips-2.0.8
15 Oct 2014	OpenSSL 0.9.8zc
15 Oct 2014	OpenSSL 1.0.0o
15 Oct 2014	OpenSSL 1.0.1j
15 Oct 2014	Security Advisory SRTP Memory Leak (CVE-2014-3513) Session Ticket Memory Leak (CVE-2014-3567) SSL 3.0 Fallback protection Build option no-ssl3 is incomplete (CVE-2014-3568)
25 Sep 2014	OpenSSL 1.0.2-beta3
06 Aug 2014	OpenSSL 1.0.1i
06 Aug 2014	OpenSSL 1.0.0n
06 Aug 2014	OpenSSL 0.9.8zb
06 Aug 2014	Security Advisory Information leak in pretty printing functions (CVE-2014-3508) Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139) Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509) Double Free when processing DTLS packets (CVE-2014-3505) DTLS memory exhaustion (CVE-2014-3506) DTLS memory leak from zero-length fragments (CVE-2014-3507) OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510) OpenSSL TLS protocol downgrade attack (CVE-2014-3511) SRP buffer overrun (CVE-2014-3512)
22 Jul 2014	OpenSSL 1.0.2-beta2
11 Jul 2014	OpenSSL fips-2.0.7
05 Jun 2014	OpenSSL 0.9.8za
05 Jun 2014	OpenSSL 1.0.0m
05 Jun 2014	OpenSSL 1.0.1h
05 Jun 2014	Security Advisory SSL/TLS MITM vulnerability (CVE-2014-0224) DTLS recursion flaw (CVE-2014-0221) DTLS invalid fragment vulnerability (CVE-2014-0195) SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) Anonymous ECDH denial of service (CVE-2014-3470)
12 May 2014	OpenSSL fips-2.0.6
07 Apr 2014	OpenSSL 1.0.1g
07 Apr 2014	Security Advisory TLS heartbeat read overrun (CVE-2014-0160)
24 Feb 2014	OpenSSL 1.0.2-beta1
06 Jan 2014	OpenSSL 1.0.1f
06 Jan 2014	OpenSSL 1.0.0l
16 Dec 2013	OpenSSL fips-2.0.5
16 Dec 2013	OpenSSL fips-2.0.4
10 Apr 2013	OpenSSL fips-2.0.2
10 Apr 2013	OpenSSL fips-2.0.3
11 Feb 2013	OpenSSL 1.0.1e
06 Feb 2013	OpenSSL 1.0.0k
05 Feb 2013	OpenSSL 0.9.8y
05 Feb 2013	OpenSSL 1.0.1d
05 Feb 2013	Security Advisory SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169) TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) OCSP invalid key DoS issue (CVE-2013-0166)
19 Oct 2012	OpenSSL fips-2.0-pl1
04 Oct 2012	OpenSSL fips-2.0.1
10 May 2012	OpenSSL 0.9.8x
10 May 2012	OpenSSL 1.0.0j
10 May 2012	OpenSSL 1.0.1c
10 May 2012	Security Advisory Invalid TLS/DTLS record attack (CVE-2012-2333)
26 Apr 2012	OpenSSL 1.0.1b
24 Apr 2012	Security Advisory ASN1 BIO incomplete fix (CVE-2012-2131)
23 Apr 2012	OpenSSL 0.9.8w
19 Apr 2012	OpenSSL 1.0.0i
19 Apr 2012	OpenSSL 0.9.8v
19 Apr 2012	OpenSSL 1.0.1a
19 Apr 2012	Security Advisory ASN1 BIO vulnerability (CVE-2012-2110)
14 Mar 2012	OpenSSL 1.0.1
12 Mar 2012	OpenSSL 0.9.8u
12 Mar 2012	OpenSSL 1.0.0h
12 Mar 2012	Security Advisory CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
23 Feb 2012	OpenSSL 1.0.1-beta3
19 Jan 2012	OpenSSL 1.0.1-beta2
18 Jan 2012	OpenSSL 0.9.8t
18 Jan 2012	OpenSSL 1.0.0g
18 Jan 2012	OpenSSL fips-2.0
18 Jan 2012	OpenSSL fips-2.0-rc9
18 Jan 2012	Security Advisory DTLS DoS attack (CVE-2012-0050)
04 Jan 2012	OpenSSL 1.0.0f
04 Jan 2012	OpenSSL 0.9.8s
04 Jan 2012	Security Advisory DTLS Plaintext Recovery Attack (CVE-2011-4108) Double-free in Policy Checks (CVE-2011-4109) Uninitialized SSL 3.0 Padding (CVE-2011-4576) Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) SGC Restart DoS Attack (CVE-2011-4619) Invalid GOST parameters DoS Attack (CVE-2012-0027)
03 Jan 2012	OpenSSL 1.0.1-beta1
03 Jan 2012	OpenSSL fips-2.0-rc8
12 Dec 2011	OpenSSL fips-2.0-rc7
04 Dec 2011	OpenSSL fips-2.0-rc6
25 Nov 2011	OpenSSL fips-2.0-rc5
19 Nov 2011	OpenSSL fips-2.0-rc4
18 Nov 2011	OpenSSL fips-2.0-rc3
09 Nov 2011	OpenSSL fips-2.0-rc2
26 Oct 2011	OpenSSL fips-2.0-rc1
25 Sep 2011	OpenSSL fips-1.2.1
25 Sep 2011	OpenSSL fips-1.2.2
25 Sep 2011	OpenSSL fips-1.2.3
06 Sep 2011	OpenSSL 1.0.0e
06 Sep 2011	Security Advisory CRL verification vulnerability in OpenSSL TLS ephemeral ECDH crashes in OpenSSL
08 Feb 2011	OpenSSL 0.9.8r
08 Feb 2011	OpenSSL 1.0.0d
08 Feb 2011	Security Advisory OCSP stapling vulnerability in OpenSSL
02 Dec 2010	OpenSSL 1.0.0c
02 Dec 2010	OpenSSL 0.9.8q
02 Dec 2010	Security Advisory OpenSSL Ciphersuite Downgrade Attack OpenSSL JPAKE validation error
16 Nov 2010	OpenSSL 1.0.0b
16 Nov 2010	OpenSSL 0.9.8p
16 Nov 2010	Security Advisory TLS extension parsing race condition.
01 Jun 2010	OpenSSL 1.0.0a
01 Jun 2010	OpenSSL 0.9.8o
01 Jun 2010	Security Advisory Invalid ASN1 module definition for CMS. Invalid Return value check in pkey_rsa_verifyrecover
29 Mar 2010	OpenSSL 1.0.0
24 Mar 2010	OpenSSL 0.9.8n
24 Mar 2010	Security Advisory “Record of death” vulnerability in OpenSSL 0.9.8f through 0.9.8m
25 Feb 2010	OpenSSL 0.9.8m
20 Jan 2010	OpenSSL 1.0.0-beta5
20 Jan 2010	OpenSSL 0.9.8m-beta1
11 Nov 2009	Security Advisory Man-in-the-middle Renegotiation Attack
10 Nov 2009	OpenSSL 1.0.0-beta4
05 Nov 2009	OpenSSL 0.9.8l
15 Jul 2009	OpenSSL 1.0.0-beta3
21 Apr 2009	OpenSSL 1.0.0-beta2
01 Apr 2009	OpenSSL 1.0.0-beta1
25 Mar 2009	OpenSSL 0.9.8k
25 Mar 2009	Security Advisory ASN1 printing crash Incorrect Error Checking During CMS verification. Invalid ASN1 clearing check
07 Jan 2009	OpenSSL 0.9.8j
07 Jan 2009	Security Advisory Incorrect checks for malformed signatures
15 Sep 2008	OpenSSL 0.9.8i
28 May 2008	OpenSSL 0.9.8h
19 Oct 2007	OpenSSL 0.9.8g
11 Oct 2007	OpenSSL 0.9.8f
05 Oct 2007	OpenSSL fips-1.2.0
23 Feb 2007	OpenSSL 0.9.8e
23 Feb 2007	OpenSSL 0.9.7m
28 Sep 2006	OpenSSL 0.9.8d
28 Sep 2006	OpenSSL 0.9.7l
28 Sep 2006	Security Advisory ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940) SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738) SSLv2 Client Crash (CVE-2006-4343)
05 Sep 2006	OpenSSL 0.9.7k
05 Sep 2006	OpenSSL 0.9.8c
05 Sep 2006	Security Advisory RSA Signature Forgery (CVE-2006-4339)
04 May 2006	OpenSSL 0.9.8b
04 May 2006	OpenSSL 0.9.7j
07 Feb 2006	OpenSSL FIPS.1.0
14 Oct 2005	OpenSSL 0.9.7i
11 Oct 2005	OpenSSL 0.9.7h
11 Oct 2005	OpenSSL 0.9.8a
11 Oct 2005	Security Advisory Potential SSL 2.0 Rollback (CAN-2005-2969)
05 Jul 2005	OpenSSL 0.9.8
21 Jun 2005	OpenSSL 0.9.8-beta6
13 Jun 2005	OpenSSL 0.9.8-beta5
06 Jun 2005	OpenSSL 0.9.8-beta4
30 May 2005	OpenSSL 0.9.8-beta3
24 May 2005	OpenSSL 0.9.8-beta2
19 May 2005	OpenSSL 0.9.8-beta1
11 Apr 2005	OpenSSL 0.9.7g
22 Mar 2005	OpenSSL 0.9.7f
25 Oct 2004	OpenSSL 0.9.7e
17 Mar 2004	OpenSSL 0.9.6m
17 Mar 2004	OpenSSL engine-0.9.6m
17 Mar 2004	OpenSSL 0.9.7d
17 Mar 2004	Security Advisory 1. Null-pointer assignment during SSL handshake 2. Out-of-bounds read affects Kerberos ciphersuites
04 Nov 2003	OpenSSL 0.9.6l
04 Nov 2003	OpenSSL engine-0.9.6l
04 Nov 2003	Security Advisory Denial of Service in ASN.1 parsing
30 Sep 2003	OpenSSL 0.9.7c
30 Sep 2003	OpenSSL 0.9.6k
30 Sep 2003	OpenSSL engine-0.9.6k
10 Apr 2003	OpenSSL 0.9.6j
10 Apr 2003	OpenSSL 0.9.7b
10 Apr 2003	OpenSSL engine-0.9.6j
19 Mar 2003	Security Advisory Klima-Pokorny-Rosa attack on RSA in SSL/TLS
17 Mar 2003	Security Advisory Timing-based attacks on RSA keys
19 Feb 2003	OpenSSL 0.9.7a
19 Feb 2003	OpenSSL 0.9.6i
19 Feb 2003	OpenSSL engine-0.9.6i
19 Feb 2003	Security Advisory Timing-based attacks on SSL/TLS with CBC encryption
30 Dec 2002	OpenSSL 0.9.7
17 Dec 2002	OpenSSL 0.9.7-beta6
06 Dec 2002	OpenSSL 0.9.7-beta5
05 Dec 2002	OpenSSL 0.9.6h
05 Dec 2002	OpenSSL engine-0.9.6h
19 Nov 2002	OpenSSL 0.9.7-beta4
09 Aug 2002	OpenSSL 0.9.6g
09 Aug 2002	OpenSSL engine-0.9.6g
08 Aug 2002	OpenSSL 0.9.6f
08 Aug 2002	OpenSSL engine-0.9.6f
30 Jul 2002	OpenSSL 0.9.6e
30 Jul 2002	OpenSSL engine-0.9.6e
30 Jul 2002	OpenSSL 0.9.7-beta3
16 Jun 2002	OpenSSL 0.9.7-beta2
01 Jun 2002	OpenSSL 0.9.7-beta1
09 May 2002	OpenSSL 0.9.6d
09 May 2002	OpenSSL engine-0.9.6d
17 Apr 2002	OpenSSL 0.9.6d-beta1
17 Apr 2002	OpenSSL engine-0.9.6d-beta1
15 Feb 2002	OpenSSL engine-0.9.6c
21 Dec 2001	OpenSSL 0.9.6c
09 Jul 2001	OpenSSL 0.9.6b
09 Jul 2001	OpenSSL engine-0.9.6b
05 Apr 2001	OpenSSL engine-0.9.6a
05 Apr 2001	OpenSSL 0.9.6a
30 Mar 2001	OpenSSL 0.9.6a-beta3
30 Mar 2001	OpenSSL engine-0.9.6a-beta3
21 Mar 2001	OpenSSL 0.9.6a-beta2
21 Mar 2001	OpenSSL engine-0.9.6a-beta2
13 Mar 2001	OpenSSL 0.9.6a-beta1
13 Mar 2001	OpenSSL engine-0.9.6a-beta1
10 Oct 2000	OpenSSL 0.9.6
10 Oct 2000	OpenSSL 0.9.6-beta1
10 Oct 2000	OpenSSL 0.9.6-beta2
24 Sep 2000	OpenSSL engine-0.9.6
21 Sep 2000	OpenSSL 0.9.6-beta3
21 Sep 2000	OpenSSL engine-0.9.6-beta3
17 Sep 2000	OpenSSL engine-0.9.6-beta2
11 Sep 2000	OpenSSL engine-0.9.6-beta1
25 May 2000	OpenSSL 0.9.5
01 Apr 2000	OpenSSL 0.9.5a
23 Mar 2000	OpenSSL 0.9.5a-beta2
20 Mar 2000	OpenSSL 0.9.5a-beta1
27 Feb 2000	OpenSSL 0.9.5beta2
24 Feb 2000	OpenSSL 0.9.5beta1
09 Aug 1999	OpenSSL 0.9.4
29 May 1999	OpenSSL 0.9.3a
24 May 1999	OpenSSL 0.9.3
23 May 1999	OpenSSL 0.9.3beta2
20 May 1999	OpenSSL 0.9.3beta1
22 Mar 1999	OpenSSL 0.9.2b
23 Dec 1998	OpenSSL 0.9.1c
21 Dec 1998	OpenSSL SSLeay.0.8.1b
21 Dec 1998	OpenSSL SSLeay.0.9.0b
21 Dec 1998	OpenSSL SSLeay.0.9.1b

Release Requirements Policy

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL project team creates the following 5 types of OpenSSL software releases:

alpha (pre-)releases
beta (pre-)releases
major releases
minor releases
patch releases

This policy defines the requirements on the state of a branch in the source tree that must be met before a release from that branch can be done.

Alpha Pre-releases

As this is just a preview release for testing things that have been worked on in the development branch, the requirements are minimal.

Release Strategy

Mon, 01 Jan 0001 00:00:00 +0000

First issued 23 December 2014

Last modified 17 December 2025

From 3.0.0 and above, the OpenSSL versioning scheme uses the format: MAJOR.MINOR.PATCH

With this format, API/ABI compatibility will be guaranteed for the same MAJOR version number.

MAJOR: API/ABI incompatible changes will increase this number
MINOR: API/ABI compatible feature releases will change this
PATCH: Bug fix releases will increment this number. We also allow backporting of accessor functions in these releases.

This approximately aligns with the expectations of users who are familiar with semantic versioning. However, we have not adopted semantic versioning in the strict sense of its rules, because it would mean changing our current LTS policies and practices.

Search

Mon, 01 Jan 0001 00:00:00 +0000

Security advisory list (json)

Mon, 01 Jan 0001 00:00:00 +0000

Security advisory list (txt)

Mon, 01 Jan 0001 00:00:00 +0000

Security Policy

Mon, 01 Jan 0001 00:00:00 +0000

Reporting security issues

If you wish to report a possible security issue in OpenSSL please notify us.

Issue triage

Notifications are received by the OpenSSL Security Response Team (SRT) designated by the OpenSSL Foundation and the OpenSSL Corporation directors.

We engage resources within the OpenSSL Foundation and the OpenSSL Corporation to start the investigation and prioritisation. We may work in private with individuals who are not part of the SRT as well as other organisations where we believe this can help with the issue investigation, resolution, or testing.

Sponsorship and Donations

Mon, 01 Jan 0001 00:00:00 +0000

The OpenSSL project relies on funding to maintain and improve OpenSSL. You can support the OpenSSL project financially with the purchase of a support contract, or by a sponsorship donation. We can accept smaller sponsorship donations via GitHub Sponsors. We do not have a PayPal account. Please do not donate to any PayPal account claiming to be associated with us! Please note that the OpenSSL Software Foundation (OSF) is incorporated in the the state of Delaware, United States, as a non-profit corporation. It does not qualify as a tax-exempt charitable organisation under Section 501(c)(3) of the U.S. Internal Revenue Code.

Stable Release Updates Policy

Mon, 01 Jan 0001 00:00:00 +0000

This policy covers allowed changes on release branches.

Definitions

A stable release is a series beginning with a major or minor release that is not a pre-release, and all its updates.

A patch release is an update within a stable release.

A public interface is any function, structure or macro declared in a public header file.

A bug fix is a fix of functionality of the libraries, modules, applications, or the build system that (all or any items might apply):

Testing Policy

Mon, 01 Jan 0001 00:00:00 +0000

This applies to all stable and development branches of the main code repository.

Within this policy functional behaviour means what the system does, i.e. given a set of inputs it will produce a set of outputs. This does not include how the system does it. For example refactoring or performance improvements do not affect functional behaviour.

Except where noted below:

All Pull Requests adding new functionality to the applications, libraries, providers or engines must include suitable tests.
All Pull Requests fixing a functional behaviour defect in the applications, libraries, providers or engines must include a test for that defect.

Pull Requests that do not change the functional behaviour of the applications, libraries, providers or engines do not require tests to be added. For example the following types of changes do not require tests:

Thank you for your ICLA submission

Mon, 01 Jan 0001 00:00:00 +0000

A confirmation email has been sent to the address you provided, containing a link to review and sign the agreement. Please check your inbox (and spam folder). If you don’t receive it within 10 minutes, feel free to contact support at [email protected]">[email protected].

Thanks!

Mon, 01 Jan 0001 00:00:00 +0000

We’d like to thank the following individuals and organizations who contribute to the OpenSSL project.

rsync.net for providing free backup storage.
The following organizations who contribute staff time to work on the project (alphabetically): Akamai, Cryptsoft, Google, Oracle, Red Hat, Siemens, and Softing.

Time-based Release Policy

Mon, 01 Jan 0001 00:00:00 +0000

This policy outlines the systematic process followed for the time-based release of the OpenSSL software library. The approach aims to deliver regular, predictable updates and innovations to users while maintaining optimal workflow and efficient resource management within the OpenSSL organisation.

This document covers the release schedule and the various phases that comprise our release cycle: planning, release definition, development, and release stages including alpha, beta, and final release. It also outlines the support lifecycle following each release.

Trademark Policy

Mon, 01 Jan 0001 00:00:00 +0000

Last modified 2024-10-08

Purpose

OpenSSL is committed to promoting the use of its open-source software. While open-source software is generally free to download and modify, the use of open-source software does not include the right to use OpenSSL Trademarks.

The Trademark Policy (The Policy) aims to protect and ensure consistent usage of the OpenSSL Trademarks and to clarify when and how OpenSSL Trademarks may be used.

The Policy aims to:

Vulnerabilities

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 0.9.6

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 0.9.7

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 0.9.8

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 1.0.0

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 1.0.1

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 1.0.2

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 1.1.0

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 1.1.1

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.0

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.1

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.2

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.3

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.4

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.5

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities 3.6

Mon, 01 Jan 0001 00:00:00 +0000