3 years, 17 alphas, 2 betas, and over 7,500 commits later, OpenSSL version 3 is here
What have we learned during that time? Quite a bit, it appears
The OpenSSL team has released version 3.0 of its eponymous secure communications library after a lengthy gestation period.
Coming nearly three years after its predecessor, version 1.1.1, the update lays claim to 17 alpha releases, two beta releases, and more than 7,500 commits. Equally significant is a near-doubling of the amount of documentation since upgrading an application to use it might not be an entirely simple process.
"OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release," explained Matt Caswell of the OpenSSL Management Committee.
While most applications that used the previous incarnation will work OK and just need a recompilation (although Caswell cautioned that deprecated APIs would likely result in warnings), some apps will need changing.
And if an app is using a deprecated API, it would probably be a good idea to update it anyway as those APIs will more than likely be for the chop in a future version.
There are some substantial changes in version 3. From a technical standpoint, the most significant is the new Federal Information Processing Standards module, the paperwork for the validation of which is due to be submitted later this month. The team is going for FIPS 140-2 and expects to get its final certificate in 2022.
- NSA: We 'don't know when or even if' a quantum computer will ever be able to break today's public-key encryption
- Firefox 91 introduces cookie clearing, clutter-free printing, Microsoft single sign-on... so where are all the users?
- Google Cloud's Intrusion Detection Service attempts to make security 'invisible' but cost will be the big giveaway
- Fortinet's security appliances hit by remote code execution vulnerability
FIPS-validated cryptographic algorithms are important to have for users seeking US government work, and its omission from version 1.1.1 of OpenSSL (having been present in 1.0.2) has caused the odd headache. The new architecture of version 3.0 restores the module and introduces the "Provider" concept, where different algorithm implementations can be made available (OpenSSL 3.0 comes with five as standard, including the FIPS provider).
The other notable change is a move to the Apache License 2.0 from the OpenSSL and SSLeay licenses of old (which still apply to version 1.1.1 and earlier).
It has taken a while, but the tidying up of the code, support for the Linux kernel TLS, and move to a provider-based architecture among other enhancements are all very welcome. The number of alpha and beta releases over the years should, hopefully, mean that developers looking to make the move won't get any nasty surprises. ®