OpenSSL 1.1.1 reaches end of life for all but the well-heeled
$50k to breathe new life into its corpse. The rest of us must move on to OpenSSL 3.0
OpenSSL 1.1.1 has reached the end of its life, making a move to a later version essential for all, bar those with extremely deep pockets.
OpenSSL 1.1.1 was originally released in 2018 as a Long Term Support (LTS) version of the open-source secure communication library. At the time, the team behind it declared that it would be supported for at least five years, and so here we are. The ax has swung.
Unless, of course, you have the funds on hand to pay for a bit more support. A $50,000 annual support contract aimed at enterprises can be purchased by companies not ready to move to the next LTS version – OpenSSL 3.0 should be good until 2026.
That support contract is somewhat open-ended – OpenSSL notes that it "provides extended support for LTS releases (including 1.0.2) beyond the public EOL date for as long as it remains commercially viable to do so." It also includes security fixes.
Effectively, enterprises would be paying for OpenSSL maintainers and authors to continue working with the mouldy old code.
A move to the LTS OpenSSL 3.0 or the most recent version 3.1 – although this will only be supported until 2025 – is therefore required to continue receiving support from OpenSSL. The team noted that support periods on offer from third parties – such as operating system vendors – might differ, but this is it as far as the OpenSSL project is concerned.
Migrating to a later version of OpenSSL carries risks and hazards, and some services that rely on OpenSSL might react poorly to an update.
In its migration document, the OpenSSL project notes: "Any application that currently uses an older version of OpenSSL will at the very least need to be recompiled in order to work with the new version."
The project also admitted that while the intention was that the large majority of applications would work unchanged with OpenSSL, there were no guarantees and "some changes may be required in some cases."
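A practical first step before any recompilation is finding out which binaries on a host still pull in the 1.1.1 libraries. The following POSIX shell snippet is an added example, not code from the article or the OpenSSL project: it classifies a program by the OpenSSL shared-object soname that `ldd` reports (`libssl.so.1.1`/`libcrypto.so.1.1` for the 1.1.x series, `libssl.so.3`/`libcrypto.so.3` for 3.x). The sample `ldd` output embedded below is constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the article): report which OpenSSL series a binary is
# dynamically linked against, using the soname that ldd prints.
#
#   libssl.so.1.1 / libcrypto.so.1.1     -> OpenSSL 1.1.x (1.1.1 is now EOL)
#   libssl.so.1.0.0, libssl.so.10 (RHEL) -> OpenSSL 1.0.x (long EOL)
#   libssl.so.3 / libcrypto.so.3         -> OpenSSL 3.x (3.0 LTS supported to 2026)
#
# NSS ships a library called libssl3.so; it is not OpenSSL and the pattern
# below deliberately does not match it.

# classify_ldd reads ldd-style output on stdin and prints exactly one word:
#   eol            linked against a 1.0.x or 1.1.x OpenSSL (needs migration)
#   supported      linked only against 3.x OpenSSL
#   static-or-none no OpenSSL shared object found (statically linked,
#                  loaded via dlopen, or not using OpenSSL at all)
classify_ldd() {
    awk '
        /libssl\.so\.|libcrypto\.so\./ {
            v = $1                   # e.g. "libssl.so.1.1" or "libcrypto.so.3"
            sub(/.*\.so\./, "", v)   # keep only the soname version suffix
            if (v ~ /^3/) seen_new = 1
            else seen_old = 1
        }
        END {
            # A binary mixing both series is still a migration problem.
            if (seen_old)      print "eol"
            else if (seen_new) print "supported"
            else               print "static-or-none"
        }'
}

# check_binary runs ldd on a real file and classifies the result.
check_binary() {
    ldd "$1" 2>/dev/null | classify_ldd
}

# Constructed sample of ldd output for a program still on the 1.1.1 series
# (illustrative only; addresses are placeholders).
SAMPLE_LDD_111='	linux-vdso.so.1 (0x00007ffd00000000)
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Usage: sh openssl_link_check.sh /usr/sbin/nginx /usr/bin/curl ...
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(check_binary "$bin")"
done
```

The check only sees dynamic dependencies: programs that vendor OpenSSL statically, or load it with `dlopen`, report `static-or-none` and need a separate inventory (package manifests, SBOMs, or `strings`-style inspection for version banners). A `supported` result also says nothing about whether the distribution is backporting fixes to its own 1.1.1 package, which is the third-party support the project says may differ from its own schedule.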
The impact of the retirement is not to be underestimated and will swiftly show up components that have been hardcoded to expect OpenSSL services. IoT devices, for example, spring effortlessly to mind.
The end of support, however, does not mean the component will suddenly stop working. Instead, it will become an increasingly attractive target for malware slingers as security updates stop, and organizations that really should have planned for this day will find themselves either exposed or writing a $50,000 check. ®