OpenSSL Blog

Upcoming Webinar: Getting Started With QUIC and OpenSSL

,

We are pleased to announce our upcoming webinar, Getting Started with QUIC and OpenSSL.

In this brief yet comprehensive session, we’ll dive into the basics of QUIC and guide you through implementing a simple client using the QUIC OpenSSL API. By the end of this webinar, you’ll have a solid grasp of creating a client application that connects to a server and receives data. Our demo client may be straightforward, but it serves as the perfect playground to explore and observe the QUIC protocol in action. Get ready to see QUIC in motion and discover the tools to monitor its performance effectively!

Event Details

  • Date: May 30, 2024
  • Time: 09:00 AM Pacific Time (US and Canada)
  • Location: Online (Zoom)

How to Register

To register for the webinar, click here, fill in your details, and you will receive a confirmation email with all the information you will need to join us on the day of the event. You will need to register in order to be able to attend the webinar.

OSTIF and Trail of Bits Complete Audit of OpenSSL

,

OpenSSL would like to announce the publication of the final report of a recent security audit conducted on the OpenSSL software library.

The audit was organized by the Open Source Technology Improvement Fund (OSTIF), and carried out by Trail of Bits. Special thanks to OpenSSF Project Alpha Omega for funding the effort.

OSTIF is a non-profit organisation dedicated to providing funding for security audits to open source security projects. Trail of Bits, an OSTIF partner organisation, is an experienced auditor of open source security software. Working together over the past months, OSTIF and Trail of Bits have conducted an audit of the OpenSSL software library for potential vulnerabilities or bugs.

This audit focused on the libcrypto component of OpenSSL and delivered the following outputs:

  • 24 findings with a security impact (none of which warranted allocating a CVE)
    • 4 Medium Severity
    • 6 Low Severity
    • 14 Informational
  • The development and addition of 4 fuzzers
  • A codebase maturity evaluation

Overall, the audit found that OpenSSL is defensively implemented and well tested, with an extensive testing suite already in use at the time of auditing. The audit delivered further security hardening guidance to improve its security practices and resolve identified issues.

OpenSSL would like to thank OSTIF for funding this audit and Max Ammann, Fredrik Dahlgren, Spencer Michael, Jim Miller, and Jeff Braswell from Trail of Bits for conducting a detailed and thorough audit.

The official report will be released at the end of May, and a link published to our blog.

Releases Distribution Changes

,

I’d like to give you a heads-up about some changes we’re making at OpenSSL. We’re simplifying how you can get our software, and that means we’re phasing out some older methods that don’t quite fit with the way the web works today.

QUIC Server Preview Branch Available for Testing and Feedback

,

We are pleased to announce the availability of a feature preview for our OpenSSL QUIC server functionality. This is an early technology preview which is being published to seek feedback from our communities.

This preview is now available in the feature/quic-server branch of the OpenSSL repository on GitHub. Those interested in providing early feedback on our QUIC server functionality are invited to download and build this branch.

It is important to note that this branch represents a prototype phase at this time and many aspects of the planned functionality are not yet implemented. In particular, only a very small subset of the full SSL API is currently implemented. This preview is being released to enable all of our communities to provide their feedback as part of the API design process and in order to validate our requirements prior to the finalisation of the API.

This branch is intended as a feature preview to support development and testing. It has not yet been subject to ordinary QA processes, is not yet fully RFC-conformant, and is not intended for production use.

A demo program demonstrating usage of the new server API is available here, which is the recommended starting point for those seeking to experiment with this feature preview.

Official support for server-side QUIC functionality is anticipated to be delivered in OpenSSL 3.4, which, as per our time-based releases policy, will be released no later than 31 October 2024.

As always, bug reports and issues can be filed on our issue tracker, and questions about using this feature preview can be posted on GitHub Discussions.

Comments on this release are also welcomed on GitHub Discussions, or via email to feedback@openssl.org.


Meet With OpenSSL at RSA Conference 2024

,

This year, OpenSSL will be attending RSA Conference 2024, one of the world’s largest cybersecurity events. Throughout May 6-9 in San Francisco, we are seeking to engage with our communities at RSA to better understand their needs and problems.

We look forward to meeting with RSA attendees interested in discussing OpenSSL or related fields. As such, we’d like to invite anyone attending RSA to reach out so that we can meet with them at the conference.

Anyone can book a meetup with OpenSSL at RSA using this form, or alternatively by emailing oss-rsa@openssl.org. While we are particularly interested in hearing from our current and prospective support customers, this invitation is open to anyone who wants to talk to us.

We look forward to meeting with you at RSA Conference 2024. You can also reach out to us at @OpenSSL_ during the conference.

Upcoming Webinar: Writing a TLS Client

,

We are pleased to announce our upcoming webinar, Writing a TLS Client.

In this webinar we will cover writing a simple TLS client using the OpenSSL APIs. The webinar will cover how to write an application that connects to a server and securely exchanges data using TLS using the OpenSSL API.

At the end of the webinar we will host a Q&A session, giving you the opportunity to have your questions answered by OpenSSL developers.

Event Details

  • Date: April 25, 2024
  • Time: 09:00 AM Pacific Time (US and Canada)
  • Location: Online (Zoom)

How to Register

To register for the webinar, click here, fill in your details, and you will receive a confirmation email with all the information you will need to join us on the day of the event. You will need to register in order to be able to attend the webinar.

OpenSSL 3.3 Final Release Live

,

The final release of OpenSSL 3.3 is now live. This is the first release in accordance with our adoption of biannual time-based releases. We would like to thank all those who contributed to the OpenSSL 3.3 release, without whom, OpenSSL would not be possible.

OpenSSL 3.3 delivers the following new features:

  • QUIC qlog diagnostic logging support
  • Support for the non-blocking polling of multiple QUIC connections or stream objects
  • Support for optimised generation of end-of-stream frames for QUIC connections
  • Support for disabling QUIC event processing when making API calls
  • Support for configuring QUIC idle timeout durations
  • Support for querying the size and utilisation of a QUIC stream’s write buffer
  • Support for RFC 9480 and RFC 9483 extensions to CMP
  • Ability to disable OpenSSL usage of atexit(3) at build time
  • Year 2038-compatible SSL_SESSION APIs
  • Ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested
  • Ability to ignore unknown algorithm names in TLS signature algorithm and group configuration strings
  • Ability to configure a TLS 1.3 server to prefer PSK-only key exchange during session resumption
  • Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
  • Added exporter for CMake on Unix and Windows, alongside the pkg-config exporter.
  • And more. Please check out CHANGES.md for a full list of changes between OpenSSL 3.2 and OpenSSL 3.3.

OpenSSL 3.3 is a regular release, upon this final release a one-year Full Support period is initiated for regular releases. During this phase, bugs and security issues are addressed and fixed according to the Stable Release Updates Policy. Immediately after the Full Support phase ends, the Maintenance Support phase begins, lasting for one year. During this phase, the primary focus is on fixing security issues, although other bugs may be addressed at the discretion of OpenSSL engineering.

The next release will be OpenSSL 3.4. The release process is being managed by Neil Horman (@nhorman). Details on the release schedule can be found on the new OpenSSL Release Schedule board on GitHub.

Bug reports and issues relating to OpenSSL can be filed on our issue tracker, and questions about using OpenSSL 3.3 can be posted on GitHub Discussions.