The OpenSSL Project has returned from spending a week in February sequestered in the beautiful Australian outback discussing the past, current, and future state of the project. This in-person meeting brought together the project’s paid resources and the management committee. Our goal for this meeting was to chart the course for OpenSSL’s future, tackle current challenges, and note our collective achievements. Three project members were unable to participate in person and joined the meetings remotely.

In the 2023 in-person meeting, the project unanimously agreed on a mission and values statement that reflects not only our desire for greater transparency and community engagement, but our commitment to organizational independence, and to our core mission of making secure communications available to everyone. We have achieved many things in 2023 including:

• OpenSSL 3.2 released in November 2023
• Added 7 new full-time resources working on the project
• Creation of regular webinars such as the providers workshops
• Adoption of time-based releases

At this year’s meeting we revisited our mission and values statement, have reconfirmed our belief in the statement, and are now hard at work making sure the mission and values are reflected in all aspects of the project. Keeping that in mind, a recurring theme that was discussed was the importance of community engagement. OpenSSL thrives because of its community, and we explored new strategies to encourage participation and contribution. Stay tuned for further communication from us regarding new initiatives to promote community interaction.

Beyond the sessions, the meeting was a valuable opportunity for team members, many of whom work remotely, to connect in person. These moments of connection are invaluable, strengthening the bonds within the project resources and reinvigorating our collective passion for the project.

Please stay tuned for updates on our progress and how you can contribute to the future of OpenSSL.

The 2024 Face-to-Face meeting was highly productive and we are all eager to see what the future holds for the project. Until next time, keep your data safe and your connections secure.

Please enjoy photos from the meeting.

We are pleased to announce that we have successfully distributed nearly 100 limited edition T-shirts commemorating the 25th anniversary of OpenSSL’s existence.

We appreciate the support of all our communities, users, individual contributors and support customers, without which we would not be able to continue our mission and deliver on our open source values. These continue to drive the success and evolution of OpenSSL, and we couldn’t be more appreciative.

For those who received an anniversary T-shirt, feel free to share a picture of yourself wearing the T-shirt and tag us on social media @openssl_! Thank you once again for celebrating this significant milestone with us.

The beta release of OpenSSL 3.3 is now live. This release is in accordance with our adoption of biannual time-based releases. As this is a beta release, we consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback. It represents the second step in our planned release of OpenSSL 3.3. To view the full 3.3 release schedule please refer to this blog.

The code for OpenSSL 3.3 is now functionally complete and we expect the final release to occur on schedule. We would also like to thank all those who contributed to the OpenSSL 3.3 release, without which as ever OpenSSL would not be possible.

OpenSSL 3.3 will feature the following new features:

• QUIC qlog diagnostic logging support
• Support for the non-blocking polling of multiple QUIC connections or stream objects
• Support for optimised generation of end-of-stream frames for QUIC connections
• Support for disabling QUIC event processing when making API calls
• Support for configuring QUIC idle timeout durations
• Support for querying the size and utilisation of a QUIC stream’s write buffer
• Support for RFC 9480 and RFC 9483 extensions to CMP
• Ability to disable OpenSSL usage of atexit(3) at build time
• Year 2038-compatible SSL_SESSION APIs
• Ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested
• Ability to ignore unknown algorithm names in TLS signature algorithm and group configuration strings
• Ability to configure a TLS 1.3 server to prefer PSK-only key exchange during session resumption
• Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
• Added exporter for CMake on Unix and Windows, alongside the pkg-config exporter.
• And more. Please check out CHANGES.md for a full list of changes between OpenSSL 3.2 and OpenSSL 3.3.

No further features or API changes are planned for 3.3 beyond those listed above. We will not be accepting any additional features for 3.3; any unmerged feature PRs will now be considered for 3.4.

The release process of OpenSSL 3.3 is being managed by Neil Horman (@nhorman). Details on the release schedule can be found on the new OpenSSL Release Schedule board on GitHub.

This year, we had the privilege of participating in FOSDEM for the first time. This offered us an opportunity to engage with the open source community at the conference, share our insights, and learn from the vast pool of knowledge that FOSDEM brings together.

FOSDEM, short for Free and Open Source Software Developers’ European Meeting, is an event that brings together thousands of open source developers, enthusiasts, and professionals from around the world. It’s a festival of knowledge, with workshops, talks, and sessions covering a myriad of topics from software development and security to hardware innovation and beyond.

For OpenSSL, going to FOSDEM gave us the unique opportunity to meet face-to-face with individuals from the varied open source community and share experiences, challenges, and solutions in the realm of open source.

One of the highlights of our participation was the stand we hosted at FOSDEM this year. To celebrate our 25th anniversary we handed out over 300 T-Shirts at FOSDEM. We wanted to give a token to express our gratitude to the incredible open source community that has supported the project throughout the years.

As our mission and values states “We believe in the principles of open source software, not only for its inherent values but also for the transparency and accountability it provides to our security and privacy tools.” Our participation at FOSDEM has reinforced our values and we look forward to continuing our journey in the world of open source.

We are thrilled to announce our upcoming webinar, Writing Your First OpenSSL Application.

This webinar is designed to take you from an understanding of basic cryptography concepts to writing your first secure application using OpenSSL. It’s the perfect starting point for anyone looking to dive into the world of secure application development. Here’s what we’ll cover:

• Define the use cases for which OpenSSL can be used
• How to find documentation to learn how to use OpenSSL in applications
• How to write applications using OpenSSL
• How to test and verify functionality of OpenSSL applications
• How to identify and fix bugs in OpenSSL applications
• Q&A Session: Have your questions answered by our OpenSSL experts. This is a great opportunity to clear up any doubts and gain additional insights.

By the end of this presentation, the audience should be able to match their application needs to OpenSSL library features, find documentation to explain how to leverage those features, create applications using OpenSSL, and learn how to detect and understand errors that may arise.

Event Details

• Date: Mar 28, 2024
• Time: 09:00 AM Pacific Time (US and Canada)
• Location: Online (Zoom)

How to Register

Registering for the webinar is simple. Just click here, fill in your details, and you’ll receive a confirmation email with all the information you’ll need to join us on the day of the event. You will need to register in order to be able to attend the webinar.

Intended Audience

With cyber threats evolving every day, the importance of secure software cannot be overstated. This webinar will provide valuable insights and practical skills to audiences looking to start a career in cybersecurity, aiming to enhance their current skills, or are simply curious about secure application development.

Don’t miss this opportunity to embark on your journey with OpenSSL and secure application development. Register today and take the first step toward mastering the art of writing secure software. See you at the webinar!

Email us at feedback@openssl.org if you have any questions or comments.

The Alpha release of OpenSSL 3.3 is now live. This release is in accordance with our adoption of biannual time-based releases. As this is an alpha release, it is intended for development and testing purposes. It represents the first step in our planned release of OpenSSL 3.3. To view the full 3.3 release schedule please refer to this blog.

OpenSSL 3.3 will feature the following new features:

• QUIC qlog diagnostic logging support
• Support for the non-blocking polling of multiple QUIC connection or stream objects
• Support for optimised generation of end-of-stream frames for QUIC connections
• Support for disabling QUIC event processing when making API calls
• Support for configuring QUIC idle timeout durations
• Support for querying the size and utilisation of a QUIC stream’s write buffer
• RCU lock infrastructure for performance enhancements
• Support for RFC 9480 and RFC 9483 extensions to CMP
• Ability to disable OpenSSL usage of atexit(3) at build time
• Year 2038-compatible SSL_SESSION APIs
• Ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested
• Ability to ignore unknown algorithm names in TLS signature algorithm and group configuration strings
• Ability to configure a TLS 1.3 server to prefer PSK-only key exchange during session resumption

No further features or API changes are planned for 3.3 beyond those listed above. We will not be accepting any additional features for 3.3; any unmerged feature PRs will now be considered for 3.4.

The release process of OpenSSL 3.3 will be managed by Neil Horman (@nhorman). Details on the release schedule can be found on the new OpenSSL Release Schedule board on GitHub.

We are pleased to announce our schedule for the April release of OpenSSL 3.3. In accordance with our adoption of biannual time-based releases following the release of OpenSSL 3.2, this will be our first time-based release.

The release schedule is as follows:

• An alpha of OpenSSL 3.3 will be made on 20 March 2024.

• A beta of OpenSSL 3.3 will then be made on 29 March 2024.

• The expected final release date for OpenSSL 3.3.0 is 10 April 2024. Backup release dates are 17 April 2024 and 24 April 2024.

Additional alphas and betas are not anticipated.

OpenSSL 3.3 will feature the following new features:

• QUIC qlog diagnostic logging support
• Support for the non-blocking polling of multiple QUIC connection or stream objects
• Support for optimised generation of end-of-stream frames for QUIC connections
• Support for disabling QUIC event processing when making API calls
• Support for configuring QUIC idle timeout durations
• Support for querying the size and utilisation of a QUIC stream’s write buffer
• RCU lock infrastructure for performance enhancements
• Support for RFC 9480 and RFC 9483 extensions to CMP
• Ability to disable OpenSSL usage of atexit(3) at build time
• Year 2038-compatible SSL_SESSION APIs
• Ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested
• Ability to ignore unknown algorithm names in TLS signature algorithm and group configuration strings
• Ability to configure a TLS 1.3 server to prefer PSK-only key exchange during session resumption

No further features or API changes are planned for 3.3 beyond those listed above. We will not be accepting any additional features for 3.3; any unmerged feature PRs will now be considered for 3.4.

The release process of OpenSSL 3.3 will be managed by Neil Horman (@nhorman). Details on the release schedule can be found on the new OpenSSL Release Schedule board on GitHub.

The release of the subsequent feature release, OpenSSL 3.4, will occur no later than 31 October 2024.

As many of you are aware we have undergone a lot of internal organisation changes within the OpenSSL Project in the last couple of years, one of the key changes being the introduction of the OpenSSL Working Group.

In the February 2023 face-to-face meeting we decided to create the OpenSSL Working Group in an effort to be more efficient at addressing and executing on decisions made.

The WG was formed as an initiative to include more people into the OpenSSL decision making process and organize a place where OMC members, engineering, management, paid team members, and invited third parties all meet together and tackle urgent issues together and in a timely manner.

As a result we have been able to for the first time ever in the history of OpenSSL come close to hitting a committed release date, we had initially aimed for an October release and we got it out in early November. Now as we have moved on to a time-based release schedule, the Working Group has been keeping us on track to have our April release date.

Other things the Working Group has guided the project on include:

• Providers Workshop
• Creation of regular webinars and a YouTube channel
• Improved Documentation - OpenSSL Onboarding Documents, OpenSSL Flyers, OpenSSL Banners etc
• Regular updates on the internal workings of the project via project board, blogs, and email
• Hosted a stand at FOSDEM
• Celebrating our 25 year anniversary with our contributors and community members
• And much more!

To get a more in-depth look into what the Working Group is working on every week please take a look at our public project board where we track almost every issue publicly, minus a couple items that require privacy. The working group has proven instrumental in increasing trust and confidence in the project by making sure decisions are made in a timely manner so that the OpenSSL Project can gain a reputation of being a reliable and sustainable open source project.

If you have any questions or concerns please contact us at feedback@openssl.org

Exciting news in the world of online security! NetApp, an intelligent data infrastructure company, is now a Gold Sponsor of OpenSSL, showing their strong support for making the internet a safer place for everyone.

NetApp’s sponsorship brings valuable resources to OpenSSL, enabling the project to accelerate development, conduct thorough security audits, and ensure ongoing maintenance and support. In return, NetApp gains access to cutting-edge cryptographic technologies, contributing to the enhancement of its own security solutions and reinforcing its position as a leader in data management.

This teamwork shows how powerful it can be when companies invest in the tools that keep our online world secure. As NetApp and OpenSSL work together, they’re not just making their own projects better – they’re inspiring others to join in and make the whole online community stronger.

Contact us at feedback@openssl.org or on GitHub Discussions if you have any questions or comments.

In the fast-paced world of cybersecurity, the ability to secure digital assets is paramount. We’re excited to announce our upcoming webinar, “Getting Started with OpenSSL,” which is designed to provide attendee’s with a solid foundation in using OpenSSL to enhance the security of their applications and systems. Join us for this webinar and learn all about OpenSSL’s purpose, features, and components.

Why Attend? Empower Yourself: Gain practical skills to implement OpenSSL in your projects. Community Engagement: Connect with a community of security-conscious individuals.

Save the Date: 📅 Date: Feb 06, 2024 🕒 Time: 08:00 AM Pacific Time (US and Canada 📍 Location: https://zoom.us/webinar/register/WN_GWqOVe4FRZC-IctgLzmpBQ

Secure your spot now and embark on a journey to unlock the secrets of OpenSSL. Don’t miss this opportunity to enhance your cybersecurity knowledge. Register today and stay one step ahead in safeguarding your digital assets!