Last week, the OpenSSL Project announced the formal release of OpenSSL 3.0, which has been in development for three years.
Version 1.1.1 of OpenSSL has been superseded by version 3.0. The most recent version is the result of over 7,500 commits and contributions from over 350 people, and it took 17 alpha versions and two beta releases to get OpenSSL 3.0 ready for release.
Many users have helped the full-time developers working on OpenSSL 3.0 test the new release to ensure that it works with a wide range of applications in real-world scenarios.
Between version 1.1.1 to version 3.0, the OpenSSL Project cites over 200 modifications. A migration guide has been made available that covers the most significant changes.
“OpenSSL 3.0 is a major release that is not fully backwards compatible with earlier releases,” said Matt Caswell of the OpenSSL Project. “Most OpenSSL 1.1.1 programmes will continue to function normally and will only need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some apps may require changes in order to build and function effectively, and many applications may require changes in order to prevent deprecation warnings.”
Deprecated API functions have been warned about, and users have been urged to take measures to avoid difficulties.
They were also told about “a few new concepts” and a new FIPS (Federal Information Processing Standard) module.
“Using the new FIPS module in your applications can be as simple as making a few configuration file modifications,” Caswell said, adding that many applications will require more changes.
OpenSSL 3.0 now runs under the Apache License 2.0, according to the OpenSSL Project.
OpenSSL 3.0 can be found on GitHub and in the project’s own Git repository. Any faults that users encounter are encouraged to be reported. The long-term support (LTS) version of OpenSSL is 1.1.1, which will be supported until September 11, 2023.
Since the Heartbleed vulnerability was revealed in 2014, the open source TLS library has improved significantly in terms of security, with only a few high-severity problems being discovered in recent years. The most recent high-severity flaw, which was patched last month, allows an attacker to alter the functionality of an app or force it to crash.