OpenSSL 3.0 Released After 3 Years of Development

The OpenSSL Project last week announced the official release of OpenSSL 3.0, a version that has been under development for the past 3 years.

OpenSSL 3.0 is the successor of version 1.1.1. The latest version is the result of more than 7,500 commits and contributions made by over 350 individuals, and it took 17 alpha releases and two beta releases to prepare OpenSSL 3.0 for its official release.

The full-time engineers working on OpenSSL 3.0 have been aided by many users who have been testing the new release to ensure that it works with a wide range of applications in real-world environments.

The OpenSSL Project lists well over 200 changes between version 1.1.1 and 3.0. A migration guide that details the most significant changes has been made available.

“OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release,” explained the OpenSSL Project’s Matt Caswell. “Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecations warnings.”

Users have been advised to take action to prevent potential problems introduced by deprecated API functions.

They have also been informed about “a number of new concepts” and a new FIPS (Federal Information Processing Standard) module.

“Using the new FIPS module in your applications can be as simple as making some configuration file changes, although many applications will need to make other changes,” Caswell said.

The OpenSSL Project has also informed users that OpenSSL 3.0 has switched to Apache License 2.0.

OpenSSL 3.0 is available for download from GitHub and the project’s own Git repository. Users are encouraged to report any issues they encounter. OpenSSL 1.1.1 is the long term support (LTS) version and it will continue to be supported until September 11, 2023.

The open source TLS library has evolved a great deal in terms of security since the disclosure of the Heartbleed vulnerability back in 2014, with only a handful of high-severity flaws being identified in the past few years. The most recent high-severity issue, patched last month, can allow an attacker to change an application’s behavior or cause the app to crash.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
