OpenSSL 3.0 Released After 3 Years of Development

The OpenSSL Project last week announced the official release of OpenSSL 3.0, a version that has been under development for the past 3 years.

OpenSSL 3.0 is the successor to version 1.1.1. The latest version is the result of more than 7,500 commits and contributions made by over 350 individuals, and it took 17 alpha releases and two beta releases to prepare OpenSSL 3.0 for its official release.

The full-time engineers working on OpenSSL 3.0 have been aided by many users who have been testing the new release to ensure that it works with a wide range of applications in real-world environments.

The OpenSSL Project lists well over 200 changes between version 1.1.1 and 3.0. A migration guide that details the most significant changes has been made available.

“OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release,” explained the OpenSSL Project’s Matt Caswell. “Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecation warnings.”

Users have been advised to take action to prevent potential problems introduced by deprecated API functions.

They have also been informed about “a number of new concepts” and a new FIPS (Federal Information Processing Standard) module.

“Using the new FIPS module in your applications can be as simple as making some configuration file changes, although many applications will need to make other changes,” Caswell said.

The OpenSSL Project has also informed users that OpenSSL 3.0 has switched to Apache License 2.0.

OpenSSL 3.0 is available for download from GitHub and the project’s own Git repository. Users are encouraged to report any issues they encounter. OpenSSL 1.1.1 is the long-term support (LTS) version and it will continue to be supported until September 11, 2023.

The open source TLS library has evolved a great deal in terms of security since the disclosure of the Heartbleed vulnerability back in 2014, with only a handful of high-severity flaws being identified in the past few years. The most recent high-severity issue, patched last month, can allow an attacker to change an application’s behavior or cause the app to crash.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.