OpenSSL 3.0 Cryptographic Library Released with new license

OpenSSL 3.0

Recently, OpenSSL 3.0 was announced: the new major version of the popular cryptographic library, which is also one of the most essential components of the Internet. The release is the result of three years of work, during which there were 17 alpha releases, 2 betas and some 7,500 commits from 350 different authors.

OpenSSL 3 comes with many major changes that cover not only the software itself but also other aspects such as the documentation and the license used. As Matt Caswell explains in the official announcement, “there has been a 94% increase in the amount of documentation we have since OpenSSL 1.1.1 and an (adjusted) increase in ‘lines of code’ in our tests of 54%”.

Caswell also highlighted the community’s enthusiasm and its level of contribution activity. The new version of the library has been able to count on several dedicated engineers, who could be paid thanks to the funding the project has obtained through different channels.

Turning to the changes, we start with the license. Previous versions of OpenSSL were released under a dual license, the OpenSSL license together with the SSLeay license (which remains in force for those earlier releases), whereas OpenSSL 3 uses the Apache License 2.0, a permissive free and open-source license that is compatible with version 3 of the GPL but not with version 2.


Now to the software itself. OpenSSL supplies two types of API for invoking cryptographic algorithms: high-level ones (the EVP family), designed to work generically across all kinds of algorithms, and low-level ones, tied to one specific implementation of a single algorithm. The OpenSSL developers have discouraged use of the low-level APIs for many years, and have taken the opportunity of the major release to officially deprecate them.

Some cryptographic algorithms reachable through the Envelope API (EVP) have been marked as legacy: their use is discouraged as of OpenSSL 3, they are no longer available by default, and they have to be enabled manually by the application or the configuration.

OpenSSL 3 introduces the concept of providers, which collect and make available implementations of algorithms (in the 1.x series this role was played by the ENGINE API). An application can specify which providers to use either programmatically or through a configuration file, and five come as standard: default, legacy, fips, base and null. One of them is therefore the FIPS provider, so the validated implementations of the FIPS module ship with the release and are selected through the same mechanism, although like the legacy provider it must be explicitly activated.

The version scheme is another point that has changed in OpenSSL 3. Up to the 1.1.1 release, patch levels were indicated by a letter appended to the version number (1.1.1a, 1.1.1b, and so on); from the third major version onward the scheme is MAJOR.MINOR.PATCH. The third figure now indicates the patch level, a change in the second indicates that new features have been introduced, and a change in the first indicates that compatibility at the API and ABI level is not guaranteed.
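Anything that compares OpenSSL versions, such as an inventory script matching `openssl version` banners against a fixed-version list, has to understand both schemes: a naive string comparison ranks 3.0.10 below 3.0.9, and treats the letter in 1.1.1k as noise. The parser below is an added example written for this page, not code from the OpenSSL project; the type and function names (ossl_version, ossl_version_parse, ossl_version_cmp, ossl_change_kind and their string wrappers) are the example's own, and the letter ranking it uses for 1.x only has to preserve ordering, it is not the encoding OpenSSL itself uses internally.

```c
/* Added example, not OpenSSL project code. Build: cc ossl_version.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A parsed version, normalised so both schemes compare as one tuple:
 *   1.x  "1.1.1k" -> {1,1,1,11}  (letter rank carries the patch level)
 *   3.x  "3.0.7"  -> {3,0,0,7}   (third number is the patch level) */
typedef struct {
    int major, minor, fix, patch;
} ossl_version;

typedef enum {
    CHANGE_INVALID = -1,  /* a version string did not parse */
    CHANGE_NONE,
    CHANGE_PATCH,         /* only the patch level moved: bug and security fixes */
    CHANGE_FEATURES,      /* a feature position moved: new functionality */
    CHANGE_API_ABI,       /* major moved: no API/ABI compatibility guarantee */
    CHANGE_DOWNGRADE
} ossl_change;

/* Parse "3.0.7", "1.1.1k" or an `openssl version` banner such as
 * "OpenSSL 1.1.1k  25 Mar 2021". Returns 1 on success, 0 on malformed input. */
int ossl_version_parse(const char *s, ossl_version *v)
{
    const char *p = s;
    int a, b, c, n = 0;

    while (isspace((unsigned char)*p))
        p++;
    if (strncmp(p, "OpenSSL", 7) == 0) {          /* banner prefix is optional */
        p += 7;
        while (isspace((unsigned char)*p))
            p++;
    }
    if (sscanf(p, "%d.%d.%d%n", &a, &b, &c, &n) != 3 || n == 0 || a < 0 || b < 0 || c < 0)
        return 0;
    p += n;
    v->major = a;
    v->minor = b;
    if (a >= 3) {                                  /* MAJOR.MINOR.PATCH: no letters allowed */
        v->fix = 0;
        v->patch = c;
        if (isalpha((unsigned char)*p))
            return 0;
    } else {                                       /* 1.x: trailing letters are the patch level */
        v->fix = c;
        v->patch = 0;
        while (islower((unsigned char)*p)) {       /* "a" < "b" < ... < "z" < "za" */
            v->patch = v->patch * 26 + (*p - 'a' + 1);
            p++;
        }
    }
    /* Whatever follows may only be end of string, the banner's date, or a "-pre"/"-dev" suffix. */
    return *p == '\0' || isspace((unsigned char)*p) || *p == '-';
}

static int cmp_int(int a, int b) { return (a > b) - (a < b); }

/* Lexicographic comparison of the normalised tuple: -1, 0 or 1. */
int ossl_version_cmp(const ossl_version *x, const ossl_version *y)
{
    int c;
    if ((c = cmp_int(x->major, y->major)) != 0) return c;
    if ((c = cmp_int(x->minor, y->minor)) != 0) return c;
    if ((c = cmp_int(x->fix, y->fix)) != 0) return c;
    return cmp_int(x->patch, y->patch);
}

/* What an upgrade from `from` to `to` implies under the 3.x rules: the patch
 * position means fixes only, any other position means new features, and a new
 * major means no API/ABI guarantee (which covers 1.1.1 -> 3.0.x as well). */
ossl_change ossl_change_kind(const ossl_version *from, const ossl_version *to)
{
    int c = ossl_version_cmp(from, to);
    if (c == 0) return CHANGE_NONE;
    if (c > 0) return CHANGE_DOWNGRADE;
    if (from->major != to->major) return CHANGE_API_ABI;
    if (from->minor != to->minor || from->fix != to->fix) return CHANGE_FEATURES;
    return CHANGE_PATCH;
}

/* String conveniences: -2 / CHANGE_INVALID when either input does not parse. */
int ossl_version_cmp_str(const char *a, const char *b)
{
    ossl_version x, y;
    if (!ossl_version_parse(a, &x) || !ossl_version_parse(b, &y)) return -2;
    return ossl_version_cmp(&x, &y);
}

ossl_change ossl_change_kind_str(const char *from, const char *to)
{
    ossl_version x, y;
    if (!ossl_version_parse(from, &x) || !ossl_version_parse(to, &y)) return CHANGE_INVALID;
    return ossl_change_kind(&x, &y);
}

int main(void)
{
    /* Constructed sample banners, in the format `openssl version` prints. */
    const char *installed = "OpenSSL 1.1.1k  25 Mar 2021";
    const char *fixed[] = { "1.1.1l", "3.0.0", "3.0.10" };
    for (size_t i = 0; i < sizeof fixed / sizeof *fixed; i++)
        printf("%-28s vs %-7s cmp=%2d change=%d\n", installed, fixed[i],
               ossl_version_cmp_str(installed, fixed[i]), ossl_change_kind_str(installed, fixed[i]));
    printf("strcmp(\"3.0.10\",\"3.0.9\") < 0 ? %d   (naive string compare is wrong)\n",
           strcmp("3.0.10", "3.0.9") < 0);
    printf("ossl_version_cmp_str(\"3.0.10\",\"3.0.9\") = %d\n", ossl_version_cmp_str("3.0.10", "3.0.9"));
    return 0;
}
```

The parser rejects a letter suffix on a 3.x version, which is the quickest way to catch tooling that still assumes the old scheme; a pre-release suffix such as "-dev" is accepted but, by design, compares equal to the release it precedes.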

Other improvements and novelties: an implementation of the Certificate Management Protocol (CMP), which also covers CRMF and HTTP transfer; a proper HTTP and HTTPS client in libcrypto that supports GET and POST, redirection, plain and ASN.1-encoded content, proxies and timeouts; and support for the Linux kernel's TLS offload (KTLS).

All the details of OpenSSL 3 can be consulted in the official announcement and the project wiki, and the library can be downloaded from the corresponding section of the project website. Upgrading from version 1.1.1, which is the LTS release, should be straightforward in most cases, but given the deprecated APIs and the provider changes it is worth proceeding with caution.
