OpenSSL 3.0 alpha3 release
The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the third alpha release of OpenSSL 3.0.
As with any alpha release, the code is still experimental and many things can still change before the feature freeze planned for the beta release. In the following weeks more alpha releases will be issued to add more functionality, polish and improve the code and fix issues.
We have been talking about the development of the next major release of OpenSSL for a while, and you can read more about it in previous blog posts and about the planned changes in our design document.
This release comes three weeks after the last alpha pre-release, and saw a number of changes: 352 files were changed, with 7117 insertions and 3567 deletions. Among these changes, we can mention, in no particular order:
- general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl;
- general improvements and fixes in the CLI apps;
- cleanup of the EC API:
  - EC_METHOD became an internal-only concept, and functions using or returning EC_METHOD arguments have been deprecated;
  - EC_POINT_make_affine() and EC_POINTs_make_affine() have been deprecated in favor of automatic internal handling of conversions when needed;
  - EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult() have been deprecated, as such precomputation data is now rarely used;
  - EC_POINTs_mul() has been deprecated, as for cryptographic applications EC_POINT_mul() is enough.
- the CMS API got support for CAdES-BES signature verification;
- introduction of a new SSL_OP_IGNORE_UNEXPECTED_EOF option;
- improvements to the RSA OAEP support;
- FFDH support in the speed app;
- CI: added external testing through the GOST engine;
- fixes for various issues;
- extended and improved test coverage;
- additions and improvements to the documentation.
Once more, a lot of these enhancements wouldn’t have happened without the positive response of the community to previous alpha announcements. We wish to reiterate our thanks for all the feedback and the contributions from the users and developers that are testing the pre-release versions of OpenSSL, which are vital to the development process of the next release.
As a special note, I’d like to highlight on this occasion that recently the OpenSSL Management Committee published a message on the openssl-project mailing list seeking assistance from the community to take on a task related to the inclusion of X9.42 KDF into the upcoming FIPS provider in time for the FIPS validation process for OpenSSL 3.0. More details can be found in the original message.
For more details on upgrading to OpenSSL 3.0 from previous versions, as well as known issues and the status of current development, we collected specific notes on the OpenSSL wiki. We strongly encourage consulting (and contributing to) this wiki entry also to discover the most important changes in the upcoming OpenSSL 3.0 and how they might affect you and the code you maintain.
We are always keen to see oldtimers and newcomers alike proposing issues, fixes
and contributions, not only in the form of code, but also for manpages and wiki
documentation. At this point, it is particularly important to also make sure
that the documentation for the new architecture, for the new features, and for
the new deprecations and their replacements, is available, complete, up-to-date
and sufficiently clear for external users.
We prioritize GitHub issues and pull requests as the favourite channel for
contributing to the OpenSSL 3.0 project, but any form of interaction,
including on the openssl-users mailing list, is always welcome.
The feedback from the community, and your involvement in testing external applications and ENGINEs against the next version of OpenSSL and improving the documentation, are crucial to the continued quality of the OpenSSL Project.