ENGINE code removed from the OpenSSL Library

OpenSSL 4.0, to be released in April 2026, is the first major release since 3.0, which replaced the ENGINE interface with providers. Removing ENGINEs is a primary goal of this major release, and this post describes the change agreed to by both the OpenSSL Corporation and the OpenSSL Foundation.

Summary

All symbols defined in openssl/engine.h have been removed from the shared library in OpenSSL 4.0. Applications that use the ENGINE API will fail to compile with the default build settings. This behavior matches what happens in previous versions when OpenSSL is built with the no-engine configuration option. Up-to-date applications should not include openssl/engine.h at all.

To ease the transition for applications that support the ENGINE API, it will be possible to compile against stub macros that avoid the compilation errors. Since ENGINEs may fail to load at run time even in 3.x, many applications already handle the case where an ENGINE is unavailable and continue anyway. Such applications can be compiled with OPENSSL_ENGINE_STUBS defined (for example by adding -DOPENSSL_ENGINE_STUBS to the compilation flags) to enable the stub implementations and keep working without any code changes. When the stubs are used, the only supported value for an ENGINE argument is NULL, meaning no engine.
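As an added example (not from the OpenSSL post), a POSIX shell audit that counts openssl/engine.h includes and ENGINE_*() call sites in a source tree, so a build can be gated before moving to 4.0; the file patterns, the placeholder engine id and the sample sources it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the OpenSSL post: audit a source tree for ENGINE API
# use before moving to OpenSSL 4.0. The file patterns, placeholder engine id and
# sample sources below are constructed for illustration.

# Number of source files that include openssl/engine.h (must be 0 for 4.0).
count_engine_includes() {
    grep -rl --include='*.c' --include='*.h' --include='*.cc' --include='*.cpp' \
        -E '^[[:space:]]*#[[:space:]]*include[[:space:]]*[<"]openssl/engine\.h[>"]' \
        "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Number of ENGINE_*( call sites across the tree.
count_engine_calls() {
    grep -rho --include='*.c' --include='*.h' --include='*.cc' --include='*.cpp' \
        -E 'ENGINE_[A-Za-z0-9_]+[[:space:]]*\(' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Exit 0 when the tree is ENGINE-free, 1 otherwise, so CI can gate on it.
audit_engine_use() {
    inc=$(count_engine_includes "$1")
    calls=$(count_engine_calls "$1")
    echo "$1: engine.h includes=$inc ENGINE_* calls=$calls"
    [ "$inc" -eq 0 ] && [ "$calls" -eq 0 ]
}

# Constructed sample tree: one legacy ENGINE user that already tolerates a
# missing engine, and one provider-based file with no ENGINE use.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/legacy" "$tree/modern"
    cat > "$tree/legacy/init.c" <<'EOF'
#include <openssl/engine.h>
int use_engine(void) {
    ENGINE *e = ENGINE_by_id("myengine");   /* placeholder engine id */
    if (e == NULL) return 0;                /* continue without an engine */
    ENGINE_init(e);
    ENGINE_free(e);
    return 1;
}
EOF
    cat > "$tree/modern/init.c" <<'EOF'
#include <openssl/provider.h>
int use_provider(void) { return OSSL_PROVIDER_load(NULL, "default") != NULL; }
EOF
    echo "$tree"
}
```

A tree with hits either needs migrating to providers or, when the code already tolerates a NULL ENGINE as the sample legacy file does, can be built with -DOPENSSL_ENGINE_STUBS as described above.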

As a reminder, OpenSSL 3.5, which includes the ENGINE API, is a long term stable (LTS) release supported until April 8, 2030.

Details

The ENGINE API was released in OpenSSL 0.9.6 on 24 September 2000. It was originally designed for supporting external cryptography devices, but ENGINEs proved useful for plugging in replacement implementations of cryptographic algorithms.

On 7 September 2021, OpenSSL 3.0 was released with support for providers, which are a more flexible way to introduce code into an application that uses OpenSSL. They were designed to overcome the known limitations of the ENGINE interface. For instance, ENGINEs were tied to the already defined set of algorithms, and you couldn't really add new algorithms.

The default provider supplies a large set of useful built-in algorithms, so providers are central to the OpenSSL model. Providers also allow applications to swap in third-party algorithms in order to increase cryptographic agility.

Now that ENGINEs have been superseded by providers, the ENGINE API, with its serious limitations and its use of already deprecated structures, has served its purpose. It adds to the complexity and size of the OpenSSL code base, so removing ENGINEs was a priority for OpenSSL 4.0. Removing other deprecated functionality is still under discussion.

To preview the ENGINE removal, see this PR which implemented the change. It has been merged into the default branch on the OpenSSL repository.