OpenSSL 1.1.1 End Of Life
We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.
Blog
OpenSSL FIPS Update and Expansion of Rebranding Offer
We are thrilled to inform you that the complimentary FIPS rebranding service for our premium support customers has been extended. As part of this non-contractual benefit, premium support customers are entitled to one rebranding of any of our FIPS provider certificates per year, completely free of charge.
OpenSSL 3.1 Final Release
We are pleased to announce that the forthcoming OpenSSL 3.1 release is to be made available on 14th March 2023.
OpenSSL 3.1 Release Candidate
The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee (OTC) are glad to announce our first beta release of OpenSSL 3.1. We consider this to be a release candidate and as such encourage all OpenSSL users to build and test against this beta release and provide feedback.
OpenSSL 3.1 alpha release
The OpenSSL Management Committee and the OpenSSL Technical Committee are glad to announce the alpha release of OpenSSL 3.1.
CVE-2022-3786 and CVE-2022-3602: X.509 Email address buffer overflows
Today we published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).
Please read the advisory for specific details about these CVEs and how they might impact you. This blog post will address some common questions that we expect to be asked about these CVEs.
Configuring supported TLS groups in OpenSSL
The configuration of supported groups in TLS servers is important to limit the resource consumption of the TLS handshakes performed by the server. This blog post should give system administrators a few useful hints on how to configure the OpenSSL library and two of the most used open source HTTP servers which use the OpenSSL library for supporting the HTTPS protocol.
UPDATE: The post was updated to mention the new CVE-2022-40735 vulnerability.
RIPEMD160 and the legacy provider
With the release of OpenSSL 3.0 and the new provider architecture,
some algorithms that were considered legacy by the OpenSSL team at the
time were moved to the legacy provider, to be loaded optionally by
those wishing to still use any of said algorithms.
FIPS 140-3 Plans
The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project is pleased to announce that the project is partnering with KeyPair Consulting and Acumen Security to validate OpenSSL to meet the requirements of the FIPS 140-3 standard.
OpenSSL Presentation at ICMC22 Conference
After 2 years of forced covid break, OpenSSL once again presented at the ICMC22 conference. The conference was a very pleasant meet-up of the community around cryptography and cryptographic modules. There were a lot of insights, feedback, and discussions around IT security. OpenSSL gave a talk on the Current Status of OpenSSL.