Blog

In July, 58 pull requests were approved for merge into the OpenSSL Library code base. There were also four people who contributed code for the first time:

• yzpgryx provided a fix to support the SM2 PEM format with matching tests.
• caolanm designated an unchanging structure to be constant.
• igus68 found a good first issue and fixed it. Before this fix, the OpenSSL cryptographic library would accept a certificate revocation list that was invalid according to the X.509 Public Key Infrastructure specification. Fun fact: Igor Ustinov represents the Individuals community on the Foundation Technical Advisory Committee and this is his first pull request. And he’s on a roll with another pull request that addresses an issue with the help wanted label.
• Saurabh825 corrected the order of options for the asn1parse command.

So far in the development cycle of OpenSSL 3.6, the plurality of changes come from developers paid by either the OpenSSL Corporation or Foundation. But individual contributions continue to make up a large proportion of commits (41%) and overall changes (28%). Additionally individual committers also have done 18.5% of reviews so far.

Early Bird registration is now open for the inaugural OpenSSL Conference, taking place from October 7 to 9, 2025, in Prague, Czech Republic. Take advantage of exclusive Early Bird rates and secure your spot now!

Join the global community of cryptographers, open-source innovators, security experts, and thought leaders who shape the future of secure communications. The OpenSSL Conference promises to be a landmark event, uniting diverse perspectives from across technical, enterprise, academic, and regulatory fields.

The freeze date for OpenSSL 3.6 Alpha is rapidly approaching. If you have a feature ready, please ensure that your associated PRs are posted, reviewed, and ready to be merged before the include/exclude decision date (Tuesday, August 5, 2025) and merged before the repository freeze date (Tuesday, August 19, 2025). Otherwise, the feature will be postponed until the next release.

Every month the OpenSSL Library receives code in the form of pull requests (PR) to GitHub. In June, 64 of those PRs were merged into the default branch of the repository thus becoming a part of the OpenSSL Library code base. Some of those changes came from developers paid by either the OpenSSL Foundation or the OpenSSL Corporation. Some of the changes come from developers who work for another company. And some, ~40% so far in 2025, come from individuals.

Recently we opened a short survey for people to share their OpenSSL stories. We’ve already heard from people who use OpenSSL to:

• Analyze QUIC traffic.
• Secure school cafeteria point of sale (POS) systems.
• Protect letters sent digitally to a printer before they are sent physically, on paper, via the postal system.
• Generate a JSON Web Token (JWT) from a PEM (Privacy Enhanced Mail) file without depending on a third party.
• Support software that depends on OpenSSL.

Release Announcement for OpenSSL Library 3.5.1, 3.4.2, 3.3.4, 3.2.5, and 3.0.17

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

CVEs fixed in 3.5.1:

• CVE-2025-4575 - LOW - Fix x509 application adds trusted use instead of rejected use. All other releases contain miscellaneous minor bug fixes. For details of the changes, refer to the release notes for versions 3.0, 3.2, 3.3, 3.4, and 3.5.

Specific notes on upgrading from previous versions are available in the OpenSSL Migration Guide.

Please note that we are no longer accepting new applications for this position.

OpenSSL Foundation is seeking a talented and motivated Software Engineer (C Developer) to contribute to the development and maintenance of the widely-used OpenSSL open-source cryptographic library.

If you’re reading this blog post, you probably don’t need us to tell you how essential, widespread, and important the OpenSSL Library is. While our open source model means that everyone is freely able to use these tools, it also means we here at the OpenSSL Foundation don’t actually know all the great stories of how these tools are being used.

We’re looking for real stories of how the OpenSSL Library benefits your end users.

The OpenSSL Conference 2025 is extending its Call for Papers (CFP) deadline to June 22, 2025.

We understand that the best proposals often come from teams deep in the trenches of real-world security work. You now have additional time to craft and submit the talk, panel, or workshop that challenges assumptions, advances cryptographic innovation, drives and shapes the future of secure communications.

From May 14–16, the OpenSSL Corporation hosted a face-to-face working session in Brno, Czech Republic. The meeting was designed to bring together participants from the OpenSSL Projects and convene in an in-person meeting of the Corporation’s Business Advisory Committee (BAC). The OpenSSL Foundation was invited to join on Wednesday and Thursday in the broader conversations with the OpenSSL Projects.

This was the first time these groups gathered in person in this configuration. The sessions served as an opportunity to strengthen working relationships, align on shared priorities, and focus on strategic coordination across the ecosystem.