OpenSSL 3.0 Release Candidate

The OpenSSL Management Committee (OMC) and the OpenSSL Technical Committee
(OTC) are glad to announce our first beta release of OpenSSL 3.0. We consider
this to be a release candidate and as such encourage all OpenSSL users to build
and test against this beta release and provide feedback.

A lot of work has been going on over the last few months getting OpenSSL 3.0
ready for its final release. In fact the whole OpenSSL 3.0 development effort
has been huge with many different contributions from our user base. Since we
started this effort we have seen over 7000 commits to the 3.0 development branch
from over 300 different authors. Thanks to everyone who has played a part in
getting us to this point.

We are now nearing the finishing line and we are excited about the many new
features and changes that OpenSSL 3.0 will bring. Here are some of the
highlights:

- New Licence. OpenSSL 3.0 will now be released under the standard and widely
  used Apache License, version 2.0 rather than the custom “dual” (where both
  apply) OpenSSL and SSLeay licences that were used in 1.1.1 and before.
- New Versioning scheme. See this blog post for further details.
- Provider based architecture. A replacement for the old “engine” interface that
  enables much more flexibility and the ability for third party authors to add
  new crypto algorithms into OpenSSL.
- A new provider that will be undergoing validation to the FIPS 140-2 standard.
- Fully “pluggable” TLSv1.3 groups, enabling third party authors the ability
  to add in new TLS key exchange/encapsulation groups via a provider.
- New encoder and decoder support. This enables provider authors to read or
  write keys to/from files for algorithms that standard OpenSSL does not know
  about. It could also enable reading/writing to new key formats.
- A full implementation of the Certificate Management Protocol (CMP).
- New APIs for handling MACs (Message Authentication Codes), KDFs (Key
  Derivation Functions), and random numbers (EVP_RAND).
- Integrated support for Kernel TLS.

OpenSSL 3.0 is a major release, which means that the library ABI is changed
requiring recompilation of all dependent applications and there are also minor
API breaking changes. For most applications that need to be upgraded to work
with 3.0 we expect that a simple recompile will be sufficient. However, it is
likely that application developers will notice new deprecation warnings when
compiling their applications. Many of the “low level” cryptographic API
functions have been deprecated in preference to the higher level “EVP” APIs. For
detailed guidance on how to migrate applications to work with OpenSSL 3.0, refer
to our migration guide.
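
One way to find the deprecated "low level" calls before the compiler warnings do is to scan the C sources for them. The script below is an added example, not code from the OpenSSL project: the selection of function families and the replacement hints are choices made for this illustration, and the C snippet is constructed sample input.

```python
import re
# Low-level call families deprecated in OpenSSL 3.0 and the EVP-level API
# to migrate to. This selection is an assumption of the example, not a full list.
DEPRECATED = [
    (r"(?:MD5|SHA1|SHA224|SHA256|SHA384|SHA512)_(?:Init|Update|Final)",
     "EVP_DigestInit_ex/EVP_DigestUpdate/EVP_DigestFinal_ex"),
    (r"HMAC_(?:CTX_new|CTX_free|Init_ex|Update|Final)",
     "EVP_MAC_init/EVP_MAC_update/EVP_MAC_final"),
    (r"AES_(?:set_encrypt_key|set_decrypt_key|encrypt|decrypt|cbc_encrypt)",
     "EVP_EncryptInit_ex/EVP_DecryptInit_ex"),
    (r"RSA_(?:new|generate_key_ex|public_encrypt|private_decrypt|sign|verify)",
     "EVP_PKEY_* (keygen, encrypt, sign)"),
]
CALLS = [(re.compile(r"\b(" + pat + r")\s*\("), hint) for pat, hint in DEPRECATED]

NON_CODE = re.compile(
    r"//[^\n]*|/\*.*?\*/|\"(?:\\.|[^\"\\\n])*\"|'(?:\\.|[^'\\\n])*'", re.S)

def blank_non_code(src):
    """Blank comments and literals, keeping newlines so line numbers hold."""
    return NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def scan(src):
    """Return sorted (line, function, suggested replacement) findings."""
    code = blank_non_code(src)
    found = []
    for rx, hint in CALLS:
        for m in rx.finditer(code):
            line = code.count("\n", 0, m.start()) + 1
            found.append((line, m.group(1), hint))
    return sorted(found)

# Constructed sample input (not from any real project).
SAMPLE = '''\
#include <openssl/sha.h>
/* old code used MD5_Init(&c); here */
void digest(const unsigned char *p, size_t n, unsigned char *out) {
    SHA256_CTX c;
    SHA256_Init(&c);            // low-level, deprecated in 3.0
    SHA256_Update(&c, p, n);
    SHA256_Final(out, &c);
    puts("HMAC_Init_ex(ctx) is only mentioned in a string");
    EVP_DigestInit_ex(mctx, EVP_sha256(), NULL);  /* already EVP */
}
'''

if __name__ == "__main__":
    for line, name, hint in scan(SAMPLE):
        print(f"line {line}: {name}() -> use {hint}")
```

Mentions inside comments and string literals are ignored, so only real call sites are reported.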

Please download OpenSSL 3.0 beta1 from here
and let us know about any problems you encounter by opening an issue at our
GitHub page.