OpenSSL 3.0 is now available for download as a major update to this widely-used cryptography and SSL/TLS toolkit.
The OpenSSL Software Foundation released a completely refreshed version of the OpenSSL software, that handles much of the encrypted communications on the Internet. After over 7,500 commits and contributions from over 350 different authors, OpenSSL 3.0 is finally here.
OpenSSL’s reputation took a serious hit 7 years ago with the Heartbleed bug. In short, in 2012 the German programmer Dr. Robin Seggelmann added a new feature and forgot to validate a variable containing a length. And then for about 2 years the defective code was used, at one time or another, by almost ever Internet user in the world. A fixed version was released in April 2014, on the same day Heartbleed was publicly disclosed.
What is OpenSSL
In short, OpenSSL is a cryptography toolkit implementing the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) network protocols and related cryptography standards required by them.
The OpenSSL command line tool is commonly used to generate private keys, create CSR (Certificate Signing Request), install your SSL/TLS certificate, and identify certificate information.
Nowadays most of the Linux distributions come with OpenSSL pre-compiled.
What’s New in OpenSSL 3.0
OpenSSL 3.0 introduces a number of new concepts that application developers and users of OpenSSL should be aware of. An overview of the key concepts in libcrypto is available in the libcrypto manual page.
A key feature of OpenSSL 3.0 is the new FIPS module, with a plan to remove a slew of low-level API functions that could cases security issues. For those unfamiliar, FIPS (Federal Information Processing Standards) are a set of US Government security requirements for data and its encryption.
Currently the project’s lab is testing the module and pulling the paperwork for the FIPS 140-2 validation. The final certificate is not expected to be issued until next year.
Another big change is the new license policy. From OpenSSL 3.0 the project has switched to a standard Apache 2.0 license. That means the project can be used for commercial and non-commercial purposes. The old dual OpenSSL and SSLeay licenses still apply to older versions such as 1.1.1 and earlier.
You can download the OpenSSL 3.0 source code and integrate it into your apps, but note that since OpenSSL 3.0 is a major release, it is not fully backwards compatible with the previous OpenSSL version.