OpenSSL 3.0 Officially Released After 3 Years of Development Work

OpenSSL 3.0 is now available for download as a major update to this widely-used cryptography and SSL/TLS toolkit.

The OpenSSL Software Foundation released a completely refreshed version of the OpenSSL software, that handles much of the encrypted communications on the Internet. After over 7,500 commits and contributions from over 350 different authors, OpenSSL 3.0 is finally here.

OpenSSL’s reputation took a serious hit 7 years ago with the Heartbleed bug. In short, in 2012 the German programmer Dr. Robin Seggelmann added a new feature and forgot to validate a variable containing a length.

And then for about 2 years the defective code was used, at one time or another, by almost ever Internet user in the world. A fixed version was released in April 2014, on the same day Heartbleed was publicly disclosed.

What is OpenSSL

In short, OpenSSL is a cryptography toolkit implementing the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) network protocols and related cryptography standards required by them.

The OpenSSL command line tool is commonly used to generate private keys, create CSR (Certificate Signing Request), install your SSL/TLS certificate, and identify certificate information.

Related: Let’s Encrypt: Get Free SSL Certificate Using Certbot

Nowadays most of the Linux distributions come with OpenSSL pre-compiled.

What’s New in OpenSSL 3.0

OpenSSL 3.0 introduces a number of new concepts that application developers and users of OpenSSL should be aware of. An overview of the key concepts in libcrypto is available in the libcrypto manual page.

A key feature of OpenSSL 3.0 is the new FIPS module, with a plan to remove a slew of low-level API functions that could cases security issues. For those unfamiliar, FIPS (Federal Information Processing Standards) are a set of US Government security requirements for data and its encryption.

Currently the project’s lab is testing the module and pulling the paperwork for the FIPS 140-2 validation. The final certificate is not expected to be issued until next year.

Another big change is the new license policy. From OpenSSL 3.0 the project has switched to a standard Apache 2.0 license. That means the project can be used for commercial and non-commercial purposes. The old dual OpenSSL and SSLeay licenses still apply to older versions such as 1.1.1 and earlier.

You can download the OpenSSL 3.0 source code and integrate it into your apps, but note that since OpenSSL 3.0 is a major release, it is not fully backwards compatible with the previous OpenSSL version.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 68%