
OpenSSL 3.0.0 released

Version 3.0 of the OpenSSL TLS library has been released; the large version-number jump (from 1.1.1) reflects a new versioning scheme.

Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecation warnings. We have put together a migration guide to describe the major differences in OpenSSL 3.0 compared to previous releases.

OpenSSL has also been relicensed to Apache 2.0, which should end the era of "special exceptions" needed to use OpenSSL in GPL-licensed applications. See this blog entry and the changelog for more information.


From:  OpenSSL <openssl-AT-openssl.org>
To:  openssl-project-AT-openssl.org, OpenSSL User Support ML <openssl-users-AT-openssl.org>, OpenSSL Announce ML <openssl-announce-AT-openssl.org>
Subject:  OpenSSL version 3.0.0 published
Date:  Tue, 07 Sep 2021 12:04:20 +0000
Message-ID:  <20210907120420.GA3531__27664.5093037345$1631016424$gmane$org@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


   OpenSSL version 3.0.0 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 3.0.0 of our open source toolkit for SSL/TLS.
   For details of the changes, see the release notes at:

        https://www.openssl.org/news/openssl-3.0-notes.html

   Specific notes on upgrading to OpenSSL 3.0 from previous versions are
   available in the OpenSSL Migration Guide, here:

        https://www.openssl.org/docs/man3.0/man7/migration_guide....

   OpenSSL 3.0.0 is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

    o openssl-3.0.0.tar.gz
      Size: 14978663
      SHA1 checksum:  3be896f1b33bc01af874ccca701a6f700af9de20
      SHA256 checksum:  59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536

   The checksums were calculated using the following commands:

    openssl sha1 openssl-3.0.0.tar.gz
    openssl sha256 openssl-3.0.0.tar.gz

   Yours,

   The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
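
Checking a downloaded tarball against the size and SHA-256 value published in the announcement above, as an added example that is not part of the original announcement or of the OpenSSL project's tooling. The function names `sha256_of` and `verify_release` are illustrative; the file name, size and digest are the ones quoted above.

```shell
#!/bin/sh
# Added example: fail-closed check of a release tarball against the size and
# SHA-256 digest published in the announcement above.

# Values copied from the announcement.
RELEASE_FILE="openssl-3.0.0.tar.gz"
RELEASE_SIZE=14978663
RELEASE_SHA256="59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536"

# Print the hex SHA-256 of a file. Prefer the openssl CLI, as the
# announcement does, and fall back to coreutils sha256sum.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# verify_release FILE EXPECTED_SIZE EXPECTED_SHA256
# Returns 0 only if both size and digest match; 1 on mismatch, 2 if missing.
verify_release() {
    file=$1 want_size=$2 want_hash=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Cheap check first: a truncated download fails here without hashing.
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: got $got_size, want $want_size" >&2
        return 1
    fi
    got_hash=$(sha256_of "$file" | tr 'A-F' 'a-f')
    # An empty digest (tool failure) is treated as a mismatch, not a pass.
    if [ -z "$got_hash" ] || [ "$got_hash" != "$want_hash" ]; then
        echo "SHA-256 mismatch: got ${got_hash:-<none>}" >&2
        return 1
    fi
    echo "OK: $file"
}

# Run against the real tarball only when it is in the current directory.
if [ -f "$RELEASE_FILE" ]; then
    verify_release "$RELEASE_FILE" "$RELEASE_SIZE" "$RELEASE_SHA256"
fi
```

A matching digest shows the file is the one the announcement describes; the authenticity of the announcement itself rests on its PGP signature.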



OpenSSL 3.0.0 released

Posted Sep 7, 2021 15:25 UTC (Tue) by willy (subscriber, #9762) [Link]

OpenSSL 3.0.0 released

Posted Sep 7, 2021 15:52 UTC (Tue) by josh (subscriber, #17465) [Link] (3 responses)

And there was much rejoicing.

License issues due to the original OpenSSL license were a headache when I first started working in Open Source 20 years ago. I'm glad that those issues can now be a thing of the past.

OpenSSL 3.0.0 released

Posted Sep 7, 2021 18:06 UTC (Tue) by joib (subscriber, #8541) [Link] (2 responses)

Now we can spend the following 20 years arguing whether Apache-2.0 really is incompatible with GPL-2.0-only! :)

OpenSSL 3.0.0 released

Posted Sep 7, 2021 18:45 UTC (Tue) by josh (subscriber, #17465) [Link] (1 responses)

Many people (myself included) believe it is incompatible, and many projects acknowledge it as such. There are relatively few GPLv2-only projects out there. Any GPLv3 project is compatible, any v2-or-later project is compatible (though I *completely* understand the aversion to "or later" licensing), and I think energy spent on arguing for the compatibility of v2 with Apache-2.0 would be better spent relicensing projects to v3 or v2-and-v3, or if absolutely necessary, v2 with an exception for Apache-2.0.

Also, the Linux kernel has already made arrangements with several authors of crypto code in OpenSSL to use that code under more permissive licensing that's GPLv2-compatible. Such arrangements may work for other GPLv2 projects that need specific bits.

OpenSSL 3.0.0 released

Posted Sep 20, 2021 22:44 UTC (Mon) by augustz (guest, #37348) [Link]

Many folks using Apache or MIT licenses are not on the same page with FSF, especially around GPLv3.

Here is the ASF statement: "We avoid GPLv3 software because merely linking to it is considered by the GPLv3 authors to create a derivative work. We want to honor their license. Unless GPLv3 licensors relax this interpretation of their own license regarding linking, our licensing philosophies are fundamentally incompatible."

OpenSSL 3.0.0 released

Posted Sep 7, 2021 17:34 UTC (Tue) by patrick_g (subscriber, #44470) [Link] (3 responses)

It's time for a LWN article comparing OpenSSL and LibreSSL.

OpenSSL 3.0.0 released

Posted Sep 7, 2021 18:26 UTC (Tue) by atai (subscriber, #10977) [Link] (1 responses)

and boring, wolf, etc.

OpenSSL 3.0.0 released

Posted Sep 8, 2021 5:50 UTC (Wed) by wahern (subscriber, #37304) [Link]

BoringSSL is a fork of OpenSSL similar to LibreSSL. LibreSSL forked first, then BoringSSL a few months later. Early on LibreSSL and BoringSSL exchanged a lot of code as they furiously worked to hide various APIs behind opaque pointers. One of the biggest problems making it difficult to improve OpenSSL code quality was that the APIs relied too heavily on macros accessing structure members, which made even bug fixes, not to mention refactors, extremely difficult without breaking either the API or, especially, the ABI.

WolfSSL has no relationship to OpenSSL. It's another TLS stack entirely. Like many TLS stacks, it offers an OpenSSL-compat interface, which because of the nature of OpenSSL's original API (see above) were always rather limited in scope and not particularly helpful when porting any but the simplest applications.

LibreSSL

Posted Sep 7, 2021 18:30 UTC (Tue) by corbet (editor, #1) [Link]

It's probably not quite what you are looking for, but we ran this article on LibreSSL back at the beginning of the year.

OpenSSL 3.0.0 released

Posted Sep 8, 2021 8:46 UTC (Wed) by NAR (subscriber, #1313) [Link] (6 responses)

> Other major new features
> [...]
> A proper HTTP(S) client

I understand that the openssl library needs an HTTP(S) client to check weather a certificate has been withdrawn. What I don't understand is that why do they carry their own implementation instead of using a library like libcurl. Do they want to avoid any external dependency? Or there isn't a HTTP client that works on all platforms that openssl supports? Or there's a chicken-and-egg problem, open source HTTP clients tend to depend on openssl?

OpenSSL 3.0.0 released

Posted Sep 8, 2021 10:23 UTC (Wed) by grawity (subscriber, #80596) [Link] (1 responses)

I suspect dependencies may be the reason, and not just circular dependencies on openssl (but that's certainly a headache for packagers too).

If you look through lddtree, it turns out libcurl links against a whole lot of stuff you might not necessarily want to have loaded into your address space (not saying harmful, but more like memory usage, symbol conflicts, and stuff like that). I guess libfetch etc would be lighter but also not as readily available.

But yes, it reminds me of Pidgin (the IM client), which at some point removed well over a dozen hand-rolled HTTP clients from its codebase...

OpenSSL 3.0.0 released

Posted Sep 8, 2021 21:14 UTC (Wed) by JanC_ (guest, #34940) [Link]

And libcurl itself also implements a lot of protocols other than just HTTP(S), so it’s not only the dependencies that can be considered “too much”…

OpenSSL 3.0.0 released

Posted Sep 8, 2021 15:51 UTC (Wed) by ballombe (subscriber, #9523) [Link] (3 responses)

> I understand that the openssl library needs an HTTP(S) client to check weather

Indeed, as everybody else.

OpenSSL 3.0.0 released

Posted Sep 9, 2021 13:42 UTC (Thu) by amw (subscriber, #29081) [Link] (2 responses)

I just look out of the window :-)

OpenSSL 3.0.0 released

Posted Sep 10, 2021 4:26 UTC (Fri) by calumapplepie (guest, #143655) [Link] (1 responses)

HTTPSS is what I recommend to all my friends: all communication is done via smoke signal.

OpenSSL 3.0.0 released

Posted Sep 10, 2021 15:57 UTC (Fri) by KJ7RRV (subscriber, #153595) [Link]

For added security, I recommend HTTPSSS. Unencrypted smoke signals are quite simple to intercept.


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.