From Fedora Project Wiki

OpenSSL3.0

Summary

The OpenSSL package is rebased to version 3.0 and the dependent packages are rebuilt.

Owner

Current status

Detailed Description

The OpenSSL 3.0 release is going to be a significantly new release with changed ABI however with minimal API changes. That means most of the dependent packages will need just a rebuild to work with the new OpenSSL package. However (at least temporarily) a compat-openssl11 package will be provided along the base package so the operation of the Rawhide is not disrupted.

The OpenSSL 3.0 is still in development now but a first beta release should be done in June. After that time the work on the rebase will start and it should be possible to finish it still with a beta releases. Later releases up to the final one should not be disruptive and they should not break API/ABI.

Benefit to Fedora

This change introduces OpenSSL 3.0 with its significantly reworked internals which allow for better replacement of the crypto implementations via the Crypto Providers concept.

Scope

  • Proposal owners: Provide a compat-openssl11 package, identify dependent packages, provide the rebased openssl package, work with dependent package owners on rebuilds.
  • Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes but for some more fragile dependencies (mostly language bindings) there might be changes needed especially in the test cases which depend on some legacy behavior.
  • Release engineering: Releng issue #9390 If compat package is provided a mass rebuild should not be necessary.
  • Policies and guidelines: No update of packaging guidelines or other policies should be needed.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

If compat-openssl11 package is provided there should be no issues with upgrades.

How To Test

If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly. This should be covered by the comprehensive upstream testsuite of OpenSSL. However many dependent packages also provide good test coverage of OpenSSL functionality.

User Experience

There should be no impact on end-user experience.

Dependencies

There are many packages which depend on libssl or libcrypto from OpenSSL. Most of them should just work after rebuild with the new openssl package. However it is also not critically needed to rebuild everything at once if compat library compat-openssl11 package is provided.

Contingency Plan

If the openssl-3.0 is too unstable before the branching point of Fedora 36 we will not update the package and delay the change to Fedora 37.

If the openssl is already updated but it is found out to be too unstable later we can revert to previous version however a rebuild of all dependencies that were already rebuilt will be needed.

  • Contingency mechanism: Revert package, rebuild updated dependencies.
  • Contingency deadline: Before release
  • Blocks release? No
  • Blocks product? No

Documentation

OpenSSL 3.0 upstream design document

OpenSSL 3.0 release schedule

OpenSSL 3.0 migration guide

Release Notes

Fedora Linux 36 comes with OpenSSL 3.0 as the primary OpenSSL package. It brings support for Crypto Providers interface.