Change Proposal Name: rebase to OpenSSL 4.0

Summary

OpenSSL 4.0 is going to land in April 2026. It is a major release with many significant changes, and we should start preparing to it.

Owner

• Name: Dmitry Belyavskiy
• Email: dbelyavs@redhat.com

Current status

• Targeted release: Fedora Linux 45
• Last updated: 2026-03-23
• Announced
• Discussion thread
• FESCo issue: #3481
• Tracker bug: #2402319
• Release notes tracker: #264

Detailed Description

OpenSSL upstream has started development of the version OpenSSL 4.0 It will imply soname bump, removing ENGINE support, etc. As OpenSSL uses time-based release planning, the release would happen in April 2026.

If I'm not mistaken, this change could land only in Fedora 45, but I think it's worth considering the transition already.

We definitely would need an openssl3 package(s) including the one with engine support but I would better avoid being a primary maintainer of it.

Feedback

Benefit to Fedora

Fedora would get the latest stable version of OpenSSL, a corner-stone crypto toolkit used in a gazillion of projects.

We also get rid of engine support which is currently slowly degrading because of being superseded by providers.

Scope

• Proposal owners: rebasing OpenSSL to 4.0, and building OpenSSH and maybe some other crucial components to provide the system in an accessible state.

Maintaining the openssl3 package (but I would prefer offloading it to someone else)

• Other developers:

Rebuild their components against new version of OpenSSL (implying mass rebuild).

• Release engineering: #Releng issue number

Mass rebuild is required.

• Policies and guidelines: N/A (not needed for this Change)

• Trademark approval: N/A (not needed for this Change)

• Alignment with the Fedora Strategy: yes

Upgrade/compatibility impact

It depends on the openssl3 package presence. If it is present, previous packages would continue working. If not, the 3rd-party packages and packages using engines and deprecated API removed in 4.0 will be broken.

Early Testing (Optional)

Do you require 'QA Blueprint' support? Maybe

How To Test

All the components relying on OpenSSL should be rebuilt with the new version and pass the regular tests. If the openssl3 package is provided, the spec files for the packages not switching to the new version should be updated.

User Experience

There should not be any major UX changes.

Dependencies

A lot of them.

Contingency Plan

Providing the openssl3 package.

• Contingency mechanism: (What to do? Who will do it?) Provide openssl3 package for backward compatibility.
• Contingency deadline: N/A (not a System Wide Change)
• Blocks release? Yes/No

Documentation

• OpenSSL 4.0.0 Roadmap

Release Notes

OpenSSL is rebased to 4.0, and there are a lot of changes...