Update NOW: OpenSSL 1.1.1’s Shelf-Life Has Ended
OpenSSL is the most popular SSL (Secure Socket Layer) and TLS (Transport Layer Security) program in Linux, Unix, Windows, and numerous operating systems. Besides operating systems, it’s used in web, security, and cloud applications. In other words, if you use anything requiring network security, chances are good you’re using OpenSSL.
So, you should pay attention when the OpenSSL Project officially announced the End of Life (EOL) for its Long Term Support (LTS) 1.1.1 version as of Sept. 11, 2023. From here on out, the 1.1.1 series will no longer get publicly available security updates.
Users who have procured OpenSSL 1.1.1 from an operating system vendor, such as through .rpm or .deb packages, or any other third-party source, might experience different support timelines. I wouldn’t bet on it, though. You must consult with your vendors to understand your support options.
In the meantime, as Alex Rybak, security expert and technology company Revenera’s Senior Director of Product Management, wrote on LinkedIn. “Make sure to update your OSS [open-source software] policies to auto-reject OpenSSL v1.1.1* since there will no longer be any security patches. Don’t forget to check your 3rd-party binaries for embedded versions of OpenSSL”.
Better still, upgrade to OpenSSL 3.1. This version will be supported until March 14, 2025. Or, better still, from where I sit, move to OpenSSL 3.0, which is an LTS release. It will be supported until Sept. 7, 2026.
The difference between 3.0 and 3.1 is that 3.1 includes some non-Federal Information Processing Standard (FIPS) validated algorithms. These algorithms are Triple DES ECB, Triple DES CBC, and EdDSA. Unless you specifically need one of these — or you don’t trust the FIPS algorithms — OpenSSL 3.0 is for you.
Of course, upgrading comes with its own problems. As OpenSSL warns, “Any application that currently uses an older version of OpenSSL will at the very least need to be recompiled in order to work with the new version.”
Ouch.
So, it’s possible that you really may be stuck supporting OpenSSL 1.1.1 for years to come. If that’s you, the OpenSSL Project offers a premium support contract. And, when I say “premium,” I mean premium.
Enterprise customers that have OpenSSL 1.1.1 or OpenSSL 1.02 baked into their applications or services can pay $50 thousand a year for extended support, including security fixes; Vendor Level Support for businesses using OpenSSL for a single product or product line costs $25 thousand annually; and Basic Support for companies that use OpenSSL in significant products or services and lack the internal resources to addressing their operational and application development issues. This last level will run you $15-thousand. Although OpenSSL does explicitly state this, I presume the Project will also offer security patches to lower support level customers.
This extended support doesn’t have a fixed end date. The OpenSSL Project aims to offer it as long as it remains a commercially viable option.
Shifting over is going to take a while. I know there are many programs embedded, and Internet of Things (IoT) devices that rely on OpenSSL 1.1.1, which will not be updated. The legacy problem will bite many users and companies in the rump. Eventually, you’ll have to upgrade. But, it’s going to take longer than everyone wants.
