OpenSSL Communities

December 18 meeting minutes

Jon Ericson Fri 16 Jan 2026 2:45AM

Attendees:

  • Dmitry Belyavsky - Committers

  • Igor Ustinov - Individuals

  • Aditya Koranga - Small Businesses

  • Nicola Tuveri - Academics

  • Matt Caswell

  • Tomas Mraz

  • Jon Ericson

Old Business

  • Open hours (Jon)

    • I’m hoping to get this started in January. The basic principle is sound, it’s just a matter of getting the details set for an initial process (which could be modified over time).

New Business

  • Removing deprecated features from OpenSSL 4.0 (Matt)

    • ENGINEs #28548  

      • Announcement on the Library blog 

      • Adds a lot of complexity to the code, which is a maintenance burden and complexity is the enemy of security. (Matt)

      • Stubs can be included at application build time which allows applications that gracefully handle ENGINE failure to compile. (Matt)

      • Already merged to master

    • Custom ciphers #29299

      • Three types of custom ciphers:

        • Providers (unchanged)

        • Global EVP ciphers (unchanged)

        • EVP_CIPHER_meth allows people to construct their own custom ciphers (removed)

      • Removes more code than you might imagine which can only be reached when using EVP_CIPHER_meth, which is a fairly niche thing to do.

      • Already merged to master

    • Custom MDs #29344

      • Pretty much the same as the cipher methods, but for message digest (MD) functions

      • Merged to master

    • Custom PKEY #29384

      • Similar to the above but for PKEY

    • Custom ASN1

      • Not yet removed from master, but there is a PR

      • Remove ASN1 from the public API, but not internally where it’s still used.

      • This doesn’t introduce as much complexity (no #ifdef LEGACY, etc.)

      • So the plan is to remove this eventually? (Dmitry) Maybe (Matt)

      • Plans to get things ready to remove entirely next year. (Richard)

    • atexit cleanup #29385

      • libcrypto uses this to free up memory on exit. It was added early on, but causes all sorts of problems.

        • Some applications might dynamically load libcrypto and unload libcrypto later, which causes a crash on exit.

      • Plan is to not register an atexit handler at all.

        • Memory won’t be freed when libcrypto is unloaded (on exiting the program, for instance).

        • Some memory checkers (Valgrind, for instance) complain, though it’s not really a problem.

        • If an application wants to clean up memory, it can call OPENSSL_cleanup.

      • Dmitry has seen reports of this problem and this seems reasonable.

      • There are still potential problems with OPENSSL_cleanup, but it can be useful if you know what you are doing. (Tomas)