A short survey: what do you like about OpenSSL? What would you like to see in OpenSSL?

Hello OpenSSL Distribution community,
I hope you’re all doing well!
I’d like to run a short survey on OpenSSL usage and on what you like and don’t like, and to engage the whole distribution community more with the BAC and OpenSSL. The in-person meeting of the BAC is coming in the middle of May, and it would be a great opportunity to present results to the BAC and OpenSSL teams present there. Please try to respond by May 9th, 2025. However, any responses, even later ones, are more than welcome!
Feel free to skip any question you don't want to answer. If you prefer anonymous answers, please contact me directly.
1. What kind of distribution do you represent (e.g. Linux distribution, independent distributor, part of a product)?
2. What do you like and what suits you most about OpenSSL (from a distributor perspective)?
3. Is there anything you don’t like and what would you change about OpenSSL (from a distributor perspective)?
4. Do you certify OpenSSL as part of your compliance activities (e.g. FIPS 140, Common Criteria, etc.), or do you require certified OpenSSL for any security standard?
5. Do you participate in the upstream development, or are you downstream only? If downstream only, what are your reasons not to participate, and what would change it?
6. Anything you’d like to add?
Thanks,
Jaroslav
Dmitry Belyavsky Thu 24 Apr 2025 9:20AM
Linux distribution
Plugability and configurability
Getting upstream feedback is sometimes problematic
Yes, FIPS, CC
Yes

Steffen Land Thu 24 Apr 2025 9:57AM
Apache Lounge is providing up-to-date Windows binaries and popular third-party modules. Built with up-to-date dependencies like OpenSSL and the latest compilers, and tested thoroughly. The binaries are referenced by the ASF, Microsoft, PHP, etc., and more and more software is packaged with our binaries and modules.
The binaries are built with the sources from the ASF at httpd.apache.org and contain the latest patches and latest dependencies.
Moderators are committers or PMC members of the ASF Httpd project.
More info at https://www.apachelounge.com

Matěj Cepl Thu 24 Apr 2025 2:58PM
1. What kind of distribution do you represent (e.g. Linux distribution, independent distributor, part of a product)?
Employee of SUSE, a maintainer of Python packages (of course, talking just in my name, not in the name of my employer, yadayada), an upstream maintainer of M2Crypto.
2. What do you like, and what suits you most about OpenSSL (from a distributor perspective)?
Stability of API, stability of API, stability of API. It is painful that every upgrade of OpenSSL means days and days of fixing issues caused by API differences (I am a bit cranky right now, because I am just in the middle of upgrading to 3.5).
3. Is there anything you don’t like and what would you change about OpenSSL (from a distributor perspective)?
See above. Stability of API, stability of API, stability of API.
4. Do you certify OpenSSL as part of your compliance activities (e.g. FIPS 140, Common Criteria, etc.), or do you require certified OpenSSL for any security standard?
Not me personally, but yes our colleagues work on compliance activities.
5. Do you participate in the upstream development, or are you downstream only? If downstream only, what are your reasons not to participate, what would change it?
Both, although I am not upstream (outside of M2Crypto) as much as I would like to be.
Best,
Matěj
Anton Arapov · Thu 24 Apr 2025 5:46AM
@Communities - Distributions, I noticed that Jaroslav’s survey hasn’t received any responses yet. It’s crucial that we, as the Distributions community, provide our input to ensure our collective voice is heard.
Jaroslav has been proactive in seeking our feedback to represent our interests effectively. Let’s support his efforts by sharing our experiences and suggestions regarding OpenSSL. Your insights, whether positive or constructive, can significantly influence the project’s direction and improvements.
Let’s collaborate to make OpenSSL better for all distributions!