OpenSSL Communities

Foundation BAC meeting (July 29, 2025)

Jon Ericson

Attendees:

  • Nicola Tuveri - Academics

  • Paul Dale - Committers

  • Dmitry Belyavsky - Distributions

  • Tim Chevalier - Large Businesses

  • Matt Caswell

  • Tomas Mraz

  • Jon Ericson

Discussion:

  • Removal of SSLv3 (Matt)

    • Off by default for about a decade

    • 3.6 or 4.0?

    • Paul says yes for 3.6

    • Tomas wants to do it in 4.0 to avoid breaking semantic versioning. (Matt: +1)

    • Nicola says it’s not controversial to remove in the academic community

    • Dmitry mentioned that distributions don’t have a problem with it

    • Corporation BAC has an action item to warn the communities (Paul)

    • PR is actually really straightforward (Matt)

    • SSLv2 Client Hello accepted by default (because of Windows XP, which is still in use) (Matt)

    • The SSLv2 Client Hello can get you TLS1.0, if it’s available. (Tomas)

    • If the SSLv2 Client Hello is disabled, you won’t be able to accept connections from IE 6.0 on XP.

    • https://gs.statcounter.com/ (Dmitry)

  • BIGNUM update (Matt)

    • We have some potential funding, but we can’t actually discuss it just yet. You will see some announcements in a week or so, if all goes to plan. (Matt)

    • [Editor's note: we can now say the funding comes from the Sovereign Tech Fund. The agreement needed to be finalized before we could give this detail.]

    • Is there a problem statement for the update? (Dmitry)

    • BIGNUM constant time. Making BIGNUMs a fixed width as a solution. (Matt)

    • Will not be optimization of the sort of testing Red Hat is doing. (Matt)

    • We are not planning on doing a general BIGNUM library. We can make it constant time for the sizes of numbers needed for the algorithm. (Tomas)

    • Design and backward compatibility are part of the proposal. (Matt)

    • Could take up to a year to deliver, so not likely for 4.0. (Matt)

    • Could this go in a minor release? (Nicola)

    • Might require removing deprecated functions from 4.0 anyway. (Tomas)

    • We should be writing the design early on, so we will have time to deprecate things in time for 4.0. (Matt)

  • Conference/f2f update (Matt)

    • Joint F2F with the TAC the day before the conference (Monday the 6th). (Matt)

    • Thank everyone for reviewing all the talks! (Matt)

    • Hana is putting together the agenda to put on the website soon, as well as registration. (Matt)

    • [Editor's note: the agenda is now available and registration is open.]

    • Nicola says people at ITF are asking when the registration will open.

    • Will the portal for submitting talks close when registration opens? (Nicola)

    • Hana hasn’t said one way or another, but Matt will ask. Also check if we can take last submissions whether or not the portal is open.

    • Jon plans to moderate a panel at the conference with all TAC and BAC representatives for Q&A.

  • Release strategy: more prominence to cut-off dates (even if estimates subject to change) (Nicola)

    • Even in this call the feature freeze date wasn’t exactly known. (Nicola)

    • The exact date isn’t definitely known. (Matt)

    • Shifting a little later isn’t usually a problem. (Matt)

    • If we give the dates, we will get many PRs just before the freeze date and they won’t get merged. (Tomas)

    • PRs are waiting to get reviews, so it’s not just getting them in before the release. (Paul)

    • Expected week doesn’t mean a feature will be accepted, but it can still help with planning. (Nicola)

    • Dates would need a lot of caveats, etc. (Matt)

    • Nicola pointed out the feedback wasn’t from his constituents, but that feedback can still be valuable. Might be useful to raise the issue in the Corporation BAC.

  • AOB

    • None

Action items

  • Reach out to your communities to let them know SSLv3 will be removed and get feedback on timing

  • BAC comes back with a decision before August 12 (Nicola)

  • Investigate whether we can publish projected dates for feature freeze, alphas, etc. (Matt)