OpenSSL Communities

Removal of SSLv3

Matt Caswell

Hi all,

This PR proposes to remove support for SSLv3 entirely. It has been disabled by default since 2016 (1.1.0) - but this PR would remove the code entirely.

https://github.com/openssl/openssl/pull/28044

What is the BAC's opinion on this?

Thanks

Matt

Dmitry Belyavsky Mon 21 Jul 2025 3:26PM

It definitely should be done for 4.0 but I think, if we don't break ABI, we can already do it in 3.6

James Bourne Mon 21 Jul 2025 5:50PM

Per the BAC meeting in Brno earlier this year, IMHO, all this obsolete code should be purged from the mainline product (à la LibreSSL). Perhaps move it to a supplemental library for backward compatibility or reference. So per @Dmitry Belyavsky, remove if it doesn't break the 3.6 ABI. 😽

Randall Becker Mon 21 Jul 2025 7:23PM

From my perspective, and for builds for the HPE NonStop community, SSLv3 is not being used - nor has been. It is not being configured into any packages, so removal should have no impact.

Paul Dale Mon 21 Jul 2025 9:13PM

The sooner it is completely removed the better IMO. Users have had nine years to ready themselves for this. That's generous.

If we absolutely must keep it around, I like the supplemental library idea.

Nicola Tuveri Tue 22 Jul 2025 3:27PM

So far I got 2 answers in the academics community, with diverging opinions on whether this is a 3.6 or 4.0 change, but general support for removing SSLv3 support as soon as it is proper.

https://openssl-communities.org/d/VF7No4lz/removal-of-sslv3