OpenSSL Communities

Removal of SSLv3

Matt Caswell, Mon 21 Jul 2025 3:00PM

Hi all,

This PR proposes to remove support for SSLv3 entirely. It has been disabled by default since 2016 (1.1.0) - but this PR would remove the code entirely.

https://github.com/openssl/openssl/pull/28044

What is the BAC's opinion on this?

Thanks

Matt

Dmitry Belyavsky, Mon 21 Jul 2025 3:26PM

It definitely should be done for 4.0 but I think, if we don't break ABI, we can already do it in 3.6

James Bourne, Mon 21 Jul 2025 5:50PM

Per the BAC meeting in Brno earlier this year, IMHO, all this obsolete code should be purged from the mainline product (à la LibreSSL). Perhaps move it to a supplemental library for backward compatibility or reference. So per @Dmitry Belyavsky, remove if it doesn't break the 3.6 ABI. 😽

Randall Becker, Mon 21 Jul 2025 7:23PM

From my perspective, and for builds for the HPE NonStop community, SSLv3 is not being used - nor has been. It is not being configured into any packages, so removal should have no impact.

Paul Dale, Mon 21 Jul 2025 9:13PM

The sooner it is completely removed the better IMO. Users have had nine years to ready themselves for this. That's generous.

If we absolutely must keep it around, I like the supplemental library idea.

Nicola Tuveri, Tue 22 Jul 2025 3:27PM

So far I got 2 answers in the academic community, with diverging opinions on whether this is a 3.6 or 4.0 change, but general support for removing SSLv3 support as soon as it is proper.

https://openssl-communities.org/d/VF7No4lz/removal-of-sslv3

Nicola Tuveri

BAC representatives: When to remove SSLv3 support?

Dot vote by Nicola Tuveri. Closed Tue 12 Aug 2025 9:00PM

What is this poll about?

I have been tasked to collect the advice from each Foundation BAC representative on the opinion of their community about scheduling this for v3.6 or v4.0.

Please collect feedback in your communities and report here the results as percentages, to represent the consensus within each of your communities.

Why is this important?

At the July BAC meeting we noticed there was no objection so far about removal, but that within each community there were different opinions on removing support for SSLv3 ASAP (i.e., v3.6, planned for October 2025) or if it should be scheduled for the next major release (i.e., v4.0, planned for April 2026).

Let's use this poll to summarize the feedback from each community.

What are you asking people to do?

In this poll you have a budget of 20 dots to allocate to the options your communities prefer. You can place all dots on one option or spread them out: each dot represents 5% of your collected feedback.

Results

Option           % of points   Points   Mean   Voters
Remove in v3.6   65            65       13     5
Remove in v4.0   35            35       7      5
Do not remove    0             0        0      5
Undecided        0             0        -      1

5 of 6 votes cast (83% participation)

Dmitry Belyavsky, Tue 29 Jul 2025 12:02PM

15 - Remove in v3.6
5 - Remove in v4.0
0 - Do not remove

Presuming no ABI break

Tomas Mraz, Tue 29 Jul 2025 12:26PM

@Dmitry Belyavsky So by presuming no ABI break I suppose it was meant in a strict sense that no public API function is removed but instead just returns error if it is SSLv3 specific?

James Bourne, Tue 29 Jul 2025 12:02PM

20 - Remove in v3.6
0 - Remove in v4.0
0 - Do not remove

All insecure protocols and corresponding obsolete code should be removed from the codebase ASAP. SSLv3 has been dead and buried since at least 2014. I would even question backwards compatibility. Break stuff now while you have a chance. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Randall Becker, Tue 29 Jul 2025 12:02PM

20 - Remove in v3.6
0 - Remove in v4.0
0 - Do not remove

I have not been including SSLv3 for at least 5 years in any builds.
