OpenSSL Communities

Removal of SSLv3

Matt Caswell Mon 21 Jul 2025 3:00PM

Hi all,

This PR proposes to remove support for SSLv3 entirely. It has been disabled by default since 2016 (1.1.0) - but this PR would remove the code entirely.

https://github.com/openssl/openssl/pull/28044

What is the BAC's opinion on this?

Thanks

Matt

Paul Dale Tue 29 Jul 2025 12:02PM

10 - Remove in v3.6
10 - Remove in v4.0
0 - Do not remove

Committer poll has closed. Proportional representation follows here.

Nicola Tuveri Tue 29 Jul 2025 12:02PM

20 - Remove in v4.0
0 - Remove in v3.6
0 - Do not remove

https://openssl-communities.org/p/fwQTAuZ2/removal-of-sslv3-v3-6-or-v4-0-

Compared to the early comments discussing the opportunity of completely removing the SSLv3 code, which indicated some opinions in favor of removal as soon as possible, the final poll shows unanimous preference in the Academic community for removal at the next major release (v4.0, planned for Apr 2026).

The final poll recorded 5 votes, all in favor of v4.0 as the target.

Dmitry Belyavsky Tue 29 Jul 2025 12:33PM

Yes, no public functions are removed

Matt Caswell Wed 30 Jul 2025 7:39AM

No public functions are removed in the proposed PR (https://github.com/openssl/openssl/pull/28044). But functions like `SSLv3_method()`, `SSLv3_server_method` and `SSLv3_client_method` are modified to always return `NULL`. There are also some options removed from the command line apps (which I suppose could in theory break some scripts).

Matt Caswell Wed 30 Jul 2025 7:44AM

Hmmm... Although I just noticed that the 28044 PR as it currently stands removes the `enable-ssl3` Configure option. So it is no longer possible to build a version of OpenSSL where the public functions `SSLv3_method()`, `SSLv3_server_method` and `SSLv3_client_method` exist, i.e. if you were previously using this option, then you would no longer be able to do so. So that is a technical ABI break - you could not just drop in the 3.6 binaries as a replacement for 3.5.
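For downstream maintainers wondering whether the two impacts described in the posts above affect them, here is an added audit sketch (not part of the thread or of the OpenSSL project). It flags references to the three `SSLv3_*method` functions and to the `enable-ssl3` Configure option; the file names, rule labels and the NULL-check heuristic are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Identifiers come from the thread; rule labels and impact text are this example's own.
RULES = [
    ("api-returns-null",
     re.compile(r"\bSSLv3_(?:server_|client_)?method\b"),
     "modified to always return NULL in the proposed PR"),
    ("configure-option-removed",
     re.compile(r"(?<![\w-])enable-ssl3(?![\w-])"),
     "Configure option removed in the proposed PR"),
]
IMPACT = {rule: text for rule, _pat, text in RULES}

class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    null_checked: bool  # heuristic: caller tests for NULL within 3 lines

def scan(path, text):
    """Return one Finding per rule hit in a file's text."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        for rule, pat, _impact in RULES:
            if not pat.search(line):
                continue
            window = " ".join(lines[i:i + 4])
            checked = rule == "api-returns-null" and bool(
                re.search(r"[=!]=\s*NULL|if\s*\(\s*!", window))
            out.append(Finding(path, i + 1, rule, checked))
    return out

def audit(files):
    """Scan a {path: text} mapping and return findings in path order."""
    return [f for path in sorted(files) for f in scan(path, files[path])]

# Constructed sample inputs, not taken from any real project.
SAMPLES = {
    "legacy_client.c": "SSL_CTX *ctx = SSL_CTX_new(SSLv3_client_method());\n"
                       "SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);\n",
    "guarded_server.c": "const SSL_METHOD *m = SSLv3_server_method();\n"
                        "if (m == NULL)\n    return -1;\n",
    "build.sh": "./Configure enable-ssl3 --prefix=/opt/openssl\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLES):
        note = "" if f.rule != "api-returns-null" else (
            " (NULL check nearby)" if f.null_checked else " (no NULL check seen)")
        print(f"{f.path}:{f.line}: {f.rule}: {IMPACT[f.rule]}{note}")
```

A hit without a nearby NULL check is the case to review first, since the caller would pass the `NULL` method straight into context creation.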

Nicola Tuveri Tue 12 Aug 2025 7:16AM

@Tim Chevalier could you please update the poll with your results ASAP? The Foundation asked for the BAC's feedback by today.

Nicola Tuveri Tue 12 Aug 2025 7:46AM

Here is an easy-to-parse summary of the consultation outcomes: https://gist.github.com/romen/4e5437f380e369f93b3d7f06e6364819

Nicola Tuveri Tue 12 Aug 2025 7:56AM

I plan to amend the gist as I get Tim's answer. If you have any edit requests, please ping me either here or directly on the gist.

Tim Chevalier Tue 12 Aug 2025 2:07PM

Sorry, I missed this thread (I've been out) and I have not polled the community. Based on the July BAC discussion, the conservative approach would be to fully remove in the 4.0 release.