20 years ago, on the 23rd December 1998, the first version of OpenSSL was
released. OpenSSL was not the original name planned for the project but it was
changed over just a few hours before the site went live. Let’s take a look at
some of the early history of OpenSSL as some of the background has not been
documented before.
Back in the late 1990s, Eric Young and Tim Hudson were well known for their
work on the open source SSLeay library. SSLeay was widely used with Apache and
(then) third party SSL modules to create open source secure web servers. In
1998 they both worked for C2Net, enhancing SSLeay and the products using
it. C2Net was known for its flagship product, the Stronghold web server, a
packaged and compiled product built on open source software with both support
and, crucially, the ability to be used world-wide with strong encryption. It
seems trivial now, but back then cryptography products exported from the US, such
as web servers and browsers, were hobbled to use limited weak cryptography.
Eric and Tim had decided to leave C2Net to join RSA, a creator of a commercial
SSL toolkit, so the future of SSLeay was unclear. This led to the genesis of
the OpenSSL project through a discussion I had with Ralf Engelschall, a fellow
core Apache developer, on 14th October 1998 in San Francisco at the first ever ApacheCon. We picked up
the discussion a few months later, set up a mailing list on December 16th, and
invited Stephen Henson, an SSLeay expert, to participate in what we then called
OpenTLS. Ben Laurie, a core Apache developer and author of Apache-SSL, also
independently announced his intention to start a new
version of SSLeay a couple of days later.
Ralf took the source code from the public SSLeay versions 0.8.1 and 0.9.0b and
the unreleased 0.9.1b version from C2Net and imported them into the OpenTLS CVS
repository. We did some cleanup work on the files, added some patches from
ourselves, and added some well known patches from the community to form the
0.9.1c version.
At the very last minute,
just before going public, we changed from using the OpenTLS name to OpenSSL:
the upcoming TLS protocol RFC had not yet been published and the acronym was
relatively unknown at that time whereas the SSL acronym was widely recognised
and so using SSL in the name would help users understand the transition from
using SSLeay to OpenSSL. We had fortunately reserved both domain names.
On the 23rd December 1998 we opened up the
www.openssl.org site and released the OpenSSL-0.9.1c
version and source code repository.
Throughout that busy week we were communicating with Ben and Stephen to align
and merge our projects, and so shortly after the Christmas holiday we made the
full project release
announcement. The initial
project team therefore comprised Ben Laurie, Paul Sutton, Ralf
Engelschall, Stephen Henson and myself, Mark Cox. All but Stephen Henson were
core developers of the Apache HTTP Server.
For the first 15 years, OpenSSL membership was mostly a small collection of
individuals working on a part time basis and the membership fluctuated and
changed through those years. Approximately 5 years ago we expanded the group
and introduced formal policies. As of today we have a structure where a team of committers are able to
review and commit changes to the code, and a management committee oversee the
project. OpenSSL is funded mostly through the generous donations of
sponsors. We also have paid
support contracts and occasionally take on contracts to develop certain new
functionality. We use this funding primarily to pay fellows to work full time
on the project. The fellows maintain the infrastructure, fix bugs and security
issues, review patches, and much more (you can see what they are up to from
their monthly reports sent to the openssl-project mailing list). Many companies also donate staff time to work
on OpenSSL.
The 20th year looks to be an exciting one, with a major change to the version number scheme, the
switch to the Apache License 2.0, and a new FIPS validation project just for
starters. And although all the versions of SSL are now deprecated, it’s not
likely we’ll rebrand back to OpenTLS any time soon.
Picture showing OpenSSL Management Committee during a face to face meeting in
front of Edinburgh Castle, November 2018. Left to right: Paul Dale, Kurt
Roeckx, Richard Levitte, Matt Caswell, Mark Cox, Tim Hudson. Viktor Dukhovni
(not pictured) joined us virtually.
https://www.openssl.org/blog/blog/2018/12/20/20years/