OpenSSL 3.0 vs. SSL 3.0

Michael Richardson mcr at
Wed Feb 27 18:53:46 UTC 2019

Christian Heimes <christian at> wrote:
    > I'm concerned about the version number of the upcoming major release of
    > OpenSSL. "OpenSSL 3.0" just sounds and looks way too close to "SSL 3.0".
    > It took us more than a decade to teach people that SSL 3.0 is bad and
    > should be avoided in favor of TLS. In my humble opinion, it's
    > problematic and confusing to use "OpenSSL 3.0" for the next major
    > version of OpenSSL and first release of OpenSSL with SSL 3.0 support.

You make a good point which I had not thought about, having exhumed SSLx.y
From my brain.  +5

    > You skipped version 2.0 for technical reasons, because (IIRC) 2.0 was
    > used / reserved for FIPS mode. May I suggest that you also skip 3.0 for
    > UX reasons and call the upcoming version "OpenSSL 4.0". That way you can
    > avoid any confusion with SSL 3.0.

Integers are cheap.
And 4.0 is > 3.0, so (Open)SSL 4.0.0 must be better than SSL3.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <>

More information about the openssl-users mailing list