Yeah, welcome, welcome everyone. So this is an OpenSSL journey. We are Mr. Marsh and me, representing the OpenSSL Foundation and the OpenSSL services company, which I will talk about in a few minutes. We will start with governance, a bit of community, and we'll finish with the technical updates.

Well, let's go with OpenSSL. OpenSSL is a cryptographic toolkit which I think all of you know, or are normally using, directly or indirectly. So we will be happy to answer any questions you may have, and we will be specifically happy to find the people around who are using the OpenSSL toolkit as developers. So this is basically what it will be about. Let's go.

Yeah, what is OpenSSL? It is a robust, commercial-grade, full-featured toolkit which is available to everyone. It is open source. There are a lot of companies around the world using it for doing big business, small business, etc. It's a 25-year-old library, so there is quite an experience behind it, and a lot of companies rely on us in their work with governments. We also provide shortcuts to get governmental certification for the cryptography, for any cryptographic needs a company may have.

Yeah, so this is what I already mentioned. This is what we represent: the OpenSSL Software Foundation is a non-profit entity which represents the project in legal capacities and basically takes care of trademarks, copyrights, and managing the donations which come to our project. OpenSSL Software Services is everything commercial. It's a for-profit organization. This is basically the organization which pays us to do the work. It's also the entity which is used to sign contracts with the customers for paid support, and it is also the vendor of record for NIST for the FIPS certification.

Speaking of governance, we are basically a small organization, and I wonder what people think, how big we are, but we are just eight people. It's six engineers, right? Yeah, six engineers plus me, as I'm doing the management work, and we have a lady who is taking care of the business operations.

So speaking of governance, some of these people who are paid resources of OpenSSL represent the OpenSSL Management Committee (OMC), which is a small group of people who make the management decisions. It's exactly management and protection: strategic decisions, everything about business, financial and governance decisions, and basically maintaining the project resources.

The OTC, which is much more interesting, is the OpenSSL Technical Committee. It is also represented by paid resources of OpenSSL, but they are also working hard to get on board more people representing communities, representing customers, representing the world, let's say. We have quite a straightforward process to get into the OTC, and we're looking for people who are working with OpenSSL so that they can potentially join the technical committee. It is very important for us to extend our community outreach and have a good representation of the OpenSSL developers and users outside of our small group of engineers who are working on the OpenSSL project itself. The technical committee is the technical voice of the project: it maintains the engineering processes, makes the technical decisions, decides on the roadmap, etc.

The working group is a new entity which was created recently, where we tried to put OMC and OTC resources together, but it is limited to the people who are working for OpenSSL directly. I think we have invited an OTC member who never joined, but we may think of extending it. Yeah, the working group is assembled every week, where we have all the problems and basically tackle the difficult problems. We have discussions about what is the best way to do community outreach, where we should go, where we should talk, how we should do some presentation, etc.

And this is where we come to another interesting point. This is where we decided to come up with a mission statement and values for the project. I won't be reading it; take your time to read it. So the idea was to actually understand who we are and what we are doing, so that we have good guidance on our decisions. It turned out to be a very important milestone for us, to actually know how we want to develop in the future, what we want to accept into the project, who we want to accept into the project, how we want to work with the community, and how we want to rework the policies we have to make them more open. Every decision, every discussion we have nowadays, we're trying to see through the prism of these values. We shared this statement and values with the wider community, we got very good feedback, and so this week we adopted it. So from now on we live by the statement and values, and I hope it will serve us well.

So this is what I partly mentioned. Yeah, we are trying as a project to do much better than we did in the past by reaching out to the community, by showing our roadmap, by talking about the priorities of the project. We want to hear back from pretty much everyone. We are working hard right now to make our roadmap public, which will happen this year. You're very welcome to follow OpenSSL on LinkedIn or our blog on openssl.org. We're going to have more and more updates there as soon as we reach certain milestones about our openness.

Part of the things we are changing is the way we do releases. The picture is not exactly final; it's under discussion. What is important from this picture: we're going to do releases frequently, switching to a time-based release schedule. We would like to release every April and October, which is good; that's something new after 25 years here. Yeah, and so the idea is that the time will prevail over the feature set. We're obviously going to have discussions about what we would like to have in the releases, but not everything may make it into a release. We will see how it will go. We are going to start working on the release definition phase. This is where we will be defining what we would like to have in an upcoming release. We're going to have discussions, I think somewhere in the middle of the phase, maybe towards the end of the phase, and we will certainly share our plans on the website and every social media resource we can touch. So, yeah, we're really looking forward to anyone who is working in any capacity with OpenSSL giving us feedback.

So now this is the more technical part of the talk. Let's start with what was in OpenSSL 3.1, which was released in the middle of March. It was a very small release, because we were already working for a long time on the QUIC support, but then we decided we needed one more release in between, basically to support FIPS 140-3. So that was added there, and it was also decided that we should have something more, and we decided that, yeah, the performance problems with the 3.0 release could be improved, but some of the changes were quite invasive.
So we decided not to have it as a kind of bug fix for 3.0, but to do it in the form of the 3.1 release. Basically all the pluggability and flexibility that was added in the 3.0 release, like the added support for the library context, which you can use to select or almost completely isolate different users of OpenSSL within a single process, comes at some cost, especially with multithreading: you have to have some quite big, or quite pervasive, locking there and so on. And it was also designed from the start with some maybe not that good decisions on this flexibility. So there was one big change, which was done by Hugo, who is over there in the audience, which basically made the library context fight much less over locks and so on. That was one of the big invasive changes in 3.1.

On the performance improvement side, there is still a lot to improve, but we are getting better, and hopefully in future versions it will be even better. In some cases it's already in the master branch: there are some changes that make some jobs done with OpenSSL even faster than 1.1.1, but these are exceptions.

So 3.1 is released; the FIPS 140-3 module is in validation. Of course, because it's FIPS 140-3, a new standard with many new things in there, it's very likely that it will take like one year since the submission before we get 3.1 officially validated by NIST. So it's more like sometime next year when you will get 3.1 validated.

Now about the 3.2 release. As some of you probably know, the main focus of 3.2 was adding QUIC support, and that's quite a huge thing, of course. But now we are in the late stages of its development. Basically the implementation is almost feature complete in terms of the QUIC client; the server was not targeted for 3.2. What we think is the biggest advantage, or good thing, for our users is that the API you can use for QUIC will very naturally extend the existing API. As I already said, there are further performance optimizations in 3.2, and there are a lot of other small features, some of them not that small even. There are things like certificate compression and Argon2 support. Basically, the internal code of OpenSSL can now use multiple threads: it can spawn threads, and the application can limit the number of threads OpenSSL will spawn by itself. That was, for example, required not only for Argon2 but also for some of the features of the QUIC implementation. It's not mandatory, but some users of QUIC in OpenSSL can take advantage of it.

About the QUIC API: basically, this QUIC API is nothing completely new. It's building on the SSL API that's already there. Basically, it should be very simple to write a blocking QUIC client and access QUIC streams from multiple threads simultaneously; the access to the internals is properly locked and so on, so you will be able to, for example, read from one stream from one thread and write to another stream from another thread, and that should all work nicely. You will use the familiar calls like SSL_new, SSL_connect to connect the QUIC connection, write to streams and read from streams by SSL_write and SSL_read, SSL_shutdown to close the connection, and so on. But of course there are some new APIs which are needed for having multiple stream support in QUIC: you create a new stream that's initiated by the local side by using SSL_new_stream, you accept streams from the peer by SSL_accept_stream, and SSL_stream_conclude is to indicate the end of a stream. That's basically it.

Before we open for questions, it's also an important thing that we as a company would like to grow. We have a lot ahead of us. If you are working with OpenSSL and you have questions, you're welcome. If you would like to explore the options we can offer in the company, we'll be happy to talk to everyone. And most importantly, I have this bag full of t-shirts to motivate you to ask questions. I think we should be able to provide a t-shirt to everyone who asks a question. If we don't have enough time here for Q&A, find us outside and we are available for any question.

I'm sorry about that, I did not explain that. So QUIC is a new protocol which basically replaces TCP plus TLS. In some cases it's faster, but especially it provides those multiple streams which don't block each other.
So you can avoid the so-called head-of-line blocking. Basically, the typical usage is the web, where you have multiple streams of data which are flowing to you from the server, like pictures, scripts, whatever, and you basically get all those independent streams of data; you can transfer them independently. If some packets are lost which contain some of those streams, and not all of them, then you can basically continue downloading the others, and only after the packet is retransmitted you get some of the blocked data, but it's not like everything is blocked. If you ever touched HTTP/3, you could possibly have touched QUIC as well. Basically QUIC is the connection layer behind HTTP/3, but QUIC is general; it's not directly linked to HTTP.

Yeah, so how is testing done in OpenSSL and OpenSSL releases? We have CI, which is mostly on GitHub, the GitHub CI, and we also have some internal CI, which is a Buildbot-based CI. It's basically nothing special, but we are building on a lot of operating systems in the Buildbot, and a lot of other things, because there are so many options for how you can build and configure OpenSSL. There are hundreds of jobs that are running on GitHub.

Yeah, so basically he's asking about FIPS mode in OpenSSL, what's the difference between the 3.0, 3.1 and 1.0 FIPS modules and so on. So the difference between the 3.0 and 3.1 FIPS modules: I would not call it FIPS mode, because FIPS mode is something that's more of a Fedora/Red Hat-centric thing. The 1.0 module actually had the FIPS mode, where you switch the library into FIPS mode, and that basically meant that you are calling the implementation from the FIPS module. But in 3.0 we added the so-called providers, which are basically those algorithm implementations which are isolated from the rest of the library, and one of them is the FIPS-validated implementation, which is a loadable module. It's a shared library, a shared module, which you can load, and if you set up the library to call algorithms only from this module, then you are basically in a FIPS-validated kind of mode. And the difference between 3.0 and 3.1 is the targeted FIPS version: the 3.0 version is targeting the FIPS 140-2 version of the standard, and 3.1 targets FIPS 140-3. That's a very long topic; we can talk about it later.

Yeah, it's a good question: what's the legal status of those old extended support releases? We are doing so-called extended support releases, which contain new fixes for security issues or other critical issues that our premium customers report to us, but those are still open source. It's very similar to what, for example, Red Hat does, because Red Hat has paid support for open source software. But the difference is of course that we don't release the code of these new patches to the public. We give it only to customers, and we ask them to not share it with others, with the public. They are not bound by the license to not share it, and they are not bound by the contract, but we are asking them not to do it, and we can of course terminate the contract if they do it, so they won't get the future ones if they share the patches.

Yeah, about the new security process of OpenSSL. I think it's actually not that new. What was I thinking of for the new security process... Thank you. Choose one, okay. I could repeat the question: what are we doing as security practices for each release, for development practice? What is the security? We use static analyzers, we use Coverity, we use fuzzing, we are tested regularly under the OSS-Fuzz CI. We have a coding guide for how you properly do coding for the OpenSSL source code, and we have CIs which use ASan, TSan and the memory sanitizer in the CI jobs. I cannot tell which of those practices is most important for us, but teams and companies are trying to reach out and say, let's do more coverage, let's do this fuzzing with another tool, and it's kind of a problem for us to look into everything and understand if it's useful or if it's not useful. But in general the perception is that we are doing just all right at this point. Yeah, of course. I first said that we have a pretty strict code review process when we are accepting patches; that's also very important.

How much time do we have? That's mostly about the future plans. Yeah, the question was when the server-side QUIC support will land in OpenSSL. It's not finalized. We probably would like to have it in 3.3; not sure if it's realistic or not, but hopefully, and if not, 3.4.

It's definitely the intention for the future to do most, actually everything we can do, in public, make it public. The problem at this moment is that we are migrating from one tool to another tool to actually manage the roadmap. It's a question how much we would like to share, and being an OTC member, I feel like there is nothing to keep secret, with a few exceptions of the embargoed security fixes we do. But to answer your question, right now we are doing almost nothing to be really open, and we're doing a lot right now to change it. If you feel we're failing, reach out to me and tell me that we're failing. I can add something more: the OTC meeting minutes are public. They are in a repo on GitHub; maybe nobody knows where to get them, but they are there. Of course, the meeting minutes are just the most important things from the meeting; it's not everything that everybody says.

Yes, basically the question was if it's possible to integrate the QUIC API into event loops. Yeah, basically the API... Hugo would maybe be better to answer it, and you can talk with him, but yeah, it's possible. I mean, that's a very open question; we can have a discussion outside. Last question.

Okay. Yeah, the question was a more generic question: how does the testing in such a complex project like OpenSSL, or a project which integrates OpenSSL, get done so that nothing escapes? I don't know; we can talk about it really a lot. Another question. Nice to meet you, by the way. The problem is that it's impossible for us to do application testing, basically, because there are so many applications. So we depend on... and basically every open source software which is widely used has this problem. We depend on users to actually try it, test it before the final release, and report bugs. If they don't do that, I don't think we have a chance. And OpenSSL has an extremely huge API, like the legacy APIs; the surface is so big that it's impossible to really envision what the problems can be in the new releases. It was mostly the 3.0 release that was most problematic in this regard. 3.2, yeah, we have some bugs in QUIC; we will fix it. It's a new thing, but 3.0, which was mostly the refactoring, that was... Thank you everyone for coming.