Field Dispatch / № 027
Dispatch from ICMC26 · Tim's Roadmap

The release, the room, the record.

Tim Hudson takes OpenSSL 4.0 to ICMC — the release that finally put SSL in the rearview, retired the ENGINE API after twenty-six years, and made the project's governance a matter of public record.

Tim Hudson at the podium in Studio E with the OpenSSL Co-Equal Governance slide on screen.
Studio E · 15:30 · ICMC26 Co-Equal Governance, mid-sentence
Speaker: Tim Hudson, President, OpenSSL Corp.
Release: OpenSSL 4.0, shipped 14 Apr 2026
Session: OpenSSL Roadmap, S13a · Studio E · 15:30
Cadence: 6 · 24 · 36 months (feature · LTS · major)
Years in: 27 years of work · 1995 →

Seven days before Tim Hudson walked into Studio E, the OpenSSL Library shipped the first release in its history without SSL. Four months into the year, in a room that already knew most of the numbers — Tuesday afternoon's presentation was not, strictly speaking, a product pitch. It was a release report, widened to include the FIPS validation status and the governance that holds both up. What Tim delivered, across thirty minutes and 46 slides, was three things at once: a version, a programme, and a record.

A version, without SSL.

The release landed on Tuesday, 14 April 2026. A week later, on the afternoon of the twenty-first, Tim walked through what was in it.

OpenSSL 4.0, the cut release: − SSL (TLS only) · − ENGINE · + ECH · + PQ
What remains, what was removed, what was added.

The headline: no SSL. Twenty-six years into carrying two protocols named in the library's own acronym, OpenSSL 4.0 is the first release to ship without them. SSLv2 and SSLv3 — both obsolete for longer than some of the current contributors have been writing C — are gone. It is the smallest conceivable change to how the library is used day to day, and the largest imaginable change to what it means.

The second headline: no ENGINE API. Shipped in 1999, superseded by Providers in 3.0, carried in deprecated form through every 3.x release — the ENGINE API retired on the fourteenth. Eighteen thousand five hundred and more lines removed in a single cut. Twenty-six years of extensibility mechanism, closed out cleanly. If you are running code that depends on it, you are running 3.x. If you are building anything new, you are not.

And then, in the same release: Encrypted Client Hello (RFC 9849) improves internet privacy by encrypting the initial TLS handshake. Hybrid post-quantum key exchange, SM2 paired with ML-KEM. The two-stage hash-then-sign signature variant, ML-DSA-MU. A year's worth of algorithm work, delivered in a library that now runs, by any reasonable estimate, most of the internet's quiet infrastructure.

Chart · OpenSSL 4.0: the work under the release · lines added, lines removed and commits per quarter, Q4 '24 to Apr '26 · annotations: ENGINE API removed (−18,500 LOC); 4.0 ships 14 Apr 2026
Source · OpenSSL Corporation release notes · quarterly commit aggregation, 3.0 → 4.0

Where FIPS lives.

ICMC is not a general cryptography conference. It is specifically, almost defiantly, a conference about cryptographic modules — about FIPS 140-3, Common Criteria, and the validation regimes that turn working crypto into certified crypto. The people in Studio E on Tuesday afternoon were not there to be told that post-quantum is coming. They knew. They were there for the status of validation certificates, and the queue at NIST.

Tim gave them the status.

The OpenSSL Library currently holds three active NIST certificates. OpenSSL Provider 3.1.2 — Certificate #4985 — is the project's first FIPS 140-3 validation, a milestone that took years of formal work and has already begun to propagate downstream. OpenSSL Provider 3.5 is at NIST, waiting for review. Behind those sit the numbers of the rebranding programme, which allows vendors to ship validated OpenSSL Library modules under their own names: twenty active submissions completed, sixteen of them targeting 140-3 directly.

The operating numbers, delivered in the even way Tim delivers numbers: 4.8 months average turnaround. Eleven days fastest. Anyone who has spent time watching a FIPS submission wait will recognise that these are not normal figures. They are the system operating at a cadence it is not known for. Getting your own rebranding certificate in 11 days is a stunning result — and one of the benefits for OpenSSL Corporation's customers.

Tim Hudson at the podium in Studio E, the OpenSSL Development Evolution chart projected behind him, the room full of laptops.
Studio E · 15:36 · the development-evolution chart, mid-explanation

Deliver the OpenSSL Mission following Our Values. Evolve. Grow. Meet the challenges of the next twenty-five years.

— Tim Hudson · closing slide

On the record.

The third thing Tim did on Tuesday, and the one with the longest shadow, was to put the OpenSSL Library's governance into public words.

The Co-Equal Governance Model — Foundation (non-commercial) and Corporation (commercial), operating as peers, not as parent and subsidiary — has been the structure since the governance change on 1 March 2024, when we changed from merged management to independent management of the Corporation and Foundation. What changed on Tuesday was that Tim read five decisions, jointly taken and jointly published, into the record. Each is a document at a permanent URL. Each can be cited. Each can be held to.


01 The Mission

What the OpenSSL Library exists to do, in the smallest number of words that will survive a procurement review.

To deliver a high-quality, openly developed, freely available cryptographic library — trusted by the world's critical infrastructure, and kept trustworthy in public.

Shipped jointly by the Foundation and the Corporation. Not a press release; not a slogan; a clause you can quote in a bylaw.

openssl-mission.org ↗

02 The Values

Six commitments, published together. Openness of development. Quality of implementation. Security as a standing obligation, not a marketing line. Community accountability. Stewardship of the trusted computing base. Evolution, on a cadence you can plan against.

Values are the vocabulary of the bylaws. The library's technical decisions get justified against these clauses, in the open, on-list.

openssl-mission.org/values ↗

03 The Third-Party Policy

How modules, providers, and add-ons that live outside the main library are evaluated, named, and referenced by the project. The policy clarifies what can be called “OpenSSL Library”, what can be “built on the OpenSSL Library”, and what needs to carry its own name.

This is the piece of the record most often invoked in FIPS paperwork.

openssl-projects.org ↗

04 The Library Bylaws

The operational rules of the library project itself — how maintainers are appointed, how release decisions are reached, how disputes are escalated, how the relationship between Foundation and Corporation is maintained as co-equal rather than parent-child.

The bylaws are the answer to the question: who decides, and how, and with whom.

openssl-library.org/about/bylaws ↗

05 The Release Requirements

The discipline of a release. What has to be true before a version number is cut. Security review, test coverage, documentation, FIPS submission readiness, and the cadence itself: feature every six months, LTS every two years, major every three.

The roadmap below is not a hope. It is what this document commits to.

openssl-library.org/about/release-requirements ↗

Published · public record · permanent URLs

Twenty-seven years in, one person who was there at the very beginning is the person leading the OpenSSL Corporation and working with the OpenSSL Foundation to deliver collectively on the OpenSSL Mission. This is not often how these things go. It is quietly, structurally, part of why Tuesday's talk carried the weight it did.

Tim Hudson at the podium with a slide titled OpenSSL Development Evolution showing a bar chart of development activity since 1998.
Fig. iii · the curve · OpenSSL Development Evolution, 1998 →

The cadence, written down.

The slide that closed the release section pointed forward. A feature release every six months. An LTS every two years. A major every three. Not a forecast — an obligation, tied to the Release Requirements now sitting at a permanent URL.


Anton Arapov, Simo Sorce of Red Hat, and Tim Hudson at the OpenSSL booth after the talk.
Booth 4 · post-talk · Anton Arapov, Simo Sorce (Red Hat · PKCS#11 Provider), and Tim.
Coming up · Wednesday

Handing the floor to Tomáš.

Q21a · Wed 22 Apr · 11:00 · Salon 1–3 · PQC in the OpenSSL Library

Tomáš Vávra — Engineering Manager. The algorithms Tim named on Tuesday, walked through by the engineering manager who led the team that built them.

All week · Exhibit hall · Booth 4 is open

With or without oysters. Questions welcome on 4.0, the FIPS queue, or anything published on the record.

Thursday morning · Dispatch № 028

The PQC talk, written up. The week, counted. Duct Tape, where necessary.

Magdalena Zdunkiewicz

Field Dispatch · OpenSSL Corporation

Dispatches are written based on direct on-site information, from the rooms where the work is happening. We count what we can count, quote what was said, and put links back to the primary record.