Deprecated API Removal timeline?

43 views
Skip to first unread message

Gary Schmidt

unread,
Aug 5, 2025, 10:36:30 PMAug 5
to openssl-users
Hi,

I would like to know if there is a timeline for the removal of deprecated APIs from the OpenSSL library?  (My google-fu has failed to locate one.)

Background: I've been using the 3.0 library via the 1.1.1 APIs, and as 3.0 is going EOS RSN I am planning to move to 3.5, and as part of that I would like to future-proof things a bit by updating things.  But to get management buy-in I need to be able say, "After date X, (or release Y),  it won't work."

To repeat, when will deprecated APIs go away?

        Cheers,
                Gary    B-)

Jon Ericson

unread,
Aug 5, 2025, 10:52:13 PMAug 5
to Gary Schmidt, openssl-users
On Tue, Aug 5, 2025 at 19:36 'Gary Schmidt' via openssl-users <openss...@openssl.org> wrote:

I would like to know if there is a timeline for the removal of deprecated APIs from the OpenSSL library?  (My google-fu has failed to locate one.)

There isn’t a firm decision yet. The earliest release for a breaking change is 4.0 in April 2026. See: 

While it could be later, there’s been a desire to clean up the code for a while and I wouldn’t bet on a delay. 

Note that 3.5 is an LTS so it will be supported for 5 years. Obviously upgrading to the newer API is recommended sooner than that. 

Thanks,
Jon


Martin Bonner

unread,
Aug 6, 2025, 2:43:23 AMAug 6
to jon.e...@openssl.org, openssl-users

Note that 3.5 is an LTS so it will be supported for 5 years.

Obviously upgrading to the newer API is recommended sooner than that. 

 

Why?  My employer plans to upgrade to 3.5 soon, and then is very unlikely to upgrade to 4.x for three or four years, at which point we will go to the latest current LTS.  What benefit is there in using the newer API before then.  (“It can do new shiny things” doesn’t really count.  I don’t need to do those new shiny things.)

 

Martin Bonner

 

 

From: Jon Ericson <jo...@openssl.org>
Sent: 06 August 2025 03:52
To: Gary Schmidt <grsc...@acm.org>
Cc: openssl-users <openss...@openssl.org>
Subject: [EXTERNAL] Re: Deprecated API Removal timeline?

 

Note that 3.5 is an LTS so it will be supported for 5 years. Obviously upgrading to the newer API is recommended sooner than that. 

 

Thanks,

Jon

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

Matt Caswell

unread,
Aug 6, 2025, 5:04:19 AMAug 6
to Martin Bonner, jon.e...@openssl.org, openssl-users
On Wed, 6 Aug 2025 at 07:43, 'Martin Bonner' via openssl-users <openss...@openssl.org> wrote:

Note that 3.5 is an LTS so it will be supported for 5 years.

Obviously upgrading to the newer API is recommended sooner than that. 

 

Why?  My employer plans to upgrade to 3.5 soon, and then is very unlikely to upgrade to 4.x for three or four years, at which point we will go to the latest current LTS.  What benefit is there in using the newer API before then.  (“It can do new shiny things” doesn’t really count.  I don’t need to do those new shiny things.)


To clarify what I think we are talking about here: I think we are referring to applications written to use APIs available since 1.1.1 (or before) that have since been deprecated in 3.x and subsequently *may* be removed in 4.0 (which is being released in April 2026). As Jon said no decisions have yet been made about whether and what will be removed in 4.0 but the Business Advisory Committees (whose members are elected from the community) are currently seeking feedback on this at the moment. Head over to openssl-communities.org and voice your opinion to your representative if you have a view on this.

That said, it seems very likely that at least some (possibly all) of the deprecated APIs will be removed in 4.0.

We do generally recommend that you avoid using the deprecated APIs now. But this is a recommendation only. What is right for your particular circumstance is something that only you can know. The deprecated APIs will at least remain supported in some OpenSSL release until April 2030 (when support for 3.5 will end).

Some possible reasons to consider removing use of deprecated APIs earlier than that:
- To avoid investing in code that will ultimately have to be changed - especially if you are writing new code using the old APIs.
- Because it may take some time to plan, perform and rollout updates to your application - give yourself plenty of time do it  - especially if you plan to move to the next LTS to be released in April 2027 instead of sticking with 3.5 to the very end
- To give you greater agility as you move forward. Maybe none of the features you gain from the new APIs are interesting to you now - but business needs change. By making the necessary changes now you give yourself the ability to respond quickly. Given that you will have to make the changes eventually anyway - why not do it earlier.
- To gain advantages of new features such as post-quantum algorithms. These algorithms are not available via the "low-level" APIs that are now deprecated. You can only use the newer APIs to gain direct access to them (although libssl will still use them where appropriate)
- If there is any need in your business for FIPS compliance then you really must use the newer APIs
- To take advantage of third party providers

There's probably more reasons I could think of. But ultimately it is up to you and there could also be reasons to wait.

Matt
 

 

Martin Bonner

 

 

From: Jon Ericson <jo...@openssl.org>
Sent: 06 August 2025 03:52
To: Gary Schmidt <grsc...@acm.org>
Cc: openssl-users <openss...@openssl.org>
Subject: [EXTERNAL] Re: Deprecated API Removal timeline?

 

Note that 3.5 is an LTS so it will be supported for 5 years. Obviously upgrading to the newer API is recommended sooner than that. 

 

Thanks,

Jon

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/PH3PPF7A88A980AE506A0EF875DD8D1B1AAF32DA%40PH3PPF7A88A980A.namprd11.prod.outlook.com.

Dmitry Misharov

unread,
Aug 6, 2025, 7:40:29 AMAug 6
to openssl-users, Martin Bonner, openssl-users, Jon Ericson
Just a reminder that if you still need a support of the EOL OpenSSL versions you can leverage one of these support plans https://openssl-corporation.org/support/

rsbe...@nexbridge.com

unread,
Aug 6, 2025, 8:59:13 AMAug 6
to Martin Bonner, jon.e...@openssl.org, openssl-users

I think the hope here is that the deprecated API elements in 3.5 are not being used when you move to 3.5 (and complete your migration). Once that is done, AFAIK, there is no actual effort needed to move to the 4.0 API after removal. Unless you keep using deprecated APIs. The decision is not finalised, but expect rapid movement on it.

 

Randall Becker

 

From: 'Martin Bonner' via openssl-users <openss...@openssl.org>
Sent: August 6, 2025 2:43 AM
To: jon.e...@openssl.org
Cc: openssl-users <openss...@openssl.org>
Subject: RE: [EXTERNAL] Re: Deprecated API Removal timeline?

 

Note that 3.5 is an LTS so it will be supported for 5 years.

Obviously upgrading to the newer API is recommended sooner than that. 

 

Why?  My employer plans to upgrade to 3.5 soon, and then is very unlikely to upgrade to 4.x for three or four years, at which point we will go to the latest current LTS.  What benefit is there in using the newer API before then.  (“It can do new shiny things” doesn’t really count.  I don’t need to do those new shiny things.)

 

Martin Bonner

 

 

From: Jon Ericson <jo...@openssl.org>
Sent: 06 August 2025 03:52
To: Gary Schmidt <grsc...@acm.org>
Cc: openssl-users <openss...@openssl.org>
Subject: [EXTERNAL] Re: Deprecated API Removal timeline?

 

Note that 3.5 is an LTS so it will be supported for 5 years. Obviously upgrading to the newer API is recommended sooner than that. 

 

Thanks,

Jon

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

--

Reply all
Reply to author
Forward
0 new messages