The OpenSSL 1.1.1 death date is only a month away. Companies that are still using an old version of the encryption protocol should switch as soon as possible.

The news that OpenSSL 1.1.1 is being retired is not new. OpenSSL announced this on March 28th. The association that oversees the development of the encryption protocol applies the rule of providing each version with security updates for five years. This period expires for version 1.1.1 on September 11, 2023.

For those who come out of the blue or forgot the deadline, the Dutch Digital Trust Center sends another warning that you as a Belgian organization can also take seriously. The government center that oversees digital security recommends companies to thoroughly investigate where OpenSSL is present in their software chain and whether it is still a supported version.

Present everywhere

Due to the ubiquity of OpenSSL, this is not an easy task. OpenSSL is one of the most widely used software libraries for encrypting network connections. The protocol can therefore be integrated into operating systems, but also into software for firewalls, NAS and VPN servers.

After the Spooky SSL vulnerability, which caused major problems at the end of 2022, a list of software programs that may contain OpenSSL can be found on GitHub. This list is far from complete. It is also difficult to determine the distribution of older versions of the library.

In the case of OpenSSL, using unsupported software can certainly lead to serious security problems. The software is directly connected to your internet network. An unsupported version may contain vulnerabilities that attackers like to use to maneuver through your network.

The latest version of OpenSSL is 3.1, which will be updated by March 2025. Version 3.0 even offers a guarantee until September 2026.