Hi all,

This email is to inform the community that support for OpenSSL 1.x is planned to be deprecated going forward. TF-A v2.15 will be the last release for which OpenSSL 1.x receives full support.

The primary reason for this change is that OpenSSL 1.1.1 reached end-of-life in September 2023, and OpenSSL 1.0.2 reached end-of-life significantly earlier. The OpenSSL project now recommends migration to OpenSSL 3.x for ongoing security updates, maintenance and feature development.

While OpenSSL offers commercial extended support for some legacy releases, the resulting patch sets are not generally available to the wider open-source community. As a result, TF-A maintainers and contributors cannot reasonably test, validate or debug against these versions. Supporting software versions that are not publicly available creates practical challenges for CI coverage, issue reproduction and long-term maintenance.

For these reasons, OpenSSL 3.x will become the supported OpenSSL version for TF-A.

To be clear, this change does not mean that TF-A will intentionally remove OpenSSL 1.x compatibility or deliberately break existing users. Existing compatibility code will remain in place where practical. However, after TF-A v2.15:

Users are therefore strongly encouraged to migrate their build environments to OpenSSL 3.x.

OpenSSL 3.x is the actively maintained upstream release series and provides ongoing security support, public availability of fixes, improved maintainability, and alignment with the direction of the OpenSSL project. Adopting OpenSSL 3.x also ensures that TF-A can be developed and tested against versions that are available to all maintainers and contributors.

Comments are welcome.

Regards,
Matthew