Last checked and updated on 15 May 2026
Understanding OpenSSL LTS and Support Lifecycle
OpenSSL is an open-source cryptographic library maintained by the OpenSSL Library project, with commercial support provided by the OpenSSL Corporation. Each release is classified as either LTS (Long Term Support) or non-LTS, and the support duration differs significantly between the two.
LTS releases are supported for at least five years from their initial release date. Non-LTS releases, starting from the 3.5 generation onwards, receive a minimum of 13 months of support. The project commits to designating a new LTS at least every two years, so there is always at least one actively supported LTS available.
| Attribute | Details |
|---|---|
| Release cycle | Two releases per year (April and October); one designated LTS every two years |
| LTS support duration | 5 years from initial release |
| Non-LTS support duration | Minimum 13 months (from 3.5 series onward) |
| Support phases (LTS) | Full support (years 1-4) then security-only patches (final year) |
| EOL model | Hard EOL for public/OSS support; extended support available commercially for LTS only |
| Premium support | Available for LTS releases, including those past public EOL, via the OpenSSL Corporation |
In practice, most infrastructure teams pin to an LTS release and plan upgrades around the 5-year window. Non-LTS releases are better suited for projects that can afford frequent updates and want access to the latest API additions.
References: OpenSSL Roadmap, OpenSSL Versioning Policy, OpenSSL Corporation Support Plans.
What Are the Real Risks of Running an Unsupported OpenSSL Version?
Running an unsupported OpenSSL version means your TLS stack and cryptographic primitives no longer receive public security patches -- a direct exposure for anything that handles encrypted traffic, certificates, or key material.
OpenSSL vulnerabilities are not theoretical. High and critical severity CVEs affecting things like certificate verification, memory handling in handshake processing, and buffer overflows have historically targeted specific branches. Once a version reaches public EOL, those CVEs are disclosed but no patch is issued for that branch.
There are also forward-compatibility concerns. Newer TLS standards (TLS 1.3, post-quantum hybrid key exchange) and cipher suites are added only to supported branches. An unsupported version may negotiate weaker parameters or fail to connect to peers that enforce stricter policies.
For teams shipping software that bundles OpenSSL -- embedded systems, IoT firmware, language runtimes -- the risk compounds because the update path is not as simple as running a package upgrade. Knowing your EOL dates, as shown in the release table above, is the first step to staying ahead of this.
What Happens When an OpenSSL Version Reaches End of Support?
When an OpenSSL version reaches its End of OSS Support date, the project stops publishing security fixes for that branch publicly. The source code remains available, but any new vulnerabilities discovered will not be patched in that release.
For LTS versions specifically, two things diverge after the public EOL date: the open-source community support ends, but commercial extended support remains purchasable through the OpenSSL Corporation. This extended support has no fixed end date -- it continues as long as it remains commercially viable. Non-LTS versions do not have this option; they simply go dark.
Migration path
The general upgrade direction is to move to the current active LTS, as shown in the release table above. OpenSSL does not guarantee API or ABI compatibility across major version numbers, so a recompile (and sometimes code changes) is required when crossing a major boundary. The official OpenSSL Migration Guide covers the concrete API changes between major versions.
In practice, most teams have more migration work when jumping across a major version (e.g., 1.x to 3.x) than within the same major. Starting the upgrade assessment 6-12 months before EOL gives enough runway to handle dependency chains, especially if third-party libraries in your stack also link against OpenSSL.
How To Check Your OpenSSL Version
The fastest way to check which OpenSSL version is active on a system is to run the following command in your terminal:
openssl version
This prints the version string, for example OpenSSL 3.5.0 8 Apr 2025. To get the full build details including platform and compile-time options:
openssl version -a
If your application links OpenSSL dynamically, the system-level version and the runtime version may differ. You can verify what a running process is actually using with:
ldd /path/to/your/binary | grep ssl
For applications that embed OpenSSL statically or bundle their own copy (common in Go binaries, some Python wheels, or compiled appliances), check the vendor's release notes -- the system openssl command will not reflect what is linked inside the binary.
From within an application, the runtime version string is accessible via the OpenSSL_version() function (C API) or the equivalent in your language binding. Compare the version you find against the release table above to determine the End of OSS Support and premium support status.
FAQ -- OpenSSL Support, LTS, and EOL
Q1: How long is each OpenSSL version supported?
LTS releases are supported for five years from their initial release date. During the final year, only security patches are backported -- no new features or non-security bug fixes. Non-LTS releases receive a minimum of 13 months of support starting from the 3.5 series onward. Always check the release table above for the exact End of OSS Support date for any specific branch.
Q2: Does OpenSSL have Long Term Support (LTS) releases, and how do I know which version is LTS?
Yes. OpenSSL designates specific releases as LTS, with a commitment to release at least one new LTS every two years. The release table above marks each branch as LTS or non-LTS. If you need a stable base for infrastructure or embedded products, always target an LTS branch. Non-LTS releases are suitable for projects that update frequently and want access to the newest APIs.
Q3: What is the difference between End of OSS Support and premium support for OpenSSL?
End of OSS Support is the date after which the OpenSSL project stops publishing public security patches for a branch. Premium support is a paid contract offered by the OpenSSL Corporation that extends security fix access beyond that public EOL date -- but only for LTS releases. Non-LTS branches have no premium support option. The premium support has no fixed end date and is offered as long as it remains commercially viable.
Q4: Can I get security patches for an OpenSSL version that has already reached EOL?
Only if the version was an LTS release. The OpenSSL Corporation offers paid extended support contracts for LTS branches past their public EOL, providing continued access to security fixes. If the EOL version was non-LTS, no extended support is available from the OpenSSL project -- you would need to upgrade. Third-party vendors (OS distributors, cloud providers) may independently backport patches for longer, so check with your platform vendor as well.
Q5: How do I know if my OpenSSL version is still receiving security fixes?
Run openssl version to get the branch, then compare it against the release table above. If the End of OSS Support date has passed and you do not have a premium support contract, that branch is no longer receiving public patches. For statically linked or bundled OpenSSL (common in Go programs, some Python packages, and appliance firmware), the system command may not reflect the version in use -- check your application's build metadata or vendor release notes.