OpenSSL 1.0.0: What's New, Release History & EOL Status

What Is New in OpenSSL 1.0.0

Does OpenSSL 1.0.0 add support for TLS 1.2 and newer cipher suites?

Yes, OpenSSL 1.0.0 introduces full TLS 1.2 support with modern cipher suites.

In practice this means you can negotiate AES-GCM, SHA-256/384 PRFs, and the ChaCha20-Poly1305 AEAD cipher directly from the command line or via the API. The default configuration now prefers TLS 1.2 over older versions, which improves security posture for production services.

• New cipher identifiers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• Legacy SSLv2/SSLv3 are disabled by default; enable them only with explicit flags.

openssl s_client -connect example.com:443 -tls1_2

How does OpenSSL 1.0.0 improve elliptic curve cryptography support?

OpenSSL 1.0.0 adds native ECC key generation and ECDH/ECDSA operations.

This matters if your services rely on low-latency key exchange or need to meet FIPS-140-2 curve requirements. The library now ships with a curated set of NIST and Brainpool curves and provides a simplified API for generating and using them.

• Supported curves include prime256v1, secp384r1, secp521r1, brainpoolP256r1.
• New EVP_PKEY_EC methods replace the older EC_KEY functions for better abstraction.

openssl ecparam -name prime256v1 -genkey -noout -out ec_key.pem

What breaking changes should I be aware of when upgrading to OpenSSL 1.0.0?

Upgrading to 1.0.0 removes several legacy algorithms and alters default protocol settings.

Watch out for the following production impacts:

• MD2 and MD4 hash functions are no longer compiled in; applications that call EVP_md2() will fail to link.
• SSLv2 and SSLv3 are disabled by default; you must add -no_ssl2 or -no_ssl3 to re-enable, but this is discouraged.
• The SSL_CTX_set_options call now clears the SSL_OP_NO_TLSv1_2 flag unless explicitly set, which can change handshake behavior.
• Low-level RSA helpers such as RSA_generate_key are deprecated; switch to the EVP_PKEY API to avoid compilation errors.

Which APIs were deprecated in OpenSSL 1.0.0 and what are the recommended replacements?

A number of low-level crypto APIs were deprecated in favor of the EVP abstraction layer.

Most teams should migrate to the EVP_* family to gain algorithm agility and future-proof their code.

• Deprecated: RSA_sign, RSA_verify → Use EVP_DigestSign / EVP_DigestVerify.
• Deprecated: Direct MD5(), SHA1() calls → Use EVP_DigestInit_ex with the desired EVP_MD.
• Deprecated: SSLv2_client_method, SSLv3_server_method → Use TLS_method and set min/max version via SSL_CTX_set_min_proto_version.

EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey);