OpenSSL security audit

OpenSSL is to undergo a comprehensive security audit by NCC Group.

OpenSSL is one of the most widely deployed software libraries in the world, and is a critical part of the Internet's security infrastructure. It is an open source implementation of the Secure Sockets Layer (SSL 2/3) and Transport Layer Security (TLS), and is used in many web servers and web browsers.

Heartbleed - the catastrophic security flaw uncovered during 2014 - put OpenSSL in the news and helped prompt the current security audit. The OpenSSL team has been preparing for the audit by reformatting the code uniformly to make it more readable. Some of the code is 20 years old, dating back to OpenSSL's origins in the popular SSLeay library written by Eric Young and enhanced by Tim Hudson, both former work colleagues of this writer.

Eric and Tim joined RSA Security in 1998 and forked SSLeay as SSL-C, a commercial library which was released as part of the RSA BSAFE library. For SSLeay to continue as an open source library, it needed a maintainer, and Ben Laurie of Apache fame forked the code as OpenSSL, carrying on Eric and Tim's excellent work with a team he assembled.

OpenSSL was itself forked in 2014 as the LibreSSL project by the OpenBSD developers, apparently frustrated by Heartbleed and other vulnerabilities in OpenSSL. LibreSSL aims to refactor OpenSSL by pruning support for rarely used features and operating systems, and removing unused code.

CompleteFTP does not use the OpenSSL library (or LibreSSL), and when news of Heartbleed broke we were able to assure our users that they were not affected.