Shielded: The Last Line of Cyber Defense
The Next Chapter in Securing the World's Internet
September 4, 2025
What does it take to keep the world’s most widely used cryptographic library secure in the quantum era? In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen welcomes Tomáš Mráz, Director of the OpenSSL Software Foundation, and Jon Ericson, Community Manager at the Foundation. Together, they explore OpenSSL’s evolution, from its 25-year legacy to its upcoming OpenSSL 3.6 release, hybrid cryptography, and the global effort to achieve FIPS certifications for post-quantum algorithms. Learn how community contributions, funding models, and industry partnerships are shaping OpenSSL’s role in securing the internet’s future.
OpenSSL has secured the internet for over 25 years, but how does a project with such deep legacy prepare for the quantum future? In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Tomáš Mráz, Director of the OpenSSL Foundation, and Jon Ericson, the Foundation’s Community Manager. Together they explore the shift from the old engine model to providers in OpenSSL 3.0, the rollout of NIST-approved post-quantum algorithms in 3.5, and what’s on the horizon with 3.6. They also dive into the realities of FIPS certification, the importance of diversified funding, and how community contributions sustain the world’s most widely used cryptographic library. From surprising “OpenSSL in the Wild” use cases to the first-ever OpenSSL Conference in Prague, this episode offers a rare inside look at how OpenSSL is evolving to keep global infrastructure secure in the quantum era.

Tomáš Mráz is the Director of the OpenSSL Software Foundation and a long-time contributor to the project. After years at Red Hat maintaining OpenSSL packages and serving on the OpenSSL Technical Committee, Tomáš now leads both governance and technical efforts for the Foundation. He has played a key role in transitioning OpenSSL to a provider-based model and integrating post-quantum cryptography support. 

Jon Ericson is the Community Manager at the OpenSSL Software Foundation. With a background in programming and community building, Jon works to strengthen the connection between OpenSSL’s global user base and its core developers. From GitHub sponsorships to community use case surveys, he ensures that OpenSSL remains responsive to the evolving needs of its contributors and stakeholders.

With the shift to post-quantum cryptography accelerating, Tomáš Mráz and Jon Ericson’s message is clear: OpenSSL’s future will be defined by community, funding, and cryptographic agility, ensuring the internet’s most trusted library stays secure in the quantum era.

Your Roadmap to Quantum Resilience

[02:30] Step 1: Build Through Community, Not Just Code

From the very beginning, OpenSSL’s strength has been its community. As Jon Ericson explains, many contributions still come from volunteers fixing bugs or adding features because they personally rely on the library. This model means OpenSSL doesn’t evolve in isolation; it reflects the real-world needs of users across industries. Without this constant input, critical flaws might linger and adoption of new features would stall. Community-driven resilience is what has kept OpenSSL relevant for more than 25 years, and it’s also the key to surviving the quantum shift.
Key Question: Is your organization contributing back to the open-source tools it depends on, or just consuming them?

[15:40] Step 2: Embrace the Provider Model for Agility

Tomáš Mráz highlights that OpenSSL 3.0’s provider architecture was a complete rewrite of the library’s internals. Unlike the old engine system, providers allow new algorithms, including post-quantum candidates, to be plugged in without altering the core code. This design foresight meant OpenSSL could quickly integrate PQC once NIST finalized its standards in 2024, instead of waiting years for structural changes. Agility in cryptography isn’t an abstract idea here; it’s a practical necessity, and the provider model gives OpenSSL the flexibility to adapt faster than ever.
Key Question: Is your cryptographic infrastructure designed for future upgrades, or locked into a rigid model?

[24:45] Step 3: Prepare for 3.6 With Discipline, Not Deadlines

While many in the industry chase feature lists, OpenSSL takes a different approach. As Tomáš explains, new releases are time-based (April and October), but features are only merged when they are truly ready. Current work spans QUIC improvements, zero-RTT support, timing side-channel protections, and potential PQC enhancements, but nothing will be rushed to hit an arbitrary date. This discipline has allowed OpenSSL to remain the backbone of secure communications globally, trusted by billions of devices and applications. For organizations planning their upgrades, the message is clear: align to OpenSSL’s stable releases; don’t gamble on unfinished code.
Key Question: Are your upgrade plans aligned with proven releases, or are you rushing ahead of the standards?

[27:50] Step 4: Navigate the FIPS 140-3 Challenge

Certification is one of the hardest parts of cryptography. OpenSSL 3.1 achieved FIPS 140-3 validation, a first in its history, and the 3.5 version is already in review to bring NIST’s post-quantum algorithms into scope. Tomáš admits the process is long, political, and outside of the Foundation’s control, with heavy negotiations between NIST, labs, and implementers. But without certification, many governments and enterprises simply cannot adopt PQC at scale. The lesson for security leaders: you can’t shortcut compliance, and you need realistic timelines to plan migrations.
Key Question: Is your compliance roadmap realistic about how long certifications actually take?

[30:30] Step 5: Stay Engaged With OpenSSL’s Future

OpenSSL is everywhere, often in places you’d never expect. Jon recounts a developer securing serial devices with TLS, and even Mercedes vehicles using OpenSSL in their apps to lock and unlock doors. These surprising “in the wild” stories show why upgrading matters: outdated versions leave unseen risks in everyday systems. Looking ahead, the Foundation is also launching its first-ever OpenSSL Conference in Prague, bringing together experts, contributors, and industry voices to shape the next phase. Between new funding streams, hiring developers, and expanding global engagement, OpenSSL’s next 25 years will be as pivotal as its first.
Key Question: Do you know where OpenSSL runs in your stack — and are you keeping pace with its evolution?
