The OpenSSL strategy seems to be to try to leapfrog LibreSSL in terms of version numbers (which already has released a 2.x branch, hence their 3.x versioning), and revise their API, but still have considerable complexity.

The LibreSSL approach was to write a new library and API, libtls, which does away with the substantial configuration complexity in applications: https://man.openbsd.org/tls_init.3

I'd argue that LibreSSL's is the better approach.
<i>The Core will implement a property based look-up feature for finding algorithms, e.g. it might allow you to find an algorithm where "fips=true", or "keysize=128, constant_time=true".</i>

Why? What designer builds a system this way, without knowing precisely what algorithm they're using?
Yikes. Backwards compatibility is tough.

Strange that with the bump to 3.0 they didn't at least announce the removal of legacy primitives and TLS versions. Are they going to support DES and RC4 forever?
Neat. I look forward to better FIPS handling and the deprecation story.

And to vulnerabilities from the loadable module support. Getting the property based binding right looks tough!