Post-quantum cryptography isn’t on the horizon anymore; it’s here. Standards are set, migrations are underway, and some of the most widely used libraries in the world are already adapting. Few projects matter more in this transition than OpenSSL, the cryptographic toolkit embedded in billions of systems worldwide. In a recent episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen sat down with Tomáš Mráz, Director of the OpenSSL Foundation, and Jon Ericson, the Foundation’s Community Manager, to explore how OpenSSL is navigating the quantum shift while keeping the internet secure for everyone.
For Tomáš, the journey into cryptography has been a long one. From building PKCS#11 modules early in his career, to years maintaining OpenSSL for Red Hat and Fedora, to now leading the Foundation while still contributing code, his perspective blends technical depth with organizational responsibility. “I wanted to keep my software development skills,” he explained, “while also helping lead the Foundation into its next phase.” That dual role matters as OpenSSL balances its legacy as the internet’s most trusted cryptographic library with the pressures of quantum readiness, funding, and global adoption.
Jon, meanwhile, joined OpenSSL only six months ago as Community Manager, but quickly realized just how unique the project’s culture is. “From the very beginning, contributions came from people who weren’t getting paid,” he noted. “That’s still true today.” OpenSSL is one of the rare projects where unpaid volunteers, company-backed developers, and a small core team come together to secure the backbone of the internet. For Jon, the excitement around post-quantum cryptography is proof that the community is paying attention. “I wrote one post about the ML-KEM algorithm,” he shared, “and it immediately became my most popular ever.” People aren’t just curious; they see what’s coming.
That sense of momentum has shaped how OpenSSL develops. With version 3.0, the project introduced the provider model, a complete rewrite of its internals that replaced the old “engine” system. Providers allow new algorithms, including post-quantum candidates, to be added without changing the core library – a design that gave OpenSSL the agility to quickly implement NIST’s newly standardized algorithms in version 3.5. “It was a very hectic time,” Tomáš recalled. “We had to change priorities and follow the standards as soon as they were published.” Agility isn’t just a buzzword here; it’s baked into how OpenSSL now works.
But agility doesn’t mean rushing. Tomáš explained that OpenSSL’s release cycle is time-based, in April and October, but features only ship when they’re ready. “We are currently working on multiple things,” he said, citing QUIC improvements, zero-RTT support, side-channel protections in libcrypto, and more PQC features. “But we only merge features when they’re stable.” That discipline is what allows global businesses, governments, and critical systems to trust OpenSSL updates without fear of instability.
Of course, shipping features is only half the battle. Certification remains one of the most complex hurdles in cybersecurity. OpenSSL 3.1 achieved FIPS 140-3 validation for the first time, but Tomáš acknowledged just how hard the process was. “We submitted the validation quite early,” he explained, “but when you do something completely new, it takes time.” The Foundation has already secured contracts for 3.5 validation, which will bring NIST’s PQC algorithms into scope, but the process involves negotiations with NIST, labs, and regulators. Compliance isn’t optional, and certification timelines are outside the project’s control. That reality forces organizations to plan carefully around adoption.
Meanwhile, Jon continues to emphasize how OpenSSL shows up in places you’d never expect. In a recent survey called “OpenSSL in the Wild,” the team collected use cases from the community. One developer secured serial devices that had historically sent plain-text passwords by layering OpenSSL TLS on top. “It’s used unbelievably everywhere,” Jon said. “Things you can’t imagine, from serial devices to Mercedes vans.” For Jon, stories like that are a reminder that OpenSSL isn’t just abstract code; it’s embedded in daily life. If it fails, the ripple effects would be massive.
The conversation also touched on the future. Tomáš admitted that the current three NIST algorithms won’t be the final answer. “I hope they won’t need changes because they’d be broken,” he said. “But I expect even better, more efficient algorithms for specific use cases.” That’s why he stresses agility and performance optimization, including potential assembly implementations for CPUs, to make sure PQC works at scale. For Jon, the real challenge isn’t just implementing the new algorithms, it’s pulling users forward. “There are lots of people on very old versions of OpenSSL,” he warned. Without migration, they won’t get the benefits of PQC or the protections of new security models.
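Jon’s warning about old versions, and the earlier point that 3.5 is the release that brought NIST’s algorithms into OpenSSL, suggest a check any operator can run. The POSIX shell script below is an added example, not code from the episode or from the OpenSSL project: it parses the banner from `openssl version` and the output of `openssl list -kem-algorithms` to report whether the local build is at least 3.5.0 (the assumed threshold, taken from the episode’s account of the 3.5 release) and actually exposes an ML-KEM variant. The two KEM listings embedded in it are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example: is the local OpenSSL new enough to offer ML-KEM?
# Assumption: 3.5.0 is the first release shipping the NIST PQC algorithms.
PQC_MIN_VERSION=3.5.0

# Constructed sample outputs (not captured from a real host) so the helpers
# can be exercised without an openssl binary on PATH.
SAMPLE_OLD_KEMS='Provided KEMs:
  RSA @ default
  X25519 @ default'
SAMPLE_NEW_KEMS='Provided KEMs:
  RSA @ default
  X25519 @ default
  ML-KEM-512 @ default
  ML-KEM-768 @ default
  ML-KEM-1024 @ default'

# Pull "major.minor.patch" out of a banner such as "OpenSSL 3.5.0 8 Apr 2025".
# Prints nothing for a banner it does not recognise (e.g. a non-OpenSSL build).
openssl_version_triplet() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 is greater than or equal to $2.
# Fields are compared numerically, so 3.10.0 ranks above 3.5.0.
# An empty or unparsable $1 sorts first and therefore counts as too old.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Succeed when an `openssl list -kem-algorithms` listing names any ML-KEM variant.
kem_list_has_mlkem() {
    printf '%s\n' "$1" | grep -q 'ML-KEM'
}

# Live check of this host. Exit status: 0 = ML-KEM available, 1 = too old or
# not exposed (a provider may not be loaded), 2 = no openssl binary at all.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl binary on PATH"; return 2; }
    ver=$(openssl_version_triplet "$(openssl version)")
    if ! version_ge "$ver" "$PQC_MIN_VERSION"; then
        echo "OpenSSL ${ver:-unknown} predates $PQC_MIN_VERSION: no ML-KEM, plan a migration"
        return 1
    fi
    if kem_list_has_mlkem "$(openssl list -kem-algorithms 2>/dev/null)"; then
        echo "OpenSSL $ver exposes ML-KEM"
        return 0
    fi
    echo "OpenSSL $ver is recent enough but lists no ML-KEM; check which providers are loaded"
    return 1
}

# Run the live check; '|| :' keeps a non-zero result from aborting callers under set -e.
check_local_openssl || :
```

The version comparison deliberately treats an unrecognised banner as “too old”: a build that does not identify itself as OpenSSL 3.5 or later should be migrated or investigated, not assumed safe. A 3.5 build that lists no ML-KEM usually means the default provider is not loaded in that configuration, which is the provider-model point from earlier in the conversation.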
Looking ahead, the OpenSSL Foundation is growing. The team is hiring new developers (crucial, since most of today’s developers are also directors) and planning its first-ever OpenSSL Conference in Prague this October. With program committees reviewing proposals and names like Dan Bernstein on the agenda, the conference marks a milestone in OpenSSL’s evolution from codebase to community hub. “If you’re interested in OpenSSL, this is the place to be,” Tomáš said with excitement.
The final takeaway? OpenSSL’s future won’t be defined by hype, but by community, funding, and cryptographic agility. Whether it’s securing a car door, protecting enterprise communications, or enabling quantum-safe encryption, the project’s impact is everywhere. As Tomáš put it, “We would not want to sacrifice security for performance. That would not be a good thing.” In a quantum-threat world, that balance of security first and agility always will define the next era of trust.
You can hear the full conversation on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.
About Tomáš Mráz
Tomáš Mráz is the Director of the OpenSSL Foundation and one of the longest-serving contributors to the OpenSSL project. With a career spanning decades in cryptographic development, he first worked on PKCS#11 modules before becoming a Red Hat engineer, where he maintained OpenSSL for both Red Hat Enterprise Linux and Fedora. Over the years, he became a key member of the OpenSSL Technical Committee before stepping into leadership at the Foundation. Known for balancing deep technical expertise with organizational stewardship, Tomáš continues to write code while guiding the Foundation’s strategic direction. His leadership has been instrumental in the shift from the legacy “engine” system to the modern provider model, the adoption of NIST’s post-quantum algorithms, and the pursuit of FIPS 140-3 certification. With quantum threats accelerating, his message is clear: OpenSSL must remain agile, standards-driven, and uncompromising on security.
About Jon Ericson
Jon Ericson is the Community Manager of the OpenSSL Foundation, where he champions the contributions, stories, and engagement of one of the most important open-source projects in cybersecurity. With a background in programming and technical writing, Jon brings a unique perspective that bridges the developer community and the OpenSSL core team. In just months on the job, he has highlighted the global reach of OpenSSL through initiatives like “OpenSSL in the Wild,” uncovering surprising use cases from serial devices to connected cars. His work underscores the importance of community-driven development in sustaining trust at internet scale. Passionate about bringing more people into the cryptographic conversation, Jon sees OpenSSL’s strength not just in its code, but in the diversity of contributors who continue to shape it. His perspective is simple but urgent: for OpenSSL to thrive in the post-quantum era, the community must stay engaged, funded, and forward-looking. With the shift to post-quantum cryptography accelerating, the message from both guests is clear: OpenSSL’s strength will come from its community, its discipline, and its ability to stay agile in the face of change.