2025-10-08, Krakow / Business Value & Enterprise Adoption
With its flexible architecture and enhanced performance, OpenSSL 3 has seen increasing adoption across the enterprise software landscape, where stringent requirements for security, modularity, performance, and stability are paramount. As one of the world’s largest enterprise software vendors, Oracle provides a broad portfolio encompassing operating systems, databases, and applications. These offerings support a wide spectrum from small to extremely large environments, operating under diverse loads, use cases, and legacy as well as modern configurations.
Adoption of OpenSSL within such a landscape introduces a range of unique requirements, including cryptographic strength tuning for legacy systems, PKCS#11 support for hardware security modules (HSMs), robust thread safety, extreme connection scalability without memory leaks, injection of application key material into the TLS stack, TLS context migration across processes, and strict minimum-load performance expectations. Support for Java and for Microsoft Cryptography Next Generation (CNG) is also needed.
This presentation outlines Oracle’s journey in adopting OpenSSL, and discusses the above challenges, accommodations, and workarounds. Additionally, we will offer recommendations on how OpenSSL 3 can be made easier to adopt for larger enterprise software organizations.
Oracle has integrated OpenSSL for cryptographic use in Oracle Database, Fusion Middleware, and Fusion Applications. Cryptographic operations underpin many features, such as authentication, network encryption, TLS between database client and server, and Transparent Data Encryption. Integrating OpenSSL while tailoring it to these different applications at the same time is both critical and challenging.
1. Supporting legacy applications is an important topic in enterprise software, because many business customers are reluctant to upgrade their existing systems. At the same time, NIST FIPS compliance is required for government use cases. Providing flexible configuration is critical to satisfying both sets of customer requirements.
2. Supporting hardware security modules that store the private keys and certificates for TLS connections from database client to server is important to government agencies, whose employees carry security tokens such as PIV (Personal Identity Verification) and CAC (Common Access Card) cards. Native PKCS#11 support in OpenSSL is therefore a hard requirement. Leveraging OpenSSL 3.0's flexible provider infrastructure, we developed a PKCS#11 provider for Oracle's use case that can be extended for general use.
3. Oracle runs on many different platforms, such as AIX, Windows, HP, and macOS. Access to the native credential stores on each OS platform is required so that Oracle customers can continue using their existing hardware and credentials without a complex migration. We developed a new external key storage (EKS) OpenSSL provider that supports the CNG APIs used to access the Microsoft Certificate Store. It is also planned to be extended to support the macOS Keychain as an external key store.
4. Thread safety is paramount in large-scale enterprise applications with large numbers of concurrent sessions, and memory management (allocation, access, and deallocation) is always a problem area when multiple layers of libraries are involved. We will discuss some of the threading and memory issues we encountered and resolved.
5. Quantum computers pose significant risks to traditional asymmetric cryptographic algorithms. Because TLS 1.2 is still widely used by enterprise software, a mitigation for "harvest now, decrypt later" attacks is critical now for legacy enterprise applications as well. We designed a new solution that injects application-level, pre-configured shared secret material into the TLS session keys used for symmetric encryption, so that those keys no longer depend solely on the asymmetric key exchange, and thereby achieves quantum resistance.
6. Performance is critical for enterprise software, and we will go through our experience with OpenSSL performance evaluations at Oracle.
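The following is an example added here to illustrate the idea behind item 5; it is not code from the talk or from Oracle, and the abstract does not describe Oracle's actual injection mechanism. It implements the TLS 1.2 PRF from RFC 5246 and mixes an out-of-band secret into the premaster secret using the standardised layout of the PSK key-exchange families (RFC 4279 / RFC 5489), which is one established way to make every record key depend on both the (EC)DHE result and a secret that never crosses the wire. The client/server randoms, the ECDHE shared secret and the PSK are constructed values, and the key block is simplified to two encryption keys.

```python
"""
Model of a "harvest now, decrypt later" mitigation for TLS 1.2.
Added example, not Oracle's code. Premaster layout from RFC 4279 section 2:

    premaster = len(other_secret) || other_secret || len(psk) || psk

so the master secret depends on an out-of-band PSK as well as on the
(EC)DHE shared secret that a future quantum computer might recover.
"""
import hmac
from hashlib import sha256

# Constructed inputs (not real traffic). ECDHE_SHARED stands in for the value
# an attacker with a recorded handshake could recover later.
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))
ECDHE_SHARED = sha256(b"constructed ECDHE shared secret Z").digest()
PSK = b"out-of-band provisioned application secret"


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246, section 5)."""
    out = b""
    a = hmac.new(secret, seed, sha256).digest()             # A(1) = HMAC(secret, seed)
    while len(out) < length:
        out += hmac.new(secret, a + seed, sha256).digest()  # HMAC(secret, A(i) || seed)
        a = hmac.new(secret, a, sha256).digest()            # A(i+1) = HMAC(secret, A(i))
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def psk_premaster(other_secret: bytes, psk: bytes) -> bytes:
    """RFC 4279 premaster layout with 2-byte big-endian length prefixes."""
    if not psk:
        raise ValueError("an empty PSK adds no protection")
    if len(other_secret) > 0xFFFF or len(psk) > 0xFFFF:
        raise ValueError("length does not fit the 16-bit prefix")
    return (len(other_secret).to_bytes(2, "big") + other_secret
            + len(psk).to_bytes(2, "big") + psk)


def derive_record_keys(premaster: bytes, client_random: bytes,
                       server_random: bytes, key_len: int = 32):
    """Master secret and a simplified (client_write_key, server_write_key) pair.

    Real TLS cuts MAC keys and IVs from the same key block; only the two
    encryption keys are taken here.
    """
    master = tls12_prf(premaster, b"master secret",
                       client_random + server_random, 48)
    key_block = tls12_prf(master, b"key expansion",
                          server_random + client_random, 2 * key_len)
    return key_block[:key_len], key_block[key_len:2 * key_len]


def harvest_now_decrypt_later(ecdhe_shared: bytes = ECDHE_SHARED, psk: bytes = PSK,
                              client_random: bytes = CLIENT_RANDOM,
                              server_random: bytes = SERVER_RANDOM) -> dict:
    """Compare a plain ECDHE session with one whose premaster also mixes in a PSK.

    Attacker model: the handshake (randoms) was recorded and the ECDHE shared
    secret is later recovered; the PSK was never on the wire, so the attacker
    can only guess it (here: an all-zero guess of the right length).
    """
    legacy_keys = derive_record_keys(ecdhe_shared, client_random, server_random)
    hybrid_keys = derive_record_keys(psk_premaster(ecdhe_shared, psk),
                                     client_random, server_random)
    attacker_legacy = derive_record_keys(ecdhe_shared, client_random, server_random)
    attacker_hybrid = derive_record_keys(
        psk_premaster(ecdhe_shared, b"\x00" * len(psk)), client_random, server_random)
    return {
        "legacy_keys_recovered": hmac.compare_digest(attacker_legacy[0], legacy_keys[0]),
        "hybrid_keys_recovered": hmac.compare_digest(attacker_hybrid[0], hybrid_keys[0]),
        "hybrid_keys_differ_from_legacy": hybrid_keys != legacy_keys,
    }


if __name__ == "__main__":
    for name, value in harvest_now_decrypt_later().items():
        print(f"{name}: {value}")
```

The security of the hybrid session then rests on the provisioning and storage of the PSK, which is why the abstract's emphasis on HSM and native key-store access matters for the same deployments.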
In summary, we will walk through the various aspects of integrating OpenSSL into Oracle Database and provide recommendations on how OpenSSL can be made easier for larger enterprise software organizations to adopt.
Dr. Yi Ouyang is the Director of Software Development at Oracle, where he leads the Oracle Crypto Foundation team. In this role, he oversees the design and implementation of critical security technologies, including network security, data encryption, and authentication systems that help safeguard Oracle’s infrastructure and products.
Dr. Ouyang earned his Ph.D. in Computer Science from Dartmouth College in New Hampshire, USA, in 2008. His doctoral research concentrated on encryption key management, data protection, and privacy in sensor networks, and his work has been featured in several prestigious international conferences.
Since joining Oracle, Dr. Ouyang has been instrumental in the development of numerous security products and features, contributing to Oracle’s reputation as a global leader in enterprise security solutions.