January 14, 2026
Speed kills… your laggy crypto
The State of OpenSSL for pyca/cryptography
Python’s crypto maintainers say OpenSSL is dragging; commenters want a Rust-powered escape
TLDR: Python’s cryptography maintainers say OpenSSL 3 slowed them down and plan to rely less on it, favoring faster Rust code. Comments cheer the move, roast OpenSSL’s confusing APIs and errors, and debate the risk of ecosystem breakage—because this affects how securely and quickly the web keeps your data safe.
OpenSSL—the engine under much of the internet’s lock icon—just got roasted by the people who’ve used it daily for 12 years. The maintainers of the popular Python cryptography library say OpenSSL 3 is slower and more confusing, and they’re cutting back their reliance after seeing big speed gains with their own Rust code. Cue the comments section turning into a tech reality show: formerly_proven calls reading OpenSSL’s innards “self‑flagellation,” while woodruffw spotlights the jaw‑dropping 60% faster certificate checks from Rust. Avamander cheers the breakup, dragging OpenSSL’s cryptic error messages, and Retr0id drops the mic with “new OpenSSL APIs suck,” then praises pyca/cryptography’s design.
So what’s the fuss? OpenSSL changed its APIs and got more complex, and performance dipped—like swapping sneakers for ankle weights. The maintainers say OpenSSL didn’t improve testing or safety enough to justify the slowdown, while their Rust-based parsers avoided pointless copies and locks for big wins. Fans are hyped for a Rust glow‑up, others nervously ask about compatibility, and everyone is dunking on the new API “spaghetti.” One commenter admits it’s wild OpenSSL stayed the default so long. Meanwhile, pyca/cryptography gets showered with love for its clear, well-documented Python interface and steady hands at the wheel. Internet drama, but make it secure.
Key Points
- pyca/cryptography maintainers report significant concerns with OpenSSL’s direction since OpenSSL 3, including performance regressions and API complexity.
- OpenSSL’s history is outlined in three phases: pre-Heartbleed under-maintenance, post-Heartbleed improvements, and OpenSSL 3 regressions.
- Elliptic curve public key loading slowed 5–8x from OpenSSL 1.1.1 to 3.0.7 (later improved to ~3x slower), with maintainers told such regressions were expected.
- pyca/cryptography rewrote X.509 and public key parsing in Rust, achieving ~10x faster parsing and ~60% faster end-to-end X.509 path validation.
- The project plans to reduce reliance on OpenSSL and criticizes OpenSSL 3’s OSSL_PARAM-based APIs for added complexity and poor ergonomics.