Release of OpenSSL 3.4, LibreSSL 4.0, Botan 3.6 and Rustls 0.23.15 cryptographic libraries

Several new versions of cryptographic libraries have been published:

OpenSSL 3.4.0, a library implementing the SSL/TLS protocols and various encryption algorithms, has been released. OpenSSL 3.4 will be supported until October 2025. Support for the previous OpenSSL 3.3, 3.2, 3.1 and 3.0 LTS branches will last until April 2026, November 2025, March 2025 and September 2026 respectively. The project code is distributed under the Apache 2.0 license. Main changes:

  • Added support for the TLSv1.3 integrity-only cipher suites (RFC 9150), TLS_SHA256_SHA256 and TLS_SHA384_SHA384, which provide data integrity but no encryption.
  • An optional feature has been added for the pseudo-random number generator to use an additional jitter-based entropy source, implemented with the jitterentropy library. Entropy is derived from measuring the variation in the time it takes to execute a fixed set of instructions on the CPU repeatedly; this variation depends on many internal factors and is unpredictable without physical control over the CPU.
  • Initial support has been added for Attribute Certificates (AC, RFC 5755), which carry information about the access rights, authority and attributes of the certificate holder, certifying the ability to perform certain actions. For example, an AC can grant the right to connect to a service.
  • Added support for X.509v3 extensions related to authority certificates.
  • The FIPS provider implements the FIPS 140-3 Indicator API, which lets an application determine whether a particular operation was performed as an approved service or not.
  • The BIO (Basic Input/Output) API has improved handling of Base64 input.
  • Added support for building the openssl command-line utility as a PIE (Position Independent Executable), so that it benefits from address space layout randomization (ASLR).
  • Added support for directly fetchable combined (composite) digital signature algorithms such as RSA-SHA2-256.
  • PKCS#12 gains support for PBMAC1 (Password-Based Message Authentication Code 1, RFC 9579).
  • The openssl utility has gained the '-not_before' and '-not_after' options to explicitly specify the start and end of a certificate's validity period.
  • Pre-computed values can now be used when initializing cryptographic algorithms based on the P-256 elliptic curve.
  • The TS_VERIFY_CTX_set_* functions have been deprecated and replaced by the TS_VERIFY_CTX_set0_* functions, which have improved semantics.
  • The functions SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() have been deprecated and should be replaced by SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() and SSL_CTX_flush_sessions_ex(), which are free of the Year 2038 problem.
  • Server-side support for the QUIC protocol, which had been expected in OpenSSL 3.4, has been postponed until the next release.
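The jitter-based entropy source described above (which Botan 3.6 also adopts through the same jitterentropy library) can be illustrated with a simplified model; this is an added example, not code from OpenSSL, Botan or the jitterentropy project. It times a fixed instruction sequence, discards samples that fail a stuck test modelled on the one jitterentropy uses, estimates the min-entropy of the low bits, and conditions the raw deltas through SHA-256; the loop body, the 8-samples-per-byte ratio and the 4-bit window are assumptions chosen for illustration.

```python
import hashlib
import math
import time
from collections import Counter

def sample_delta(loop_iters: int = 64) -> int:
    """Time one run of a fixed instruction sequence in ns; the noise is the run-to-run variation."""
    t0 = time.perf_counter_ns()
    acc = 0
    for i in range(loop_iters):          # assumed workload: a small integer mixing loop
        acc = (acc * 1103515245 + i) & 0xFFFFFFFF
    return time.perf_counter_ns() - t0

def is_stuck(prev2: int, prev1: int, cur: int) -> bool:
    """Health check modelled on jitterentropy's stuck test: reject a sample when the delta,
    its first derivative or its second derivative is zero, i.e. the timing did not vary."""
    first = cur - prev1
    second = first - (prev1 - prev2)
    return cur == 0 or first == 0 or second == 0

def collect_raw(n: int) -> list:
    """Gather n deltas that pass the stuck test; give up (no output) if the source looks dead."""
    hist = [sample_delta(), sample_delta()]
    out = []
    for _ in range(100 * n):             # bounded attempts: a dead timer must not hang us
        d = sample_delta()
        if not is_stuck(hist[-2], hist[-1], d):
            out.append(d)
            if len(out) == n:
                return out
        hist.append(d)
    raise RuntimeError("jitter source failed health test")

def min_entropy_per_sample(samples: list, lsb_bits: int = 4) -> float:
    """Conservative estimate: -log2 of the most frequent value of the low lsb_bits bits,
    the part of each delta that actually carries the jitter (window size is an assumption)."""
    mask = (1 << lsb_bits) - 1
    p_max = max(Counter(s & mask for s in samples).values()) / len(samples)
    return -math.log2(p_max)

def condition(raw: list, n_bytes: int, samples_per_byte: int = 8) -> bytes:
    """Compress raw deltas through SHA-256; refuse to emit output from too few samples."""
    need = n_bytes * samples_per_byte
    if len(raw) < need:
        raise ValueError("not enough raw samples for the requested output")
    block = 32 * samples_per_byte        # raw samples consumed per 32-byte digest
    out = bytearray()
    for i in range(0, need, block):
        data = b"".join(d.to_bytes(8, "little") for d in raw[i:i + block])
        out += hashlib.sha256(data).digest()
    return bytes(out[:n_bytes])

def jitter_random_bytes(n_bytes: int) -> bytes:
    """End-to-end: sample, health-check, condition."""
    return condition(collect_raw(8 * n_bytes), n_bytes)
```

Running `min_entropy_per_sample(collect_raw(4096))` on a given machine gives a rough feel for how much jitter the timer exposes, which is what decides how many raw samples a real source must consume per output byte.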

LibreSSL 4.0.0 has been released. The project develops a fork of OpenSSL aimed at a higher level of security and high-quality support for the SSL/TLS protocols by removing unnecessary functionality, adding extra security mechanisms, and substantially cleaning up and reworking the code base. The jump in the major version number is due to the use of decimal numbering (after 3.9 comes version 4.0). The most notable changes:

  • Added initial support for building using Emscripten, a C/C++ to WebAssembly compiler.
  • The "openssl cms" command has gained a CRLfile option for specifying additional certificate revocation lists (CRLs) to be used during verification.
  • Support for the mips32 platform has been discontinued.
  • Access to functions written in assembly language through the public API has been discontinued (such functions are now reachable only through C wrapper functions). Assembly implementations of obsolete ciphers for legacy architectures have been removed.
  • Removed the code for caching certificate validity, which became pointless after performance optimizations.
  • Improved implementation of X.509v3 extensions, unified X.509v3 methods, and cleaned up X.509v3-related APIs.
  • The implementation of the CRYPTO_EX_DATA type has been completely rewritten.
  • In libcrypto, the atoi() and strtol() functions have been replaced by strtonum().
  • Added header file crypto_arch.h, which contains code specific to hardware architectures.
  • The implementation of the DES algorithm has been redesigned and optimized.
  • Header files pem2.h, ssl2.h, ssl23.h and ui_compat.h have been removed.
  • Removed support for Whirlpool hashing algorithm.
  • Removed functions HMAC_Init(), OPENSSL_load_builtin_modules(), X509_REQ_{get,set}_extension_nids(), X509_check_trust().
  • The types PEM_USER, PEM_CTX, COMP_CTX, COMP_METHOD, X509_CRL_METHOD, STORE, STORE_METHOD and SSL_AEAD_CTX have been removed.
  • SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() functions have been added to libssl.

Botan 3.6.0, a cryptographic library used in the NeoPG project (a fork of GnuPG 2), is now available. The library provides a large collection of ready-made primitives for the TLS protocol, X.509 certificates, AEAD ciphers, TPM modules, PKCS#11, password hashing, and post-quantum cryptography (hash-based signatures and McEliece-based key agreement). The library is written in C++ and is licensed under the BSD license. Changes in the new version:

  • A new implementation of elliptic-curve cryptography has been integrated, in which operations on the commonly used curves are performed 2-3 times faster. A new API for low-level work with elliptic curves has also been proposed.
  • Added support for recently NIST-standardized post-quantum encryption algorithms: FIPS 203 ML-KEM (Kyber), FIPS 204 ML-DSA (Dilithium), and FIPS 205 SLH-DSA (SPHINCS+).
  • Added support for TPM2 chips.
  • Expanded use of constant-time computing to protect against side-channel attacks.
  • Added generation of additional entropy using the jitterentropy library.
  • Improved performance of processing data in hexadecimal format and base64 encoding.
  • Added support for AVX2-VAES and GFNI-AVX2 processor extensions.
  • Added detection of armv7, aarch64 and ppc64 CPU capabilities on the OpenBSD platform.
  • Added build option to disable all assembler inline inserts.

Rustls 0.23.15 has been released. The project develops client and server implementations of the TLS 1.2 and TLS 1.3 protocols for Rust projects. Rustls does not provide its own implementation of cryptographic primitives but uses pluggable cryptographic providers (the supported algorithms are ECDSA, Ed25519, RSA, ChaCha20-Poly1305, AES128-GCM and AES256-GCM). By default, Rustls uses a provider based on the aws-lc-rs library, which is developed by Amazon and built on the AWS-LC C++ code forked from the BoringSSL project (a Google-maintained fork of OpenSSL). The ring library, which is partially based on BoringSSL and combines assembly code, C++ and Rust, can also be used as a cryptographic provider.

The new version is notable for significant performance optimizations. When using the aws-lc-rs crypto primitives, Rustls is now said to outperform OpenSSL and BoringSSL in benchmarks measuring throughput and the speed of connection negotiation (handshake) and resumption.

Source: opennet.ru
