Developers of the OpenBSD project release of a portable edition of a package , within which a fork of OpenSSL is being developed, aimed at providing a higher level of security. The LibreSSL project is focused on high-quality support for the SSL/TLS protocols by removing unnecessary functionality, adding additional security features, and significantly cleaning and reworking the code base. LibreSSL 3.1.1 is marked as the first stable version of the 3.1 branch, which will be part of the OpenBSD 6.7 release expected in the coming days.
Features of LibreSSL 3.1.1:
- The implementation of TLS 1.3 based on a new finite state machine and a subsystem for working with records has been completed. By default, only the client part of TLS 1.3 is enabled for now; the server part is planned to be activated by default in a future release. An OpenSSL TLS 1.3 compatible API is not yet available.
- Cipher suite processing has been extended to automatically include algorithms required for TLSv1.3 if they are not explicitly mentioned during connection negotiation;
- Provided cipher name aliases from the TLSv1.3 suite, defined in RFC 8446;
- The RSA-PSS and RSA-OAEP methods have been moved from OpenSSL 1.1.1;
- From OpenSSL 1.1.1, the CMS (Cryptographic Message Syntax) implementation has been ported and enabled by default;
- The "cms" command has been added to the openssl utility, as well as the "req -addext" and "s_server -groups" options. Added support for TLSv1.3 extension types to the "-tlsextdebug" option;
; - Improved compatibility with OpenSSL 1.1.1;
- The behavior of EVP_chacha20() is closer to OpenSSL;
- The code has been cleaned, improvements have been made to the functions of working with memory and parsing protocols.
Source: opennet.ru
