LibreSSL 3.2.0 Cryptographic Library Release

The developers of the OpenBSD project have released a portable edition of LibreSSL 3.2.0, a fork of OpenSSL aimed at providing a higher level of security. The LibreSSL project focuses on high-quality support for the SSL/TLS protocols, removing unnecessary functionality, adding security features, and substantially cleaning up and reworking the code base. LibreSSL 3.2.0 is considered an experimental release that develops features to be included in OpenBSD 6.8.

Features of LibreSSL 3.2.0:

  • The server side of TLS 1.3 is now enabled by default, in addition to the previously offered client side. The TLS 1.3 implementation is built around a new state machine and record-handling subsystem. The OpenSSL-compatible TLS 1.3 API is not yet available, but TLS 1.3 related options have been added to the openssl command.
  • In the record-handling subsystem, checking of TLS 1.3 field sizes has been improved, and a warning is issued when the limits are exceeded.
  • The TLS server now processes only valid SNI hostnames that comply with RFC 5890 and RFC 6066.
  • The TLS 1.3 implementation adds support for the SSL_MODE_AUTO_RETRY mode, which automatically resends connection negotiation messages.
  • The TLS 1.3 server and client add support for sending certificate status requests via the OCSP stapling extension (the server serving the site transmits an OCSP response certified by a certification authority while negotiating the TLS connection).
  • SSL_MODE_AUTO_RETRY is now enabled by default for I/O, as in recent OpenSSL releases.
  • Added regression tests based on tlsfuzzer.
  • The "openssl x509" command now flags incorrect certificate expiration times.
  • In TLS 1.3 with RSA, only PSS digital signatures are allowed.
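
The SNI hostname rule above can be illustrated with a strict check in C. This is an added example, not LibreSSL's code and not part of the original article; the function name `sni_hostname_valid` and the exact rule set (LDH labels per RFC 5890, no trailing dot and no IP literals per RFC 6066) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not a LibreSSL function): returns 1 if the raw SNI
 * host_name bytes form an acceptable DNS hostname, 0 otherwise. */
int sni_hostname_valid(const unsigned char *name, size_t len)
{
    char buf[254];
    struct in_addr v4;
    size_t i, label_len = 0;

    /* The text form of a DNS name is at most 253 octets; empty is invalid. */
    if (name == NULL || len == 0 || len > 253)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = name[i];

        if (c == '.') {
            /* Empty label (leading dot, "..") or a label ending in '-'. */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* LDH rule: ASCII letters, digits and hyphen only. This also
         * rejects embedded NUL, ':' (IPv6 literals), '_' and raw UTF-8. */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;
        /* A label may not start with '-' or exceed 63 octets. */
        if ((label_len == 0 && c == '-') || ++label_len > 63)
            return 0;
    }
    /* Trailing dot (not allowed by RFC 6066) or last label ending in '-'. */
    if (label_len == 0 || name[len - 1] == '-')
        return 0;

    /* RFC 6066: literal IPv4 addresses are not permitted in HostName. */
    memcpy(buf, name, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET, buf, &v4) == 1)
        return 0;
    return 1;
}
```

The length is passed explicitly because the SNI field is a length-prefixed byte string, so an embedded NUL has to be rejected rather than treated as a terminator.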

Source: opennet.ru
