OpenSSL 3.5.0 Cryptographic Library Release

The OpenSSL 3.5.0 library has been released, implementing the SSL/TLS protocols and various encryption algorithms. OpenSSL 3.5 is classified as a long-term support (LTS) release, with updates being released for 5 years (until April 2030). Support for previous OpenSSL 3.3, 3.2, and 3.0 LTS branches will last until April 2026, November 2025, and September 2026, respectively. The project code is distributed under the Apache 2.0 license.

Main innovations:

  • Added support for quantum computer-resistant cryptographic algorithms:
    • ML-KEM (CRYSTALS-Kyber) is a key exchange algorithm that uses cryptographic methods based on solving lattice theory problems, the solution time of which does not differ on conventional and quantum computers.
    • ML-DSA (CRYSTALS-Dilithium) is a digital signature generation algorithm based on lattice theory.
    • SLH-DSA (Sphincs+) is a digital signature generation algorithm that uses cryptographic methods based on hash functions. SLH-DSA lags behind ML-DSA in signature size and speed, but is based on completely different mathematical principles, i.e. it will remain effective in the event of compromise of algorithms based on lattice theory.
  • Full support for the QUIC protocol (RFC 9000) has been implemented, which is now available not only for client but also for server applications. QUIC is an add-on to the UDP protocol, supporting multiplexing of several connections and providing encryption methods equivalent to TLS. The QUIC protocol is used in HTTP/3 and was created as an alternative to the TCP+TLS bundle, solving problems with the long time of establishing and negotiating connections in TCP, as well as eliminating delays in the loss of packets during data transmission.
  • Added the ability to use third-party stacks with the implementation of the QUIC protocol, including stacks that support the 0-RTT (0 Round Trip Time) mode, which allows you to immediately start transmitting data after sending a connection setup packet.
  • Added support for opaque symmetric key objects (EVP_SKEY), which hide the implementation details of the key.
  • Added "no-tls-deprecated-ec" option to disable support for TLS groups deprecated by RFC-8422.
  • Added the "enable-fips-jitter" parameter, which enables the FIPS provider to use a jitter-based entropy source implemented using the jitterentropy library. Jitter-based entropy is generated by measuring the differences in the time it takes to re-execute a given set of instructions on a CPU, which depends on many internal factors and is unpredictable without physical control over the CPU.
  • CMP (Certificate Management Protocol) now supports centralized key generation (the public and private keys for the client are generated on the server side). Server).
  • Added support for providing multiple keyshares for a single TLS connection.
  • Added an API for pipelining, allowing multiple blocks of data to be processed simultaneously when using some ciphers, such as AES-GCM, that support parallel computing.
  • In req, cms and smime applications, the default encryption algorithm has been changed from des-ede3-cbc to aes-256-cbc.
  • The default list of ciphers for TLS includes and prioritizes hybrid KEM (Key Encapsulation Mechanism) groups that are resistant to brute force on a quantum computer.
  • The X25519MLKEM768 and X25519 algorithms have been added to the set of keys (keyshares) used by default in TLS.
  • The BIO_meth_get_*() functions have been deprecated.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster