Release of OpenSSL 3.2.0 with client support for the QUIC protocol

After eight months of development, the release of the OpenSSL 3.2.0 library was formed with the implementation of the SSL/TLS protocols and various encryption algorithms. OpenSSL 3.2 will be supported until November 23, 2025. Support for previous branches of OpenSSL 3.1 and 3.0 LTS will continue until March 2025 and September 2026, respectively. Support for branch 1.1.1 was discontinued in September of this year. The project code is distributed under the Apache 2.0 license.

Main innovations of OpenSSL 3.2.0:

  • Added client support for the QUIC protocol (RFC 9000), used as a transport in the HTTP/3 protocol. The implementation includes, among other things, the ability to transmit multiple streams over a single communication channel. Components for using QUIC on сСрвСрах will be included in the OpenSSL 3.3 release, which is scheduled to be published no later than April 30, 2024.

    QUIC is an extension of the UDP protocol that supports multiplexing of multiple connections and provides encryption methods equivalent to TLS/SSL. The protocol was created in 2013 by Google as an alternative to the TCP+TLS combination for the Web, solving problems with long connection setup and negotiation times in TCP and eliminating delays when packets are lost during data transfer.

  • TLS implements support for an extension for certificate compression at the connection negotiation stage (RFC 8879), which allows for faster connection setup since the transfer of certificate data accounts for the lion's share of traffic during the connection negotiation stage. Compression using the zlib, zstd and Brotli libraries is supported.
  • Added support for a deterministic version of digital signatures ECDSA (Deterministic ECDSA, RFC 6979) in which, instead of a random sequence when generating a signature, the HMAC-SHA256 hash from the private key and the text of the signed message is used, which allows you to always receive the same signature in different signing operations, but does not allow leakage of data that can be used to guess the private key (the private key can be guessed if at least two signatures for different data are generated using a repeating random sequence).
  • Added support for extended Ed25519 and Ed448 public key digital signatures: Ed25519ctx, Ed25519ph and Ed448ph (RFC 8032).
  • Added support for the AES-GCM-SIV (RFC 8452) encryption mode, which combines the high performance of the GCM (Galois/Counter Mode) mode with resistance to leaks when reusing random nonce code.
  • The Argon2 key generation function (RFC 9106) has been implemented, which won the competition for password hashing functions in 2015. Added the ability to use a thread pool.
  • Added support for hybrid encryption based on the HPKE (Hybrid Public Key Encryption, RFC 9180) mechanism, which combines the simplicity of key transfer in public key encryption with the high performance of symmetric encryption (data is encrypted with a fast symmetric key, and the key itself is encrypted with a slow asymmetric one).
  • TLS implements the ability to use β€œraw” public keys (RFC 7250).
  • Added support for the TCP connection fast opening mechanism (TFO - TCP Fast Open, RFC 7413), which allows you to reduce the number of connection setup steps by combining the first and second steps of the classic 3-step connection negotiation process into one request and makes it possible to send data at the initial connection setup stage.
  • TLS implements support for pluggable digital signature schemes, allowing the use of third-party implementations of algorithms, for example, for the use of algorithms in TLS that are resistant to brute force on quantum computers.
  • TLS 1.3 adds support for Brainpool secure elliptic curves.
  • Added support for SM4-XTS processor instructions.
  • On the platform Windows The ability to use the system root certificate store has been implemented (disabled by default). To access certificates in the store Windows The suggested URI is "org.openssl.winstore://".

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster