OpenSSL 3.5.0 introduces significant updates, marking a shift towards post-quantum cryptography (PQC) in the library. This version includes the addition of PQC algorithms like ML-KEM, ML-DSA, and SLH-DSA, designed to prepare for quantum computing’s potential to break traditional encryption. In parallel, OpenSSL has implemented stronger security features such as default encryption changes and the removal of outdated cryptographic groups, paving the way for safer and more modern systems.
The library now offers full support for the QUIC protocol, enabling server-side use of this faster, more secure transport method.
This addition includes support for 0-RTT connections, enhancing real-time communication. Additionally, OpenSSL’s compatibility with third-party QUIC stacks ensures its adaptability to evolving internet communication standards. As internet speeds and demands increase, this shift to QUIC may become a pivotal development in the realm of secure communication.
The release also includes various new configuration options to bolster security and performance.
The new no-tls-deprecated-ec option disables outdated elliptic curve groups, and the enable-fips-jitter option improves entropy for better randomness. OpenSSL 3.5.0 introduces an opaque symmetric key object, EVP_SKEY, for better key abstraction, as well as centralized key generation for improved cryptographic management. These features streamline system security and functionality, preparing OpenSSL for modern challenges.
However, this update also brings some breaking changes, such as the transition from des-ede3-cbc to aes-256-cbc for default encryption. The library also deprecated certain internal functions, signaling a clean-up process to modernize the codebase. Users may experience temporary issues with SSL_accept connections, for which a workaround is provided. OpenSSL 3.5.0 represents a significant evolution, addressing both current and future encryption needs while ensuring backward compatibility with previous systems.
Reference:
