OpenSSL 3.5 has officially launched, marking a significant update for this open-source library that enables secure communications over networks for various applications and websites. This new version comes just over six months after the previous OpenSSL 3.4 release.
One of the notable features in OpenSSL 3.5 is support for server-side QUIC (RFC 9000) along with support for third-party QUIC stacks, which includes 0-RTT support. Additionally, it introduces post-quantum cryptography (PQC) algorithms such as ML-KEM, ML-DSA, and SLH-DSA, which are essential as we move towards a more quantum-resilient digital future.
The update also adds support for central key generation in CMP, opaque symmetric key objects (EVP_SKEY), and multiple TLS keyshares. It further improves the configurability of TLS key establishment groups and offers API support for pipelining within provided cipher algorithms.
In terms of security enhancements, the default TLS-supported groups list now prioritizes hybrid PQC KEM groups. Further changes include adjustments to default TLS keyshares to offer X25519MLKEM768 and X25519, and a modification of the default encryption cipher for various applications from des-ede3-cbc to aes-256-cbc. Moreover, there is a new configuration option to disable deprecated TLS groups as specified in RFC 8422, along with an option to enable the FIPS JITTER seed source.
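To confirm that a client really offers the new default keyshares, the ClientHello from a packet capture can be inspected. The following is an added example, not code from OpenSSL or its release notes: it parses the key_share extension of a ClientHello handshake message (TLS record header already stripped) and names the offered groups. The function names and the zero-filled sample message are constructed for illustration.

```python
import struct

EXT_KEY_SHARE = 51  # key_share extension type (RFC 8446)
# IANA named-group code points for the two default keyshares named above
GROUPS = {0x11EC: "X25519MLKEM768", 0x001D: "X25519"}

def offered_keyshares(handshake: bytes) -> list[str]:
    """Names of the key_share groups in a ClientHello handshake message."""
    if len(handshake) < 4 or handshake[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = handshake[4:]
    if len(body) != int.from_bytes(handshake[1:4], "big"):
        raise ValueError("length field does not match message size")
    try:
        pos = 2 + 32                                          # legacy_version, random
        pos += 1 + body[pos]                                  # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        names = []
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == EXT_KEY_SHARE:
                shares = body[pos + 2:pos + ext_len]          # skip list length
                i = 0
                while i + 4 <= len(shares):
                    group, key_len = struct.unpack_from("!HH", shares, i)
                    names.append(GROUPS.get(group, f"0x{group:04x}"))
                    i += 4 + key_len
            pos += ext_len
        return names
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc

def sample_client_hello(shares: list[tuple[int, int]]) -> bytes:
    """Constructed input: minimal ClientHello with zero-filled key shares."""
    entries = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    key_share = struct.pack("!HHH", EXT_KEY_SHARE, len(entries) + 2, len(entries)) + entries
    exts = struct.pack("!HH", 43, 3) + b"\x02\x03\x04" + key_share  # supported_versions: TLS 1.3
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    # 1216 = ML-KEM-768 encapsulation key (1184) + X25519 public key (32)
    print(offered_keyshares(sample_client_hello([(0x11EC, 1216), (0x001D, 32)])))
```

A client that lists only X25519 here is still negotiating a classical key exchange and is worth flagging in an upgrade audit.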
However, developers have noted a known issue in OpenSSL 3.5 regarding SSL handshakes. When SSL_accept is invoked on specific objects, it does not advance the SSL handshake as expected. The suggested workaround is to call SSL_do_handshake instead. This issue is slated for resolution in the upcoming OpenSSL 3.5.1.
For further details, you can refer to the release notes. OpenSSL 3.5 is available for download from the official website. It is highly recommended that all users, websites, and operating systems upgrade to this release promptly to ensure enhanced security and performance.