OpenSSL 3.5.0: Post-Quantum Security and Improved TLS Support

Enhanced TLS Support and New Protocols

Beyond the introduction of PQC algorithms, OpenSSL 3.5.0 brings significant improvements to its Transport Layer Security (TLS) support. The updated version includes the default supported groups list, which now features hybrid PQC KEM groups such as X25519MLKEM768, along with traditional groups like X25519. This hybrid approach enhances security by combining classical cryptographic methods with quantum-resistant techniques. Additionally, OpenSSL 3.5.0 introduces server-side support for the QUIC protocol, standardized in RFC 9000. This support encompasses compatibility with third-party QUIC stacks and 0-RTT connections, all aimed at boosting communication efficiency.

The release introduces several new configuration options, designed to provide greater flexibility and control. Among these are options for disabling deprecated TLS groups, enabling the FIPS jitter entropy source, and utilizing opaque symmetric key objects for enhanced key handling. These features allow administrators to fine-tune their security protocols, balancing the need for robust protection with the operational demands of their specific environments. Centralized key generation in CMP further streamlines the process of maintaining secure communications, making this release a comprehensive upgrade for OpenSSL users.

Compatibility Changes and Deprecations

As with any major update, OpenSSL 3.5.0 includes some compatibility changes and deprecations that users should be aware of to ensure a smooth transition. One of the most significant changes is the shift in the default encryption cipher for certain applications from des-ede3-cbc to aes-256-cbc. This change reflects the ongoing evolution of encryption standards and the need for stronger ciphers to protect sensitive data. Users relying on the older des-ede3-cbc cipher will need to update their configurations to maintain compatibility with the new release.

Another important change involves the deprecation of all BIO_meth_get_*() functions. Moving forward, developers will need to adapt their code to accommodate this deprecation, ensuring that their applications continue to function without interruption. A known issue has also been identified in OpenSSL 3.5.0: an error occurs when calling SSL_accept on objects obtained from SSL_accept_connection. Until this issue is addressed in a future release, users are advised to use SSL_do_handshake as a workaround. These compatibility changes and deprecations highlight the need for careful planning and testing when upgrading to the latest version of OpenSSL.

Looking Ahead

OpenSSL has unveiled its new cryptographic library version 3.5.0, marking a pivotal leap in digital security through the inclusion of post-quantum cryptography (PQC) algorithms. This development is crucial in addressing the looming threat quantum computing poses to current encryption methods. The latest version integrates three primary PQC algorithms: ML-KEM for secure key exchange, ML-DSA for resilient digital signatures, and SLH-DSA, utilizing the SPHINCS+ framework for hash-based signatures. These algorithms ensure that encryption techniques remain robust even as quantum computing progresses.

The advanced algorithms incorporated in OpenSSL 3.5.0 adhere to emerging security standards, ensuring broad compatibility and enhanced protection. This release not only fortifies defenses against potential quantum threats but also sets a standard for the future direction of cybersecurity. By proactively addressing the needs of a post-quantum era, OpenSSL 3.5.0 becomes an essential upgrade for anyone prioritizing digital security.