The new version of OpenSSL 3.3.0 has already been released


OpenSSL is an API that provides a suitable environment for encrypting the data that is sent.

OpenSSL 3.3.0 has been released. This release brings a series of improvements for the QUIC protocol, better support for different architectures, bug fixes and more.

OpenSSL is an open source library essential for security in network communications that provides tools to encrypt and decrypt data, generate digital keys and certificates, implement security protocols such as SSL/TLS, and perform hashing and digital signatures.

What's new in OpenSSL 3.3.0?

One of the most important new features in OpenSSL 3.3.0 is the improved support for the QUIC protocol (RFC 9000), which runs on top of UDP and is used by HTTP/3. Among the additions in the new version are:

  • Support for qlog, a standard log format used to track QUIC connections.
  • APIs have been added to allow configuring negotiated idle timeout on QUIC connections, which is useful for tuning connection behavior based on specific application requirements.
  • It is now possible to disable implicit QUIC event processing for QUIC SSL objects using new APIs.
  • Added APIs to allow querying the size and utilization of the write buffer in a QUIC stream.
  • Introduced a new API called SSL_write_ex2, which can be used to send an end-of-stream (FIN) condition in an optimized manner when using QUIC. This improves the efficiency of data transmission using QUIC.
  • Added limited support for polling QUIC connection and stream objects in a non-blocking manner. This can improve efficiency and performance in environments that have to handle many QUIC connections.

Another notable change in this version is the implementation of extensions to the Certificate Management Protocol (CMP) according to the RFC 9480 and RFC 9483 specifications. The release also adds the ability to disable the use of atexit at build time, a variant of the SSL_SESSION API that avoids the year 2038 problem on 32-bit systems, and the ability for the EVP_PKEY_fromdata function to automatically derive Chinese Remainder Theorem (CRT) parameters.

In addition, a new API called EVP_DigestSqueeze() was added, which allows squeezing output multiple times with different output sizes when using the SHAKE algorithm, along with support for ignoring unknown signing algorithm names and for configuring priority use of PSK keys on a TLS 1.3 server.

Improvements were made to the ability to export build files for CMake on Unix and Windows systems, along with specific performance optimizations for various architectures and chips, such as optimized AES-GCM performance on Azure Cobalt 100 devices, AES-CTR acceleration on ARM Neoverse V1 and V2, AES and SHA3 optimizations on Apple systems with M3 chips, and an md5 assembly implementation for LoongArch64 CPUs.

Other changes that stand out:

  • Fixed security issues such as unlimited memory growth in session handling in TLSv1.3, identified as CVE-2024-2511. Additionally, improvements were made to the stability and reliability of the OpenSSL toolkit.
  • Various optimizations for cryptographic routines using RISC-V vector cryptographic extensions
  • Added an assembly implementation for md5 on loongarch64.
  • The activate and soft_load configuration settings for providers in openssl.cnf have been updated to require a value of [1|yes|true|on] (lowercase or UPPERCASE) to enable the setting. Conversely, a value of [0|no|false|off] will disable the setting.
  • In openssl speed, changed the default hash function used with hmac from md5 to sha256.
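The provider setting change listed above is worth checking before an upgrade. The following is an added example, not code from the OpenSSL project: it scans openssl.cnf text for the provider settings `activate` and `soft_load` and classifies each value against the two accepted sets listed above. The sample configuration is constructed, and reporting mixed-case values as unrecognized is an assumption based on the "lowercase or UPPERCASE" wording.

```python
import re

ENABLE = {"1", "yes", "true", "on"}
DISABLE = {"0", "no", "false", "off"}
KEYS = {"activate", "soft_load"}  # provider settings affected by the change

# Constructed sample configuration, not taken from a real system.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect
fips = fips_sect

[default_sect]
activate = 1

[legacy_sect]
activate = FALSE   # operator intends this provider to stay off
soft_load = yes

[fips_sect]
activate = enabled
"""

def classify(value):
    """Map a setting value to 'enable', 'disable' or 'unrecognized'."""
    # Assumption: only all-lowercase or all-UPPERCASE spellings are accepted.
    if value not in (value.lower(), value.upper()):
        return "unrecognized"
    v = value.lower()
    return "enable" if v in ENABLE else "disable" if v in DISABLE else "unrecognized"

def audit(text):
    """Return (line, section, key, value, verdict) for each provider setting."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in KEYS:
            findings.append((lineno, section, key, value, classify(value)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF):
        print(*finding)
```

Any entry reported as `disable` or `unrecognized` should be compared with what the operator intended for that provider before moving to 3.3.0.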

If you are interested in knowing more about it, you can check the details in the following link.

How to install OpenSSL on Linux?

For those who are interested in installing OpenSSL on their distribution, you can follow the steps we share depending on the specific distribution you are using:

Ubuntu, Debian and derivatives of these can do this by opening a terminal and running the following command:

sudo apt install openssl

Fedora
On Red Hat-based distributions, such as Fedora, you can install OpenSSL using dnf:

sudo dnf install openssl

For users of Arch Linux or Arch-based distributions:

sudo pacman -S openssl
