After a year and a half of development and several corrective versions in the previous version, the launch of the new version of the library “OpenSSL 3.1.0” with the implementation of SSL/TLS protocols and various encryption algorithms.
Support for this new version of OpenSSL 3.1 will continue until March 2025, while support for legacy OpenSSL versions 3.0 and 1.1.1 will continue until September 2026 and September 2023, respectively.
For those who are unaware of OpenSSL, they should know that this is a free software project based on SSLeay, which consists of a robust package of cryptography-related libraries and administration tools, which provide cryptographic functions to other packages such as OpenSSH and web browsers (for secure access to HTTPS sites).
These tools help the system implement Secure Sockets Layer (SSL) as well as other security-related protocols such as Transport Layer Security (TLS). OpenSSL also allows you to create digital certificates that can be applied to a server, for example Apache.
OpenSSL used in encrypted validation mail clients, web-based transactions for credit card payments and in many cases in systems that require security for the information that will be exposed on the network "confidential data".
Main new features of OpenSSL 3.1.0
In this new version of OpenSSL 3.1.0, it is highlighted that FIPS module implements support for cryptographic algorithms that meet the safety standard FIPS 140-3, Besides that the module certification process has started to obtain FIPS 140-3 compliance certification.
It is mentioned that until certification is complete after updating OpenSSL to branch 3.1, users can continue to use a FIPS 140-2 certified FIPS module. Of the changes in the new version of the module, the inclusion of the Triple DES ECB, Triple DES CBC and EdDSA algorithms stands out, which have not yet been tested for compliance with FIPS requirements. Also in the new version, optimizations have been made to improve performance and a transition has been made to run internal tests with every module load, and not just after installation.
Another change that stands out is that made a change to the default salt length for PKCS#1 RSASSA-PSS signatures to the maximum size that is smaller than or equal to the digest length to comply with
FIPS 186-4. This is implemented by a new option `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the `rsa_pss_saltlen` parameter, which is now the default.
Besides that, the OSSL_LIB_CTX code has been reworked, the new option is free from unnecessary locks and allows for higher performance.
Also improved performance of encoder and decoder frameworks is highlighted, as well as a performance optimization made related to the use of internal structures (hash tables) and caching and also an improved speed of RSA key generation in FIPS mode.
The algorithms AES-GCM, ChaCha20, SM3, SM4 and SM4-GCM have optimizations assembler packages for different processor architectures. For example, AES-GCM code is accelerated by the AVX512 vAES and vPCLMULQDQ instructions.
Has been added support for the KMAC algorithm (KECCAK Message Authentication Code) to KBKDF (Key-Based Key Derivation Function), plus several "OBJ_*" functions have been adapted for use in multi-threaded code.
Added the ability to use the RNDR instruction and the RNDRRS registers available on processors based on the AArch64 architecture to generate pseudorandom numbers.
On the other hand, it is mentioned that the `DEFINE_LHASH_OF` macro is now deprecated in favor of the `DEFINE_LHASH_OF_EX` macro, which omits the corresponding type-specific function for definitions of these functions, regardless of whether `OPENSSL_NO_DEPRECATED_3_1` is defined. This is why users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these functions regardless of whether they are using them. It is recommended that users transition to the new macro, `DEFINE_LHASH_OF_EX`.
Finally, if you are interested in knowing more about it about this new release, you can check the details on thel following link.
Be the first to comment