OpenSSL 3.2.0 has been released, and this is what is new


The release of OpenSSL 3.2.0 has just been announced. It arrives after almost eight months of development and brings compatibility improvements and support for hybrid encryption based on HPKE, among other things.

For those unfamiliar with OpenSSL, it is a free software project based on SSLeay. It consists of a robust package of cryptography-related libraries and administration tools that provide cryptographic functions to other packages, such as OpenSSH and web browsers (for secure access to HTTPS sites).

These tools help the system implement Secure Sockets Layer (SSL) as well as other security-related protocols such as Transport Layer Security (TLS). OpenSSL also allows you to create digital certificates that can be applied to a server, for example Apache.

Main new features of OpenSSL 3.2.0

The highlight of OpenSSL 3.2.0 is the added support for a QUIC protocol client (RFC 9000). QUIC is used as the transport in the HTTP/3 protocol. The implementation includes the ability to send multiple streams over a single communication channel, among other features. The elements necessary to use QUIC on servers are expected in OpenSSL 3.3, which is scheduled for release no later than April 30, 2024.

Another notable addition is that TLS now supports an extension for certificate compression during the connection negotiation phase (RFC 8879). This enables faster connection setup, since certificate data makes up the majority of the traffic during negotiation. Compression with the zlib, zstd, and Brotli libraries is supported.

In addition, support has been added for deterministic ECDSA signatures: instead of a random sequence when generating a signature, an HMAC-SHA256 hash of the private key and the text of the signed message is used. This always yields the same signature across different signing operations, without leaking data that could be used to guess the private key.
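The nonce derivation described above is the scheme specified in RFC 6979. The following Python is an added example, not OpenSSL's code and not part of the original article; it assumes the P-256 curve, uses function names chosen here for illustration, and takes its constructed sample key from the published test vector in RFC 6979, appendix A.2.5.

```python
import hashlib
import hmac

# Group order q of NIST P-256 (public curve constant).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed sample input: the published P-256 test key from RFC 6979, A.2.5.
SAMPLE_KEY = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(data: bytes, qlen: int) -> int:
    """Big-endian integer from data, keeping only the leftmost qlen bits."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - qlen
    return value >> excess if excess > 0 else value


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def deterministic_nonce(private_key: int, message: bytes, q: int = P256_ORDER) -> int:
    """Derive the per-signature nonce k from the key and message (RFC 6979, 3.2)."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    digest = hashlib.sha256(message).digest()
    # Private key and reduced message hash, each encoded to the byte length of q.
    seed = private_key.to_bytes(rlen, "big")
    seed += (bits2int(digest, qlen) % q).to_bytes(rlen, "big")
    v, k = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):
        k = _mac(k, v + sep + seed)
        v = _mac(k, v)
    while True:
        t = b""
        while len(t) < rlen:
            v = _mac(k, v)
            t += v
        candidate = bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        # Candidate outside [1, q-1]: update the HMAC state and try again.
        k = _mac(k, v + b"\x00")
        v = _mac(k, v)


if __name__ == "__main__":
    for msg in (b"sample", b"sample", b"test"):
        print(msg, format(deterministic_nonce(SAMPLE_KEY, msg), "064X"))
```

Python integers are not constant-time, so this is suitable for studying the derivation and checking test vectors, not for signing with real keys.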

On Windows, the ability to use the system root certificate store has been implemented (disabled by default). To access the certificates in the Windows store, the URI “org.openssl.winstore://” is proposed.

On the other hand, the optimization of the SM2 algorithm on aarch64 stands out. It uses an extensive precomputed table for base point multiplication, which increases the size of libcrypto from 4.4 MB to 4.9 MB.

Other changes that stand out in this new version:

  • Support for Ed25519ctx, Ed25519ph and Ed448ph (RFC 8032) in addition to existing support for Ed25519 and Ed448
  • Added a new configuration option, no-sm2-precomp, to disable the precomputed table.
  • AES-GCM-SIV (RFC 8452)
  • Implemented the Argon2 (RFC 9106) key generation function, along with supporting thread pool functionality
  • Added support for hybrid encryption based on the HPKE mechanism (RFC 9180), which combines the simplicity of key transfer in public key encryption with the high performance of symmetric encryption.
  • The ability to use raw public keys in TLS (RFC 7250)
  • Support for TCP Fast Open (RFC 7413), when supported by the operating system
  • Support for provider-based pluggable signing schemes in TLS, allowing third-party providers of post-quantum and other algorithms to use those algorithms with TLS.
  • Support for Brainpool curves in TLS 1.3
  • SM4-XTS

Finally, it is worth mentioning that OpenSSL 3.2.0 will be supported until November 23, 2025, while support for the previous OpenSSL 3.1 and 3.0 LTS branches will continue until March 2025 and September 2026, respectively.

If you are interested in knowing more about this new release, you can check the details at the following link.

