OpenSSL 4.0.0 Release Supports Post-Quantum Cryptography and Drops Legacy Protocols
OpenSSL 4.0.0 Release Details
OpenSSL 4.0.0, the latest release of the widely used cryptography library, removes several outdated security protocols and introduces post-quantum capabilities.
Main Changes
- Removal of SSLv3 support, deprecated since 2015
- Elimination of the SSLv2 Client Hello
- Deprecation of the engine API
- Obsolete EVP_CIPHER, EVP_MD, EVP_PKEY, and EVP_PKEY_ASN1 methods removed
Enhanced Security Features
- Support for Encrypted Client Hello (ECH) as defined in RFC 9849
- Introduction of the hybrid key exchange group curveSM2MLKEM768 and the ML-DSA-MU digest algorithm
- Inclusion of the cSHAKE function per NIST SP 800-185
API and Behavioral Modifications
- Making ASN1_STRING opaque
- Introducing const qualifications for various signature functions
- Deprecation of functions X509_cmp_time(), X509_cmp_current_time(), and X509_cmp_timeframe()
Performance and Functionality Improvements
- libcrypto no longer relies on atexit() to clean up globally allocated data
- BIO_f_reliable() eliminated without a direct replacement
- AKID verification checks are required when X509_V_FLAG_X509_STRICT is enabled
- CRL verification undergoes added scrutiny when X509_V_FLAG_X509_STRICT is enabled
Configuration Changes
- Disabling support for deprecated elliptic curves in TLS according to RFC 8422
- Explicit EC curves can be re-enabled through specific configuration options
- Compiling for darwin-i386 and darwin-ppc variants is no longer supported
- Replacing the c_rehash script with openssl rehash
According to the official OpenSSL announcement, users are encouraged to explore this new development and assess its impact on their respective applications and systems.
The OpenSSL 4.0.0 release is now available on GitHub.
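To assess the impact of the changes listed above on an existing code base, a source audit along the following lines can flag affected call sites. This is an added example, not code from the OpenSSL project; the rule table covers only names mentioned in this summary (plus the library's `ENGINE_` and `SSLv3_*method` prefixes), and the sample inputs and file names are constructed.

```python
import re

# Names come from the release summary; ENGINE_ and SSLv3_*method are the
# library's prefixes for the engine API and the SSLv3 entry points.
RULES = [
    (r"\bSSLv3_(?:client_|server_)?method\b", "removed", "SSLv3 support removed"),
    (r"\bENGINE_\w+", "deprecated", "engine API deprecated"),
    (r"\bX509_cmp_(?:time|current_time|timeframe)\b", "deprecated",
     "X509 time-comparison helper deprecated"),
    (r"\bBIO_f_reliable\b", "removed", "eliminated, no direct replacement"),
    (r"\bc_rehash\b", "replaced", "use 'openssl rehash'"),
]
C_EXT = (".c", ".h", ".cc", ".cpp", ".hpp")
# C comments and string literals: blanked so mere mentions are not flagged.
C_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

def _blank(m):
    # Replace everything except newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", m.group(0))

def scan_text(name, text):
    """Return sorted (line, symbol, status, note) findings for one file."""
    if name.endswith(C_EXT):
        text = C_NOISE.sub(_blank, text)
    else:
        text = re.sub(r"(?m)^\s*#.*$", _blank, text)  # script comment lines
    findings = []
    for pattern, status, note in RULES:
        for m in re.finditer(pattern, text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0), status, note))
    return sorted(findings)

# Constructed sample inputs (not taken from any real project).
SAMPLE_C = '''#include <openssl/x509.h>
/* old code called SSLv3_method() here */
int expired(const ASN1_TIME *t) {
    return X509_cmp_current_time(t) < 0;
}
ENGINE *e = ENGINE_by_id("pkcs11");
const char *msg = "BIO_f_reliable is gone";
'''
SAMPLE_SH = "#!/bin/sh\n# refresh hashes\nc_rehash /etc/ssl/certs\n"

if __name__ == "__main__":
    for name, src in (("verify.c", SAMPLE_C), ("update-certs.sh", SAMPLE_SH)):
        for line, symbol, status, note in scan_text(name, src):
            print(f"{name}:{line}: {symbol} [{status}] {note}")
```

Direct access to ASN1_STRING fields, which the opaque type no longer permits, is not detected by this name-based scan and is best found by compiling against the new headers.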
