{"id":11429,"date":"2025-04-08T09:04:20","date_gmt":"2025-04-08T16:04:20","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=11429"},"modified":"2025-04-08T09:04:20","modified_gmt":"2025-04-08T16:04:20","slug":"openssl-3-5-brings-major-cryptographic-shifts","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2025\/04\/08\/openssl-3-5-brings-major-cryptographic-shifts\/","title":{"rendered":"OpenSSL 3.5 Brings Major Cryptographic Shifts"},"content":{"rendered":"\n

Some nice developments with OpenSSL.<\/p>\n\n\n\n

https:\/\/linuxiac.com\/openssl-3-5-brings-major-cryptographic-shifts\/<\/a><\/p>\n\n\n

<\/div><\/div><\/div>\n\n\n
OpenSSL 3.5 introduces major crypto updates, including PQC support, server-side QUIC, and new TLS defaults.<\/h5>\n\n\n\n

By Bobby Borisov<\/p>\n\n\n\n

\"OpenSSL<\/figure>\n\n\n\n

Over five months after its previous 3.4 version<\/a>, the team behind OpenSSL has just announced the release of OpenSSL 3.5, introducing several notable enhancements.<\/p>\n\n\n\n

As the main highlight, the default encryption cipher for the req, cms, and smime applications has been changed from des-ede3-cbc<\/code> to the more powerful aes-256-cbc<\/code>.<\/p>\n\n\n\n

Furthermore, the default TLS-supported groups list is now configured to include and favor hybrid post-quantum cryptography (PQC) KEM groups, removing some lesser-used groups in the process. Developers should also note that the default TLS keyshares now offer X25519MLKEM768<\/code> and X25519<\/code> to bolster key establishment options.<\/p>\n\n\n\n

Another important point worth highlighting is the deprecation of all BIO_meth_get_*()<\/code> functions. While this may prompt changes in legacy code, it sets the stage for more modern approaches to bio-layer functionality.<\/p>\n\n\n\n

Meanwhile, organizations that rely heavily on TLS can look forward to support for multiple TLS keyshares and improved TLS key establishment group configurability\u2014ideal for those seeking maximum flexibility in their cryptographic setups.<\/p>\n\n\n\n

Users will also be excited to learn that OpenSSL 3.5.0 offers server-side QUIC (RFC 9000) support, plus compatibility with third-party QUIC stacks, including 0-RTT support for faster handshakes. In addition, the release advances post-quantum readiness by adding PQC algorithms (ML-KEM, ML-DSA, and SLH-DSA).<\/p>\n\n\n\n

Furthermore, new configuration options have been introduced, like no-tls-deprecated-ec<\/code> to disable support for TLS groups deprecated in RFC8422 and enable-fips-jitter<\/code> to incorporate JITTER seed sources for the FIPS provider.<\/p>\n\n\n\n

For larger deployments requiring cryptographically nimble workflows, central key generation in CMP and opaque symmetric key objects (EVP_SKEY) bring convenience and enhanced control.<\/p>\n\n\n\n

Additionally, the release provides API support for pipelining in provided cipher algorithms, a welcome improvement for those optimizing high-performance applications.<\/p>\n\n\n\n

Lastly, a known issue may affect some users: calling SSL_accept<\/code> on objects returned from SSL_accept_connection<\/code> results in an unexpected error instead of advancing the handshake as intended.<\/p>\n\n\n\n

For now, developers can circumvent this by calling SSL_do_handshake<\/code> instead, though a permanent fix is already planned for OpenSSL 3.5.1.<\/p>\n\n\n\n

The release\u2019s changelog<\/a> contains a detailed list of all changes in OpenSSL 3.5.<\/p>\n","protected":false},"excerpt":{"rendered":"

Some nice developments with OpenSSL. https:\/\/linuxiac.com\/openssl-3-5-brings-major-cryptographic-shifts\/ OpenSSL 3.5 introduces major crypto updates, including PQC support, server-side QUIC, and new TLS defaults. By Bobby Borisov Over five months after its previous 3.4 version, the team behind OpenSSL has just announced the release of OpenSSL 3.5, introducing several notable enhancements. As the main highlight, the default encryption […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-11429","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/11429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=11429"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/11429\/revisions"}],"predecessor-version":[{"id":11430,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/11429\/revisions\/11430"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=11429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=11429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=11429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}