The just-released new OpenSSL 3.3 version of this fundamental secure communications library introduces many features, optimizations, and enhancements to boost OpenSSL’s functionality, security, and efficiency. So, let’s take a look at them.
What’s New in OpenSSL 3.3?
- Enhanced QUIC Protocol Support: OpenSSL 3.3 supports QUIC, a modern transport layer network protocol. Notable additions include qlog support for tracing QUIC connections, APIs for managing QUIC connection idle timeouts, stream creation, and disabling implicit QUIC event processing.
- Improved Stream Handling and Connectivity: The introduction of
SSL_write_ex2API allows for optimized end-of-stream signaling within QUIC, complementing the new ability to query QUIC stream buffer sizes and utilization. This version also enables limited polling of QUIC connection and stream objects in non-blocking modes, further enhancing application responsiveness. - Cryptography Enhancements: OpenSSL 3.3 expands its cryptographic capabilities with several notable features. The new EVP_DigestSqueeze() API accommodates varying output sizes for SHAKE digest algorithms. Additionally, BLAKE2s hashing algorithm now supports configurable output lengths, mirroring BLAKE2b’s flexibility. Furthermore, EVP_PKEY_fromdata enhances key derivation functionalities, including support for Chinese Remainder Theorem parameters.
- Build and Configuration Improvements: This release introduces an exporter for CMake on both Unix and Windows, facilitating easier integration and deployment. It also adds a new atexit configuration switch for managing OPENSSL_cleanup upon library unloading, alongside enhancements in provider activation and loading settings.
- Security and Protocol Optimizations: OpenSSL 3.3 includes a range of optimizations aimed at various platforms, including Microsoft Azure Cobalt 100, ARM Neoverse, Apple Silicon M3, and RISC-V architectures. These optimizations ensure that OpenSSL remains at the forefront of performance and security across diverse hardware environments.
- API and Functionality Refinements: Among the myriad of improvements, this release offers new APIs for session time management, ignoring unknown entries in TLS signature algorithms configurations, and managing X509 certificates more effectively in multi-threaded scenarios. Additionally, it introduces a limit on HTTP response headers to enhance client security.
Addressing Compatibility and Security
OpenSSL 3.3 also addresses potential compatibility issues and security concerns. It introduces checks for minimum input string lengths by ITU-T standards, adjusts the handling of configuration settings, and sets new limits for HTTP client headers. Moreover, it migrates the default hash function from MD5 to SHA256 for HMAC operations.
Bug Fixes and Beyond
This release tackles specific bugs, such as the upper bound limitation of the BIO_get_new_index() function, ensuring the OpenSSL remains reliable and robust. For developers and users keen on leveraging the new QUIC functionalities, the OpenSSL team encourages reviewing the QUIC README file, which offers valuable documentation and example code.
The detailed list of all changes in OpenSSL 3.3 can be found in the project’s changelog.
