Nearly six months after the previous 3.5 version, the team behind OpenSSL has just announced the release of OpenSSL 3.6, a feature update that introduces major improvements to cryptography handling, compliance, and tooling.
Among the most notable changes is the addition of NIST security categories for PKEY objects, giving developers clearer mappings for cryptographic strength. The update also introduces support for EVP_SKEY opaque symmetric key objects, along with new functions: EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY().
Security compliance sees a boost with LMS (Leighton-Micali Signature) verification included in both the default and FIPS providers. Additionally, OpenSSL 3.6 introduces support for deterministic ECDSA signature generation in accordance with FIPS 186-5, thereby enhancing the reliability of cryptographic operations.
On the tooling side, a new openssl configutl utility has been introduced. This tool processes OpenSSL configuration files and outputs equivalent configurations, helping administrators validate and review system setups more easily.
However, this release also brings changes that may affect existing environments. An ANSI C toolchain is no longer sufficient, as OpenSSL now requires a C99-compliant compiler for builds. Furthermore, support for VxWorks platforms has been removed, reflecting a shift toward maintaining only actively used targets.
Finally, several functions tied to EVP_PKEY_ASN1_METHOD have been marked as deprecated, signaling developers to update their code in line with the newer APIs.
For more information, see the changelog.