
Releases: openssl/openssl

OpenSSL 3.5.0

08 Apr 13:17

OpenSSL 3.5.0 is a feature release adding significant new functionality to
OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

  • Default encryption cipher for the req, cms, and smime applications
    changed from des-ede3-cbc to aes-256-cbc.

  • The default TLS supported groups list has been changed to include and
    prefer hybrid PQC KEM groups. Some practically unused groups were removed
    from the default list.

  • The default TLS keyshares have been changed to offer X25519MLKEM768 and
    X25519.

  • All BIO_meth_get_*() functions were deprecated.

This release adds the following new features:

  • Support for server side QUIC (RFC 9000)

  • Support for 3rd party QUIC stacks including 0-RTT support

  • Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)

  • A new configuration option no-tls-deprecated-ec to disable support for
    TLS groups deprecated in RFC8422

  • A new configuration option enable-fips-jitter to make the FIPS provider
    use the JITTER seed source

  • Support for central key generation in CMP

  • Support added for opaque symmetric key objects (EVP_SKEY)

  • Support for multiple TLS keyshares and improved TLS key establishment group
    configurability

  • API support for pipelining in provided cipher algorithms

Known issues in 3.5.0

  • #27282
    Calling SSL_accept on objects returned from SSL_accept_connection
    results in error. It is expected that making this call will advance
    the SSL handshake for the passed connection, but currently it does not.
    This can be handled by calling SSL_do_handshake instead. A fix is planned
    for OpenSSL 3.5.1.

OpenSSL 3.5.0-beta1

25 Mar 15:08
Pre-release

OpenSSL 3.5.0 beta1 is a feature release adding significant new functionality to
OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

  • Default encryption cipher for the req, cms, and smime applications
    changed from des-ede3-cbc to aes-256-cbc.

  • The default TLS supported groups list has been changed to include and
    prefer hybrid PQC KEM groups. Some practically unused groups were removed
    from the default list.

  • The default TLS keyshares have been changed to offer X25519MLKEM768 and
    X25519.

  • All BIO_meth_get_*() functions were deprecated.

This release adds the following new features:

  • Support for server side QUIC (RFC 9000)

  • Support for 3rd party QUIC stacks including 0-RTT support

  • Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)

  • A new configuration option no-tls-deprecated-ec to disable support for
    TLS groups deprecated in RFC8422

  • A new configuration option enable-fips-jitter to make the FIPS provider
    use the JITTER seed source

  • Support for central key generation in CMP

  • Support added for opaque symmetric key objects (EVP_SKEY)

  • Support for multiple TLS keyshares and improved TLS key establishment group
    configurability

  • API support for pipelining in provided cipher algorithms

OpenSSL 3.5.0-alpha1

12 Mar 13:52
Pre-release

OpenSSL 3.5.0-alpha1 is a feature pre-release adding significant new functionality to
OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

  • Default encryption cipher for the req, cms, and smime applications
    changed from des-ede3-cbc to aes-256-cbc.

  • The TLS supported groups list has been changed in favor of PQC support.

  • The default TLS keyshares have been changed to offer X25519MLKEM768 and
    X25519.

This release adds the following new features:

  • Support for server side QUIC (RFC 9000)

  • Support for 3rd party QUIC stacks

  • Support for PQC algorithms (ML-KEM, ML-DSA, SLH-DSA)

  • Allow the FIPS provider to optionally use the JITTER seed source.
    Because this seed source is not part of the OpenSSL FIPS validations,
    it should only be enabled after the jitterentropy-library has been
    assessed for entropy quality. Moreover, the FIPS provider including
    this entropy source will need to obtain an ESV from the CMVP before
    FIPS compliance can be claimed. Enable this using the configuration
    option enable-fips-jitter.

  • Support for central key generation in CMP

  • Support added for opaque symmetric key objects (EVP_SKEY).

  • Support for multiple TLS keyshares.

OpenSSL 3.4.1

11 Feb 14:46

OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed RFC7250 handshakes with unauthenticated servers not aborting as expected. (CVE-2024-12797)

  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

OpenSSL 3.3.3

11 Feb 14:49

OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed RFC7250 handshakes with unauthenticated servers not aborting as expected. (CVE-2024-12797)

  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

OpenSSL 3.2.4

11 Feb 14:52

OpenSSL 3.2.4 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed RFC7250 handshakes with unauthenticated servers not aborting as expected. (CVE-2024-12797)

  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

OpenSSL 3.1.8

11 Feb 14:52

OpenSSL 3.1.8 is a security patch release. The most severe CVE fixed in this release is Low.

This release incorporates the following bug fixes and mitigations:

  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

OpenSSL 3.0.16

11 Feb 14:53

OpenSSL 3.0.16 is a security patch release. The most severe CVE fixed in this release is Low.

This release incorporates the following bug fixes and mitigations:

  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)
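
The five security patch releases above (3.4.1, 3.3.3, 3.2.4, 3.1.8, 3.0.16) give a minimum patch level for each 3.x branch. The following is an added example, not part of the OpenSSL release notes: a POSIX shell check that classifies a version string against those minimums. The function names `patch_floor` and `check_openssl_version` are hypothetical, and branches not listed above are reported as unknown.

```shell
#!/bin/sh
# Added example: the minimum patch levels below are copied from the security
# patch releases listed on this page. Function names are hypothetical.

# patch_floor BRANCH -> prints the patch number of the listed security release
patch_floor() {
    case "$1" in
        3.4) echo 1 ;;
        3.3) echo 3 ;;
        3.2) echo 4 ;;
        3.1) echo 8 ;;
        3.0) echo 16 ;;
        *) return 1 ;;          # branch has no security release on this page
    esac
}

# check_openssl_version VERSION
# Prints "patched", "outdated" or "unknown"; returns 0, 1 or 2 respectively.
check_openssl_version() {
    ver=${1%%[-+ ]*}            # drop suffixes such as -beta1 or +vendor tags
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 2 ;;
    esac
    branch=${ver%.*}            # e.g. 3.3
    patch=${ver##*.}            # e.g. 2
    case "$patch" in
        ''|*[!0-9]*) echo unknown; return 2 ;;   # e.g. 1.1.1w letter releases
    esac
    floor=$(patch_floor "$branch") || { echo unknown; return 2; }
    if [ "$patch" -ge "$floor" ]; then
        echo patched
        return 0
    fi
    echo outdated
    return 1
}

# Typical use against the local binary:
#   check_openssl_version "$(openssl version | awk '{print $2}')"
```

Distribution packages often backport fixes without changing the upstream version number, so an "outdated" result on a vendor build should be confirmed against the vendor's own advisory.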

OpenSSL 3.4.0

22 Oct 12:40

OpenSSL 3.4.0 has been released. You can find more details about this release in the release notes.

OpenSSL 3.4.0-beta1

07 Oct 13:53
@t8m t8m
Pre-release

Beta 1 of OpenSSL 3.4.0 is now available: please download and test it!