Yesterday (11th of September), the OpenSSL team announced the stable release of OpenSSL 1.1.1. With work being in progress for two years along with more than 500 commits, the release comes with many notable upgrades.
The most important new feature in OpenSSL 1.1.1 is TLSv1.3, which was published last month as RFC 8446 by the Internet Engineering Task Force. Applications working with OpenSSL1.1.0 can gain the benefits of TLSv1.3 by upgrading to the new OpenSSL version.
TLS 1.3 features
- Reduction in the number of round trips required between the client and server to improve connection times
- 0-RTT or “early data” feature – which is the ability for clients to start sending encrypted data to the server straight away without any round trips with the server
- Removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake has improved security
For more details on TLS 1.3 read:
Updates in OpenSSL 1.1.1
A complete rewrite of the OpenSSL random number generator
The OpenSSL random number generator has been completely rewritten to introduce capabilities such as:
- The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
- Support for multiple DRBG instances with seed chaining.
- Public and private DRBG instance.
- DRBG instances are made fork-safe.
- Keep all global DRBG instances on the secure heap if it is enabled.
- The public and private DRBG instance are per thread for lock free operation
Support for various new cryptographic algorithms
The different algorithms that are now supported by OpenSSL 1.1.1 include:
- SHA3, SHA512/224 and SHA512/256
- EdDSA (including Ed25519 and Ed448)
- X448 (adding to the existing X25519 support in 1.1.0)
- Multi-prime RSA
- ARIA (including TLS support)
Side-Channel attack security improvements
This upgrade also introduces significant Side-Channel attack security improvements, maximum fragment length TLS extension support and a new STORE module, implementing a uniform and URI based reader of stores containing keys, certificates, CRLs and numerous other objects.
OpenSSL 1.0.2 will receive full support only until the end of 2018 and security fixes only till the end of 2019. The team advises users of OpenSSL 1.0.2 to upgrade to OpenSSL 1.1.1 at the earliest.
Head over to the OpenSSL blog for further details on the news.