HN
Today

OpenSSL 4.0.0

OpenSSL 4.0.0 marks a significant evolution for the internet's foundational cryptographic library, bringing a suite of security enhancements, protocol updates, and crucial deprecations. This release cleans up legacy components while integrating modern cryptographic standards, reflecting the ongoing effort to fortify online communication. It's a critical update for developers and system administrators, demonstrating a strong commitment to secure and compliant network interactions.

33
Score
2
Comments
#11
Highest Rank
4h
on Front Page
First Seen
Apr 14, 6:00 PM
Last Seen
Apr 14, 9:00 PM
Rank Over Time
11111213

The Lowdown

OpenSSL, the ubiquitous toolkit for implementing SSL/TLS and general-purpose cryptography, has released its 4.0.0 version. This major feature release introduces a host of potentially incompatible changes, along with substantial new functionality, aiming to modernize the library, enhance security, and remove outdated components. It represents a significant stride in maintaining robust cryptographic standards in a constantly evolving threat landscape.

Key aspects of the OpenSSL 4.0.0 release include:

  • Security Enhancements & Standardization: Stricter validation for FIPS provider, AKID, and CRL verification, alongside standardized hexadecimal output widths.
  • API Modernization: Changes to global data cleanup, BIO_snprintf now using libc's snprintf, and ASN1_STRING becoming opaque. Many API functions received const qualifiers for improved type safety.
  • Deprecation & Removal of Legacy Support: Explicitly removed support for SSLv2 Client Hello, SSLv3, and engines. Deprecated older X509_cmp_time functions and removed various legacy API methods and tools like c_rehash script and msie-hack option.
  • Modern Cryptographic & Protocol Support: Introduction of Encrypted Client Hello (ECH) as per RFC 9849. Added support for new signature algorithms (sm2sig_sm3), key exchange groups (curveSM2, curveSM2MLKEM768), cSHAKE functions, and "ML-DSA-MU" digest algorithms.
  • Improved Flexibility & Compliance: Support for SNMP KDF, SRTP KDF, and deferred FIPS self-tests. Also allows for negotiated FFDHE key exchange in TLS 1.2 and offers static or dynamic VC runtime linkage on Windows.

This release underscores OpenSSL's commitment to adapting to contemporary security demands, shedding obsolete components, and embracing cutting-edge cryptographic research to provide a more secure and efficient foundation for digital communications.