OpenSSL prepares for a quantum future with 3.5.0 release

The OpenSSL Project has released version 3.5.0 of its widely used open-source cryptographic library, introducing new features and notable changes that signal its evolution toward future-ready cryptography. This feature release includes support for post-quantum cryptography (PQC), server-side QUIC, and tighter control over TLS behavior.


Default behaviors reworked

OpenSSL 3.5.0 makes several potentially incompatible changes to default settings. Notably, the default encryption cipher for the req, cms, and smime command-line utilities has changed from the aging des-ede3-cbc to the stronger aes-256-cbc, reflecting modern security standards.

In TLS, the default list of supported cryptographic groups has shifted to prioritize hybrid post-quantum key encapsulation mechanisms (KEMs). Simultaneously, less-used legacy groups have been removed to streamline default configurations. On the key exchange front, the library now offers X25519MLKEM768 and X25519 by default as TLS keyshares, laying the groundwork for quantum-resistant key negotiation.
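
To check from a packet capture whether a client actually offers the keyshares described above, the key_share extension of its TLS 1.3 ClientHello can be parsed directly. The following Python is an added example, not code from OpenSSL or from this article; the group codepoints are taken from the IANA TLS Supported Groups registry, and the function names and sample bytes are constructed for illustration.

```python
import struct

# IANA TLS Supported Groups codepoints (registry values, not from the article).
X25519, X25519MLKEM768 = 0x001D, 0x11EC
NAMES = {X25519: "X25519", X25519MLKEM768: "X25519MLKEM768"}
# Client share sizes: 32-byte X25519 key; the hybrid share is an ML-KEM-768
# encapsulation key (1184 bytes) followed by an X25519 key (32 bytes).
EXPECTED_LEN = {X25519: 32, X25519MLKEM768: 1184 + 32}


def parse_key_share(ext: bytes) -> list:
    """Parse ClientHello key_share extension_data (RFC 8446, section 4.2.8)
    into (group, key_exchange_length) pairs; ValueError if malformed."""
    if len(ext) < 2 or struct.unpack_from("!H", ext)[0] != len(ext) - 2:
        raise ValueError("bad client_shares length")
    shares, pos = [], 2
    while pos < len(ext):
        if pos + 4 > len(ext):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", ext, pos)
        pos += 4 + klen
        if pos > len(ext):
            raise ValueError("truncated key_exchange")
        shares.append((group, klen))
    return shares


def audit_key_share(ext: bytes) -> dict:
    """Summarize offered groups and flag shares whose size is implausible."""
    shares = parse_key_share(ext)
    return {
        "offered": [NAMES.get(g, f"0x{g:04x}") for g, _ in shares],
        "hybrid_pq": any(g == X25519MLKEM768 for g, _ in shares),
        "bad_lengths": [NAMES[g] for g, n in shares
                        if g in EXPECTED_LEN and n != EXPECTED_LEN[g]],
    }


def sample(*shares) -> bytes:
    """Build constructed extension_data; zero bytes stand in for real keys."""
    body = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    # Constructed inputs: the hybrid-first offer the article describes, and a
    # classical-only offer for comparison.
    print(audit_key_share(sample((X25519MLKEM768, 1216), (X25519, 32))))
    print(audit_key_share(sample((X25519, 32))))
```

A client that reports hybrid_pq as False, or a hybrid share with an unexpected length, is a candidate for a configuration or middlebox check.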

Additionally, all BIO_meth_get_*() functions have been deprecated, signaling an internal cleanup and modernization of the BIO (Basic Input/Output) API.

Feature highlights

OpenSSL 3.5.0 makes a strong leap into the future with full server-side support for QUIC (RFC 9000), the next-generation transport protocol designed to replace TCP for faster, more secure internet communication. It also introduces support for third-party QUIC stacks and 0-RTT (zero round trip time) capabilities, which could significantly enhance performance in real-time applications.

Post-quantum cryptography is another major focus in this release. OpenSSL 3.5.0 adds support for PQC algorithms such as ML-KEM, ML-DSA, and SLH-DSA, which were recently published as standards as a result of NIST’s post-quantum standardization process.

Other new features include:

  • A no-tls-deprecated-ec configuration option to disable elliptic curve groups deprecated by RFC 8422.
  • An enable-fips-jitter option that allows the FIPS provider to use the JITTER entropy source for improved randomness.
  • Support for central key generation in the Certificate Management Protocol (CMP).
  • Introduction of EVP_SKEY, a new type of opaque symmetric key object for improved abstraction and security.
  • Expanded API support for pipelining in cipher algorithms to optimize cryptographic performance.

OpenSSL 3.5.0 is available on GitHub.
