OpenSSL 3.1.0, the latest library for SSL/TLS protocols and encryption algorithms has been released after a year and a half of development. The project code is available under the Apache 2.0 license.
Support for OpenSSL 3.1 will be provided until March 2025. Meanwhile, support for previous versions of OpenSSL will also be available, with support for OpenSSL 3.0 and 1.1.1 until September 2026 and September 2023, respectively.
The main innovations in OpenSSL 3.1.0 include:
- The FIPS module now supports cryptographic algorithms that comply with the FIPS 140-3 safety standard. The certification process to obtain a certificate of conformity with the requirements of FIPS 140-3 has begun. Although users can continue to use the FIPS module certified for FIPS 140-2 before the certification, changes have been made in the new version of the module, including the addition of the Triple des ECB, Triple Des CBC, and EdSA algorithms, which have not yet been tested for compliance with FIPS requirements. The new version also optimizes module performance, with internal tests now launched at each loading of the module, and not only after installation.
- The OSSL_LIB_ctX processed code has a new option that is free from excessive locks, resulting in faster performance.
- The frameworks of the encoder and decoder have been enhanced to increase performance.
- Performance related to the use of internal structures (hash-tables) and caching has also been improved.
- The generation rate of RSA-keystrokes in FIPS has been increased.
- As for specific assembler optimization for AES-GCM, Chacha20, SM3, SM4, and SM4-GCM algorithms, there are now different processors architectures available. For example, the AES-GCM code is optimized using the AVX512 VAES and VPClmulqdq instructions.
- Support for the KMAC (Keccak Message Authentication Code) algorithm has been added to KBKDF (Key Based Key Derivation Function).
- The various functions “Obj_*” have been adapted for use in multi-flow code.
- The RNDR instructions and RNDRRS registers are now available for use with processors based on the Aarch64 architecture.
- Outdated opensl_lh_stats, opensl_lh_node_stats, opensl_lh_node_usage_stats, opensl_lh_stats_bio, opensl_node_bio, openssl_lh_nodet, and Declared outdated macrc
/Reports, release notes, official announcements.