Skip to content

OpenSSL 3.4.0

Latest
Latest
Compare
Choose a tag to compare
@philyuchkoff philyuchkoff released this 22 Oct 13:47
· 1 commit to master since this release
3.4.0
de05f3c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

OpenSSL 3.4

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

  • Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics
  • Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys
  • The X25519 and X448 key exchange implementation in the FIPS provider is unapproved and has fips=no property.
  • SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before.
  • Setting config_diagnostics=1 in the config file will cause errors to be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error in the ssl module configuration.
  • An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.
  • Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t

This release adds the following new features:

  • Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions
  • FIPS indicators support in the FIPS provider and various updates of the FIPS provider required for future FIPS 140-3 validations
  • Implementation of RFC 9579 (PBMAC1) in PKCS#12
  • An optional additional random seed source RNG JITTER using a statically linked jitterentropy library
  • New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps
  • Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
  • Support for requesting CRL in CMP
  • Support for additional X.509v3 extensions related to Attribute Certificates
  • Initial Attribute Certificate (RFC 5755) support
  • Possibility to customize ECC groups initialization to use precomputed values to save CPU time and use of this feature by the P-256 implementation
Assets 3
Loading