Yesterday (11th of September), the OpenSSL team announced the stable release of OpenSSL 1.1.1. With work being in progress for two years along with more than 500 commits, the release comes with many notable upgrades.
The most important new feature in OpenSSL 1.1.1 is TLSv1.3, which was published last month as RFC 8446 by the Internet Engineering Task Force. Applications working with OpenSSL1.1.0 can gain the benefits of TLSv1.3 by upgrading to the new OpenSSL version.
TLS 1.3 features
- Reduction in the number of round trips required between the client and server to improve connection times
- 0-RTT or “early data” feature - which is the ability for clients to start sending encrypted data to the server straight away without any round trips with the server
- Removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake has improved security
For more details on TLS 1.3 read:
Introducing TLS 1.3, the first major overhaul of the TLS protocol with improved security and speed
Updates in OpenSSL 1.1.1
A complete rewrite of the OpenSSL random number generator
The OpenSSL random number generator has been completely rewritten to introduce capabilities such as:
- The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
- Support for multiple DRBG instances with seed chaining.
- Public and private DRBG instance.
- DRBG instances are made fork-safe.
- Keep all global DRBG instances on the secure heap if it is enabled.
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime
- The public and private DRBG instance are per thread for lock free operation
Support for various new cryptographic algorithms
The different algorithms that are now supported by OpenSSL 1.1.1 include:
- SHA3, SHA512/224 and SHA512/256
- EdDSA (including Ed25519 and Ed448)
- X448 (adding to the existing X25519 support in 1.1.0)
- Multi-prime RSA
- SM2,SM3,SM4
- SipHash
- ARIA (including TLS support)
Side-Channel attack security improvements
This upgrade also introduces significant Side-Channel attack security improvements, maximum fragment length TLS extension support and a new STORE module, implementing a uniform and URI based reader of stores containing keys, certificates, CRLs and numerous other objects.
OpenSSL 1.0.2 will receive full support only until the end of 2018 and security fixes only till the end of 2019. The team advises users of OpenSSL 1.0.2 to upgrade to OpenSSL 1.1.1 at the earliest.
Head over to the OpenSSL blog for further details on the news.
GNU nano 3.0 released with faster file reads, new shortcuts and usability improvements
Haiku, the open source BeOS clone, to release in beta after 17 years of development
Ripgrep 0.10.0 released with PCRE2 and multi-line search support
United States
United Kingdom
India
Germany
France
Canada
Russia
Spain
Brazil
Australia
Argentina
Austria
Belgium
Bulgaria
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
Greece
Hungary
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Singapore
Slovakia
Slovenia
South Africa
South Korea
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
