Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

OpenSSL 1.1.1 released with support for TLS 1.3, improved side channel security

Save for later
  • 3 min read
  • 12 Sep 2018

article-image

Yesterday (11th of September), the OpenSSL team announced the stable release of OpenSSL 1.1.1. With work being in progress for two years along with more than 500 commits, the release comes with many notable upgrades.

The most important new feature in OpenSSL 1.1.1 is TLSv1.3, which was published last month as RFC 8446 by the Internet Engineering Task Force. Applications working with OpenSSL1.1.0 can gain the benefits of TLSv1.3 by upgrading to the new OpenSSL version.

TLS 1.3 features

  1. Reduction in the number of round trips required between the client and server to improve connection times
  2. 0-RTT or “early data” feature - which is the ability  for clients to start sending encrypted data to the server straight away without any round trips with the server
  3. Removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake has improved security


For more details on TLS 1.3 read:

Introducing TLS 1.3, the first major overhaul of the TLS protocol with improved security and speed

Updates in OpenSSL 1.1.1

A complete rewrite of the OpenSSL random number generator


The OpenSSL random number generator has been completely rewritten to introduce capabilities such as:

  • The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
  • Support for multiple DRBG instances with seed chaining.
  • Public and private DRBG instance.
  • DRBG instances are made fork-safe.
  • Keep all global DRBG instances on the secure heap if it is enabled.
  • Unlock access to the largest independent learning library in Tech for FREE!
    Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
    Renews at €18.99/month. Cancel anytime
  • The public and private DRBG instance are per thread for lock free operation

Support for various new cryptographic algorithms


The different algorithms that are now supported by OpenSSL 1.1.1 include:

  • SHA3, SHA512/224 and SHA512/256
  • EdDSA (including Ed25519 and Ed448)
  • X448 (adding to the existing X25519 support in 1.1.0)
  • Multi-prime RSA
  • SM2,SM3,SM4
  • SipHash
  • ARIA (including TLS support)

Side-Channel attack security improvements


This upgrade also introduces significant Side-Channel attack security improvements, maximum fragment length TLS extension support and a new STORE module, implementing a uniform and URI based reader of stores containing keys, certificates, CRLs and numerous other objects.

OpenSSL 1.0.2 will receive full support only until the end of 2018 and security fixes only till the end of 2019. The team advises users of OpenSSL 1.0.2 to upgrade to OpenSSL 1.1.1 at the earliest.
Head over to the OpenSSL blog for further details on the news.

GNU nano 3.0 released with faster file reads, new shortcuts and usability improvements


Haiku, the open source BeOS clone, to release in beta after 17 years of development


Ripgrep 0.10.0 released with PCRE2 and multi-line search support