
OpenSSL 1.1.1 release officially supports TLS1.3

2025-03-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

After two years of patching and improvement, OpenSSL recently released version 1.1.1 and promised to support it for at least five years.

In his blog post, OpenSSL's Matt Caswell thanked the more than two hundred volunteers who made nearly 5000 improvements to OpenSSL, as well as the users who downloaded the test version and provided feedback.

One of the highlights of OpenSSL 1.1.1 is undoubtedly TLS 1.3. This latest protocol, published by the IETF as RFC 8446 a month ago, rewrites the old standard, and its eye-catching new features are available in OpenSSL 1.1.1.

More importantly, OpenSSL 1.1.1 is API and ABI compatible with OpenSSL 1.1.0, so most applications that use 1.1.0 can get many of the benefits of TLSv1.3 simply by moving to the new version of OpenSSL. However, because TLSv1.3 and TLSv1.2 work very differently, there are some caveats that may affect a few applications. For more details, see the TLSv1.3 page on the OpenSSL wiki.
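As an added example (not code from the OpenSSL blog post or from this article), the following uses Python's standard `ssl` module to check whether the runtime is linked against OpenSSL 1.1.1 or later, build a client context that refuses anything below TLS 1.3, and show one of the differences documented on the wiki page: the TLS 1.2 cipher string passed to `set_ciphers()` leaves the TLS 1.3 suites unchanged. The function names and the sample cipher string are assumptions made for illustration.

```python
import ssl


def openssl_runtime():
    """Return (version string, is 1.1.1 or newer, TLS 1.3 available) for the linked library."""
    new_enough = tuple(ssl.OPENSSL_VERSION_INFO[:3]) >= (1, 1, 1)
    return ssl.OPENSSL_VERSION, new_enough, ssl.HAS_TLSv1_3


def tls13_suites(ctx):
    """Names of the TLS 1.3 cipher suites enabled on a context."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def tls13_only_client(cafile=None):
    """Client context with certificate and hostname checks on, TLS 1.3 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def cipher_string_caveat(cipher_string="ECDHE+AESGCM"):
    """Apply a TLS 1.2 style cipher string (sample value, an assumption) and
    report the TLS 1.3 suites before and after, plus the remaining older suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = tls13_suites(ctx)
    ctx.set_ciphers(cipher_string)  # only affects TLS 1.2 and below
    after = tls13_suites(ctx)
    legacy = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return before, after, legacy


if __name__ == "__main__":
    version, new_enough, has_tls13 = openssl_runtime()
    print(f"{version}: 1.1.1 or newer={new_enough}, TLS 1.3 available={has_tls13}")
    if has_tls13:
        before, after, legacy = cipher_string_caveat()
        print("TLS 1.3 suites before set_ciphers():", before)
        print("TLS 1.3 suites after set_ciphers(): ", after)
        print("TLS 1.2 and older suites left:      ", legacy)
        print("client floor:", tls13_only_client().minimum_version.name)
```

An application that audits its configuration only through the cipher string will therefore not see, or restrict, the suites actually used once TLS 1.3 is negotiated.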

The article also points out the benefits of TLS 1.3 that come with OpenSSL 1.1.1:

● Reduced connection time, because fewer round trips are needed between the client and the server.

● In some cases, the client can immediately start sending encrypted data to the server without any round trip to the server (called 0-RTT or "early data").

● Improved security, by removing a variety of outdated and insecure cryptographic algorithms and encrypting more of the connection handshake.

And new additions to OpenSSL 1.1.1:

● A complete rewrite of the OpenSSL random number generator, introducing the following features:

△ The default RAND method now uses an AES-CTR DRBG that conforms to NIST SP 800-90Ar1.

△ Support for multiple DRBG instances through seed chaining.

△ There is a public and a private DRBG instance.

△ DRBG instances are fork-safe.

△ All global DRBG instances are kept on the secure heap when it is enabled.

△ The public and private DRBG instances are per thread, for lock-free operation.

● Support for a variety of new cryptographic algorithms, including:

△ SHA3

△ SHA512/224 and SHA512/256

△ EdDSA (including Ed25519 and Ed448)

△ X448 (adding to the existing X25519 support in 1.1.0)

△ multi-prime RSA

△ SM2

△ SM3

△ SM4

△ SipHash

△ ARIA (including TLS support)

● Significant side-channel security improvements

● Maximum Fragment Length TLS extension support

● A new STORE module, which implements a unified, URI-based store reader that can handle keys, certificates, CRLs, and many other objects.

In addition, since OpenSSL 1.1.0 is not an LTS version, according to OpenSSL's previous announcement and the policy released this time, it will receive security fixes only, starting immediately, and will stop getting all support (no further maintenance) within a year.

The previous LTS version (OpenSSL 1.0.2) will continue to have full support until the end of this year. After that, it will receive security fixes only. It will stop receiving all support by the end of 2019. The author strongly recommends that users of this version upgrade to OpenSSL 1.1.1.

Matt Caswell also revealed that the next major feature of OpenSSL will be the new FIPS module.

If you can't do without OpenSSL, are you eager to try it?

[from SSL China]
