The OpenSSL Project has released a new major version of OpenSSL, the most popular cryptography library for supporting encrypted communications via the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
OpenSSL version 1.1.1, launched yesterday, is considered a major overhaul. It comes with many new features, but also extended support, being considered the new Long-Term Support (LTS) branch that will receive bug fixes and security updates for the coming years.
The biggest addition to OpenSSL 1.1.1 is official support for the new TLS 1.3 protocol that was released in March and received the RFC 8446 identifier from the Internet Engineering Task Force (IETF) last month.
TLS 1.3 brought both cryptographic and speed improvements to the TLS protocol, which the OpenSSL team says "have been reflected in the new OpenSSL version."
For apps using OpenSSL, this means improved HTTPS connection times due to a reduction in the number of round trips required between the client and server, but also speed improvements in some cases because of the ability of some clients to start sending encrypted data to a server right away, without any round trips with the server in advance (a feature known as 0-RTT or "early data").
Further, the new TLS 1.3 support also means that OpenSSL has now dropped support for some old or insecure cryptographic algorithms that were previously supported when OpenSSL was shipping an older TLS version.
But there also additions. OpenSSL 1.1.1 now supports eleven new cryptographic algorithms, such as SHA3, SHA512/224, SHA512/256, EdDSA (including Ed25519 and Ed448), X448, Multi-Prime RSA, SM2, SM3, SM4, SipHash, and ARIA.
On top of this, OpenSSL also comes with a "complete rewrite of the OpenSSL random number generator." This component --the random number generator, or the RNG-- is a crucial component for the entire library, as all cryptographic algorithms rely on random numbers for their encryption schemes.
The "rewritten" OpenSSL RNG now supports more methods for generating random data, and the OpenSSL team hopes this would inherently improve the security of OpenSSL-encrypted data overall.
Last but not least, the new OpenSSL version also supports security improvements for preventing side-channel attacks, which is one of the primary methods that security researchers use to leak data from OpenSSL-encrypted communications.
The previous OpenSSL branch --version 1.0.2-- will receive bug fixes until the end of 2018, and security fixes until the end of 2019. OpenSSL 1.1.0, which was a short-term support release will receive security fixes until September 11, 2019, a year after today's release.
These are 2018's biggest hacks, leaks, and data breaches