OpenSSL 1.1.1 out with TLS 1.3 support and 'complete rewrite' of RNG component

TLS 1.3 brings speed improvements and better cryptography to OpenSSL, the most popular open source cryptography library on the market
Written by Catalin Cimpanu, Contributor

The OpenSSL Project has released a new major version of OpenSSL, the most popular cryptography library for supporting encrypted communications via the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

OpenSSL version 1.1.1, launched yesterday, is considered a major overhaul. It comes with many new features, but also extended support, being considered the new Long-Term Support (LTS) branch that will receive bug fixes and security updates for the coming years.

Also: 7 tips for SMBs to improve data security TechRepublic

The biggest addition to OpenSSL 1.1.1 is official support for the new TLS 1.3 protocol that was released in March and received the RFC 8446 identifier from the Internet Engineering Task Force (IETF) last month.

TLS 1.3 brought both cryptographic and speed improvements to the TLS protocol, which the OpenSSL team says "have been reflected in the new OpenSSL version."


For apps using OpenSSL, this means improved HTTPS connection times due to a reduction in the number of round trips required between the client and server, but also speed improvements in some cases because of the ability of some clients to start sending encrypted data to a server right away, without any round trips with the server in advance (a feature known as 0-RTT or "early data").

Further, the new TLS 1.3 support also means that OpenSSL has now dropped support for some old or insecure cryptographic algorithms that were previously supported when OpenSSL was shipping an older TLS version.

But there also additions. OpenSSL 1.1.1 now supports eleven new cryptographic algorithms, such as SHA3, SHA512/224, SHA512/256, EdDSA (including Ed25519 and Ed448), X448, Multi-Prime RSA, SM2, SM3, SM4, SipHash, and ARIA.

Also: Worries arise about security of new WebAuthn protocol

On top of this, OpenSSL also comes with a "complete rewrite of the OpenSSL random number generator." This component --the random number generator, or the RNG-- is a crucial component for the entire library, as all cryptographic algorithms rely on random numbers for their encryption schemes.

The "rewritten" OpenSSL RNG now supports more methods for generating random data, and the OpenSSL team hopes this would inherently improve the security of OpenSSL-encrypted data overall.

Also: Best Home Security Devices for 2018 CNET

Last but not least, the new OpenSSL version also supports security improvements for preventing side-channel attacks, which is one of the primary methods that security researchers use to leak data from OpenSSL-encrypted communications.

The previous OpenSSL branch --version 1.0.2-- will receive bug fixes until the end of 2018, and security fixes until the end of 2019. OpenSSL 1.1.0, which was a short-term support release will receive security fixes until September 11, 2019, a year after today's release.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Editorial standards