The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.
According to the organization, the most important new feature in OpenSSL 1.1.1 is TLS 1.3, which the Internet Engineering Task Force (IETF) published last month as RFC 8446.
Since OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, most applications that work with the older version can take advantage of the benefits provided by TLS 1.3 simply by updating to the newer version.
TLS 1.3 has numerous benefits, but the ones highlighted by the OpenSSL Project are improved connection times, the ability of clients to immediately start sending encrypted data to servers, and improved security due to the removal of outdated cryptographic algorithms.
Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.
The new crypto algorithms include SHA3, SHA512/224 and SHA512/256, EdDSA, X448, multi-prime RSA, SM2, SM3, SM4, SipHash and ARIA.
“OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0,” OpenSSL developer Matt Caswell wrote in a blog post. “These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.”
Since OpenSSL 1.1.1 is the new LTS release, it will receive support for at least five years. The 1.1.0 release will receive support for one year starting today, and the 1.0.2 branch, which until now was the LTS release, will receive full support until the end of 2018 and then only security updates until the end of next year.
Related: First OpenSSL Updates in 2018 Patch Three Flaws
Related: OpenSSL Patches Flaws Found With Google Fuzzer
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- MOVEit Hack: Number of Impacted Organizations Exceeds 340
- SecurityWeek Analysis: Over 210 Cybersecurity M&A Deals Announced in First Half of 2023
- Industry Reactions to EU-US Data Privacy Framework: Feedback Friday
- Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability
- Google Researchers Discover In-the-Wild Exploitation of Zimbra Zero-Day
- Honeywell DCS Platform Vulnerabilities Can Facilitate Attacks on Industrial Organizations
- Apple Re-Releases Urgent Zero-Day Patches With Fix for Website Access Issue
- APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure
Latest News
- Embracing Consolidation and Squashing Silos
- Owner of Cybercrime Website BreachForums Pleads Guilty
- JumpCloud Says Sophisticated Nation-State Hackers Targeted Specific Customers
- MOVEit Hack: Number of Impacted Organizations Exceeds 340
- SecurityWeek Analysis: Over 210 Cybersecurity M&A Deals Announced in First Half of 2023
- Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw
- In Other News: Security Firm Hit by Investor Lawsuit, Satellite Hacking, Cloud Attacks
- Zluri Raises $20 Million for SaaS Management Platform
