Security Experts:

OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements

The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.

According to the organization, the most important new feature in OpenSSL 1.1.1 is TLS 1.3, which the Internet Engineering Task Force (IETF) published last month as RFC 8446.

Since OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, most applications that work with the older version can take advantage of the benefits provided by TLS 1.3 simply by updating to the newer version.

TLS 1.3 has numerous benefits, but the ones highlighted by the OpenSSL Project are improved connection times, the ability of clients to immediately start sending encrypted data to servers, and improved security due to the removal of outdated cryptographic algorithms.

Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.

The new crypto algorithms include SHA3, SHA512/224 and SHA512/256, EdDSA, X448, multi-prime RSA, SM2, SM3, SM4, SipHash and ARIA.

“OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0,” OpenSSL developer Matt Caswell wrote in a blog post. “These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.”

Since OpenSSL 1.1.1 is the new LTS release, it will receive support for at least five years. The 1.1.0 release will receive support for one year starting today, and the 1.0.2 branch, which until now was the LTS release, will receive full support until the end of 2018 and then only security updates until the end of next year.

Related: First OpenSSL Updates in 2018 Patch Three Flaws

Related: OpenSSL Patches Flaws Found With Google Fuzzer

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.