OpenSSL 4.0 encrypts what TLS previously revealed

OpenSSL 4.0.0 is here: The crypto library removes legacy code, introduces ECH for better privacy, and prepares for post-quantum cryptography.

(Image: Photon photo / Shutterstock.com)

OpenSSL 4.0.0 has been released and brings far-reaching changes to the widely used crypto library. The open-source project removes the obsolete protocols SSLv2 and SSLv3, drops the Engine API, adds a new privacy feature to the TLS handshake, and extends the library towards post-quantum cryptography. At the same time the developers are cleaning up the API and tightening security-relevant checks.

OpenSSL is one of the central TLS implementations and is embedded in web servers, operating systems, network appliances and countless applications. Changes to the library therefore directly affect the security of network connections, certificate validation and cryptographic operations across large parts of the IT landscape.

Among the most important innovations is support for Encrypted Client Hello (ECH) according to RFC 9849. ECH encrypts the sensitive parts of the TLS ClientHello, above all the Server Name Indication (SNI). Until now the SNI travelled in cleartext, so anyone on the path, network operators included, could see which domain a client was connecting to even though the rest of the session was encrypted. With ECH the real ClientHello is carried encrypted inside an outer ClientHello whose SNI names only the client-facing server (its public name), so the target domain is hidden from on-path observers. The client needs the server's ECH configuration beforehand; it is typically published in a DNS HTTPS record, and if that DNS lookup itself goes out unencrypted, the observer learns the name from the query instead.
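To make concrete what ECH does and does not hide, here is an added example (not code from OpenSSL or from the article) that builds and parses an ECHConfigList, the structure a server publishes in its DNS HTTPS record, and shows the client-side steps: skip config versions it does not understand, pick a config whose HPKE KEM and cipher suite it supports, and put the config's public_name into the outer SNI while the real hostname goes into the encrypted inner ClientHello. The wire format is the ECHConfig version 0xfe0d layout and the HPKE identifiers are those of RFC 9180; all sample values (config IDs, the zeroed public key, the host names) are constructed for illustration.

```python
"""Build, publish and parse an ECHConfigList; added example, not OpenSSL code."""
import base64
import struct

ECH_VERSION = 0xFE0D
# HPKE identifiers from RFC 9180.
KEM_X25519_HKDF_SHA256 = 0x0020
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001
AEAD_CHACHA20_POLY1305 = 0x0003


def build_echconfig(config_id, kem_id, public_key, suites, max_name_len, public_name):
    """Serialize one ECHConfig (version 0xfe0d) with an empty extensions list."""
    if not 1 <= len(public_name) <= 255:
        raise ValueError("public_name must be 1..255 bytes")
    suite_bytes = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites)
    contents = (
        struct.pack("!BH", config_id, kem_id)
        + struct.pack("!H", len(public_key)) + public_key
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + struct.pack("!B", max_name_len)
        + struct.pack("!B", len(public_name)) + public_name
        + struct.pack("!H", 0)
    )
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents


def build_echconfig_list(configs):
    body = b"".join(configs)
    return struct.pack("!H", len(body)) + body


def parse_echconfig_list(data):
    """Return the ECHConfigs we understand; unknown versions are skipped, not fatal."""
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length does not match payload")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4 : pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        pos += 4 + length
        if version == ECH_VERSION:
            configs.append(_parse_contents(body))
    return configs


def _parse_contents(b):
    config_id, kem_id, pk_len = struct.unpack_from("!BHH", b, 0)
    p = 5
    public_key, p = b[p : p + pk_len], p + pk_len
    (suites_len,) = struct.unpack_from("!H", b, p)
    p += 2
    if suites_len < 4 or suites_len % 4:
        raise ValueError("cipher_suites must be a non-empty list of 4-byte entries")
    suites = [struct.unpack_from("!HH", b, p + i) for i in range(0, suites_len, 4)]
    p += suites_len
    max_name_len, name_len = struct.unpack_from("!BB", b, p)
    p += 2
    public_name, p = b[p : p + name_len].decode("ascii"), p + name_len
    (ext_len,) = struct.unpack_from("!H", b, p)
    if p + 2 + ext_len != len(b):
        raise ValueError("extensions length does not match ECHConfig")
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": public_name}


def parse_dns_value(b64):
    """The HTTPS record carries the list base64-encoded in its ech SvcParam."""
    return parse_echconfig_list(base64.b64decode(b64))


def choose_config(configs, kems, suites):
    """Client-side selection: first config whose KEM and one cipher suite we support."""
    for cfg in configs:
        if cfg["kem_id"] in kems:
            usable = [s for s in cfg["cipher_suites"] if s in suites]
            if usable:
                return cfg, usable[0]
    return None, None


def outer_and_inner_sni(cfg, real_host):
    """What an on-path observer sees (outer SNI) versus what ECH encrypts (inner SNI)."""
    return {"outer_sni": cfg["public_name"], "inner_sni": real_host}


# Constructed sample: one config with a KEM this client does not support (0x7777,
# hypothetical) and one usable config for the front "cdn-front.example".
SAMPLE_LIST = build_echconfig_list([
    build_echconfig(7, 0x7777, bytes(32), [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)], 64, b"old.example"),
    build_echconfig(9, KEM_X25519_HKDF_SHA256, bytes(range(32)),
                    [(KDF_HKDF_SHA256, AEAD_AES_128_GCM), (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)],
                    64, b"cdn-front.example"),
])
SAMPLE_DNS_VALUE = base64.b64encode(SAMPLE_LIST).decode()

if __name__ == "__main__":
    configs = parse_dns_value(SAMPLE_DNS_VALUE)
    cfg, suite = choose_config(configs, {KEM_X25519_HKDF_SHA256}, {(KDF_HKDF_SHA256, AEAD_AES_128_GCM)})
    print(outer_and_inner_sni(cfg, "secret-site.example"))
```

The point of `outer_and_inner_sni` is the privacy boundary: an observer still sees `cdn-front.example` in the outer ClientHello, and that name is what ECH is designed to leave visible, while `secret-site.example` only appears inside the HPKE-encrypted inner ClientHello.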

Also new are hybrid key exchange methods such as curveSM2MLKEM768, which pairs the SM2 elliptic curve with ML-KEM-768. Such hybrids combine a classic elliptic-curve key agreement with a post-quantum KEM and derive the session secret from both shares, so that the connection stays protected as long as at least one of the two components remains unbroken. The aim is to protect traffic recorded today against a future quantum computer.

The library adds several cryptographic primitives and standards. Among them is the customizable SHAKE function cSHAKE according to NIST SP 800-185, a variant of the SHA-3 XOF that takes a function name and a customization string so that different uses of the same input yield unrelated outputs (domain separation). There is also support for the ML-DSA-MU variant of the post-quantum signature scheme ML-DSA, which signs an externally computed message representative (mu), and for the SM2/SM3 cipher suites for TLS 1.3 according to RFC 8998, which matter mainly in regulatory contexts. Furthermore, OpenSSL 4.0.0 introduces key derivation functions (KDFs) for SNMP (the password-to-key derivation of the user-based security model, RFC 3414) and for the Secure Real-time Transport Protocol (SRTP, RFC 3711), used in network management and VoIP scenarios. For TLS 1.2, OpenSSL now also supports the named finite-field Diffie-Hellman groups (FFDHE) of RFC 7919 that TLS 1.3 already uses. Both sides can negotiate a well-vetted group instead of the server sending arbitrary, possibly weak or non-standard parameters, which improves interoperability and avoids insecure choices during key exchange.
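The following is an added example, not OpenSSL's implementation, that shows what the cSHAKE customization mentioned above actually does on the wire: the function name N and customization string S are length-prefixed (encode_string), padded to the sponge rate (bytepad) and absorbed before the message, and the padding suffix changes from SHAKE's 0x1F to 0x04. With N = S = "" the result is plain SHAKE128, which the example checks against hashlib; with different customization strings one seed yields unrelated subkeys. The Keccak-f[1600] permutation is written out from the specification (constants derived rather than typed) and is educational and slow; real code should call the library.

```python
"""cSHAKE128 (NIST SP 800-185) built on a from-scratch Keccak-f[1600]; added example."""
import hashlib

MASK64 = (1 << 64) - 1


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _round_constants():
    # Derive the 24 iota constants from the Keccak LFSR instead of typing them.
    rcs, r = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                rc ^= 1 << ((1 << j) - 1)
        rcs.append(rc)
    return rcs


def _rho_offsets():
    # Walk (x, y) -> (y, 2x+3y) from (1, 0); offset t is the triangular number (t+1)(t+2)/2.
    rot = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        rot[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return rot


RC, ROT = _round_constants(), _rho_offsets()


def keccak_f1600(a):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes; lane (x, y) lives at a[x + 5*y]."""
    for rnd in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25                                                                 # rho + pi
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x][y])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & MASK64) & b[(i + 2) % 5 + 5 * (i // 5)]
             for i in range(25)]                                                     # chi
        a[0] ^= RC[rnd]                                                              # iota
    return a


def _sponge(rate, data, suffix, out_len):
    """Absorb data with pad10*1 (the suffix byte carries the domain bits), then squeeze."""
    padded = bytearray(data) + bytes([suffix]) + bytes((-len(data) - 1) % rate)
    padded[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(padded[off + 8 * i : off + 8 * i + 8], "little")
        state = keccak_f1600(state)
    out = bytearray()
    while len(out) < out_len:
        out += b"".join(lane.to_bytes(8, "little") for lane in state[: rate // 8])
        state = keccak_f1600(state)
    return bytes(out[:out_len])


def left_encode(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b


def encode_string(s):
    return left_encode(8 * len(s)) + s


def bytepad(x, w):
    z = left_encode(w) + x
    return z + bytes(-len(z) % w)


def cshake128(x, out_len, n=b"", s=b""):
    """cSHAKE128(X, L, N, S) per SP 800-185: rate 168 bytes, capacity 256 bits."""
    if not n and not s:
        return _sponge(168, x, 0x1F, out_len)        # identical to SHAKE128 (suffix 1111)
    prefix = bytepad(encode_string(n) + encode_string(s), 168)
    return _sponge(168, prefix + x, 0x04, out_len)  # cSHAKE suffix 00


def matches_shake128(msg, out_len):
    """Cross-check: with empty N and S this must agree with the standard library."""
    return cshake128(msg, out_len) == hashlib.shake_128(msg).digest(out_len)


def derive_subkeys(seed):
    """Domain separation in practice: one seed, unrelated 256-bit keys per purpose."""
    return {purpose: cshake128(seed, 32, s=purpose) for purpose in (b"enc", b"mac")}
```

`derive_subkeys` is the pattern the customization string exists for: the same seed hashed under `s=b"enc"` and `s=b"mac"` gives two independent keys, and neither equals a plain SHAKE of the seed, so a value computed for one purpose cannot be replayed as the other.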

Certificate validation becomes stricter in several areas. In strict mode, OpenSSL now additionally checks the Authority Key Identifier (AKID), and CRL processing gains further checks. In FIPS mode, the library now enforces minimum requirements for PBKDF2, such as the iteration count, so that a weak configuration is rejected instead of silently producing a weak key.

Also new is the option to defer the FIPS module's self-tests rather than running them all at load time. This helps in containerized environments, where many short-lived processes load the module and a full self-test on every start would add noticeable latency.

With version 4.0, OpenSSL is cleaning house. Besides SSLv2 and SSLv3, the Engine API is gone: hardware acceleration and external crypto modules now run exclusively through the Provider architecture that has been replacing Engines since OpenSSL 3.0. Also removed are the fixed-version TLS methods (the TLSv1_x_method() family, whose replacement is the version-flexible TLS_method() combined with SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()), older elliptic curves, various low-level functions, and the c_rehash script, whose job openssl rehash takes over.

Several API changes can require adjustments to application code. Many function signatures now carry const qualifiers, and the ASN1_STRING type is now fully opaque: its internal fields can only be reached through accessor functions such as ASN1_STRING_get0_data() and ASN1_STRING_length(). Hex dump output has been unified: signatures are printed in 24-byte rows, all other data in 16-byte rows, which is intended to make the output more readable and consistent. The older functions for checking certificate validity periods are superseded by the new X509_check_certificate_times(). Runtime behaviour changes too: OpenSSL no longer registers an atexit() handler to clean up global state automatically, so applications that need deterministic cleanup call OPENSSL_cleanup() themselves, and the library relies more on standard C library functions such as snprintf().

For developers and operators the release means more security and modern cryptography, but also migration effort. Applications that use OpenSSL APIs directly, and especially those still calling removed functions, will need to be adapted. OpenSSL 4.0 thus lays the groundwork for the transition to post-quantum methods and for better privacy in the TLS handshake. Details of the new release can be found on the project's GitHub page.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.