OpenSSL 1.1.1 Is Released

On September 11, OpenSSL released OpenSSL 1.1.1. It is ABI compliant with 1.1.0 and supports TLSv1.3, which means most applications can do a drop-in replacement and leverage the new functionality. I am of the opinion that everyone should adopt the "latest" release (1.1.1 as of this writing) as soon as possible, since it disables a lot of insecure options and methods.

OpenSSL 1.1.1 is also their LTS release, and users are strongly advised to upgrade to it. OpenSSL 1.0.2, the previous LTS release, stops receiving updates by the end of this year (2018) and will only receive security fixes until the end of 2019.

To use the latest (TLSv1.3) cipher suites, you will need to specify them explicitly in your cipher suite configuration! They are named and defined differently and no longer specify the certificate type or key-exchange mechanism.
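The following is an added example, not code from the original post or from the OpenSSL project. It assumes Python's standard `ssl` module linked against OpenSSL 1.1.1 or later, and shows that a legacy cipher string leaves the TLSv1.3 suites untouched and that their names carry no key-exchange or certificate type; the function names are hypothetical.

```python
import ssl


def split_suites(ctx):
    """Split the suites enabled on ctx into (TLSv1.3, TLSv1.2-and-older)."""
    tls13, legacy = [], []
    for suite in ctx.get_ciphers():
        (tls13 if suite["protocol"] == "TLSv1.3" else legacy).append(suite)
    return tls13, legacy


def names(suites):
    return [s["name"] for s in suites]


def restrict_legacy(cipher_string="ECDHE+AESGCM"):
    """Apply a legacy cipher string and report what it did and did not change."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before13, before_legacy = split_suites(ctx)
    # The classic cipher string only governs TLSv1.2 and older suites.
    ctx.set_ciphers(cipher_string)
    after13, after_legacy = split_suites(ctx)
    return {
        "tls13_before": names(before13),
        "tls13_after": names(after13),
        "legacy_before": names(before_legacy),
        "legacy_after": names(after_legacy),
        # TLSv1.3 suites name only the AEAD cipher and hash; key exchange
        # and certificate type are negotiated separately ("any").
        "tls13_kx_auth": sorted({(s["kea"], s["auth"]) for s in after13}),
    }


if __name__ == "__main__":
    report = restrict_legacy()
    print(ssl.OPENSSL_VERSION)
    print("TLSv1.3 suites (unchanged):", report["tls13_after"])
    print("Legacy suites after restriction:", report["legacy_after"])
    print("TLSv1.3 kx/auth:", report["tls13_kx_auth"])
```

An audit that only inspects the legacy cipher string will miss the TLSv1.3 suites, so check both lists when reviewing a deployment.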

There are a few situations where a drop-in replacement is not possible. With TLSv1.3, renegotiation is not possible, nor is the use of DSA certificates. Another one "might be" middlebox deployments, for which a compatibility mode is available. For more info, read here

Also worth mentioning, the release contains:

  • A complete rewrite of the OpenSSL random number generator to introduce the following capabilities:
    • The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
    • Support for multiple DRBG instances with seed chaining.
    • A public and private DRBG instance.
    • The DRBG instances are fork-safe.
    • Keep all global DRBG instances on the secure heap if it is enabled.
    • The public and private DRBG instances are per thread for lock-free operation.
  • Support for new cryptographic algorithms like:
    • SHA3
    • SHA512/224 and SHA512/256
    • EdDSA (including Ed25519 and Ed448 - signature algorithms)
    • X25519 & X448 (key agreement algorithms)
    • Multi-prime RSA
    • SM2
    • SM3
    • SM4
    • SipHash
    • ARIA (including TLS support)
  • Significant side-channel attack security improvements
  • Maximum Fragment Length TLS extension support
  • A new STORE module, which implements a uniform, URI-based reader of stores that can contain keys, certificates, CRLs and numerous other objects.

Author: Angelique Dawnbringer Published: 2018-08-26 09:56:19 Keywords:
  • OpenSSL 1.1.1
  • Release
  • LTS
Modified: 2018-09-13 13:22:36