The latest version of OpenSSL, OpenSSL 3.2.0, brings significant new features, including client support for QUIC, new digital signature algorithms, new certificate compression options, SSL/TLS security level increase, and more.
Short for Quick UDP internet connections, QUIC can be used for connection-oriented services running on top of UDP and can serve many of the use cases supported by SSL/TLS. QUIC is a transport protocol originally devised at Google and aimed at eventually replacing TCP. Its main goal is to improve the performance of connection-oriented apps by using multiple multiplexed connections between two endpoints. It also aims to reduce connection and transport latency, uses two-way bandwidth estimation to avoid network congestion, and supports connection migration to let a connection survive IP address changes.
According to data provided by Google, half of the connections to Google servers originating from Chrome browsers already use the QUIC protocol. QUIC is supported by all major browsers and has been implemented for many programming languages, including C/C++, Go, Rust, Python, Haskell, and more. Its availability in OpenSSL 3.2 means it will be easier for developers to add support for QUIC in their client apps.
A new capability in OpenSSL 3.2 which will be welcome to all Windows developers is support for using the Windows system certificate store as a source of trusted root certificates. This is particularly relevant for software ported from Linux to Windows, which will not need to integrate with native Windows APIs, but must be explicitly enabled using an environment variable in the current version.
OpenSSL 3.2 enables the use of zlib, Brotli, and zstd compression for TLS certificate compression to reduce the amount of data transmitted and avoid some round trips.
A few of the changes introduced in OpenSSL 3.2 may generate incompatibilities in existing programs using previous versions of the library. In particular, the default SSL/TLS security level has been changed from 1 to 2, which may affect available ciphers; the x509, ca, and req` apps now always produce X.509v3 certificates; additionally, UTF-8 is used to display Subject or issuer names in X.509 objects.
As a final note, OpenSSL 3.2 also introduces support for many new ciphers, including Ed25519ctx, Ed25519ph, Ed448ph, deterministic ECDSA, Brainpool Standard Curves, and more. If you want to get the full details about OpenSSL 3.2, do not miss the official NEWS document.