News: 0001539432


OpenSSL 3.5 LTS Released With Server-Side QUIC

([Free Software] 3 Hours Ago OpenSSL 3.5)


OpenSSL 3.5 released today as the newest feature update to this widely-used library for SSL and TLS protocol handling.

OpenSSL 3.5 adds support for server-side QUIC ([1]RFC 9000), support for third-party QUIC stacks, PQC algorithm support, various default changes, and other enhancements.

The OpenSSL 3.5.0 release announcement on [2]GitHub sums up the new release with:

This release incorporates the following potentially significant or incompatible changes:

- Default encryption cipher for the req, cms, and smime applications changed from des-ede3-cbc to aes-256-cbc.

- The default TLS supported groups list has been changed to include and prefer hybrid PQC KEM groups. Some practically unused groups were removed from the default list.

- The default TLS keyshares have been changed to offer X25519MLKEM768 and X25519.

- All BIO_meth_get_*() functions were deprecated.

This release adds the following new features:

- Support for server side QUIC (RFC 9000)

- Support for 3rd party QUIC stacks including 0-RTT support

- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)

- A new configuration option no-tls-deprecated-ec to disable support for TLS groups deprecated in RFC8422

- A new configuration option enable-fips-jitter to make the FIPS provider use the JITTER seed source

- Support for central key generation in CMP

- Support added for opaque symmetric key objects (EVP_SKEY)

- Support for multiple TLS keyshares and improved TLS key establishment group configurability

- API support for pipelining in provided cipher algorithms

OpenSSL 3.5 is also the project's newest Long Term Support (LTS) release.

OpenSSL 3.5 LTS is available for download from [3]OpenSSL-Library.org.



[1] https://datatracker.ietf.org/doc/html/rfc9000

[2] https://github.com/openssl/openssl/releases/tag/openssl-3.5.0

[3] https://openssl-library.org/source/



phoronix
