After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version, so thanks need to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.

The headline new feature is TLSv1.3. This new version of the Transport Layer Security (formerly known as SSL) protocol was published by the IETF just one month ago as RFC8446. This is a major rewrite of the standard and introduces significant changes, features and improvements which have been reflected in the new OpenSSL version.

What’s more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, so most applications that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2, though, there are a few caveats that may impact a minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more details.

Some of the benefits of TLSv1.3 include:

Improved connection times due to a reduction in the number of round trips required between the client and server

The ability, in certain circumstances, for clients to start sending encrypted data to the server straight away without any round trips with the server required (a feature known as 0-RTT or “early data”).

Improved security due to the removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake

Other features in the 1.1.1 release include:

Complete rewrite of the OpenSSL random number generator to introduce the following capabilities:

- The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
- Support for multiple DRBG instances with seed chaining.
- There is a public and private DRBG instance.
- The DRBG instances are fork-safe.
- Keep all global DRBG instances on the secure heap if it is enabled.
- The public and private DRBG instance are per thread for lock free operation.

Support for various new cryptographic algorithms including:

- SHA3
- SHA512/224 and SHA512/256
- EdDSA (including Ed25519 and Ed448)
- X448 (adding to the existing X25519 support in 1.1.0)
- Multi-prime RSA
- SM2
- SM3
- SM4
- SipHash
- ARIA (including TLS support)

Significant side-channel attack security improvements

Maximum Fragment Length TLS extension support

A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects.

Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straightforward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is not an LTS release, it will start receiving security fixes only, with immediate effect, as per our previous announcement and as published in our release strategy. It will cease receiving all support in one year's time.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.

The OpenSSL team will now be moving our focus to the next release which will see us developing a new FIPS module.