OpenSSL 3.2 released with enhanced security, client-side QUIC and Argon2 KDF support

OpenSSL, the open-source toolkit for the SSL/TLS, DTLS, and QUIC protocols, has announced the release of version 3.2, introducing a myriad of new features and improvements.

In OpenSSL 3.2, The default SSL/TLS security level has been updated from 1 to 2. The new version offers support for client-side QUIC, including the ability to handle multiple streams. It also includes support for the Argon2 KDF and related thread pool functionality. OpenSSL 3.2 has also introduced support for Hybrid Public Key Encryption.

In addition, the new version expands its support for Ed25519ctx, Ed25519ph, and Ed448ph, supplementing the existing support for Ed25519 and Ed448. Support for deterministic ECDSA signatures has also been included.

OpenSSL 3.2 introduces support for AES-GCM-SIV, a nonce-misuse-resistant AEAD, and SM4-XTS. It also incorporates support for Brainpool curves in TLS 1.3 and TLS Raw Public Keys.

The new version also includes support for TCP Fast Open on Linux, macOS, and FreeBSD, where enabled and supported. It supports TLS certificate compression, with library support for zlib, Brotli, and zstd.

Provider-based pluggable signature algorithms in TLS 1.3 are now supported, with supporting CMS and X.509 functionality. This allows the use of post-quantum/quantum-safe cryptography with a suitable provider.

OpenSSL 3.2 supports the use of the Windows system certificate store as a source of trusted root certificates. It also supports the use of the IANA standard names in TLS ciphersuite configuration. The CMP protocol support has undergone multiple new features and improvements.