OpenSSL 3.3 released with enhanced QUIC support, improved API capabilities, and more
OpenSSL, the comprehensive toolkit for general-purpose cryptography and secure communication, has released version 3.3. This is the first release following OpenSSL's shift to biannual time-based releases.
The highlights of this release include QUIC qlog diagnostic logging support, the ability to poll multiple QUIC connection or stream objects without blocking, and optimized generation of end-of-stream frames for QUIC connections. It also allows QUIC event processing to be disabled during API calls and the QUIC idle timeout duration to be configured.
Additional features include the ability to query the size and use of a QUIC stream’s write buffer, support for RFC 9480 and RFC 9483 extensions to CMP, and the option to disable OpenSSL's use of atexit(3) at build time. The release also includes Year 2038-compatible SSL_SESSION APIs and the ability to automatically derive Chinese Remainder Theorem (CRT) parameters when requested.
Furthermore, OpenSSL 3.3 can ignore unknown algorithm names in TLS signature algorithm and group configuration strings. It also allows a TLS 1.3 server to prefer PSK-only key exchange during session resumption. A new EVP_DigestSqueeze() API has been added, allowing SHAKE to squeeze multiple times with varying output sizes. An exporter for CMake on Unix and Windows has also been included, along with the pkg-config exporter.
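What squeezing SHAKE several times with varying output sizes means in practice is shown in the following added example, which is not OpenSSL code and does not call EVP_DigestSqueeze(). It uses Python's hashlib, which only offers one-shot SHAKE output, so the hypothetical `ShakeStream` class emulates repeated squeezes by recomputing a longer prefix; `derive_key_and_nonce`, the separator byte and the output sizes are assumptions chosen for illustration.

```python
import hashlib


class ShakeStream:
    """Emulates repeated squeezing from one SHAKE256 state (hypothetical helper).

    hashlib only offers one-shot digest(n), so each squeeze() recomputes a
    longer prefix and returns the unread tail. The bytes match what an
    incremental squeeze yields, because XOF output is one fixed stream.
    """

    def __init__(self, data: bytes = b""):
        self._xof = hashlib.shake_256(data)
        self._offset = 0  # number of output bytes already handed out

    def absorb(self, data: bytes) -> None:
        # Design choice of this emulation: no more input once output was taken.
        if self._offset:
            raise ValueError("cannot absorb after squeezing has started")
        self._xof.update(data)

    def squeeze(self, n: int) -> bytes:
        if n < 0:
            raise ValueError("output length must be non-negative")
        end = self._offset + n
        chunk = self._xof.digest(end)[self._offset:end]
        self._offset = end
        return chunk


def derive_key_and_nonce(seed: bytes, context: bytes):
    """Derive a 32-byte key and a 12-byte nonce from a single absorb phase."""
    stream = ShakeStream(seed)
    stream.absorb(b"\x00" + context)  # separator byte is an assumption
    key = stream.squeeze(32)          # first squeeze
    nonce = stream.squeeze(12)        # second squeeze, different size
    return key, nonce


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed sample seed, not a real secret
    key, nonce = derive_key_and_nonce(seed, b"example-context")
    one_shot = hashlib.shake_256(seed + b"\x00example-context").digest(44)
    # The two squeezes are consecutive slices of the same output stream.
    print(key.hex(), nonce.hex(), key + nonce == one_shot)
```

Because the outputs are consecutive slices of one stream, a caller that can squeeze incrementally does not need to know the total output length before requesting the first bytes.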
OpenSSL 3.3 is a standard release, triggering a one-year full support period for regular releases. During this phase, bugs and security issues will be handled and rectified in line with the stable release updates policy. Following the conclusion of the full support phase, a one-year maintenance support phase will commence. The primary focus during this phase will be on rectifying security issues, with other bugs potentially addressed at OpenSSL engineering's discretion.
