OpenSSL 3.3 has been unveiled, marking a significant update to the renowned open-source software library that facilitates secure communications for applications and websites across various platforms.
This release arrives four and a half months after OpenSSL 3.2 and introduces several noteworthy features. It adds support for QLog, enabling the tracing of QUIC connections, and limited support for polling QUIC connection and stream objects in a non-blocking manner. A set of new APIs has also been introduced to configure different aspects of connections using QUIC.
Among the new APIs are options to configure the idle timeout for QUIC connections, determine the number of additional streams for a QUIC connection, and disable implicit QUIC event processing for QUIC SSL objects. OpenSSL 3.3 also brings a new SSL_write_ex2() API optimized for sending end-of-stream conditions in QUIC, along with an EVP_DigestSqueeze() API that lets SHAKE squeeze multiple times with different output sizes.
Moreover, new functions like SSL_SESSION_get_time_ex() and SSL_SESSION_set_time_ex() have been introduced, ensuring Y2038 safety on 32-bit systems with 64-bit time enabled. The release also enhances the openssl x509 command with new options to override issuer and subject details when creating a certificate.
Furthermore, OpenSSL 3.3 introduces an option to configure TLS 1.3 servers to prefer session resumption using PSK-only key exchange, as well as various improvements to hash algorithms, EVP functions, and CMPv3 features. It also ships with exporters for CMake and support for ignoring unknown entries in configuration options.