OpenSSL Blog

OpenSSL Adds Support for Raw Public Key (RFC7250)

Raw Public Keys have emerged as a component for securing communications between clients and servers. Raw Public Keys, as defined in RFC 7250, play a role in ensuring the confidentiality, integrity, and authenticity of data exchanged over the web. As a result, OpenSSL will be adding support for Raw Public Keys in the upcoming OpenSSL 3.2 release.

Raw Public Keys are a cryptographic mechanism used in public key infrastructure (PKI) systems. They are a way of representing a public key without the associated digital certificate, which contains additional information like the owner’s identity, expiration date, and digital signatures from a certificate authority. This makes Raw Public Keys more lightweight and efficient, especially in resource-constrained environments.

Implementing HPKE in OpenSSL 3.2

The upcoming OpenSSL 3.2 release will implement Hybrid Public Key Encryption (HPKE) in the library.

Hybrid Public Key Encryption (HPKE) is a cryptographic protocol defined in RFC 9180 (Request for Comments) that aims to provide a flexible and secure way to perform public key encryption in various scenarios. HPKE combines the security of public key encryption with the flexibility of using different key exchange methods and encryption schemes. This protocol is designed to be used in a wide range of applications, including securing communications over the internet and other networked environments.

Implementing HPKE in OpenSSL will help ensure that your public key encryption solution is both effective and reliable for securing data in various applications and environments for the following reasons:

OpenSSL FIPS 140 Update

In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is crucial. The OpenSSL project has been at the forefront of cryptographic security for decades, providing a robust toolkit that enables encryption, decryption, and other cryptographic functions. In the continuous pursuit of enhancing security and regulatory compliance, we want to share our updated ambitious FIPS (Federal Information Processing Standards) plans.

New OpenSSL Tutorials for OpenSSL 3.2 Release

We will be releasing a series of new tutorials in the upcoming OpenSSL 3.2 release to help new users of OpenSSL get a quick start on developing applications using the OpenSSL libraries. They will also be helpful to users wanting to try out the new client side QUIC capabilities.

OpenSSL Project Update at ICMC 23

As you may know, the OpenSSL Project recently attended ICMC 23, where we were given the opportunity to update our peers about the rapid, fundamental changes the project has gone through in 2023.

To summarize here are the key takeaways from our presentation:

OpenSSL at ICMC 23

As a part of our mission to be more open and engaged with our community, OpenSSL is pleased to announce we will be attending the International Cryptographic Module Conference 2023 or ICMC 2023 in Ottawa, Canada this week. ICMC 23 is building on a decade of cybersecurity thought leadership as the industry faces widespread changes and emerging threats in commercial cryptography.

Changes to OMC Membership

The OpenSSL Management Committee (OMC) represents the official voice of the project and is ultimately responsible for all decisions regarding management and strategic direction of the project.

You may have already seen the recent blog post about Mark Cox leaving the OMC.

Following on from that we are delighted to announce that Anton Arapov, our engineering manager, has now joined the OMC.

You can check our website for the full list of members.

OpenSSL 1.1.1 End of Life

The OpenSSL 1.1.1 series has reached its End of Life (EOL). As such, it will no longer receive publicly available security fixes.

OpenSSL Announces OpenSSL 3.2 Alpha 1

We are pleased to announce the immediate availability of OpenSSL 3.2 Alpha 1. This release incorporates a number of new features, most notably:

  • Client-side QUIC support, including support for multiple streams (RFC 9000)
  • Certificate compression in TLS (RFC 8879), including support for zlib, zstd and Brotli
  • Deterministic ECDSA (RFC 6979)
  • Support for Ed25519ctx, Ed25519ph, Ed448 and Ed448ph (RFC 8032) in addition to existing support for Ed25519
  • AES-GCM-SIV (RFC 8452)
  • Argon2 (RFC 9106) and supporting thread pool functionality
  • HPKE (RFC 9180)
  • The ability to use raw public keys in TLS (RFC 7250)
  • TCP Fast Open (RFC 7413) support, where supported by the OS
  • Support for provider-based pluggable signature schemes in TLS, enabling third-party post-quantum algorithm providers to use these algorithms with TLS
  • Support for Brainpool curves in TLS 1.3
  • SM4-XTS
  • Support for using the Windows system certificate store as a source of trusted root certificates. This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release.