OpenSSL 3.2 Brings Support for QUIC, Windows Certificate Store, and More
Dec 04, 2023 1 min read
The latest version of OpenSSL, OpenSSL 3.2.0, brings significant new features, including client support for QUIC, new digital signature algorithms, new certificate compression options, SSL/TLS security level increase, and more.
Short for Quick UDP internet connections, QUIC can be used for connection-oriented services running on top of UDP and can serve many of the use cases supported by SSL/TLS. QUIC is a transport protocol originally devised at Google and aimed at eventually replacing TCP. Its main goal is to improve the performance of connection-oriented apps by using multiple multiplexed connections between two endpoints. It also aims to reduce connection and transport latency, uses two-way bandwidth estimation to avoid network congestion, and supports connection migration to let a connection survive IP address changes.
According to data provided by Google, half of the connections to Google servers originating from Chrome browsers already use the QUIC protocol. QUIC is supported by all major browsers and has been implemented for many programming languages, including C/C++, Go, Rust, Python, Haskell, and more. Its availability in OpenSSL 3.2 means it will be easier for developers to add support for QUIC in their client apps.
A new capability in OpenSSL 3.2 that will be welcome to Windows developers is support for using the Windows system certificate store as a source of trusted root certificates. This is particularly relevant for software ported from Linux to Windows, which will no longer need to integrate with native Windows APIs to pick up the system's trust roots. In the current version, this support is not on by default and must be explicitly enabled using an environment variable.
OpenSSL 3.2 enables the use of zlib, Brotli, and zstd compression for TLS certificate compression to reduce the amount of data transmitted and avoid some round trips.
A few of the changes introduced in OpenSSL 3.2 may generate incompatibilities in existing programs using previous versions of the library. In particular, the default SSL/TLS security level has been changed from 1 to 2, which may affect available ciphers; the `x509`, `ca`, and `req` apps now always produce X.509v3 certificates; additionally, UTF-8 is used to display Subject or Issuer names in X.509 objects.
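To see what the default security level change means in practice, here is an added Python example (it is not from the article or from the OpenSSL project) that uses the standard `ssl` module, which wraps whatever OpenSSL the interpreter was built against, to compare the cipher suites offered at security levels 1 and 2, and to pin a level explicitly so an application does not silently change behaviour when the library default moves. It assumes a CPython built against OpenSSL 1.1.0 or later, where the `@SECLEVEL=n` cipher-string syntax is available.

```python
"""Probe OpenSSL security levels through Python's ssl module."""
import ssl
from typing import Dict, List, Set


def ciphers_at_level(level: int, spec: str = "DEFAULT") -> List[Dict]:
    """Cipher suites OpenSSL offers for `spec` once security `level` is applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # "@SECLEVEL=n" inside a cipher string is the ssl-module route to
    # SSL_CTX_set_security_level(); OpenSSL then drops every suite whose
    # strength falls below that level (112 bits at level 2).
    ctx.set_ciphers(f"{spec}:@SECLEVEL={level}")
    return ctx.get_ciphers()


def min_strength_bits(level: int) -> int:
    """Weakest symmetric strength (in bits) still offered at `level`."""
    return min(c["strength_bits"] for c in ciphers_at_level(level))


def suites_dropped_between(low: int, high: int) -> Set[str]:
    """Suite names offered at `low` that are no longer offered at `high`."""
    low_names = {c["name"] for c in ciphers_at_level(low)}
    high_names = {c["name"] for c in ciphers_at_level(high)}
    return low_names - high_names


def pinned_client_context(level: int = 2) -> ssl.SSLContext:
    """Client context with an explicit security level, independent of the
    library default (which OpenSSL 3.2 raised from 1 to 2)."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={level}")
    return ctx


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for lvl in (1, 2):
        print(f"level {lvl}: {len(ciphers_at_level(lvl))} suites, "
              f"weakest {min_strength_bits(lvl)} bits")
    dropped = sorted(suites_dropped_between(1, 2))
    print("suites dropped going from level 1 to 2:", dropped or "none in DEFAULT")
```

Run it against the OpenSSL build you ship with to see which suites, if any, disappear when the default level moves from 1 to 2; a non-empty list there means peers that only offer those suites will stop connecting.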
As a final note, OpenSSL 3.2 also introduces support for many new algorithms, including the Ed25519ctx, Ed25519ph, and Ed448ph signature variants, deterministic ECDSA, Brainpool standard curves, and more. If you want to get the full details about OpenSSL 3.2, do not miss the official NEWS document.