OpenSSL 3.6 is now in public testing with a first alpha release, promising new features and improvements for this open-source, cross-platform, and free software library that provides secure communications over computer networks for applications and websites.
OpenSSL 3.6 promises LMS signature verification support as per [SP 800-208] in both the FIPS and default providers, and support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods via EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.
The upcoming OpenSSL 3.6 release also adds PCT support for key import for SLH-DSA when in FIPS mode, FIPS 140-3 PCT support on DH key generation, NIST security categories for PKEY objects, and support for FIPS 186-5 deterministic ECDSA signature generation to the FIPS provider.
On top of that, OpenSSL 3.6 will introduce a openssl configutl utility that can be used for processing the OpenSSL configuration file and dumping the equivalent configuration file, and support for building OpenSSL on compilers supporting C-99 features, as an ANSI-C toolchain is no longer sufficient for building OpenSSL.
Among other noteworthy changes, OpenSSL 3.6 promises to update the FIPS provider with support for performing a PCT on key import for RSA, EC, and ECX, which is mandated by FIPS 140-3 IG 10.3. The upcoming release will also remove VxWorks platforms and deprecate EVP_PKEY_ASN1_METHOD related functions.
Check out the release notes on the project’s GitHub page for more details about the changes included in the first alpha release of OpenSSL 3.6, which you can download from the same location if you want to take it for a test drive. However, please keep in mind that this is a pre-release version, not suitable for production use.
