OpenSSL 3.6.0: New features, crypto support

The OpenSSL Project has announced the release of OpenSSL 3.6.0, a feature update that brings significant functionality improvements, standards compliance, and a few key deprecations that developers and security teams will need to keep in mind.

OpenSSL 3.6.0

Key cryptographic enhancements

OpenSSL 3.6.0 introduces several important crypto updates:

  • NIST security categories for PKEY objects: Public key objects now carry NIST security category information.
  • Opaque symmetric key objects: New APIs support EVP_SKEY opaque symmetric key objects for use with key derivation and key exchange provider methods. Three new functions have been added: EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY().
  • LMS signature verification: Support for verifying Leighton-Micali Signatures (LMS) has been added, in line with NIST SP 800-208. This feature is available in both the FIPS and default providers.
  • Deterministic ECDSA (FIPS 186-5): The FIPS provider now supports deterministic ECDSA signature generation as specified in FIPS 186-5, offering stronger security guarantees compared to randomized approaches.

Developer and build changes

A few developer-facing changes stand out:

  • C99 requirement: OpenSSL can no longer be built with just an ANSI-C toolchain. Compilers must support C99 features going forward.
  • VxWorks support removed: Support for the VxWorks operating system has been dropped.
  • New configuration utility: A tool named openssl configutl has been introduced. It processes an OpenSSL configuration file and dumps the “equal configuration file,” simplifying configuration auditing and replication.

Deprecations

The release also continues the cleanup of older APIs.

  • EVP_PKEY_ASN1_METHOD: Functions related to EVP_PKEY_ASN1_METHOD have been deprecated, reinforcing the shift toward provider-based abstractions.

Adoption considerations

For developers and security professionals, the headline items are the LMS signature verification support and FIPS 186-5 deterministic ECDSA, both of which align OpenSSL with evolving NIST standards. Developers should also check build toolchains for C99 compliance and note the removal of VxWorks support.

OpenSSL 3.6.0 marks another step in balancing crypto agility with stability across the ecosystem. As always, testing in pre-production environments is strongly recommended before deployment.

Don't miss