On April 15th, it was announced that OpenSSL 4.0 was officially released yesterday (April 14th). This open-source project has taken a crucial step towards a modern security architecture, with the new version focusing on three core areas: enhanced privacy protection, support for post-quantum cryptography, and the cleanup of legacy technologies.
Regarding privacy protection, OpenSSL 4.0 introduces support for Encrypted Client Hello, effectively hiding the Server Name Indication by encrypting the initial TLS handshake process, preventing third-party eavesdroppers from obtaining the specific domain information accessed by users.
ECH stands for Encrypted Client Hello Protocol, used to encrypt the initial Client Hello message in the TLS handshake. In traditional TLS connections, the server name indication is transmitted in plaintext, allowing third parties to eavesdrop on the domains accessed by users. ECH effectively prevents the leakage of domain privacy by network eavesdroppers by encrypting this critical field, significantly improving the level of user online privacy protection.
Addressing future security challenges, the new version significantly improves support for post-quantum cryptography, achieving support for the RFC 8998 standard and introducing the ML-DSA-MU and tls-hybrid-sm2-mlkem post-quantum groups, thereby better addressing the encryption cracking risks that may arise from the development of quantum computing.
RFC 8998 is an international standard promoted by China, defining the application specifications of commercial cryptographic algorithms in the TLS 1.3 protocol. This standard allows the use of Chinese cryptographic algorithms such as SM2, SM3, and SM4 in the TLS handshake, providing a standardized implementation path for scenarios that need to comply with domestic cryptographic regulations.
OpenSSL 4.0 also cleans up several legacy technologies, including removing support for SSLv3 and other older protocols, and removing the SSLv2 Client Hello and engine mechanism. The new version also streamlines the target platforms, removing support for Darwin i386 and PowerPC/PPC64 architectures, encouraging developers to migrate to more modern technology stacks.
OpenSSL is an open-source, industry-grade cryptographic security library widely used to implement SSL/TLS protocols (such as HTTPS) in network communication, and provides a rich set of encryption algorithms (such as RSA and AES) and key/certificate management tools.
It is the cornerstone of modern secure internet communication (such as website encryption and VPNs), with key functions including generating private keys, creating Certificate Signing Requests (CSRs), configuring CAs, and certificate verification.
About The Author
