OpenSSL 3.5 LTS Released With Server-Side QUIC

Written by Michael Larabel in Free Software on 8 April 2025 at 09:24 AM EDT. 11 Comments

OpenSSL 3.5 released today as the newest feature update to this widely-used library for SSL and TLS protocol handling.

OpenSSL 3.5 adds support for server-side QUIC (RFC 9000), support for third-party QUIC stacks, PQC algorithm support, various default changes, and other enhancements.

The OpenSSL 3.5.0 release announcement on GitHub sums up the new release with:

This release incorporates the following potentially significant or incompatible changes:

- Default encryption cipher for the req, cms, and smime applications changed from des-ede3-cbc to aes-256-cbc.

- The default TLS supported groups list has been changed to include and prefer hybrid PQC KEM groups. Some practically unused groups were removed from the default list.

- The default TLS keyshares have been changed to offer X25519MLKEM768 and and X25519.

All BIO_meth_get_*() functions were deprecated.

This release adds the following new features:

- Support for server side QUIC (RFC 9000)

- Support for 3rd party QUIC stacks including 0-RTT support

- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)

- A new configuration option no-tls-deprecated-ec to disable support for TLS groups deprecated in RFC8422

- A new configuration option enable-fips-jitter to make the FIPS provider to use the JITTER seed source

- Support for central key generation in CMP

- Support added for opaque symmetric key objects (EVP_SKEY)

- Support for multiple TLS keyshares and improved TLS key establishment group configurability

- API support for pipelining in provided cipher algorithms

OpenSSL 3.5 is also the project's newest Long Term Support (LTS) release.

👁 OpenSSL logo

OpenSSL 3.5 LTS is available for download from OpenSSL-Library.org.