What Is New in OpenSSL 3.1
| Category | Highlights |
|---|---|
| New Features | FIPS provider option (openssl fipsinstall -ems_check) to enforce the extended master secret check in TLS 1.2 key derivation, off by default; new assembler-optimized implementations for several algorithms. |
| Improvements | Faster symmetric cipher key/IV handling; bounded worst-case runtime for OBJ_obj2txt() on huge OID sub-identifiers and for DH parameter checks. |
| Bug Fixes | Timing side-channel in ECDSA; out-of-bounds memory access with invalid GF(2^m) curve parameters; invalid memory access in X.509 name checks; use-after-free after SSL_free_buffers(); buffer overreads in SSL_select_next_proto() and AES-XTS; POLY1305 vector register corruption on PowerPC (PowerISA 2.07) and on Windows. |
| Breaking Changes | SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 work only at security level 0 (the default level remains 1); empty associated data entries are no longer ignored by AES-SIV. |
| Deprecations | LHASH statistics functions (OPENSSL_LH_stats() and its lh_stats() compatibility alias) are deprecated; they still compile but emit deprecation warnings. |
What security vulnerabilities were fixed in OpenSSL 3.1?
The 3.1 release series fixed a range of CVEs across its patch releases, covering timing attacks, memory safety and protocol-level denial of service. The last two on this list, CVE-2024-13176 and CVE-2024-9143, landed in 3.1.8, so that is the minimum release to pin.
- Timing side-channel in ECDSA signature computation (CVE-2024-13176).
- Out-of-bounds memory access with invalid GF(2^m) curve parameters (CVE-2024-9143).
- Denial-of-service in X.509 name checks (CVE-2024-6119).
- Buffer overread in SSL_select_next_proto (CVE-2024-5535).
- Use-after-free after SSL_free_buffers (CVE-2024-4741).
- POLY1305 MAC corrupting vector registers on PowerPC (CVE-2023-6129) and on Windows (CVE-2023-4807).
How have TLS protocol defaults changed in OpenSSL 3.1?
The FIPS provider gains an option to require the extended master secret (RFC 7627) during TLS 1.2 key derivation, and SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 are usable only at security level 0.
- Building with enable-fips produces the FIPS module; when that module is installed with openssl fipsinstall -ems_check, the TLS1-PRF key derivation refuses a TLS 1.2 handshake that did not negotiate the extended master secret. The check is off by default for compatibility with older peers, so it has to be switched on deliberately.
- SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 are still compiled in but work only at security level 0; at the default level 1 they can no longer be negotiated.
- Together these narrow the room for downgrade attacks and for the triple-handshake attack that EMS was introduced to stop.
What performance and algorithmic improvements does OpenSSL 3.1 bring?
OpenSSL 3.1 adds new assembler-optimized implementations and bounds two slow code paths, DH parameter checking and OID text conversion, that hostile input could previously drive into seconds of CPU time.
- New assembly kernels for several symmetric ciphers and hash functions improve throughput on x86-64, ARM64 and PowerPC.
- Bounded runtime for OBJ_obj2txt() when an OID carries gigantic sub-identifiers (CVE-2023-2650); anything that prints or compares OIDs from untrusted certificates, CRLs or CMS structures was exposed.
- Reduced worst-case time for DH parameter checks with an oversized modulus (CVE-2023-3446) or a large q value (CVE-2023-3817); DH_check() and the dhparam/pkey commands with -check on attacker-supplied parameters were the affected path.
- Symmetric cipher key and IV handling was tightened so that resizing a key or IV no longer triggers unnecessary copies.
# Example: list the enabled TLS cipher suites that use AES-256 (name, protocol, Kx, Au, Enc, Mac)
openssl ciphers -v | grep -i aes256
# Example: benchmark the AES-256-GCM implementation selected for this CPU
openssl speed -evp aes-256-gcm
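The class of bug behind CVE-2023-2650 is easiest to see in a small decoder. The following is an added example, not OpenSSL code: a DER OBJECT IDENTIFIER decoder in the spirit of OBJ_obj2txt() that refuses any sub-identifier wider than an assumed MAX_ARC_BITS before it spends time converting it to decimal, the same cheap-bound-before-expensive-work shape as the DH parameter check mitigations above. The sample OIDs and the hostile encoding at the bottom are constructed for the example; MAX_ARC_BITS is an illustrative limit, not OpenSSL's constant.

```python
"""Decode a DER-encoded OBJECT IDENTIFIER to dotted text with a cap on arc size.

Added example (not OpenSSL code). Each OID arc is base-128 encoded with a
continuation bit; an attacker can make one arc thousands of bytes long, and a
decoder that converts arbitrarily large arcs to decimal does disproportionate
work for a few kilobytes of input. This decoder rejects over-wide arcs before
accumulating them. MAX_ARC_BITS is an assumed limit for illustration.
"""

MAX_ARC_BITS = 128   # assumed illustrative bound, not an OpenSSL value


def decode_oid(content: bytes, max_arc_bits: int = MAX_ARC_BITS) -> str:
    """Return the dotted form of DER OID *content* (tag and length already stripped).

    Raises ValueError for malformed encodings or any arc wider than max_arc_bits
    of base-128 payload.
    """
    if not content:
        raise ValueError("empty OID")
    if content[-1] & 0x80:
        raise ValueError("last sub-identifier byte has continuation bit set")
    arcs = []
    value = 0
    nbits = 0
    for b in content:
        if nbits == 0 and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding (leading 0x80)")
        nbits += 7
        if nbits > max_arc_bits:          # cheap check before the expensive work
            raise ValueError("sub-identifier exceeds %d bits" % max_arc_bits)
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):                 # continuation bit clear: arc complete
            arcs.append(value)
            value = 0
            nbits = 0
    # The first encoded arc packs the first two OID components as X*40 + Y,
    # with X in {0, 1, 2}; only X == 2 may carry Y >= 40.
    first = arcs[0]
    if first < 40:
        x, y = 0, first
    elif first < 80:
        x, y = 1, first - 40
    else:
        x, y = 2, first - 80
    return ".".join(str(n) for n in [x, y, *arcs[1:]])


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string to DER content bytes (for round-trip checks)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    out = bytearray()
    for n in [arcs[0] * 40 + arcs[1], *arcs[2:]]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


# Constructed inputs: two well-known OIDs and one hostile 287-bit arc.
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
ECDSA_WITH_SHA256 = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2
HOSTILE = b"\x2a" + b"\xff" * 40 + b"\x7f"

if __name__ == "__main__":
    print(decode_oid(SHA256_WITH_RSA))
    print(decode_oid(ECDSA_WITH_SHA256))
    try:
        decode_oid(HOSTILE)
    except ValueError as e:
        print("rejected:", e)
```

The same bound would be wrong in the encoder, where the caller controls the input; it belongs on the decoding side, where the bytes come from the network.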
Which APIs and features are deprecated or breaking in OpenSSL 3.1?
The LHASH statistics functions are deprecated, and SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 are limited to security level 0, which may require configuration changes.
- LHASH statistics functions such as OPENSSL_LH_stats() (lh_stats() in the 1.0-era API) are deprecated. They are hash-table diagnostics rather than part of any cryptographic API and OpenSSL offers no successor, so remove the calls instead of looking for a replacement.
- The default security level is still 1. SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 can now only be negotiated at level 0, so a configuration that still needs them must request level 0 explicitly (for example CipherString = DEFAULT:@SECLEVEL=0) and accept that level 0 also re-admits weak key sizes and SHA-1 signatures for every connection using that context.
- Empty associated data entries are no longer silently ignored by AES-SIV (CVE-2023-2975). Code that passed an empty AAD item and relied on it being dropped now produces different ciphertexts and tags, so data encrypted that way will fail to decrypt unless the same empty entries are supplied again.
FAQ
Does OpenSSL 3.1 require changes to my existing TLS configuration?
Most configurations keep working. Two things to check: if you run the FIPS provider and want EMS enforced, install the module with openssl fipsinstall -ems_check and confirm every TLS 1.2 peer negotiates EMS first; and if you still terminate TLS 1.0, TLS 1.1 or DTLS 1.0, that context must run at security level 0, which should be a scoped exception rather than the system default.
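As an added example (not from the OpenSSL documentation or any distribution's shipped file), here is the openssl.cnf ssl_conf fragment that sets a system-wide TLS floor, with the hardened settings and the legacy exception side by side. The section names openssl_init, ssl_sect and system_default_sect are conventional but arbitrary; only the openssl_conf entry, the ssl_conf key and the system_default key are fixed names.

```ini
# openssl.cnf (relevant parts only). Added example, not a shipped file.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

# Hardened default for hosts that only talk to modern peers:
# TLS 1.2 or later, and security level 2 (112-bit minimum, no SHA-1
# signatures, RSA/DH keys of at least 2048 bits).
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

# Legacy exception. With OpenSSL 3.1, TLS 1.0/1.1 and DTLS 1.0 cannot be
# negotiated unless the level is 0, and level 0 drops every strength
# requirement for every connection that uses this context. Apply it to the
# one application that needs it (a per-application section or an explicit
# SSL_CTX_set_security_level(ctx, 0) in code), not here as the system default.
#[system_default_sect]
#MinProtocol = TLSv1
#CipherString = DEFAULT:@SECLEVEL=0
```

Applications that load their own configuration or call SSL_CTX_set_security_level() override the system_default section, so check the application before assuming the file is what is in effect.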
How can I verify that the extended master secret is active in FIPS mode?
The handshake shows it. Run openssl s_client -connect host:443 -tls1_2 -tlsextdebug and look for the line reporting the server's "extended master secret" extension (type 23): if the server echoes it, EMS is in use; if the line is absent, the connection fell back to a legacy master secret. In code, call SSL_get_extms_support() on the connection after the handshake; it returns 1 when EMS was negotiated. With the FIPS module installed with -ems_check, the TLS 1.2 handshake against a server that does not offer EMS fails outright rather than completing.
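The same check can be made offline against a captured handshake. The block below is an added example, not OpenSSL code or the s_client implementation: it parses a raw TLS 1.2 ServerHello record as it appears in a packet capture or an openssl s_client -msg dump, collects the extension types the server echoed, and reports whether extended_master_secret (type 23) is among them. The two sample records are constructed in the block itself, not captured from a real server; the all-zero random and the fixed cipher suite are assumptions for the sample only.

```python
"""Check whether a TLS 1.2 ServerHello negotiated extended_master_secret (RFC 7627).

Added example; not OpenSSL code. It parses one handshake record as you would see
it in a packet capture or an `openssl s_client -msg` dump and reports the
extension types the server echoed. EMS is extension type 23. The sample records
at the bottom are constructed here, not captured from a real server.
"""
import struct
from typing import Dict, List, Tuple

EXT_EXTENDED_MASTER_SECRET = 23      # RFC 7627
EXT_RENEGOTIATION_INFO = 0xFF01      # RFC 5746


def parse_server_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} from a ServerHello handshake record.

    Raises ValueError on anything that is not a well-formed TLS 1.2 ServerHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if not body or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:   # 38 = smallest ServerHello body
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + hs[pos]                # session_id (length-prefixed)
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos > len(hs):
        raise ValueError("truncated ServerHello body")
    exts: Dict[int, bytes] = {}
    if pos == len(hs):
        return exts                   # no extensions block at all
    if pos + 2 > len(hs):
        raise ValueError("truncated extensions length")
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(hs):
        raise ValueError("extensions length mismatch")
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension")
        if etype in exts:
            raise ValueError("duplicate extension %d" % etype)
        exts[etype] = hs[pos:pos + elen]
        pos += elen
    return exts


def uses_extended_master_secret(record: bytes) -> bool:
    """True if the server's ServerHello carried the EMS extension."""
    return EXT_EXTENDED_MASTER_SECRET in parse_server_hello_extensions(record)


def build_server_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample input, not a capture).

    Assumed fields: all-zero random, empty session id, cipher suite 0xC02F
    (ECDHE-RSA-AES128-GCM-SHA256) and null compression.
    """
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hs = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hs += struct.pack("!H", len(ext_body)) + ext_body
    msg = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg


# Constructed samples: one server negotiates EMS, the other does not.
WITH_EMS = build_server_hello([(EXT_RENEGOTIATION_INFO, b"\x00"),
                               (EXT_EXTENDED_MASTER_SECRET, b"")])
WITHOUT_EMS = build_server_hello([(EXT_RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, rec in (("with EMS", WITH_EMS), ("without EMS", WITHOUT_EMS)):
        print("%-11s extensions=%s EMS=%s" % (
            name, sorted(parse_server_hello_extensions(rec)),
            uses_extended_master_secret(rec)))
```

A ServerHello without the extension is the case the FIPS -ems_check option turns into a handshake failure; on a non-FIPS build the same handshake completes silently, which is why checking the capture (or SSL_get_extms_support()) is the only way to know what was actually negotiated.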
What command shows the OpenSSL version and enabled providers?
openssl version -a prints the build details (version, platform, compiler flags, OPENSSLDIR, MODULESDIR) but does not list providers. Use openssl list -providers (add -verbose for each provider's parameters) to see which providers are actually loaded.
Is the POLY1305 fix relevant for PowerPC users?
Yes. The PowerPC POLY1305 code restored vector registers in a different order from the one in which it saved them, so on CPUs with PowerISA 2.07 vector instructions an application could be left with corrupted register state after computing a POLY1305 MAC (CVE-2023-6129); ChaCha20-Poly1305 is the common caller. Upgrade if you run OpenSSL on such hardware.
Do the DH performance mitigations affect key generation time?
They affect parameter validation, not key generation. DH_check(), and the dhparam and pkey -check paths that call it, now reject an oversized modulus and a q value that is not smaller than p before running the expensive modular arithmetic, so worst-case latency on attacker-supplied parameters is bounded; generating keys from trusted parameters is unchanged.
Are the LHASH deprecation warnings harmless?
They indicate that the functions will be removed in a future major release, so you should replace them now.