What Is New in OpenSSL 3.2
| Category | Highlights |
|---|---|
| New Features | Client-side QUIC, Ed25519ctx/Ed25519ph/Ed448ph, deterministic ECDSA (RFC 6979), AES-GCM-SIV, Argon2 KDF, HPKE, SM4-XTS, Brainpool curves in TLS 1.3, TLS Raw Public Keys, TCP Fast Open, certificate compression (zlib, Brotli, zstd), provider-based pluggable signatures, Windows system store integration, IANA cipher name support, CMP protocol enhancements |
| Improvements | Default security level raised from 1 to 2, x509/ca/req tools always emit X.509v3, DN output now UTF-8 and trimmed, better provider architecture for post-quantum algorithms |
| Bug Fixes | Fixed CVE-2025-9230 (RFC 3211 KEK OOB read/write), CVE-2025-9231 (SM2 timing side-channel on ARM64), CVE-2025-9232 (HTTP no_proxy OOB read), CVE-2024-12797 (RFC 7250 handshake abort), CVE-2024-13176 (ECDSA timing side-channel), CVE-2024-9143 (GF(2^m) OOB access), CVE-2024-6119 (X.509 name DoS), CVE-2024-5535 (SSL_select_next_proto buffer overread), CVE-2024-4741 (use-after-free in SSL_free_buffers), CVE-2024-4603 (slow DSA key checks), CVE-2024-2511 (TLS 1.3 session memory growth), CVE-2024-0727 (PKCS12 decode crash), CVE-2023-6237 (slow RSA public-key validation), CVE-2023-6129 (PowerPC POLY1305 vector corruption), CVE-2023-5678 (DH large-Q slowdown) |
| Breaking Changes | Security level 2 disables legacy ciphers and weak hash algorithms; x509/ca/req always produce X.509v3 which may affect scripts expecting v1/v2; DN formatting change removes spaces around "="; provider-based signature algorithms cannot yet be set via SignatureAlgorithms config (known issue) |
What new cryptographic algorithms does OpenSSL 3.2 introduce?
OpenSSL 3.2 adds the following algorithms and modes to the default provider (the Brainpool curves themselves were already present; what is new is their use in TLS 1.3).
- Ed25519ctx, Ed25519ph and Ed448ph (RFC 8032), the context-string and pre-hashed EdDSA variants.
- Deterministic ECDSA (RFC 6979): the per-signature nonce is derived from the private key and the message hash with HMAC instead of being drawn from the RNG, so a faulty or repeated RNG output can no longer leak the private key through a reused or biased nonce. It is selected with the "nonce-type" signature parameter (OSSL_SIGNATURE_PARAM_NONCE_TYPE) set to 1.
- AES-GCM-SIV (RFC 8452), a nonce-misuse-resistant AEAD: repeating a nonce reveals only whether two messages were identical, not the key or the plaintext.
- Argon2 KDF (RFC 9106, Argon2d, Argon2i and Argon2id), which uses the new library thread pool to run its lanes in parallel.
- Hybrid Public Key Encryption (HPKE, RFC 9180), public-key encryption built from a KEM, a KDF and an AEAD; this is the construction used by TLS Encrypted Client Hello and MLS.
- SM4-XTS, the XTS mode for the SM4 block cipher, for deployments that must follow the Chinese national standards.
- Brainpool elliptic curves negotiable in TLS 1.3 under the RFC 8734 group names brainpoolP256r1tls13, brainpoolP384r1tls13 and brainpoolP512r1tls13.
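The RFC 6979 construction in working form, as an added example rather than OpenSSL's own implementation: the nonce is derived from the private key and the message hash with HMAC-SHA256 exactly as RFC 6979 section 3.2 prescribes, an ECDSA-SHA256 signature over NIST P-256 is produced with it, and the result is checked against the RFC's own P-256/SHA-256 test vector. The curve arithmetic is textbook double-and-add and not constant-time; it is here to make the derivation concrete, not to sign with real keys. Function and variable names are my own; the only external input is the RFC vector.

```python
"""Deterministic ECDSA (RFC 6979) over NIST P-256 in pure Python.

Added example, not OpenSSL's implementation. The nonce k comes from
HMAC-SHA256 over (private key, message hash) per RFC 6979 3.2; the
signature is then checked against the RFC's P-256/SHA-256 test vector.
"""
import hashlib
import hmac
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None is the point at infinity

# NIST P-256 domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
QLEN = 32   # bytes needed to hold the group order


def point_add(p: Point, q: Point) -> Point:
    """Affine point addition (doubling when p == q); not constant-time."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k: int, point: Point) -> Point:
    """Double-and-add scalar multiplication."""
    result: Point = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: the leftmost qlen bits of b as an integer."""
    excess = len(b) * 8 - N.bit_length()
    v = int.from_bytes(b, "big")
    return v >> excess if excess > 0 else v


def rfc6979_nonce(priv: int, h1: bytes) -> int:
    """Derive k from (priv, H(m)) with HMAC-SHA256, RFC 6979 3.2 steps b to h."""
    x = priv.to_bytes(QLEN, "big")                    # int2octets(x)
    hm = (bits2int(h1) % N).to_bytes(QLEN, "big")     # bits2octets(h1)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + hm, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + hm, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        T = b""
        while len(T) < QLEN:
            V = hmac.new(K, V, hashlib.sha256).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < N:
            return k
        # Candidate out of range: refresh K and V and try again (step h.3).
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def sign_deterministic(priv: int, message: bytes) -> Tuple[int, int, int]:
    """ECDSA-SHA256 with an RFC 6979 nonce; returns (k, r, s), k only for checking."""
    h1 = hashlib.sha256(message).digest()
    k = rfc6979_nonce(priv, h1)
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (bits2int(h1) + r * priv) % N
    return k, r, s   # r == 0 or s == 0 would require another round; ignored here


# RFC 6979 A.2.5: P-256 with SHA-256, message "sample".
RFC_PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC_K = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60
RFC_R = 0xEFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716
RFC_S = 0xF7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8

if __name__ == "__main__":
    sig = sign_deterministic(RFC_PRIV, b"sample")
    print("matches RFC 6979 vector:", sig == (RFC_K, RFC_R, RFC_S))
    # Same key and message always give the same (r, s): there is no nonce to reuse.
    print("repeatable:", sig == sign_deterministic(RFC_PRIV, b"sample"))
```

In OpenSSL 3.2 the same derivation is switched on by setting the "nonce-type" signature parameter to 1 on an ECDSA or DSA signing context; the point of the example is that, with it enabled, signing the same message twice yields byte-identical signatures and the RNG is no longer on the critical path for key secrecy.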
How does OpenSSL 3.2 change default security and certificate handling?
The default security level is now 2 rather than 1, the x509, ca and req commands always emit X.509v3 certificates, and distinguished names are printed as UTF-8 without spaces around "=".
In practice this means:
- Anything below 112 bits of security is refused: RSA, DSA and DH keys shorter than 2048 bits, EC keys shorter than 224 bits, RC4 cipher suites and SSLv3 are rejected and TLS compression is disabled (MD5-signed certificates were already rejected at level 1).
- The openssl x509, openssl ca and openssl req commands no longer emit version 1 or 2 certificates; scripts that relied on those formats must be updated.
- DN strings are printed as UTF-8 (non-ASCII characters are no longer escaped) and the spaces around the "=" separator are removed, so parsers and string comparisons that expect the old "C = US, O = Example" layout will stop matching.
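A tolerant parser for the subject/issuer lines that x509, req and ca print, as an added example (not OpenSSL code): scripts that compare or match DN strings break when the spacing changes, whereas comparing parsed (attribute, value) pairs survives both the spacing and the UTF-8 change. The sample lines are constructed. Two assumptions not taken from the page: values containing "," are either double-quoted or written as "\,", and pre-3.2 output escaped non-ASCII bytes as "\xHH".

```python
"""Parse the subject=/issuer= lines printed by openssl x509, req and ca.

Added example, not OpenSSL code. Accepts the pre-3.2 'C = US' and the 3.2
'C=US' layouts, double-quoted values, backslash escapes and the assumed
pre-3.2 '\\xHH' escaping of non-ASCII bytes.
"""
import re
from typing import List, Tuple

# Constructed samples: the same certificate as printed before and after 3.2.
OLD_STYLE = r'subject=C = US, O = "Example, Inc.", CN = M\xC3\xBCller'
NEW_STYLE = 'subject=C=US, O="Example, Inc.", CN=Müller'

_LABEL = re.compile(r"^(?:subject|issuer)\s*=\s*")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def _take_value(s: str, i: int, stop: str) -> Tuple[str, int]:
    """Read a value from s[i] up to (not including) any character in stop.

    Backslash escapes are honoured; '\\xHH' is collected as a raw byte so an
    escaped UTF-8 sequence decodes to the same text as literal UTF-8.
    """
    buf = bytearray()
    n = len(s)
    while i < n and s[i] not in stop:
        if s[i] == "\\" and i + 1 < n:
            if s[i + 1] == "x" and i + 3 < n and _HEX2.fullmatch(s[i + 2:i + 4]):
                buf.append(int(s[i + 2:i + 4], 16))
                i += 4
                continue
            buf += s[i + 1].encode("utf-8")
            i += 2
            continue
        buf += s[i].encode("utf-8")
        i += 1
    return buf.decode("utf-8"), i


def parse_dn(line: str) -> List[Tuple[str, str]]:
    """Return [(attr, value), ...] for either the old or the new layout."""
    s = _LABEL.sub("", line, count=1)
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(s)
    while i < n:
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError(f"no '=' in RDN at {s[i:]!r}")
        attr = s[i:eq].strip()
        i = eq + 1
        while i < n and s[i] == " ":          # tolerate 'C = US'
            i += 1
        if i < n and s[i] == '"':
            value, i = _take_value(s, i + 1, '"')
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1                            # closing quote
        else:
            value, i = _take_value(s, i, ",")
            value = value.strip()
        pairs.append((attr, value))
        while i < n and s[i] in ", ":         # skip the ', ' separator
            i += 1
    return pairs


def same_dn(a: str, b: str) -> bool:
    """Compare two printed DNs regardless of which OpenSSL release printed them."""
    return parse_dn(a) == parse_dn(b)


if __name__ == "__main__":
    print(parse_dn(OLD_STYLE))
    print("raw strings equal:", OLD_STYLE == NEW_STYLE)        # False
    print("parsed DNs equal:", same_dn(OLD_STYLE, NEW_STYLE))   # True
```

A script that gates on `subject == "CN = admin"` fails closed after the upgrade, which is the visible case; one that gates on `"CN = admin" not in subject` fails open, which is not. Comparing parsed pairs removes both failure modes, and explicitly passing `-nameopt` to the openssl commands pins the output format independently of the library version.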
What production-ready features were added for modern protocols?
OpenSSL 3.2 brings a suite of protocol-level enhancements aimed at high-performance services.
- Client-side QUIC support (RFC 9000) with multiple stream handling.
- TLS certificate compression using zlib, Brotli, and zstd (RFC 8879) to reduce handshake latency.
- TCP Fast Open enabled on Linux, macOS and FreeBSD where the kernel supports it (RFC 7413).
- IANA-standard cipher suite names can now be used in configuration files, simplifying migration from other TLS stacks.
- Provider-based pluggable signature algorithms in TLS 1.3, paving the way for post-quantum signatures when a suitable provider is loaded.
Example: open a QUIC client connection with the 3.2 API. The hook-based calls SSL_CTX_set_quic_method and SSL_set_quic_transport_params belong to the BoringSSL/quictls QUIC API, which OpenSSL 3.2 does not provide; 3.2 instead exposes a dedicated SSL method over a datagram BIO. The fragment below assumes udp_bio is a BIO_s_datagram() on a UDP socket and peer is the server's BIO_ADDR.

```c
SSL_CTX *ctx = SSL_CTX_new(OSSL_QUIC_client_method());
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);        /* verification is off by default for any SSL_CTX */
SSL_CTX_set_default_verify_paths(ctx);
SSL *ssl = SSL_new(ctx);
SSL_set_bio(ssl, udp_bio, udp_bio);                    /* udp_bio: BIO_s_datagram() on a UDP socket (assumed) */
SSL_set_alpn_protos(ssl, (const unsigned char *)"\x02h3", 3);  /* ALPN is mandatory for QUIC; returns 0 on success */
SSL_set_tlsext_host_name(ssl, "example.com");
SSL_set1_host(ssl, "example.com");                     /* verify the name, not only the chain */
SSL_set1_initial_peer_addr(ssl, peer);                 /* peer: server's BIO_ADDR (assumed) */
if (SSL_connect(ssl) <= 0) { /* handshake failed: see ERR_get_error() */ }
```
Which bugs and vulnerabilities were fixed in the OpenSSL 3.2 series?
The 3.2.x patch releases fixed the following security issues, covering memory safety, timing side channels and denial of service:
- Out-of-bounds read and write in the RFC 3211 KEK unwrap used by CMS password-based recipients (CVE-2025-9230).
- Timing side channel in SM2 signature computation on 64-bit ARM (CVE-2025-9231).
- Out-of-bounds read in the HTTP client's no_proxy handling (CVE-2025-9232).
- Handshakes using RFC 7250 raw public keys did not abort as expected when SSL_VERIFY_PEER was set, so a client could continue without having authenticated the server (CVE-2024-12797).
- Timing side channel in ECDSA signature computation (CVE-2024-13176).
- Out-of-bounds memory access with invalid low-level GF(2^m) curve parameters (CVE-2024-9143).
- Denial of service in X.509 name checks (CVE-2024-6119).
- Buffer overread in SSL_select_next_proto (CVE-2024-5535).
- Use-after-free in SSL_free_buffers (CVE-2024-4741).
- Excessive time spent checking DSA keys and parameters (CVE-2024-4603).
- Unbounded memory growth with TLS 1.3 session handling (CVE-2024-2511).
- PKCS12 decoding crashes on malformed input (CVE-2024-0727).
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237).
- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129).
- Excessive time spent in DH check and generation with a large Q parameter value (CVE-2023-5678).
FAQ
Do I need to adjust my applications for the new default security level?
Possibly. Level 2 rejects RSA, DSA and DH keys shorter than 2048 bits and EC keys shorter than 224 bits, prohibits RC4 cipher suites and SSLv3 and disables TLS compression, so certificates, DH parameters and cipher strings that only worked at level 1 need review. The level can be set per context with SSL_CTX_set_security_level() or with an "@SECLEVEL=n" suffix in the cipher string; prefer pinning it explicitly in the application over lowering the library-wide default.
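To see what your own build actually loses between levels, resolve the cipher string at each level and diff the results. The added example below (not OpenSSL code) does this through Python's ssl module, which passes the string straight to SSL_CTX_set_cipher_list, so the "@SECLEVEL=n" suffix behaves as it does in openssl.cnf or openssl ciphers. It assumes a Python linked against OpenSSL (LibreSSL does not understand @SECLEVEL); which suites appear depends on how the library was compiled.

```python
"""Diff what a cipher configuration loses at OpenSSL security level 2.

Added example, not OpenSSL code. Assumes Python's ssl module is linked
against OpenSSL, so '@SECLEVEL=n' in a cipher string is understood.
"""
import ssl
from typing import Dict, List, Set


def suites_at(level: int, spec: str = "ALL") -> List[Dict]:
    """Resolve spec under the given security level; returns ssl's cipher dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(f"{spec}:@SECLEVEL={level}")
    return ctx.get_ciphers()


def ciphers_at(level: int, spec: str = "ALL") -> Set[str]:
    """Names of the suites spec resolves to at the given level."""
    return {c["name"] for c in suites_at(level, spec)}


def dropped_by_level(low: int, high: int, spec: str = "ALL") -> List[str]:
    """Suites usable at level `low` that level `high` refuses."""
    return sorted(ciphers_at(low, spec) - ciphers_at(high, spec))


def weakest_bits(level: int, spec: str = "ALL") -> int:
    """Smallest security strength among the suites the level still allows."""
    return min(c["strength_bits"] for c in suites_at(level, spec))


def pinned_context(level: int) -> ssl.SSLContext:
    """A context whose level is explicit, so a library upgrade cannot move it.

    The '@SECLEVEL' suffix is the cipher-string equivalent of
    SSL_CTX_set_security_level(); pin 2 or higher in the application rather
    than lowering the library default to keep old peers working.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={level}")
    return ctx


if __name__ == "__main__":
    for low, high in ((0, 1), (1, 2)):
        gone = dropped_by_level(low, high) or ["nothing in this build"]
        print(f"level {low} -> {high} drops: {', '.join(gone)}")
    print("weakest suite still allowed at level 2:", weakest_bits(2), "bits")
```

Note that the cipher list is only the part of the level that shows up statically; the key-size rules (2048-bit RSA/DH, 224-bit EC) are enforced per handshake against the certificate and parameters actually presented, so a clean diff here does not mean a 1024-bit DH parameter file will still be accepted.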
How can I enable the Windows system certificate store?
There is no separate provider to load. On Windows builds of 3.2 the default provider's store loader understands the URI scheme org.openssl.winstore://, which reads the trusted roots from the system certificate store; pass it wherever a store URI is accepted, for example openssl s_client -CAstore org.openssl.winstore:// -connect host:443, or X509_STORE_load_store() / SSL_CTX_load_verify_store() in code.
Is QUIC support ready for production use?
Client-side QUIC in 3.2 is a supported, non-experimental feature and is compiled in by default (the no-quic configure option removes it); no special link flag is needed. Applications use the dedicated OSSL_QUIC_client_method() with a datagram BIO rather than the hook-based SSL_set_quic_method API of BoringSSL and quictls, and 3.2 contains no server-side QUIC.
What command shows the new default security level?
There is none: the default level is a build-time setting (OPENSSL_TLS_SECURITY_LEVEL, 2 as of 3.2), not a runtime value a command prints. To see its effect, list what a cipher string resolves to at a given level, for example openssl ciphers -v 'DEFAULT:@SECLEVEL=2', or override it for a single connection with openssl s_client -cipher 'DEFAULT:@SECLEVEL=1' -connect host:443.
Can I use the new Argon2 KDF with the command line?
Yes. The KDF is named ARGON2ID (or ARGON2I / ARGON2D) and its parameters are passed with -kdfopt; memcost is in KiB, iter is the pass count and lanes the degree of parallelism, for example openssl kdf -keylen 32 -kdfopt pass:password -kdfopt salt:saltsalt -kdfopt iter:2 -kdfopt memcost:65536 -kdfopt lanes:4 -binary -out key.bin ARGON2ID.
How do I list the newly supported Brainpool curves?
openssl ecparam -list_curves has listed the Brainpool curves for many releases; what is new in 3.2 is that TLS 1.3 can negotiate them, under the RFC 8734 group names brainpoolP256r1tls13, brainpoolP384r1tls13 and brainpoolP512r1tls13. Select them with -groups on s_client or s_server, e.g. openssl s_client -tls1_3 -groups brainpoolP256r1tls13 -connect host:443, or with SSL_CTX_set1_groups_list() in code.