What Is New in OpenSSL 3.3
| Category | Highlights |
|---|---|
| New Features | QUIC tracing (qlog), idle-timeout and stream-limit APIs, SSL_write_ex2 for FIN, EVP_DigestSqueeze, BLAKE2s variable-output, CRT derivation in EVP_PKEY_fromdata, Y2038-safe SSL_SESSION time APIs, extended CMPv3 support, new x509 -set_issuer/-set_subject options. |
| Improvements | Architecture-specific optimisations: AES-GCM unroll8 for Azure Cobalt, AES-CTR for ARM Neoverse V1/V2, SHA-3 on Apple Silicon M3, RISC-V vector crypto extensions, md5 assembly on loongarch64, larger TLS 1.2 exporter context, faster hex conversion. |
| Bug Fixes | Fixes for CVE-2026-31790 (RSA-KEM), CVE-2026-28387/88/89/90 (DANE/CMS), CVE-2026-31789 (hex overflow), CVE-2025-15467/68 (CMS AuthEnvelopedData, SSL_CIPHER_find), CVE-2025-66199 (TLS 1.3 CompressedCertificate), CVE-2025-68160 (BIO_f_linebuffer), multiple PKCS#12/PKCS7/TS bugs, and many others. |
| Breaking Changes | Provider activation flags now require explicit true/false (or 1/0); default HMAC hash changed from md5 to sha256; OPENSSL_sk_push returns 0 on NULL stack; new HTTP response header limit (256 lines); BIO_get_new_index capped at 127; SSL_SESSION time APIs switched to time_t for Y2038 safety. |
What new QUIC capabilities does OpenSSL 3.3 provide?
OpenSSL 3.3 adds a full set of QUIC tracing and stream-management APIs that let applications monitor connections with qlog and control idle timeouts and stream limits.
- qlog export for detailed QUIC packet traces.
- SSL_set_quic_idle_timeout() and SSL_get_quic_max_streams() to tune connection behaviour.
- SSL_write_ex2() can send a FIN flag efficiently on QUIC streams.
- Optional non-blocking poll support for QUIC objects.
```c
#include <openssl/ssl.h>

SSL *s = SSL_new(ctx);   /* ctx: an SSL_CTX created for QUIC, e.g. with OSSL_QUIC_client_method() */
if (s == NULL)
    /* handle error */;
SSL_set_quic_idle_timeout(s, 30000); /* 30 second idle timeout, given in milliseconds */
```
How has OpenSSL 3.3 improved performance for modern hardware?
OpenSSL 3.3 introduces several architecture-specific optimisations that accelerate symmetric ciphers and hash functions on current CPUs.
- AES-GCM unroll8 optimisation for Microsoft Azure Cobalt 100.
- AES-CTR loop unrolling for ARM Neoverse V1/V2.
- SHA-3 vectorised implementation on Apple Silicon M3 (M1/M2 already supported).
- RISC-V vector crypto extensions leveraged for bulk data processing.
- Hand-written md5 assembly for loongarch64.
In practice these changes can reduce the run time of throughput-bound workloads by 10-20 % on the supported platforms.
Which critical bugs and CVEs were addressed in OpenSSL 3.3?
OpenSSL 3.3 patches a broad set of high-severity vulnerabilities across RSA-KEM, DANE, CMS, PKCS#12, TLS 1.3 and more.
- RSA-KEM RSASVE encapsulation failure handling (CVE-2026-31790).
- DANE client use-after-free (CVE-2026-28387).
- Delta CRL NULL-pointer dereference (CVE-2026-28388).
- CMS KeyAgreeRecipientInfo and KeyTransportRecipientInfo NULL dereferences (CVE-2026-28389/90).
- Hexadecimal conversion buffer overflow (CVE-2026-31789).
- CMS AuthEnvelopedData stack overflow (CVE-2025-15467).
- TLS 1.3 CompressedCertificate memory blow-up (CVE-2025-66199).
- PKCS#12 UTF-8 name handling bugs (CVE-2025-69419/21, CVE-2026-22795).
- Various ASN.1 type-confusion and validation issues (CVE-2025-69420/21, CVE-2026-22796).
Most of these fixes are transparent to applications, but they eliminate denial-of-service and potential code-execution vectors.
What breaking configuration changes should I watch out for when upgrading to OpenSSL 3.3?
OpenSSL 3.3 tightens several configuration defaults that can affect existing deployments.
- Provider activation flags in openssl.cnf now accept only 1|yes|true|on (or the negative equivalents) to enable a provider.
- The default hash for openssl speed -hmac switched from md5 to sha256; specify -mac md5 to retain the old behaviour.
- OPENSSL_sk_push() now returns 0 on a NULL stack instead of -1, so callers must check for a zero return.
- The HTTP client now caps response headers at 256 lines; large-header services may need to increase SSL_CONF_http_max_headers.
- BIO_get_new_index() is limited to 127 calls; custom BIO implementations should verify the return value.
- New Y2038-safe session time APIs (SSL_SESSION_get_time_ex/SSL_SESSION_set_time_ex) replace the old 32-bit time functions.
```ini
# Example: enable the default provider in openssl.cnf
# (the activate value is the flag that now must be 1|yes|true|on)
[provider_sect]
default = default_sect
[default_sect]
activate = yes
```
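Because older releases treated any non-empty activate value as "enabled", a configuration that worked before the upgrade can silently stop loading a provider under 3.3. The following pre-upgrade lint is an added example, not code from the OpenSSL project: it scans an openssl.cnf for activate values outside the accepted set the text above lists (1|yes|true|on and their negatives) and reports the section and value. The sample configuration it checks is constructed for the example; the default section is fine, while the legacy and fips sections use spellings that are assumed here to no longer count as enabling.

```sh
#!/bin/sh
# Added example (not OpenSSL project code): lint provider "activate" values in an
# openssl.cnf before upgrading to OpenSSL 3.3. Accepted spellings follow the page:
# 1|yes|true|on and the negatives 0|no|false|off; everything else is reported.

# Writes a constructed sample openssl.cnf to the path given in $1.
# The legacy and fips sections use spellings assumed not to be accepted any more.
make_sample_cnf() {
    cat > "$1" <<'EOF'
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect
fips = fips_sect

[default_sect]
activate = 1

[legacy_sect]
activate = enabled

[fips_sect]
activate = y
EOF
}

# Prints "<section> <value>" for each activate key outside the accepted set.
# Returns 1 if any such key was found, 0 if the file is clean.
lint_activate_values() {
    awk '
        # Remember the current [section] name.
        /^[ \t]*\[/ {
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            section = $0
            next
        }
        # Check every "activate = <value>" line; the comparison is case-insensitive.
        /^[ \t]*activate[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            value = tolower($0)
            if (value !~ /^(1|yes|true|on|0|no|false|off)$/) {
                print section, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone run: lint the sample file and summarise the result.
main() {
    cnf=$(mktemp)
    make_sample_cnf "$cnf"
    if lint_activate_values "$cnf"; then
        echo "no unsupported activate values found"
    else
        echo "fix the values above before upgrading to OpenSSL 3.3"
    fi
    rm -f "$cnf"
}

main "$@"
```

Run it against a real file with `lint_activate_values /etc/ssl/openssl.cnf` (path assumed); a non-zero exit status makes it usable as a gate in a deployment pipeline. The lint only looks at the activate key, since that is the setting whose accepted values changed; section-name mappings in provider_sect are untouched by the 3.3 change.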
FAQ
Does OpenSSL 3.3 require rebuilding applications to use the new QUIC APIs?
No, existing applications continue to work unchanged; the QUIC APIs are optional and only linked when you include the quic provider.
Can I still use md5 for HMAC in openssl speed after the default change?
Yes, you can explicitly specify -mac md5 to override the new default sha256.
What is the new function to set a Y2038-safe session time?
Use SSL_SESSION_set_time_ex with a time_t argument, e.g., SSL_SESSION_set_time_ex(sess, 0, my_time).
Is the BIO_get_new_index limit of 127 something I need to handle?
In practice you rarely exceed 127 custom BIO types, but if you do you must check for a -1 return and avoid creating more.
Do the provider activation config changes affect existing openssl.cnf files?
Yes, you must use true/false or 1/0 values instead of other strings to enable or disable providers.
Are there any deprecated functions in this release?
No functions were officially deprecated in the OpenSSL 3.3 series.