What Is New in OpenSSL 3.5
| Category | Highlights |
|---|---|
| New Features | Server-side QUIC support, 0-RTT for third-party QUIC stacks, PQC algorithms (ML-KEM, ML-DSA, SLH-DSA), opaque EVP_SKEY objects, central CMP key generation, multiple TLS keyshares, pipelining API for ciphers |
| Improvements | Default TLS groups now include hybrid PQC KEM groups; default keyshare offers X25519MLKEM768 and X25519; default encryption cipher for req/cms/smime switched to aes-256-cbc; added no-tls-deprecated-ec and enable-fips-jitter config options |
| Bug Fixes | Fixes for RSA KEM RSASVE encapsulation, DANE use-after-free, delta CRL NULL deref, CMS recipient NULL checks, hex conversion overflow, numerous CVE patches across 3.5.x releases |
| Breaking Changes | All BIO_meth_get_* functions deprecated; default TLS groups list altered, removing rarely used groups; default cipher change may affect legacy scripts expecting des-ede3-cbc |
| Deprecations | BIO_meth_get_* APIs removed; legacy TLS groups deprecated via new no-tls-deprecated-ec option |
What new cryptographic algorithms does OpenSSL 3.5 introduce?
OpenSSL 3.5 adds post-quantum cryptography (PQC) primitives and makes them first-class TLS participants.
- ML-KEM (including the X25519MLKEM768 hybrid group) for key exchange.
- ML-DSA and SLH-DSA for signatures.
- Support for opaque symmetric key objects (EVP_SKEY) that can hold PQC keys without exposing raw material.
In practice this means you can configure a server to prefer a hybrid group such as X25519MLKEM768 and still interoperate with classic clients that only understand X25519.
```ini
# openssl.conf snippet
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
default_groups = X25519MLKEM768:X25519
```
How have TLS defaults changed in OpenSSL 3.5?
The default TLS supported groups list now prefers hybrid PQC KEM groups and drops rarely used classic groups.
- Hybrid groups (e.g., X25519MLKEM768) are offered before pure classic groups.
- Default keyshare extension automatically includes X25519MLKEM768 and X25519, reducing round-trips for PQC-capable clients.
- A new configuration option, no-tls-deprecated-ec, disables the legacy groups deprecated in RFC 8422.
This matters if you rely on legacy groups such as secp256r1; you may need to add them back explicitly:
```ini
# openssl.conf addition
default_groups = X25519MLKEM768:X25519:secp256r1
```
What are the major FIPS provider updates in OpenSSL 3.5?
The FIPS provider now enforces a provenance-check-test (PCT) on key import for RSA, EC, and ECX keys and adds a PCT for DH key generation.
- RSA, EC, and ECX keys imported via EVP_PKEY_new() are validated against the FIPS-approved algorithm set.
- DH key generation now includes a mandatory self-test before the key is usable.
- The enable-fips-jitter configuration option allows the FIPS provider to use the JITTER entropy source.
Watch out for deployment scripts that previously imported raw keys without error handling; they must now check for EVP_PKEY_imported failures.
Which APIs were deprecated or changed in OpenSSL 3.5?
All BIO_meth_get_*() functions have been deprecated and will be removed in a future major release.
- Replace calls to BIO_meth_get_write() with the generic BIO_method_get_write() wrapper.
- The default encryption cipher for the req, cms, and smime utilities switched from des-ede3-cbc to aes-256-cbc.
Most teams can continue to use the utilities unchanged, but scripts that explicitly set -cipher des-ede3-cbc should be reviewed.
```sh
# old usage
openssl req -new -key key.pem -cipher des-ede3-cbc -out req.csr
# new default (no -cipher needed)
openssl req -new -key key.pem -out req.csr
```
What critical bugs were fixed across the OpenSSL 3.5 series?
The 3.5 series addressed a wide range of security issues, from memory safety to protocol handling.
- RSA KEM RSASVE encapsulation now correctly reports failures (CVE-2026-31790).
- DANE client code no longer suffers a use-after-free (CVE-2026-28387).
- Delta CRL processing fixed a NULL-pointer dereference (CVE-2026-28388).
- CMS recipient parsing now validates pointers for both KeyAgree and KeyTransport info (CVE-2026-28389, CVE-2026-28390).
- Hexadecimal conversion buffer overflow patched (CVE-2026-31789).
- Multiple CVEs in earlier 3.5.x releases were also remediated, covering PKCS#12 MAC validation, CMS AuthEnvelopedData parsing, TLS 1.3 CompressedCertificate handling, and more.
In production, ensure you are running at least 3.5.6 to benefit from the latest mitigations.
FAQ
Does the default cipher change affect existing OpenSSL command-line workflows?
Yes: scripts that relied on des-ede3-cbc will now use aes-256-cbc unless they explicitly specify a different cipher.
Can I still use legacy TLS groups after upgrading to OpenSSL 3.5?
You can re-enable them via the default_groups configuration option, but they are omitted from the default list.
How do I enable the new PQC groups in a server configuration?
Add X25519MLKEM768 to the default_groups line in openssl.conf.
Is there a code example for generating a PQC key pair with the EVP API?
Use EVP_PKEY_new() with the algorithm name ML-KEM and then EVP_PKEY_keygen() as you would with RSA.
Do I need to modify my application to avoid the deprecated BIO_meth_get_* functions?
Replace them with the generic BIO_method_get_* equivalents to stay compatible with future releases.
What is the recommended OpenSSL version to run in production as of the 3.5 series?
OpenSSL 3.5.6 is the latest security-patched release and should be used.