EVP_SKEY</a> (<a href="https://docs.openssl.org/master/man1/openssl-skeyutl/">Symmetric KEY</a>) structure to represent symmetric keys as opaque objects. Unlike raw keys, which are represented by a byte array, the key structure in EVP_SKEY is abstracted and contains additional metadata. EVP_SKEY can be used in <a href="https://github.com/openssl/openssl/pull/26702">encryption</a>, key exchange, and <a href="https://github.com/openssl/openssl/pull/28369">key derivation</a> (<a href="https://en.wikipedia.org/wiki/Key_derivation_function">KDF</a>) functions. The functions EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() have been added to work with EVP_SKEY keys;</li>
<li class="content-block-list-item"><a href="https://github.com/openssl/openssl/pull/22357">Added</a> support for verifying digital signatures based on the <a href="https://datatracker.ietf.org/doc/html/rfc8554">LMS</a> (Leighton-Micali Signatures) scheme, which uses <a href="https://en.wikipedia.org/wiki/Hash-based_cryptography">hash functions</a> and tree-based hashing in the form of a Merkle tree (each branch verifies all underlying branches and nodes). LMS digital signatures are resistant to quantum computer attacks and are designed to ensure the integrity of firmware and applications;</li>
<li class="content-block-list-item"><a href="https://github.com/openssl/openssl/pull/27571">Added</a> support for <a href="https://csrc.nist.gov/glossary/term/security_category">NIST security categories</a> for <a href="https://docs.openssl.org/3.1/man1/openssl-pkey/">PKEY</a> object parameters (public and private keys). The security category is set via the "security-category" setting. The EVP_PKEY_get_security_category() function has been added to check the security level. The security level reflects resistance to quantum computer attacks and can take integer values from 0 to 5:</li>
<li class="content-block-list-item">0 - the implementation is not resistant to quantum computer attacks;</li>
<li class="content-block-list-item">1/3/5 - the implementation is at least as hard to break on a quantum computer as a key search in a block cipher with a 128/192/256-bit key;</li>
<li class="content-block-list-item">2/4 - the implementation is at least as hard to break on a quantum computer as a collision search in a 256/384-bit hash;</li>
<li class="content-block-list-item">Added the <a href="https://docs.openssl.org/master/man1/openssl-configutl/">openssl configutl</a> command to process configuration files. The utility generates a consolidated file with all settings from a multi-file configuration that uses include directives;</li>
<li class="content-block-list-item">Added support for deterministic ECDSA digital signature generation to the FIPS crypto provider (the same signature is generated for the same input data), in accordance with the FIPS 186-5 standard requirements;</li>
<li class="content-block-list-item">Increased build environment requirements. A toolchain with ANSI C support is no longer sufficient to build OpenSSL; a C99-compliant compiler is now required;</li>
<li class="content-block-list-item">Functions related to the <a href="https://docs.openssl.org/3.4/man3/EVP_PKEY_ASN1_METHOD/">EVP_PKEY_ASN1_METHOD</a> structure have been deprecated;</li>
<li class="content-block-list-item">Support for the VxWorks platform has been discontinued.</li>
</ul></div>
<div class="block-wrapper--default"><hr class="block-content content-block-delimiter"></div>
<div class="block-wrapper--default"><p class="block-content">The new version of the project <a href="https://openssl-library.org/news/secadv/20250930.txt" rel="noopener noreferrer nofollow">fixes</a> the following vulnerabilities:</p></div>
<div class="block-wrapper--default"><ul class="block-content content-block-list-unordered">
<li class="content-block-list-item"><a href="https://security-tracker.debian.org/tracker/CVE-2025-9230">CVE-2025-9230</a> — a vulnerability in the decryption code for CMS messages encrypted with a password (PWRI). The vulnerability can lead to an out-of-bounds write and read, allowing an attacker to cause a crash or memory corruption in an application that uses OpenSSL to process CMS messages. Exploitation for code execution is not ruled out, but the severity of the issue is reduced by the fact that password-based encryption of CMS messages is very rarely used in practice. In addition to OpenSSL 3.6.0, the vulnerability is fixed in OpenSSL releases 3.5.4, 3.4.3, 3.3.5, 3.2.6, and 3.0.18. The issue has also been <a href="https://www.mail-archive.com/announce@openbsd.org/msg00565.html">fixed</a> in updates to LibreSSL 4.0.1 and 4.1.1, developed by the OpenBSD project;</li>
<li class="content-block-list-item"><a href="https://security-tracker.debian.org/tracker/CVE-2025-9231">CVE-2025-9231</a> — the implementation of the SM2 algorithm is vulnerable to a side-channel attack that allows an attacker on systems with 64-bit ARM CPUs to reconstruct the private key by analyzing timing variations of specific computations. The attack could potentially be carried out remotely. The severity of the attack is reduced by the fact that OpenSSL does not directly support the use of certificates with SM2 keys in TLS;</li>
<li class="content-block-list-item"><a href="https://security-tracker.debian.org/tracker/CVE-2025-9232">CVE-2025-9232</a> — a vulnerability in the built-in HTTP client implementation that leads to an out-of-bounds read when processing a specially crafted URL in HTTP Client functions. The issue only manifests when the "no_proxy" environment variable is set and can lead to an application crash.</li>
</ul></div>
</div>