The final release of OpenSSL 3.6 has been officially published — the culmination of the collective efforts of numerous contributors who continue to drive the library’s evolution. The new version introduces additional features, bug fixes, and several compatibility-impacting changes.
The update now allows the use of NIST security categories for PKEY objects, as well as the introduction of new EVP_SKEY objects employed within provider methods for key derivation and exchange. To support these, developers have added the functions EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY().
Support for LMS signatures has been implemented in accordance with the SP 800-208 standard, available both in the FIPS provider and in the default one. Furthermore, the FIPS module now supports deterministic ECDSA signature generation as specified in FIPS 186-5.
Compiler requirements have also evolved: building OpenSSL with ANSI-C is no longer supported — a compiler with C99 capabilities is now required. At the same time, support for the VxWorks platform has been discontinued.
The package now includes a new utility, openssl configutl, designed to process OpenSSL configuration files and output equivalent formatted variants. Meanwhile, all functions associated with EVP_PKEY_ASN1_METHOD have been deprecated and are slated for eventual removal.
A complete list of changes from version 3.5, including all backward-incompatible updates, can be found in the CHANGES.md file. OpenSSL 3.6 is available for download from the project’s official website or via the GitHub releases page.