OpenSSL 3.5 LTS: QUIC server support and post‑quantum crypto land in a long‑term release

Key update

OpenSSL 3.5 (final/LTS) is released. The build introduces native server‑side QUIC support, initial post‑quantum cryptography primitives (ML‑KEM, ML‑DSA, SLH‑DSA), opaque symmetric key objects (EVP_SKEY), improved TLS keyshare and group configurability, and various API/configuration additions targeted at long‑term stability and security. This is designated an LTS release with support through April 8, 2030.

Why it matters

OpenSSL is the TLS/crypto backbone for many system packages and runtimes; a stable LTS that adds server‑side QUIC and PQC primitives is immediately practical rather than theoretical. For operators and platform engineers, this means mainstream OpenSSL consumers (web servers, proxies, language runtimes, and container images) now have an upstream, supported implementation to build against when enabling QUIC or experimenting with post‑quantum algorithms — without waiting for vendor‑specific forks. Migration impact is real: distributions and downstream projects will need to package and roll out 3.5 (or a patched security point release), native modules linked to OpenSSL may need recompilation, and TLS configurations should be validated under the new options (keyshare/group controls, EVP_SKEY usage). For security teams, the PQC additions are useful for testing and prototyping hybrid PQC+classical TLS setups, but production adoption still requires interoperability, compliance checks, and careful key management planning. Overall, 3.5 moves QUIC and PQC from niche integrations into the mainstream OpenSSL lifecycle — prepare CI, native builds, and staging validation if your stack relies on OpenSSL for TLS or crypto operations.

Source

• Source