Wednesday, April 15, 2026

OpenSSL 4.0 Released with ECH Support and Significant Legacy Code Removal


OpenSSL 4.0.0 has been released as a major feature update to the widely used cryptography and TLS library. This version brings new protocol capabilities, API updates, and the long-awaited removal of legacy components.

One of the standout additions is support for Encrypted Client Hello (ECH), which encrypts the ClientHello (including the SNI extension) so that the server name is no longer visible on the wire. The release also introduces cSHAKE support, SM2-based TLS 1.3 cipher suites and signature schemes from RFC 8998, along with support for the SNMP KDF and the SRTP KDF. Additional enhancements include the "ML-DSA-MU" digest algorithm and negotiated FFDHE key exchange for TLS 1.2 (the RFC 7919 supported-groups mechanism).

For FIPS users, the module self-tests can now be deferred and executed at installation time by passing the -defer_tests option to openssl fipsinstall, rather than being run when the module is first loaded.

At the same time, OpenSSL 4.0 introduces several breaking changes. Support for SSLv3 and for the SSLv2-format Client Hello has been removed, ENGINE support has been dropped (hardware and custom backends must now be written as providers), and the c_rehash script has been replaced by openssl rehash, which has been a built-in subcommand since 1.1.0 and can be adopted in scripts ahead of the upgrade. Deprecated TLS elliptic curves and explicitly encoded EC curve parameters are now disabled by default at compile time unless re-enabled with the corresponding configure options.
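Before moving a code base to 4.0 it is worth grepping for the removed interfaces rather than discovering them as build or runtime failures. The following scanner is an added example (not code from the article or from the OpenSSL project) that looks for the removals listed above in source and script text. The regular expressions and the sample C and shell fragments are constructed for illustration; the patterns are heuristics and every hit should be reviewed by hand. The SSLv2 Client Hello removal is a wire-format behaviour rather than an API symbol, so nothing in source will match it and it is not scanned for.

```python
"""Pre-upgrade audit for interfaces removed or disabled in OpenSSL 4.0.

Added example; not part of the article or of OpenSSL. Patterns are
heuristics (assumed, not exhaustive) and sample inputs are constructed.
"""
import re
from typing import Dict, List, Tuple

# (label, pattern, remediation advice)
CHECKS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("SSLv3 method",
     re.compile(r"\bSSLv3_(?:client_|server_)?method\s*\("),
     "SSLv3 was removed; use TLS_method()/TLS_client_method() and set a "
     "minimum protocol version"),
    ("ENGINE API",
     re.compile(r"\bENGINE_[A-Za-z0-9_]+\s*\(|#include\s*<openssl/engine\.h>"),
     "ENGINE support was removed; migrate the backend to a provider"),
    ("c_rehash",
     re.compile(r"\bc_rehash\b"),
     "c_rehash was removed; run 'openssl rehash <dir>' instead"),
    ("explicit EC curve",
     re.compile(r"\bEC_GROUP_new_curve_GF(?:p|2m)\s*\(|\bOPENSSL_EC_EXPLICIT_CURVE\b"),
     "explicit curve encoding is disabled at compile time by default; "
     "use named curves"),
]


def scan(source: str, path: str = "<constructed>") -> List[Dict[str, object]]:
    """Return one finding per (line, check) hit, in file order."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern, advice in CHECKS:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "issue": label,
                                 "text": line.strip(), "advice": advice})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per issue label."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[str(finding["issue"])] = counts.get(str(finding["issue"]), 0) + 1
    return counts


# Constructed sample inputs: a C file that still uses ENGINE and SSLv3,
# and a deployment script that calls the removed c_rehash helper.
SAMPLE_C = """\
#include <openssl/ssl.h>
#include <openssl/engine.h>
static SSL_CTX *make_ctx(void) {
    ENGINE_load_builtin_engines();
    SSL_CTX *ctx = SSL_CTX_new(SSLv3_client_method());
    return ctx;
}
"""
SAMPLE_SH = "c_rehash /etc/ssl/certs\n"

if __name__ == "__main__":
    for path, text in (("tls.c", SAMPLE_C), ("deploy.sh", SAMPLE_SH)):
        for f in scan(text, path):
            print(f"{f['path']}:{f['line']}: {f['issue']}: {f['text']}")
            print(f"    -> {f['advice']}")
    print(summarize(scan(SAMPLE_C, "tls.c")))
```

Run it over a real tree by replacing the constructed samples with the contents of each file; the counts from summarize() give a quick size estimate for the migration work.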

Other updates include making ASN1_STRING opaque (code that reads the struct members directly, such as the data and length fields, no longer compiles and must use the ASN1_STRING_get0_data() and ASN1_STRING_length() accessors), adding const qualifiers to several X.509-related APIs, and deprecating the older certificate time comparison functions in favor of X509_check_certificate_times().

Further changes affect verification behavior and internal cleanup. For example, lower-bound checks on iteration count, salt length and output length are now enforced for PKCS5_PBKDF2_HMAC when it runs against the FIPS provider, so callers that previously derived keys from weak parameters will now get an error instead of a key. Certificate validation has been tightened with additional Authority Key Identifier (AKID) and CRL checks. Also, libcrypto no longer registers its global cleanup via atexit(); instead, OPENSSL_cleanup() runs from a global destructor where the platform supports one and may not run automatically otherwise. Applications that rely on deterministic teardown (for example under a leak checker) should call OPENSSL_cleanup() explicitly at exit.
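Because the PBKDF2 lower bounds are now enforced inside the library, it is useful to validate parameters up front and fail with a readable message rather than an opaque provider error. The wrapper below is an added example, not code from the article or from OpenSSL; it uses Python's hashlib.pbkdf2_hmac() rather than OpenSSL's C API. The numeric limits (1000 iterations, 128-bit salt, 112-bit output, 20-byte password) are the values the OpenSSL FIPS provider has applied to its PBKDF2 KDF in the 3.x series and the SP 800-132 guidance it follows; they are assumed here, and CHANGES.md is the authoritative source for what 4.0 enforces on PKCS5_PBKDF2_HMAC.

```python
"""Pre-flight validation of PBKDF2 parameters against FIPS-style minimums.

Added example; not part of the article or of OpenSSL. The bounds below are
assumed (taken from the OpenSSL 3.x FIPS provider and SP 800-132 guidance),
not quoted from the 4.0 release notes.
"""
import hashlib
from typing import List

MIN_ITERATIONS = 1000       # assumed: FIPS provider minimum iteration count
MIN_SALT_BYTES = 128 // 8   # assumed: 128-bit salt
MIN_KEY_BYTES = 112 // 8    # assumed: 112-bit derived key
MIN_PASSWORD_BYTES = 20     # assumed: SP 800-132 password length guidance


class WeakPBKDF2Params(ValueError):
    """Raised when parameters fall below the enforced lower bounds."""


def check_pbkdf2_params(password: bytes, salt: bytes,
                        iterations: int, dklen: int) -> List[str]:
    """Return a list of violated bounds; empty means the call is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_PASSWORD_BYTES:
        problems.append(f"password {len(password)} bytes < {MIN_PASSWORD_BYTES}")
    if len(salt) < MIN_SALT_BYTES:
        problems.append(f"salt {len(salt)} bytes < {MIN_SALT_BYTES}")
    if iterations < MIN_ITERATIONS:
        problems.append(f"iterations {iterations} < {MIN_ITERATIONS}")
    if dklen < MIN_KEY_BYTES:
        problems.append(f"dklen {dklen} bytes < {MIN_KEY_BYTES}")
    return problems


def pbkdf2_hmac_strict(hash_name: str, password: bytes, salt: bytes,
                       iterations: int, dklen: int) -> bytes:
    """Derive a key only if every lower bound is satisfied."""
    problems = check_pbkdf2_params(password, salt, iterations, dklen)
    if problems:
        raise WeakPBKDF2Params("; ".join(problems))
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


# Constructed sample inputs: one legacy call that would now be rejected,
# and one that satisfies the assumed minimums.
WEAK = (b"hunter2", b"salt", 100, 8)
STRONG = (b"correct horse battery staple!", bytes(range(16)), 600_000, 32)

if __name__ == "__main__":
    print("weak call violations:", check_pbkdf2_params(*WEAK))
    key = pbkdf2_hmac_strict("sha256", *STRONG)
    print("strong call derived", len(key), "bytes:", key.hex())
```

The iteration count in the strong sample is deliberately far above the floor; the floor is what the provider refuses to go below, not a recommendation.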

For developers and downstream projects, OpenSSL 4.0 represents a significant step forward. While it introduces modern cryptographic features and improvements, it also removes older interfaces that some legacy applications may still depend on.

Regarding support, OpenSSL 4.0 becomes the latest feature branch, while OpenSSL 3.5 continues as the current LTS release. Users looking for the newest features can upgrade to 4.0, whereas those who prioritize long-term stability and support, or who still depend on ENGINE-based integrations, may prefer to remain on version 3.5 LTS.

For more details, see the changelog.
