The OpenSSL project has officially released version 4.0.0, a major feature update introducing significant new functionality and protocol support to the widely used cryptographic library.
Developers can now utilize support for Encrypted Client Hello (ECH) as defined in RFC 9849. The update also implements support for RFC 8998, including the sm2sig_sm3 signature algorithm and the curveSM2MLKEM768 post-quantum key exchange group.
Breaking changes and removals
This release includes several incompatible changes that may require developers to update existing implementations. The project has removed support for SSLv2 Client Hello and SSLv3, the latter of which had been deprecated since 2015.
OpenSSL 4.0.0 also removes support for engines; the `no-engine` build option and the `OPENSSL_NO_ENGINE` macro are now always in effect. The `c_rehash` script tool has been replaced by the `openssl rehash` command.
Further removals include the `msie-hack` option from the `openssl ca` command and the `BIO_f_reliable()` implementation. The project also dropped support for legacy Darwin targets, specifically `darwin-i386` and `darwin-ppc` configurations.
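To find code affected by the removals listed above, a migration audit can scan source and build files for the removed constructs. The following is an added example, not code from the OpenSSL project; the regexes, the `audit` function and the sample input are assumptions made for illustration. It also marks hits inside an `#ifndef OPENSSL_NO_ENGINE` guard, since those now compile out silently instead of failing the build.

```python
import re

# Constructs the article lists as removed in OpenSSL 4.0.0.
# The regexes and messages are this example's assumptions, not an official list.
REMOVED = [(re.compile(p), msg) for p, msg in [
    (r"\bENGINE_\w+\s*\(|<openssl/engine\.h>", "engine API (engines removed)"),
    (r"\bSSLv3_(?:client_|server_)?method\b", "SSLv3 (removed)"),
    (r"\bc_rehash\b", "c_rehash (replaced by `openssl rehash`)"),
    (r"\bmsie[-_]hack\b", "msie-hack option of `openssl ca` (removed)"),
    (r"\bBIO_f_reliable\b", "BIO_f_reliable() (removed)"),
    (r"\bdarwin-(?:i386|ppc)\b", "legacy Darwin target (removed)"),
]]
GUARD = re.compile(r"#\s*(?:ifndef\s+|if\s+!\s*defined\s*\(?\s*)OPENSSL_NO_ENGINE\b")
IF_ANY = re.compile(r"^\s*#\s*if")      # #if, #ifdef, #ifndef (not #elif)
ELSE = re.compile(r"^\s*#\s*else\b")
ENDIF = re.compile(r"^\s*#\s*endif\b")

def audit(text):
    """Return (line_no, message, compiled_out) for each removed construct."""
    findings, stack = [], []  # stack entry is True while an engine guard is open
    for no, line in enumerate(text.splitlines(), 1):
        if IF_ANY.match(line):
            stack.append(bool(GUARD.search(line)))
        elif ELSE.match(line) and stack:
            stack[-1] = False  # the #else branch is the one that now builds
        elif ENDIF.match(line) and stack:
            stack.pop()
        for rx, msg in REMOVED:
            if rx.search(line):
                findings.append((no, msg, any(stack)))
    return findings

# Constructed sample input (not taken from any real project).
SAMPLE = """\
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
ENGINE *e = ENGINE_by_id("pkcs11");
#else
load_key_from_file(path);
#endif
ctx = SSL_CTX_new(SSLv3_method());
/* install note: run c_rehash /etc/ssl/certs */
"""

if __name__ == "__main__":
    for no, msg, compiled_out in audit(SAMPLE):
        state = "silently compiled out" if compiled_out else "needs a code change"
        print(f"line {no}: {msg}: {state}")
```

Hits reported as silently compiled out deserve a manual look: the build still succeeds, but a key that used to come from an engine-backed device now takes whatever fallback path the `#else` branch provides.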
New features in the 4.0.0 release extend to a variety of cryptographic standards. The library now supports the cSHAKE function as per NIST SP 800-185 and the ML-DSA-MU digest algorithm.
Additionally, the update adds support for SNMP KDF and SRTP KDF. For Windows users, the release now allows for either static or dynamic VC runtime linkage.
Developers working with FIPS modules can now use the `-defer_tests` option during the `openssl fipsinstall` process to run self-tests as needed rather than immediately upon installation.