Blog

Future release schedule

At ICMC26, Tim Hudson announced a change to the OpenSSL Library release schedule for future releases. Last year we committed to making long term stable (LTS) releases every two years. Following the release of 4.0, the first major release since 2018, we now commit to a major release every two years.

OpenSSL release plan for 2026.

So the next LTS will be 4.2 in April 2027 and then we’ll have a major release, 5.0, in October 2027. That means the final 4.x release will be supported for the entire 5.x release cycle. This gives significant flexibility for projects that depend on OpenSSL to decide the appropriate moment to move to a more recent version of the library.

OpenSSL 4.0 Final Release - Live

The final release of OpenSSL 4.0 is now live. We would like to thank all those who contributed to the OpenSSL 4.0 release, without whom the OpenSSL Library would not be possible.

ASN1_STRING type is now opaque

Previous posts about the upcoming OpenSSL 4.0 release:

  1. removing ENGINE code
  2. removing deprecated functions for creating or modifying custom METHODS
  3. no longer registering a function via atexit function
  4. adding ECH support
  5. removing SSLv3 and SSLv2 Client Hello

Summary

The ASN1_STRING structure can no longer be accessed directly. Instead, accessor functions must be used.

While these accessor functions have been available since OpenSSL 1.0.1, this change is being made now to enable future work on improving X509 memory efficiency. Requiring accessor functions will allow ASN1 strings to be stored as pointers to data in read-only memory instead of as duplicate copies.

The OpenSSL Library no longer includes SSLv3

Previous posts about the upcoming OpenSSL 4.0 release:

  1. removing ENGINE code
  2. removing deprecated functions for creating or modifying custom METHODS
  3. no longer registering a function via atexit function
  4. adding ECH support

Summary

Secure Sockets Layer version 3.0 (SSLv3) was deprecated in RFC 7568. SSLv3 has been disabled by default at build time since OpenSSL 1.0.2h. As of OpenSSL 4.0, SSLv3 support has been removed altogether.

In addition, OpenSSL no longer supports the SSLv2 Client Hello.

The OpenSSL Library now supports Encrypted Client Hello (ECH)

Previous posts about the upcoming OpenSSL 4.0 release:

  1. removing ENGINE code
  2. removing deprecated functions for creating or modifying custom METHODS
  3. no longer registering a function via atexit function

Summary

The OpenSSL Library now supports Encrypted Client Hello (ECH) specified in RFC 9849, which was published this month. Applications that implement this standard will be able to encrypt sensitive information that is currently transmitted in plaintext in the TLS 1.3 handshake. In particular, ECH can protect the client’s target server name from being revealed to third parties.

The OpenSSL Library no longer registers an atexit function

Previous posts about features removed from OpenSSL 4.0:

  1. ENGINE code
  2. deprecated functions for creating or modifying custom METHODS

Summary

The OPENSSL_cleanup() function is no longer registered to be called upon the termination of the process. This means the OpenSSL Library does not automatically free its resources at exit; instead, the operating system reclaims them when the application exits.

For most users, this will have no impact since the memory is freed one way or the other.

OpenSSL 4.0 Alpha Repository Freeze Approaching

The OpenSSL Project is announcing the upcoming release of OpenSSL 4.0 Alpha, scheduled for March 10, 2026. As a result, the repository will be frozen on February 24, 2026, ahead of the release.