Blog

The final release of OpenSSL 4.0 is now live. We would like to thank all those who contributed to the OpenSSL 4.0 release, without whom the OpenSSL Library would not be possible.

Previous posts about the upcoming OpenSSL 4.0 release:

1. removing ENGINE code
2. removing deprecated functions for creating or modifying custom METHODS
3. no longer registering a function via atexit function
4. adding ECH support
5. removing SSLv3 and SSLv2 Client Hello

Summary

The ASN1_STRING structure can no longer be accessed directly. Instead, accessor functions must be used.

While these accessor functions have been available since OpenSSL 1.0.1, this change is being made now to enable future work improving X509 memory efficiency. Requiring accessor functions will allow ASN1 strings to be stored as pointers to data in read only memory instead of making duplicate copies.

Release Announcement for OpenSSL Library 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

Previous posts about the upcoming OpenSSL 4.0 release:

1. removing ENGINE code
2. removing deprecated functions for creating or modifying custom METHODS
3. no longer registering a function via atexit function
4. adding ECH support

Summary

Secure Sockets Layer version 3.0 (SSLv3) was deprecated in RFC 7568. SSLv3 was disabled at build-time in OpenSSL 1.0.2h by default. As of OpenSSL 4.0, SSLv3 support has been removed altogether.

In addition, OpenSSL no longer supports the SSLv2 Client Hello.

The OpenSSL Project is pleased to announce that OpenSSL 4.0 Beta1 pre-release is available, adding significant functionality to the OpenSSL Library.

The expiration date of the OpenSSL release signing key with fingerprint BA5473A2B0587B07FB27CF2D216094DFD0CB81EF has been extended from 08 Apr 2026 to 14 Jun 2026.

Only the key expiration date has changed. The signing key itself remains the same.

The updated public key is available at: https://keys.openpgp.org/search?q=BA5473A2B0587B07FB27CF2D216094DFD0CB81EF

Previous posts about the upcoming OpenSSL 4.0 release:

1. removing ENGINE code
2. removing deprecated functions for creating or modifying custom METHODS
3. no longer registering a function via atexit function

Summary

The OpenSSL Library now supports Encrypted Client Hello (ECH) specified in RFC 9849, which was published this month. Applications that implement this standard will be able to encrypt sensitive information that is currently transmitted in plaintext in the TLS 1.3 handshake. In particular, ECH can protect the client’s target server name from being revealed to third parties.

Previous posts about features removed from OpenSSL 4.0:

1. ENGINE code
2. deprecated functions for creating or modifying custom METHODS

Summary

The OPENSSL_cleanup() function is no longer registered to be called upon the termination of the process. This means the OpenSSL Library does not automatically free resources so the operating system reclaims them when an application exits.

For most users, this will have no impact since the memory is freed one way or the other.

The OpenSSL Project is announcing the upcoming release of OpenSSL 4.0 Alpha, scheduled for March 10, 2026. As a result, the repository will be frozen before the release on February 24, 2026.

Following on from the removal of ENGINE code, deprecated functions for creating or modifying custom METHODS will be removed from OpenSSL 4.0.

Summary

For a complete list of deprecated functions removed in OpenSSL 4.0, please see the ossl-removed-api documentation. They are divided into the following pull requests:

• Custom ciphers methods (EVP_CIPHER_meth_*) were removed in PR #29299.
• Custom message digest methods (EVP_MD_meth_*) were removed in PR #29366.
• Custom private key methods (EVP_PKEY_meth_*) were removed in PR #29384.
• Custom private key Abstract Syntax Notation One methods (EVP_PKEY_asn1_*) were removed in PR #29405. (These functions were deprecated in OpenSSL 3.6.)

Instead of using these methods, developers are encouraged to use the provider framework.