OpenSSL 4.0 Alpha Release
The OpenSSL Project is pleased to announce the release of OpenSSL 4.0 Alpha, a pre-release that adds significant new functionality to the OpenSSL Library.
This release incorporates the following potentially significant or incompatible changes:
- Removed extra leading '00:' when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.
- Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.
- Lower bounds checks are now enforced when using PKCS5_PBKDF2_HMAC API with FIPS provider.
- Added AKID verification checks when X509_V_FLAG_X509_STRICT is set.
- Augmented CRL verification process with several additional checks.
- libcrypto no longer cleans up globally allocated data via atexit().
- OPENSSL_cleanup() now runs in a global destructor, or not at all by default.
- ASN1_STRING has been made opaque.
- Signatures of numerous API functions, including those that are related to X509 processing, are changed to include const qualifiers for argument and return types, where suitable.
- Deprecated X509_cmp_time(), X509_cmp_current_time(), and X509_cmp_timeframe() in favor of X509_check_certificate_times().
- Removed support for the SSLv2 Client Hello.
- Removed support for SSLv3. SSLv3 has been deprecated since 2015, and OpenSSL had it disabled by default since version 1.1.0 (2016).
- Removed support for engines. The no-engine build option and the OPENSSL_NO_ENGINE macro are always present.
- Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it, use the enable-tls-deprecated-ec configuration option.
- Removed c_rehash script tool. Use openssl rehash instead.
- Removed the deprecated msie-hack option from the openssl ca command.
- Removed BIO_f_reliable() implementation without replacement. It was broken since 3.0 release without any complaints.
- Removed deprecated functions ERR_get_state(), ERR_remove_state() and ERR_remove_thread_state(). The ERR_STATE object is now always opaque.
- Dropped darwin-i386{,-cc} and darwin-ppc{,64}{,-cc} targets from Configurations.
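
Tooling that compares key material by scraping printed hexadecimal output is affected by the first two changes above, because both the leading '00:' and the line width differ between versions. The following is an added example, not code from the OpenSSL Project: it normalises a dump to an integer before comparing. The function names and both sample dumps are constructed for illustration, and the 15-byte width of the old-style sample is an assumption.

```python
import re

# One line of a colon-separated hex dump; a trailing colon is allowed.
_HEX_LINE = re.compile(r"^\s*((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2}):?\s*$")

# Constructed samples of the same 18-byte value (not real key material).
# Old style: leading 00 because the first byte is >= 0x80; the 15-byte
# line width is an assumption made for this example.
OLD_STYLE = """
    00:c3:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:
    ee:ff:01:02
"""
# New style per the notes above: no leading 00, 16 bytes per line.
NEW_STYLE = """
    c3:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:
    01:02
"""


def parse_hex_dump(block: str) -> bytes:
    """Join a multi-line hex dump into bytes, whatever its line width."""
    out = bytearray()
    for line in block.splitlines():
        if not line.strip():
            continue
        m = _HEX_LINE.match(line)
        if m is None:
            raise ValueError(f"not a hex dump line: {line!r}")
        out += bytes.fromhex(m.group(1).replace(":", ""))
    return bytes(out)


def dump_as_int(block: str) -> int:
    """Read the dump as an unsigned big-endian integer.

    Converting to an integer makes a leading 00 padding byte irrelevant,
    so dumps written before and after the change compare equal.
    """
    data = parse_hex_dump(block)
    if not data:
        raise ValueError("empty hex dump")
    return int.from_bytes(data, "big")


def same_value(dump_a: str, dump_b: str) -> bool:
    """True when two dumps encode the same number, regardless of layout."""
    return dump_as_int(dump_a) == dump_as_int(dump_b)
```
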
This release adds the following new features:
- Support for Encrypted Client Hello (ECH, RFC 9849). See doc/designs/ech-api.md for details.
- Support for RFC 8998, signature algorithm sm2sig_sm3, key exchange group curveSM2, and [tls-hybrid-sm2-mlkem] post-quantum group curveSM2MLKEM768.
- cSHAKE function support as per SP 800-185.
- "ML-DSA-MU" digest algorithm support.
- Support for SNMP KDF and SRTP KDF.
- FIPS self tests can now be deferred and run as needed when installing the FIPS module with the -defer_tests option of the openssl fipsinstall command.
- Support for using either static or dynamic VC runtime linkage on Windows.
- Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.
You can download the Alpha release from our download page or from the GitHub release page.