OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed$$$in this release is High.$$$$$$This release incorporates the following bug fixes and mitigations:$$$$$$Fixed heap use-after-free in PKCS7_verify().$$$(CVE-2026-45447)$$$$$$Fixed CMS AuthEnvelopedData processing may accept forged messages.$$$(CVE-2026-34182)$$$$$$Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.$$$(CVE-2026-34183)$$$$$$Fixed double-free when checking OCSP stapled response.$$$(CVE-2026-35188)$$$$$$Fixed NULL pointer dereference in QUIC server initial packet handling.$$$(CVE-2026-42764)$$$$$$Fixed AES-OCB IV ignored on EVP_Cipher() path.$$$(CVE-2026-45445)$$$$$$Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.$$$(CVE-2026-7383)$$$$$$Fixed out-of-bounds read in CMS password-based decryption.$$$(CVE-2026-9076)$$$$$$Fixed heap buffer over-read in ASN.1 content parsing.$$$(CVE-2026-34180)$$$$$$Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.$$$(CVE-2026-34181)$$$$$$Fixed NULL dereference in certificate verification with OCSP Checking.$$$(CVE-2026-42765)$$$$$$Fixed possible NULL dereference in password-dased CMS decryption.$$$(CVE-2026-42766)$$$$$$Fixed NULL pointer dereference in CRMF EncryptedValue decryption.$$$(CVE-2026-42767)$$$$$$Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()$$$and PKCS7_decrypt().$$$(CVE-2026-42768)$$$$$$Fixed trust anchor substitution via cert/issuer typo in CMP$$$rootCaKeyUpdate.$$$(CVE-2026-42769)$$$$$$Fixed FFC-DH peer validation uses attacker-supplied q.$$$(CVE-2026-42770)$$$$$$Fixed possible out of bounds read in X509_VERIFY_PARAM_set1_email().$$$(CVE-2026-42771)$$$$$$Fixed incorrect tag processing for empty messages in AES-GCM-SIV$$$and AES-SIV modes.$$$(CVE-2026-45446)$$$$$$Fixed a regression introduced in 4.0.0 that led to a openssl pkey$$$command crash when it was invoked to encrypt a private key with password$$$being provided interactively.$$$$$$Fixed a regression introduced in 4.0.0 that led to openssl s_client -adv$$$command prematurely terminating a session when reading input of 16384 bytes$$$in one read() call.

OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Removed extra leading 00: when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.$$$Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.$$$Lower bounds checks are now enforced when using PKCS5_PBKDF2_HMAC API with FIPS provider.$$$Added AKID verification checks when X509_V_FLAG_X509_STRICT is set.$$$Augmented CRL verification process with several additional checks.$$$libcrypto no longer cleans up globally allocated data via atexit().$$$BIO_snprintf() now uses snprintf() provided by libc instead of internal implementation.$$$OPENSSL_cleanup() now runs in a global destructor; or not at all by default.$$$ASN1_STRING has been made opaque.$$$Signatures of numerous API functions; including those that are related to X509 processing; are changed to include const qualifiers for argument and return types; where suitable.$$$Deprecated X509_cmp_time(); X509_cmp_current_time(); and X509_cmp_timeframe() in favor of X509_check_certificate_times().$$$Removed support for the SSLv2 Client Hello.$$$Removed support for SSLv3. SSLv3 has been deprecated since 2015; and OpenSSL had it disabled by default since version 1.1.0 (2016).$$$Removed support for engines. The no-engine build option and the OPENSSL_NO_ENGINE macro are always present.$$$Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it; use the enable-tls-deprecated-ec configuration option.$$$Support of explicit EC curves was disabled at compile-time by default. To enable it; use the enable-ec_explicit_curves configuration option.$$$Removed c_rehash script tool. Use openssl rehash instead.$$$Removed the deprecated msie-hack option from the openssl ca command.$$$Removed BIO_f_reliable() implementation without replacement. It was broken since 3.0 release without any complaints.$$$Removed deprecated support for custom EVP_CIPHER; EVP_MD; EVP_PKEY; and EVP_PKEY_ASN1 methods.$$$Removed deprecated fixed SSL/TLS version method functions.$$$Removed deprecated functions ERR_get_state(); ERR_remove_state() and ERR_remove_thread_state(). The ERR_STATE object is now always opaque.$$$Dropped darwin-i386{;-cc} and darwin-ppc{;64}{;-cc} targets from Configurations.$$$$$$This release adds the following new features:$$$$$$Support for Encrypted Client Hello (ECH; RFC 9849). See doc/designs/ech-api.md for details.$$$Support for RFC 8998; signature algorithm sm2sig_sm3; key exchange group curveSM2; and [tls-hybrid-sm2-mlkem] post-quantum group curveSM2MLKEM768.$$$cSHAKE function support as per SP 800-185.$$$ML-DSA-MU digest algorithm support.$$$Support for SNMP KDF and SRTP KDF.$$$FIPS self tests can now be deferred and run as needed when installing the FIPS module with the -defer_tests option of the openssl fipsinstall command.$$$Support for using either static or dynamic VC runtime linkage on Windows.$$$Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.

OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Removed extra leading 00: when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.$$$Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.$$$Lower bounds checks are now enforced when using PKCS5_PBKDF2_HMAC API with FIPS provider.$$$Added AKID verification checks when X509_V_FLAG_X509_STRICT is set.$$$Augmented CRL verification process with several additional checks.$$$libcrypto no longer cleans up globally allocated data via atexit().$$$BIO_snprintf() now uses snprintf() provided by libc instead of internal implementation.$$$OPENSSL_cleanup() now runs in a global destructor; or not at all by default.$$$ASN1_STRING has been made opaque.$$$Signatures of numerous API functions; including those that are related to X509 processing; are changed to include const qualifiers for argument and return types; where suitable.$$$Deprecated X509_cmp_time(); X509_cmp_current_time(); and X509_cmp_timeframe() in favor of X509_check_certificate_times().$$$Removed support for the SSLv2 Client Hello.$$$Removed support for SSLv3. SSLv3 has been deprecated since 2015; and OpenSSL had it disabled by default since version 1.1.0 (2016).$$$Removed support for engines. The no-engine build option and the OPENSSL_NO_ENGINE macro are always present.$$$Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it; use the enable-tls-deprecated-ec configuration option.$$$Support of explicit EC curves was disabled at compile-time by default. To enable it; use the enable-ec_explicit_curves configuration option.$$$Removed c_rehash script tool. Use openssl rehash instead.$$$Removed the deprecated msie-hack option from the openssl ca command.$$$Removed BIO_f_reliable() implementation without replacement. It was broken since 3.0 release without any complaints.$$$Removed deprecated support for custom EVP_CIPHER; EVP_MD; EVP_PKEY; and EVP_PKEY_ASN1 methods.$$$Removed deprecated fixed SSL/TLS version method functions.$$$Removed deprecated functions ERR_get_state(); ERR_remove_state() and ERR_remove_thread_state(). The ERR_STATE object is now always opaque.$$$Dropped darwin-i386{;-cc} and darwin-ppc{;64}{;-cc} targets from Configurations.$$$$$$This release adds the following new features:$$$$$$Support for Encrypted Client Hello (ECH; RFC 9849). See doc/designs/ech-api.md for details.$$$Support for RFC 8998; signature algorithm sm2sig_sm3; key exchange group curveSM2; and [tls-hybrid-sm2-mlkem] post-quantum group curveSM2MLKEM768.$$$cSHAKE function support as per SP 800-185.$$$ML-DSA-MU digest algorithm support.$$$Support for SNMP KDF and SRTP KDF.$$$FIPS self tests can now be deferred and run as needed when installing the FIPS module with the -defer_tests option of the openssl fipsinstall command.$$$Support for using either static or dynamic VC runtime linkage on Windows.$$$Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.

OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Removed extra leading 00: when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.$$$Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.$$$Lower bounds checks are now enforced when using PKCS5_PBKDF2_HMAC API with FIPS provider.$$$Added AKID verification checks when X509_V_FLAG_X509_STRICT is set.$$$Augmented CRL verification process with several additional checks.$$$libcrypto no longer cleans up globally allocated data via atexit().$$$BIO_snprintf() now uses snprintf() provided by libc instead of internal implementation.$$$OPENSSL_cleanup() now runs in a global destructor; or not at all by default.$$$ASN1_STRING has been made opaque.$$$Signatures of numerous API functions; including those that are related to X509 processing; are changed to include const qualifiers for argument and return types; where suitable.$$$Deprecated X509_cmp_time(); X509_cmp_current_time(); and X509_cmp_timeframe() in favor of X509_check_certificate_times().$$$Removed support for the SSLv2 Client Hello.$$$Removed support for SSLv3. SSLv3 has been deprecated since 2015; and OpenSSL had it disabled by default since version 1.1.0 (2016).$$$Removed support for engines. The no-engine build option and the OPENSSL_NO_ENGINE macro are always present.$$$Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it; use the enable-tls-deprecated-ec configuration option.$$$Support of explicit EC curves was disabled at compile-time by default. To enable it; use the enable-ec_explicit_curves configuration option.$$$Removed c_rehash script tool. Use openssl rehash instead.$$$Removed the deprecated msie-hack option from the openssl ca command.$$$Removed BIO_f_reliable() implementation without replacement. It was broken since 3.0 release without any complaints.$$$Removed deprecated support for custom EVP_CIPHER; EVP_MD; EVP_PKEY; and EVP_PKEY_ASN1 methods.$$$Removed deprecated fixed SSL/TLS version method functions.$$$Removed deprecated functions ERR_get_state(); ERR_remove_state() and ERR_remove_thread_state(). The ERR_STATE object is now always opaque.$$$Dropped darwin-i386{;-cc} and darwin-ppc{;64}{;-cc} targets from Configurations.$$$$$$This release adds the following new features:$$$$$$Support for Encrypted Client Hello (ECH; RFC 9849). See doc/designs/ech-api.md for details.$$$Support for RFC 8998; signature algorithm sm2sig_sm3; key exchange group curveSM2; and [tls-hybrid-sm2-mlkem] post-quantum group curveSM2MLKEM768.$$$cSHAKE function support as per SP 800-185.$$$ML-DSA-MU digest algorithm support.$$$Support for SNMP KDF and SRTP KDF.$$$FIPS self tests can now be deferred and run as needed when installing the FIPS module with the -defer_tests option of the openssl fipsinstall command.$$$Support for using either static or dynamic VC runtime linkage on Windows.$$$Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.

Changes between 3.6.0 and 3.6.1 [27 Jan 2026]$$$Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.$$$$$$Severity: Moderate$$$$$$Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow; invalid pointer or NULL pointer dereference during MAC verification.$$$$$$Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.$$$$$$Reported by: Stanislav Fort (Aisle Research) and Petr Šimecek (Aisle Research) and Hamza (Metadust)$$$$$$(CVE-2025-11187)$$$$$$Tomáš Mráz$$$$$$Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.$$$$$$Severity: High$$$$$$Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.$$$$$$Impact summary: A stack buffer overflow may lead to a crash; causing Denial of Service; or potentially remote code execution.$$$$$$Reported by: Stanislav Fort (Aisle Research)$$$$$$(CVE-2025-15467)$$$$$$Igor Ustinov$$$$$$Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.$$$$$$Severity: Low$$$$$$Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer; a NULL dereference occurs.$$$$$$Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.$$$$$$Reported by: Stanislav Fort (Aisle Research)$$$$$$(CVE-2025-15468)$$$$$$Stanislav Fort$$$$$$Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.$$$$$$Severity: Low$$$$$$Issue summary: The openssl dgst command-line tool silently truncates input data to 16 MiB when using one-shot signing algorithms and reports success instead of an error.$$$$$$Impact summary: A user signing or verifying files larger than 16 MiB with one-shot algorithms (such as Ed25519; Ed448; or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16 MiB remains unauthenticated.$$$$$$Reported by: Stanislav Fort (Aisle Research)$$$$$$(CVE-2025-15469)$$$$$$Viktor Dukhovni

Changes between 3.6.0 and 3.6.1 [27 Jan 2026]$$$Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.$$$$$$Severity: Moderate$$$$$$Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow; invalid pointer or NULL pointer dereference during MAC verification.$$$$$$Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.$$$$$$Reported by: Stanislav Fort (Aisle Research) and Petr Šimecek (Aisle Research) and Hamza (Metadust)$$$$$$(CVE-2025-11187)$$$$$$Tomáš Mráz$$$$$$Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.$$$$$$Severity: High$$$$$$Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.$$$$$$Impact summary: A stack buffer overflow may lead to a crash; causing Denial of Service; or potentially remote code execution.$$$$$$Reported by: Stanislav Fort (Aisle Research)$$$$$$(CVE-2025-15467)$$$$$$Igor Ustinov$$$$$$Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.$$$$$$Severity: Low$$$$$$Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer; a NULL dereference occurs.$$$$$$Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.$$$$$$Reported by: Stanislav Fort (Aisle Research)$$$$$$(CVE-2025-15468)$$$$$$Stanislav Fort$$$$$$Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.$$$$$$Severity: Low$$$$$$Issue summary: The openssl dgst command-line tool silently truncates input data to 16 MiB when using one-shot signing algorithms and reports success instead of an error.$$$$$$Impact summary: A user signing or verifying files larger than 16 MiB with one-shot algorithms (such as Ed25519; Ed448; or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16 MiB remains unauthenticated.$$$$$$Reported by: Stanislav Fort (Aisle Research)$$$$$$(CVE-2025-15469)$$$$$$Viktor Dukhovni

Changes between 3.5 and 3.6.0 [1 Oct 2025]$$$Added support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(); EVP_KDF_derive_SKEY(); and EVP_PKEY_derive_SKEY() functions.$$$$$$Added PCT for key import for SLH-DSA when in FIPS mode.$$$$$$Added i2d_PKCS8PrivateKey(3) API to complement i2d_PrivateKey(3); the former always outputs PKCS#8.$$$$$$Implemented interleaved AES-CBC+HMAC-SHA algorithm on AArch64.$$$$$$Added NIST security categories for PKEY objects.$$$$$$Added notification when all stream FINs are acknowledged in QUIC. Introduced ossl_quic_channel_notify_flush_done() so that once final FINs are ACKed; the channel transitions to terminating and SSL_poll() signals completion. This allows applications to progress shutdown reliably.$$$$$$Added array memory allocation routines and converted suitable memory allocation calls in the library to them.$$$$$$Fixed behavior change of EC keygen by adding the generic error entry if the provider did not itself add an error entry onto the queue. That way; there always is an error on the error queue in case of a failure; but no behavior change in case the provider emitted the error entry itself.$$$$$$Documented all the environment variables used across the project in openssl-env(7) and in specific man pages.$$$$$$Added SHA-2 assembly implementation enhancing performance for LoongArch. Added optimized SM3; MD5; SHA-256; SHA-512 implementation using Zbb extension for RISC-V.$$$$$$Added options CRYPTO_MEM_SEC and CRYPTO_MEM_SEC_MINSIZE to openssl app to initialize secure memory at the beginning of openssl app.$$$$$$Resolved compiler warnings on Win64 builds.$$$$$$Extended new CRYPTO_THREAD_[get|set]_local API to reduce the usage of OS thread-local variables.$$$$$$Added make targets build_inst_sw and build_inst_programs which have the functionality to split the build into two parts; e.g. when tests should be built with different compiler flags than the installed software.$$$$$$Refactored OSSL_PARAM name parsing so that automatically generated parsers are used instead of OSSL_PARAM_locate() calls. This should also ensure that the list of acceptable parameters better matches those which are actually processed. It should also provide a small performance improvement; because repeated iteration over passed parameter arrays is avoided.$$$$$$Introduced SSL_OP_SERVER_PREFERENCE; superseding misleadingly named SSL_OP_CIPHER_SERVER_PREFERENCE.$$$$$$Added LMS signature verification support as per SP 800-208. This support is present in both the FIPS and default providers.$$$$$$Introduced use of <stdbool.h> when handling JSON encoding in the OpenSSL codebase; replacing the previous use of int for these boolean values.$$$$$$An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code should be built using compilers supporting C-99 features.$$$$$$Support for the VxWorks platforms has been removed. These platforms were unadopted; unmaintained and reported to be non-functional.$$$$$$Relaxed the path check in OpenSSLs file: scheme implementation for OSSL_STORE. Previously; when the file: scheme is an explicit part of the URI; our implementation required an absolute path; such as file:/path/to/file.pem. This requirement is now relaxed; allowing file:path/to/file.pem; as well as file:file.pem.$$$$$$Changed openssl-pkey(1) to match the documentation when private keys are output in DER format (-outform DER) by producing the PKCS#8 form by default. Previously; this would output the traditional form for those older key types (DSA; RSA; ECDSA) that had such a form. The -traditional flag has been extended to support explicit requests to output that format in DER format (it was previously PEM-only).$$$$$$Added an openssl configutl utility for processing the OpenSSL configuration file and dumping the equal configuration file.$$$$$$Added support for setting a free function thunk to OPENSSL_sk stack types. Using a thunk allows the type specific free function to be called with

Changes between 3.5 and 3.6.0 [1 Oct 2025]$$$Added support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(); EVP_KDF_derive_SKEY(); and EVP_PKEY_derive_SKEY() functions.$$$$$$Added PCT for key import for SLH-DSA when in FIPS mode.$$$$$$Added i2d_PKCS8PrivateKey(3) API to complement i2d_PrivateKey(3); the former always outputs PKCS#8.$$$$$$Implemented interleaved AES-CBC+HMAC-SHA algorithm on AArch64.$$$$$$Added NIST security categories for PKEY objects.$$$$$$Added notification when all stream FINs are acknowledged in QUIC. Introduced ossl_quic_channel_notify_flush_done() so that once final FINs are ACKed; the channel transitions to terminating and SSL_poll() signals completion. This allows applications to progress shutdown reliably.$$$$$$Added array memory allocation routines and converted suitable memory allocation calls in the library to them.$$$$$$Fixed behavior change of EC keygen by adding the generic error entry if the provider did not itself add an error entry onto the queue. That way; there always is an error on the error queue in case of a failure; but no behavior change in case the provider emitted the error entry itself.$$$$$$Documented all the environment variables used across the project in openssl-env(7) and in specific man pages.$$$$$$Added SHA-2 assembly implementation enhancing performance for LoongArch. Added optimized SM3; MD5; SHA-256; SHA-512 implementation using Zbb extension for RISC-V.$$$$$$Added options CRYPTO_MEM_SEC and CRYPTO_MEM_SEC_MINSIZE to openssl app to initialize secure memory at the beginning of openssl app.$$$$$$Resolved compiler warnings on Win64 builds.$$$$$$Extended new CRYPTO_THREAD_[get|set]_local API to reduce the usage of OS thread-local variables.$$$$$$Added make targets build_inst_sw and build_inst_programs which have the functionality to split the build into two parts; e.g. when tests should be built with different compiler flags than the installed software.$$$$$$Refactored OSSL_PARAM name parsing so that automatically generated parsers are used instead of OSSL_PARAM_locate() calls. This should also ensure that the list of acceptable parameters better matches those which are actually processed. It should also provide a small performance improvement; because repeated iteration over passed parameter arrays is avoided.$$$$$$Introduced SSL_OP_SERVER_PREFERENCE; superseding misleadingly named SSL_OP_CIPHER_SERVER_PREFERENCE.$$$$$$Added LMS signature verification support as per SP 800-208. This support is present in both the FIPS and default providers.$$$$$$Introduced use of <stdbool.h> when handling JSON encoding in the OpenSSL codebase; replacing the previous use of int for these boolean values.$$$$$$An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code should be built using compilers supporting C-99 features.$$$$$$Support for the VxWorks platforms has been removed. These platforms were unadopted; unmaintained and reported to be non-functional.$$$$$$Relaxed the path check in OpenSSLs file: scheme implementation for OSSL_STORE. Previously; when the file: scheme is an explicit part of the URI; our implementation required an absolute path; such as file:/path/to/file.pem. This requirement is now relaxed; allowing file:path/to/file.pem; as well as file:file.pem.$$$$$$Changed openssl-pkey(1) to match the documentation when private keys are output in DER format (-outform DER) by producing the PKCS#8 form by default. Previously; this would output the traditional form for those older key types (DSA; RSA; ECDSA) that had such a form. The -traditional flag has been extended to support explicit requests to output that format in DER format (it was previously PEM-only).$$$$$$Added an openssl configutl utility for processing the OpenSSL configuration file and dumping the equal configuration file.$$$$$$Added support for setting a free function thunk to OPENSSL_sk stack types. Using a thunk allows the type specific free function to be called with

Changes between 3.5 and 3.6.0 [1 Oct 2025]$$$Added support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(); EVP_KDF_derive_SKEY(); and EVP_PKEY_derive_SKEY() functions.$$$$$$Added PCT for key import for SLH-DSA when in FIPS mode.$$$$$$Added i2d_PKCS8PrivateKey(3) API to complement i2d_PrivateKey(3); the former always outputs PKCS#8.$$$$$$Implemented interleaved AES-CBC+HMAC-SHA algorithm on AArch64.$$$$$$Added NIST security categories for PKEY objects.$$$$$$Added notification when all stream FINs are acknowledged in QUIC. Introduced ossl_quic_channel_notify_flush_done() so that once final FINs are ACKed; the channel transitions to terminating and SSL_poll() signals completion. This allows applications to progress shutdown reliably.$$$$$$Added array memory allocation routines and converted suitable memory allocation calls in the library to them.$$$$$$Fixed behavior change of EC keygen by adding the generic error entry if the provider did not itself add an error entry onto the queue. That way; there always is an error on the error queue in case of a failure; but no behavior change in case the provider emitted the error entry itself.$$$$$$Documented all the environment variables used across the project in openssl-env(7) and in specific man pages.$$$$$$Added SHA-2 assembly implementation enhancing performance for LoongArch. Added optimized SM3; MD5; SHA-256; SHA-512 implementation using Zbb extension for RISC-V.$$$$$$Added options CRYPTO_MEM_SEC and CRYPTO_MEM_SEC_MINSIZE to openssl app to initialize secure memory at the beginning of openssl app.$$$$$$Resolved compiler warnings on Win64 builds.$$$$$$Extended new CRYPTO_THREAD_[get|set]_local API to reduce the usage of OS thread-local variables.$$$$$$Added make targets build_inst_sw and build_inst_programs which have the functionality to split the build into two parts; e.g. when tests should be built with different compiler flags than the installed software.$$$$$$Refactored OSSL_PARAM name parsing so that automatically generated parsers are used instead of OSSL_PARAM_locate() calls. This should also ensure that the list of acceptable parameters better matches those which are actually processed. It should also provide a small performance improvement; because repeated iteration over passed parameter arrays is avoided.$$$$$$Introduced SSL_OP_SERVER_PREFERENCE; superseding misleadingly named SSL_OP_CIPHER_SERVER_PREFERENCE.$$$$$$Added LMS signature verification support as per SP 800-208. This support is present in both the FIPS and default providers.$$$$$$Introduced use of <stdbool.h> when handling JSON encoding in the OpenSSL codebase; replacing the previous use of int for these boolean values.$$$$$$An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code should be built using compilers supporting C-99 features.$$$$$$Support for the VxWorks platforms has been removed. These platforms were unadopted; unmaintained and reported to be non-functional.$$$$$$Relaxed the path check in OpenSSLs file: scheme implementation for OSSL_STORE. Previously; when the file: scheme is an explicit part of the URI; our implementation required an absolute path; such as file:/path/to/file.pem. This requirement is now relaxed; allowing file:path/to/file.pem; as well as file:file.pem.$$$$$$Changed openssl-pkey(1) to match the documentation when private keys are output in DER format (-outform DER) by producing the PKCS#8 form by default. Previously; this would output the traditional form for those older key types (DSA; RSA; ECDSA) that had such a form. The -traditional flag has been extended to support explicit requests to output that format in DER format (it was previously PEM-only).$$$$$$Added an openssl configutl utility for processing the OpenSSL configuration file and dumping the equal configuration file.$$$$$$Added support for setting a free function thunk to OPENSSL_sk stack types. Using a thunk allows the type specific free function to be called with

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]$$$OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics$$$$$$Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]$$$OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics$$$$$$Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]$$$OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics$$$$$$Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]$$$OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics$$$$$$Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]$$$OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics$$$$$$Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]$$$OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.$$$$$$This release incorporates the following potentially significant or incompatible changes:$$$$$$Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics$$$$$$Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

Changes between 3.5.3 and 3.5.4 [30 Sep 2025]$$$Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap$$$$$$Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.$$$$$$Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.$$$$$$The issue was reported by Stanislav Fort (Aisle Research).$$$$$$(CVE-2025-9230)$$$$$$Viktor Dukhovni$$$$$$Fix Timing side-channel in SM2 algorithm on 64 bit ARM$$$$$$Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.$$$$$$Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.$$$$$$The issue was reported by Stanislav Fort (Aisle Research).$$$$$$(CVE-2025-9231)