openssl 4.0.0 rpms released

OpenSSL 4.0.0 RPMs have been released and added to all supported platforms: Alma Linux, Rocky Linux, Red Hat Enterprise Linux (RHEL) and Oracle Linux.

OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL. This release incorporates the following potentially significant or incompatible changes:

- Removed extra leading '00:' when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.
- Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.
- Lower bounds checks are now enforced when using `PKCS5_PBKDF2_HMAC` API with FIPS provider.
- Added AKID verification checks when `X509_V_FLAG_X509_STRICT` is set.
- Augmented CRL verification process with several additional checks.
- `libcrypto` no longer cleans up globally allocated data via `atexit()`.
- `BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal implementation.
- `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default.
- `ASN1_STRING` has been made opaque.
- Signatures of numerous API functions, including those that are related to X509 processing, are changed to include `const` qualifiers for argument and return types, where suitable.
- Deprecated `X509_cmp_time()`, `X509_cmp_current_time()`, and `X509_cmp_timeframe()` in favor of `X509_check_certificate_times()`.
- Removed support for the SSLv2 Client Hello.
- Removed support for SSLv3. SSLv3 has been deprecated since 2015, and OpenSSL had it disabled by default since version 1.1.0 (2016).
- Removed support for engines. The `no-engine` build option and the `OPENSSL_NO_ENGINE` macro are always present.
- Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it, use the `enable-tls-deprecated-ec` configuration option.
- Support of explicit EC curves was disabled at compile-time by default. To enable it, use the `enable-ec_explicit_curves` configuration option.
- Removed `c_rehash` script tool. Use `openssl rehash` instead.
- Removed the deprecated `msie-hack` option from the `openssl ca` command.
- Removed `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints.
- Removed deprecated support for custom `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, and `EVP_PKEY_ASN1` methods.
- Removed deprecated fixed SSL/TLS version method functions.
- Removed deprecated functions `ERR_get_state()`, `ERR_remove_state()` and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque.
- Dropped `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations.

This release adds the following new features:

- Support for Encrypted Client Hello (ECH, RFC 9849). See `doc/designs/ech-api.md` for details.
- Support for RFC 8998, signature algorithm `sm2sig_sm3`, key exchange group `curveSM2`, and tls-hybrid-sm2-mlkem post-quantum group `curveSM2MLKEM768`.
- cSHAKE function support as per SP 800-185.
- "ML-DSA-MU" digest algorithm support.
- Support for SNMP KDF and SRTP KDF.
- FIPS self tests can now be deferred and run as needed when installing the FIPS module with the `-defer_tests` option of the `openssl fipsinstall` command.
- Support for using either static or dynamic VC runtime linkage on Windows.
- Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.
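The first two changes above alter the text layout of printed key data, so scripts that compare or scrape that output as strings will see differences for identical keys. The following is an added example, not code from OpenSSL or from this package: it parses a colon-separated hex dump into a value that is the same with or without the leading `00:` and at any line width. The function names and both sample dumps are constructed for illustration.

```python
import re

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample: leading "00:" present, wrapped at 15 bytes per line.
OLD_STYLE = """\
    00:c3:5a:11:0f:9e:27:b4:68:d0:3c:71:a5:ee:02:
    49:8b:7d:16
"""

# Constructed sample: same value, no leading "00:", wrapped at 16 bytes.
NEW_STYLE = """\
    c3:5a:11:0f:9e:27:b4:68:d0:3c:71:a5:ee:02:49:8b:
    7d:16
"""


def parse_hex_dump(text: str) -> bytes:
    """Turn a wrapped, colon-separated hex dump into raw bytes.

    Line breaks, indentation and trailing colons are ignored, so the
    result does not depend on how many bytes were printed per line.
    """
    tokens = [t for t in re.split(r"[:\s]+", text.strip()) if t]
    if not tokens:
        raise ValueError("empty hex dump")
    for tok in tokens:
        if not _HEX_BYTE.match(tok):
            raise ValueError(f"not a hex byte: {tok!r}")
    return bytes(int(tok, 16) for tok in tokens)


def canonical_bytes(text: str) -> bytes:
    """Bytes of the value with any leading zero padding removed."""
    return parse_hex_dump(text).lstrip(b"\x00") or b"\x00"


def same_key_data(a: str, b: str) -> bool:
    """Compare two dumps by value instead of by printed text."""
    return canonical_bytes(a) == canonical_bytes(b)


if __name__ == "__main__":
    print("text identical :", OLD_STYLE == NEW_STYLE)
    print("value identical:", same_key_data(OLD_STYLE, NEW_STYLE))
```
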

The .so suffix changed from 81.3 to 81.4 (/usr/lib64/libcrypto.so.81.4.0.0, /usr/lib64/libcrypto.so.81.4 -> libcrypto.so.81.4.0.0, /usr/lib64/libssl.so.81.4.0.0, /usr/lib64/libssl.so.81.4 -> libssl.so.81.4.0.0).

We continue to build libs with QUIC support as a separate non-conflicting package openssl-quic-libs, with separate .so.81.4 suffixing to avoid conflicts with the official .so.X.
