openssl 4.0.0 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, Red Hat Enterprise Linux RHEL, Oracle Linux).
OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL. This release incorporates the following potentially significant or incompatible changes:
– Removed extra leading ’00:’ when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80. – Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else. – Lower bounds checks are now enforced when using `PKCS5_PBKDF2_HMAC` API with FIPS provider. – Added AKID verification checks when `X509_V_FLAG_X509_STRICT` is set. – Augmented CRL verification process with several additional checks. – `libcrypto` no longer cleans up globally allocated data via `atexit()`. – `BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal implementation. – `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default. – `ASN1_STRING` has been made opaque. – Signatures of numerous API functions, including those that are related to X509 processing, are changed to include `const` qualifiers for argument and return types, where suitable. – Deprecated `X509_cmp_time()`, `X509_cmp_current_time()`, and `X509_cmp_timeframe()` in favor of `X509_check_certificate_times()`. – Removed support for the SSLv2 Client Hello. – Removed support for SSLv3. SSLv3 has been deprecated since 2015, and OpenSSL had it disabled by default since version 1.1.0 (2016). – Removed support for engines. The `no-engine` build option and the `OPENSSL_NO_ENGINE` macro are always present. – Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it, use the `enable-tls-deprecated-ec` configuration option. – Support of explicit EC curves was disabled at compile-time by default. To enable it, use the `enable-ec_explicit_curves` configuration option. – Removed `c_rehash` script tool. Use `openssl rehash` instead. – Removed the deprecated `msie-hack` option from the `openssl ca` command. – Removed `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints. – Removed deprecated support for custom `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, and `EVP_PKEY_ASN1` methods. – Removed deprecated fixed SSL/TLS version method functions. – Removed deprecated functions `ERR_get_state()`, `ERR_remove_state()` and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque. – Dropped `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations. This release adds the following new features: – Support for Encrypted Client Hello (ECH, RFC 9849). See `doc/designs/ech-api.md` for details. – Support for RFC 8998, signature algorithm `sm2sig_sm3`, key exchange group `curveSM2`, and tls-hybrid-sm2-mlkem post-quantum group `curveSM2MLKEM768`. – cSHAKE function support as per SP 800-185. – “ML-DSA-MU” digest algorithm support. – Support for SNMP KDF and SRTP KDF. – FIPS self tests can now be deferred and run as needed when installing the FIPS module with the `-defer_tests` option of the `openssl fipsinstall` command. – Support for using either static or dynamic VC runtime linkage on Windows. – Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919. RFC 8422: RFC 9849: RFC 8998: SP 800-185: RFC 7919:
.so Suffix changed from 81.3 to 81.4 (/usr/lib64/libcrypto.so.81.4.0.0, /usr/lib64/libcrypto.so.81.4 -> libcrypto.so.81.4.0.0, /usr/lib64/libssl.so.81.4.0.0, /usr/lib64/libssl.so.81.4 -> libssl.so.81.4.0.0).
We continue to build libs with QUIC support as a separate non-conflicting package openssl-quic-libs, with separate .so.81.4 suffixing to avoid conflicts with the official .so.X.