OpenSSL 3.4 Series Release Notes

The major changes and known issues for the 3.4 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 3.4.2 and OpenSSL 3.4.3 [30 Sep 2025]

OpenSSL 3.4.3 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

• Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)

• Fix Timing side-channel in SM2 algorithm on 64 bit ARM. (CVE-2025-9231)

• Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)

Major changes between OpenSSL 3.4.1 and OpenSSL 3.4.2 [1 Jul 2025]

OpenSSL 3.4.2 is a bug fix release.

This release incorporates the following bug fixes and mitigations:

• Miscellaneous minor bug fixes.

Major changes between OpenSSL 3.4.0 and OpenSSL 3.4.1 [11 Feb 2025]

OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

• Fixed RFC7250 handshakes with unauthenticated servers don’t abort as expected. (CVE-2024-12797)

• Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

• Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics

• Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys

• The X25519 and X448 key exchange implementation in the FIPS provider is unapproved and has fips=no property.

• SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before.

• Setting config_diagnostics=1 in the config file will cause errors to be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error in the ssl module configuration.

• An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.

• Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t

This release adds the following new features:

• Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions

• FIPS indicators support in the FIPS provider and various updates of the FIPS provider required for future FIPS 140-3 validations

• Implementation of RFC 9579 (PBMAC1) in PKCS#12

• An optional additional random seed source RNG JITTER using a statically linked jitterentropy library

• New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps

• Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150

• Support for requesting CRL in CMP

• Support for additional X.509v3 extensions related to Attribute Certificates

• Initial Attribute Certificate (RFC 5755) support

• Possibility to customize ECC groups initialization to use precomputed values to save CPU time and use of this feature by the P-256 implementation