The OpenSSL Library now supports Encrypted Client Hello (ECH)
specified in RFC 9849,
which was published this month. Applications that implement this
standard will be able to encrypt sensitive information that is
currently transmitted in plaintext in the TLS 1.3 handshake. In
particular, ECH can protect the client’s target server name from being
revealed to third parties.
The OPENSSL_cleanup() function is no longer registered to be called
upon the termination of the process. This means the OpenSSL Library
does not free its resources automatically, and the operating system
reclaims them when an application exits.
For most users, this will have no impact since the memory is freed one
way or the other.
The OpenSSL Project is announcing the upcoming release of OpenSSL 4.0 Alpha,
scheduled for March 10, 2026. As a result, the repository will be frozen before the release on February 24, 2026.
For a complete list of deprecated functions removed in OpenSSL 4.0,
please see the ossl-removed-api documentation. The removals are
divided into the following pull requests:
Custom cipher methods (EVP_CIPHER_meth_*) were removed in PR #29299.
Custom message digest methods (EVP_MD_meth_*) were removed in PR #29366.
Custom private key methods (EVP_PKEY_meth_*) were removed in PR #29384.
Custom private key Abstract Syntax Notation One methods (EVP_PKEY_asn1_*) were removed in PR #29405. (These functions were deprecated in OpenSSL 3.6.)
Instead of using these methods, developers are encouraged to use the
provider framework.
OpenSSL 4.0, to be released in April 2026, is the first major
release since 3.0, which replaced the ENGINE interface with
Providers. Removing ENGINEs is a primary goal of this major release,
and this post describes the change agreed to by both the OpenSSL
Corporation and OpenSSL Foundation.
Summary
All symbols defined in openssl/engine.h have been removed from the
shared library in OpenSSL 4.0. Applications that use the ENGINE API
will fail to compile using the default build settings. This behavior
matches what happens in previous versions when OpenSSL is built with
the no-engine configuration option. Up-to-date applications should not
include openssl/engine.h at all.
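To check a code base ahead of the upgrade, the following added example (not OpenSSL project code) scans C/C++ source text for the removed method families listed above and for includes of openssl/engine.h. The regexes, function names and sample snippet are assumptions of this example.

```python
import re
from pathlib import Path

# Removed API families as named on this page; the regexes are this example's own.
REMOVED = {
    "EVP_CIPHER_meth_*": re.compile(r"\bEVP_CIPHER_meth_\w+"),
    "EVP_MD_meth_*": re.compile(r"\bEVP_MD_meth_\w+"),
    "EVP_PKEY_meth_*": re.compile(r"\bEVP_PKEY_meth_\w+"),
    "EVP_PKEY_asn1_*": re.compile(r"\bEVP_PKEY_asn1_\w+"),
    "openssl/engine.h": re.compile(r'#\s*include\s*[<"]openssl/engine\.h[>"]'),
}
_BLOCK = re.compile(r"/\*.*?\*/", re.S)
_LINE = re.compile(r"//[^\n]*")

def strip_comments(src):
    """Drop C comments (heuristic: ignores string literals), keeping line numbers."""
    src = _BLOCK.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    return _LINE.sub("", src)

def scan_text(src):
    """Return (line_no, family, matched_text) for each removed-API use."""
    hits = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for family, rx in REMOVED.items():
            hits += [(no, family, m.group(0)) for m in rx.finditer(line)]
    return hits

def scan_tree(root, exts=(".c", ".h", ".cc", ".cpp")):
    """Map each source file under root to its hits; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
#include <openssl/engine.h>
/* EVP_MD_meth_new was used here
   before the provider port */
EVP_MD *md = EVP_MD_meth_new(NID_undef, NID_undef);
// EVP_CIPHER_meth_free(old);
'''

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Mentions inside comments are ignored, so only code that would actually fail to build is reported.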
The OpenSSL Library would like to modernise and streamline its development processes, especially to ensure effective code review and to make the project easier to contribute to.
As part of this effort, we will be making some changes to our coding style guidelines and adopting the WebKit C coding style as enforced by clang-format. We will transition to using clang-format to check pre-submissions and ensure code follows the format portions of the style guide before PRs are reviewed.