OpenSSL 4.0.0: Major Updates and Enhancements
AI Summary
OpenSSL 4.0.0 introduces a range of new features and significant changes, enhancing its functionality and security. Key updates include the removal of the extra leading '00:' in hexadecimal key data, standardized hexadecimal dump widths, and enforcement of lower-bound checks in the PKCS5_PBKDF2_HMAC API when using the FIPS provider. The release also adds Authority Key Identifier (AKID) verification checks and augmented CRL verification processes.
Several deprecated features have been removed, such as support for SSLv2 and SSLv3, engines, and certain elliptic curves in TLS. The c_rehash script tool has also been removed and replaced by 'openssl rehash', and functions like X509_cmp_time() are deprecated in favor of X509_check_certificate_times().
New features include support for Encrypted Client Hello (ECH) as per RFC 9849, and RFC 8998's signature algorithm sm2sig_sm3. The release also adds support for cSHAKE functions, the 'ML-DSA-MU' digest algorithm, and SNMP and SRTP KDFs. FIPS self-tests can now be deferred, and there's support for both static and dynamic VC runtime linkage on Windows.
These updates aim to improve OpenSSL's security, flexibility, and compliance with modern standards, making it a robust choice for developers seeking a comprehensive cryptographic library.
Key Concepts
Cryptographic standards are protocols and algorithms that ensure secure communication and data protection. They are essential for maintaining confidentiality, integrity, and authenticity in digital communications.
Security enhancements refer to improvements made to software or systems to protect against vulnerabilities and threats. These can include updates to protocols, removal of deprecated features, and the introduction of new security measures.
Category
Technology
Summarized by Mente