OpenSSL 4.0 Released With Encrypted Client Hello and New Crypto Features

OpenSSL 4.0 has been officially released, introducing major security-focused enhancements, including Encrypted Client Hello support, new cryptographic algorithms, and the removal of legacy components to modernize the widely used TLS and cryptography library.

The new version marks a significant step forward for the OpenSSL project, bringing both new capabilities and structural changes. As detailed in the official release notes page, this update expands protocol support while also cleaning up outdated APIs and legacy functionality.

One of the most important additions in OpenSSL 4.0 is support for Encrypted Client Hello (ECH). This feature enhances privacy during TLS connections by encrypting the initial handshake data to prevent exposure of sensitive connection details such as the requested hostname.

The inclusion of ECH reflects a broader industry push toward stronger privacy protections at the protocol level. By encrypting more of the connection setup process, OpenSSL helps reduce visibility for intermediaries that could otherwise inspect or monitor early-stage communication data.
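To make concrete what an on-path monitor can read from a ClientHello with and without ECH, here is an added Python example; it is not code from OpenSSL or from this article. The hostnames and the ECH extension body are constructed placeholders, and the only real values used are the TLS extension code points for `server_name` (0x0000) and `encrypted_client_hello` (0xfe0d).

```python
import struct

EXT_SNI = 0x0000  # server_name extension
EXT_ECH = 0xFE0D  # encrypted_client_hello extension

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni, ech_body=None):
    """Constructed, minimal ClientHello handshake message (sample input only)."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type = host_name
    exts = _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    if ech_body is not None:
        exts += _ext(EXT_ECH, ech_body)  # opaque placeholder, not real ciphertext
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random (zeroed sample)
            + b"\x00"                    # empty legacy_session_id
            + b"\x00\x02\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def visible_fields(msg):
    """Return what a passive observer can read from a cleartext ClientHello."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(msg[1:4], "big")
    if end > len(msg):
        raise ValueError("truncated ClientHello")
    pos = 4 + 2 + 32                                  # header, version, random
    pos += 1 + msg[pos]                               # legacy_session_id
    pos += 2 + struct.unpack_from("!H", msg, pos)[0]  # cipher_suites
    pos += 1 + msg[pos]                               # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
    pos += 2
    seen = {"sni": None, "ech": False}
    while pos + 4 <= min(ext_end, end):
        ext_type, ext_len = struct.unpack_from("!HH", msg, pos)
        data = msg[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SNI and len(data) >= 5:
            name_len = struct.unpack_from("!H", data, 3)[0]
            seen["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == EXT_ECH:
            seen["ech"] = True                        # body is unreadable to observers
        pos += 4 + ext_len
    return seen
```

With ECH in use, the cleartext `server_name` holds only the public name published by the ECH provider, while the real hostname travels inside the encrypted extension, so hostname-based monitoring sees the public name plus the presence of extension 0xfe0d.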

Alongside this, the release introduces support for new key derivation functions, including SNMP KDF and SRTP KDF. These additions expand the library’s capabilities in handling secure communication scenarios across different protocols and use cases.

OpenSSL 4.0 also integrates additional cryptographic features, such as cSHAKE function support and new signature and key exchange mechanisms defined in recent standards. These updates ensure compatibility with evolving security requirements and modern cryptographic practices.

Another important aspect of this release is the introduction of new digest algorithm support and enhancements related to TLS key exchange. These changes contribute to stronger and more flexible encryption options for developers building secure applications.

At the same time, OpenSSL 4.0 removes several deprecated components. Older APIs, legacy SSL/TLS methods, and outdated platform targets have been dropped to simplify the codebase and improve maintainability.

This cleanup is part of an ongoing effort to modernize the library while reducing reliance on legacy behaviors that may no longer meet current security expectations. However, it also means that some older applications may require adjustments to remain compatible with the new version.

The release also brings updates to FIPS-related functionality. Self-tests can now be deferred and executed during installation when needed, offering more flexibility for environments that rely on FIPS compliance.

Overall, OpenSSL 4.0 represents a balance between innovation and simplification. It introduces meaningful new features while also removing outdated elements to ensure that the library remains relevant for modern secure communication needs.

With its expanded cryptographic capabilities and improved privacy features, OpenSSL 4.0 is expected to play a key role in future Linux and cross-platform security implementations.

Sabiha Sultana
Sabiha Sultana is a dedicated news writer covering the fast-paced Linux world. She combines deep technical expertise with a beginner-friendly approach, breaking down the latest open-source updates and distribution releases so everyone can easily stay informed and up to date.
