
OpenSSL 4.0 ends SSLv3, adds encrypted Client Hello and support for SNMP KDF & SRTP KDF
OpenSSL 4.0 arrives as a feature release with major changes to protocol support and security. Users gain enhanced privacy with the introduction of Encrypted Client Hello (ECH), conforming to RFC 9849 and raising protection for TLS connections. At the same time, support for SSLv3 and for the SSLv2 Client Hello is fully removed, finalizing a long deprecation process and strengthening compliance with modern standards.
Alongside these protocol changes, the ENGINE framework is eliminated: the engine-related build options and macros are now always present, and the architecture reflects this streamlined model. OpenSSL 4.0 also introduces new cryptographic options, including support for the SM2 and SM3 algorithms, post-quantum hybrid key exchange via SM2MLKEM768, and the ML-DSA-MU digest algorithm.
Following these feature additions, output and compatibility are refined: hexadecimal dumps are now more consistent and concise, omitting unnecessary leading bytes and enforcing specific width constraints for signatures and other data. Developers should also note the removal of several deprecated APIs, including the X509_cmp_time functions and engine-specific hooks, as well as the default disabling of some legacy elliptic-curve support at compile time.
Additional improvements include strengthened authority key identifier (AKID) and CRL verification in X.509 handling, and enforced lower bounds on password-based cryptography parameters in the FIPS module.
