OpenSSL, the cryptographic library protecting much of internet traffic, has just released version 4.0.0. This is no routine update but a structural change that rewrites established rules and removes years of obsolete code.

Protecting Your Browsing

The most significant change concerns data protection during web browsing. With native support for Encrypted Client Hello, or ECH, the way sensitive information is handled at the start of a secure connection changes fundamentally.

When you connect to a protected site, the domain name normally remains visible during the initial handshake, even though subsequent content is encrypted. This lets network observers see which sites you’re visiting. ECH solves this by encrypting that sensitive information from the start. It’s an evolution beyond the earlier ESNI attempt, with a more complete and reliable approach.

Code Cleanup

The release also performs important housekeeping on the codebase. Old and insecure protocols like SSLv3 disappear. While it was disabled by default back in 2016, it still existed in the code. Support for SSLv2 Client Hello is also removed.

Deprecated elliptic curves and the old engine system, long replaced by modern providers, are gone. For developers, several API function signatures have changed, so anyone running software built on OpenSSL will need to carefully verify compatibility before upgrading.

Encryption for the Future

For long-term security, version 4.0 introduces the post-quantum hybrid group curveSM2MLKEM768. This is a first step toward algorithms designed to resist the computing power of future quantum computers.

New key derivation functions arrive for SNMP and SRTP protocols, along with support for FFDHE key exchange negotiated in TLS 1.2. OpenSSL 4.0.0 will be supported through May 14, 2027.

Direct impact for end users is minimal, but for anyone managing servers or developing software that depends on this library, now is the time to plan the transition carefully.