The LibreSSL project, a subproject closely tied to OpenBSD and an open-source implementation of the TLS protocol, has announced the release of LibreSSL 4.0, marking the first stable release of the 4.x branch.
For those unfamiliar with it, LibreSSL is the default TLS provider for OpenBSD, DragonFly BSD, and OpenSSH on Windows. Additionally, it is a selectable provider for FreeBSD, Gentoo Linux, OPNsense, and macOS.
This new version, available alongside the recently released OpenBSD 7.6, brings numerous enhancements, bug fixes, and notable changes to the codebase.
Among the major changes, LibreSSL 4.0 improves portability with initial support for Emscripten in CMake builds and removes support for the mips32 platform.
For Windows users, date compatibility has been extended beyond 2038, enhancing long-term usability.
Internally, the project has made significant cleanups, including simplifying X509 trust checks and removing outdated cipher implementations on legacy architectures.
Notably, many assembly functions have been removed from the public API and are now wrapped in C functions for better maintainability and transparency.
Regarding new features, LibreSSL has added a “CRLfile” option to the cms command within openssl, which specifies additional Certificate Revocation Lists (CRLs) to use during verification.
Moreover, substantial documentation updates have ensured that the material remains accurate and up to date.
The latest release also makes compatibility changes by completely removing support for deprecated protocols such as TLSv1.0 and TLSv1.1 and removing several insecure or outdated functions.
Support for Whirlpool has also been dropped, with developers urged to move to newer cryptographic options. Furthermore, several new tests have been implemented with updated certificates, and many old, less secure functions have been entirely removed to ensure the highest levels of compliance and safety.
LibreSSL 4.0 also includes a range of bug fixes. Improvements were made to RSA key exchanges, which are now implemented in constant time for better protection against timing attacks.
Additionally, fixes were introduced to improve compliance with standards regarding supported groups and key share extensions, reducing the risk of misconfigurations and security vulnerabilities.
For more details on all changes in LibreSSL 4.0, check out the announcement on OpenBSD’s mailing list.