OpenSSL 4.0 Released: Enhancing Privacy with Encrypted Client Hello

The landscape of internet security underwent a seismic shift on April 14, 2026, with the official release of OpenSSL 4.0. As the premier cryptographic library powering a vast majority of the world’s web servers, secure communications, and embedded systems, this update is far more than a routine maintenance release. It represents a fundamental recalibration of the baseline for privacy, performance, and quantum-readiness.

For security professionals, systems architects, and developers, OpenSSL 4.0 is the signal to begin a critical migration phase. By introducing native, robust support for Encrypted Client Hello (ECH) and solidifying foundations for a post-quantum future, this version effectively retires legacy practices that have long hindered the industry’s ability to defend against modern surveillance and future compute threats.

The Privacy Milestone: Encrypted Client Hello (ECH) Integration

The most transformative addition in OpenSSL 4.0 is the native implementation of Encrypted Client Hello (ECH). For years, the TLS handshake (the exchange by which a client and server establish an encrypted connection) has had a glaring privacy weakness: the plaintext Server Name Indication (SNI). In the initial Client Hello message, the client announces the domain name it wants to reach in cleartext. That one field lets Internet Service Providers (ISPs), network operators, and any on-path observer log exactly which sites a user visits, even though everything after the handshake is encrypted.

ECH, specified under the finalized standard in RFC 9849, solves this “SNI leakage” problem by encrypting the handshake’s critical metadata. The process functions by splitting the Client Hello into two segments:

  • The Outer Client Hello: Carries only non-sensitive metadata such as version information, cipher suites, and an outer SNI that names the client-facing (public) server rather than the real destination; the network can see it, but it does not identify the specific site.
  • The Inner Client Hello: Encrypted with a public key the client retrieves via DNS (ideally over a secure channel such as DoH, DNS over HTTPS); it carries the actual destination domain and is readable only by the intended server.
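As an added example (not code from the article or from OpenSSL), the following Python script shows what an on-path observer can parse out of a ClientHello record: it builds a constructed sample ClientHello with and without an ECH extension and extracts the plaintext SNI. The extension codepoint 0xfe0d is the value used by the ECH drafts and is assumed here; the ECH payload is a dummy placeholder rather than a real HPKE ciphertext.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xfe0d   # encrypted_client_hello codepoint from the ECH drafts (assumed here)

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n

def _vec(buf, pos, width):  # length-prefixed vector with a `width`-byte length field
    raw, pos = _take(buf, pos, width)
    return _take(buf, pos, int.from_bytes(raw, "big"))

def build_client_hello(server_name, with_ech):
    """Constructed sample TLS record; the random bytes and ECH payload are dummies."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    if with_ech:  # a real ECH extension carries the HPKE-encrypted inner ClientHello
        exts += struct.pack("!HH", ECH_EXT, 16) + b"\x00" * 16
    hs = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hs += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs                 # handshake type + length
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body       # record header

def observe_client_hello(record):
    """What a passive observer can read: the plaintext SNI (with ECH only the outer public_name) and whether ECH is present."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body, _ = _take(record, 5, struct.unpack("!H", record[3:5])[0])
    hs, _ = _take(body, 4, int.from_bytes(body[1:4], "big"))
    _, pos = _vec(hs, 34, 1)       # skip legacy_version(2) + random(32), then session_id
    _, pos = _vec(hs, pos, 2)      # cipher_suites
    _, pos = _vec(hs, pos, 1)      # compression_methods
    exts, _ = _vec(hs, pos, 2)
    seen, pos = {"sni": None, "ech": False}, 0
    while pos < len(exts):
        hdr, pos = _take(exts, pos, 4)
        etype, elen = struct.unpack("!HH", hdr)
        data, pos = _take(exts, pos, elen)
        if etype == SNI_EXT:
            names, _ = _vec(data, 0, 2)
            if names[:1] == b"\x00":               # name_type host_name
                host, _ = _vec(names, 1, 2)
                seen["sni"] = host.decode("ascii", "replace")
        elif etype == ECH_EXT:
            seen["ech"] = True
    seen["destination_visible"] = seen["sni"] is not None and not seen["ech"]
    return seen
```

Run `observe_client_hello(build_client_hello("public.example.net", True))` to see that the only name on the wire is the outer public name and that the ECH flag is set; a truncated record raises ValueError instead of returning partial data.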

By effectively blinding network observers to the destination, OpenSSL 4.0 closes the final significant gap in cleartext visibility during connection establishment. This is not merely an incremental improvement; it is a defensive wall against traffic analysis and metadata surveillance, forcing a major shift in how network filtering and compliance systems must handle encrypted traffic.

Preparing for the Quantum Frontier: RFC 8998 and Post-Quantum Cryptography

Beyond privacy, OpenSSL 4.0 is built for longevity in an era threatened by the impending arrival of cryptographically relevant quantum computers. The update brings rigorous support for Post-Quantum Cryptography (PQC), ensuring that current data remains protected against “harvest now, decrypt later” strategies.

The release integrates support for RFC 8998, which provides the framework for enhanced cryptographic agility. Key additions include:

  • Hybrid Key Exchange: Support for the `tls-hybrid-sm2-mlkem` post-quantum group (curveSM2MLKEM768), combining traditional elliptic curve mechanisms with quantum-resistant key encapsulation.
  • Advanced Algorithms: Implementation of the ML-DSA-MU digest algorithm and standardized cSHAKE function support (as per SP 800-185) for flexible, robust hashing.
  • Protocol Modernization: Integration of sm2sig_sm3 for signatures and curveSM2 for key exchange, providing developers with the primitives needed to harden systems against both classical and quantum-era adversaries.

This commitment to future-proofing demonstrates that the OpenSSL project is proactively moving to prevent the obsolescence of current security standards, encouraging organizations to adopt these hybrid mechanisms before quantum capabilities reach maturity.

Aggressive Cleanup: Retiring the Legacy Era

With OpenSSL 4.0, the project has executed a long-overdue housecleaning. The shift to a new major version has provided the necessary mandate to discard “technical debt” that has plagued the library for over a decade. The removal of these outdated components is intended to reduce the attack surface and simplify the codebase for long-term maintenance.

The most notable removals and deprecations include:

  • SSLv3 Removal: Secure Sockets Layer version 3.0, already long deprecated, has been completely purged from the codebase. It had been disabled by default since 2016, but its complete removal eliminates any remaining risk of downgrade attacks relying on this legacy protocol.
  • SSLv2 Client Hello: The support for the legacy SSLv2-compatible Client Hello handshake—a relic used to allow backward compatibility for older clients—has been removed, forcing clients to adhere to modern TLS 1.2 and 1.3 standards.
  • Engine Architecture: The legacy OpenSSL “Engine” framework, which historically allowed for custom cryptographic modules, has been removed. Users are now required to utilize the more modern, flexible Provider architecture introduced in version 3.0.
  • Hardware Target Pruning: To streamline testing and improve stability, the release dropped support for older targets, including the darwin-i386 and powerpc/ppc64 architectures.

Additionally, the library has undergone significant API refinements. ASN1_STRING has been made opaque to prevent direct manipulation, and the cleanup mechanism—previously reliant on atexit()—has been modernized to use global destructors, ensuring safer integration in complex, multithreaded applications.

Strategic Guidance for Security Professionals

The release of OpenSSL 4.0 is not a passive update; it is an active transition. For many organizations, particularly those in regulated sectors, this update may present significant compatibility challenges. The removal of the engine API and the transition to a more strictly defined provider model will require auditing existing implementations of custom cryptographic hardware or software integrations.

Security teams should prioritize the following actions:

  1. Audit Existing Dependencies: Assess all applications currently linked against legacy OpenSSL versions. Identify usage of deprecated SSLv3 or legacy handshake configurations that will fail under the 4.0 build.
  2. Validate ECH Readiness: Since ECH relies on DNS infrastructure, ensure that internal DNS-over-HTTPS (DoH) services are configured and capable of providing the necessary keys for ECH negotiation.
  3. Begin PQC Pilot Programs: Use the 4.0 release to initiate testing of the `tls-hybrid-sm2-mlkem` and other PQC features in non-production environments to establish performance baselines and ensure handshake compatibility.
  4. Plan for Engine-to-Provider Migration: If legacy engine-based configurations exist, begin porting these to the OpenSSL Provider architecture. This is a non-trivial task that must be planned well in advance of production deployment.
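One way to start the dependency audit in step 1 and the engine inventory in step 4, as an added example rather than anything shipped by OpenSSL or the article: a small Python scanner that flags SSLv3 protocol directives in nginx and Apache configuration, engine keys in openssl.cnf, and Engine API or SSLv3 method calls in C source. The config snippets are constructed samples, and the list of function names is an assumed subset of the Engine API.

```python
import re

# Indicators of features the article says OpenSSL 4.0 removes: SSLv3 and the Engine framework.
# Function names are real OpenSSL 1.x/3.x Engine and SSLv3 API symbols; samples below are constructed.
ENGINE_API = re.compile(r"\bENGINE_(by_id|load_builtin_engines|set_default|init|load_dynamic)\b")
SSLV3_API = re.compile(r"\bSSLv3_(client_|server_)?method\b")

def _protocol_tokens(line):
    # 'ssl_protocols SSLv3 TLSv1.2;' -> ['SSLv3', 'TLSv1.2']
    return line.strip().rstrip(";").split()[1:]

def audit_line(kind, lineno, line):
    """Return a finding for one line of an nginx, apache, openssl.cnf or C source file, else None."""
    s = line.strip()
    if not s or s.startswith("#") or s.startswith("//"):
        return None
    if kind == "nginx" and s.startswith("ssl_protocols") and "SSLv3" in _protocol_tokens(s):
        return f"line {lineno}: ssl_protocols enables SSLv3 (removed in OpenSSL 4.0)"
    if kind == "apache" and s.startswith("SSLProtocol"):
        toks = set(_protocol_tokens(s))
        if "-SSLv3" not in toks and toks & {"SSLv3", "+SSLv3", "all"}:  # Apache's 'all' includes SSLv3
            return f"line {lineno}: SSLProtocol permits SSLv3 (removed in OpenSSL 4.0)"
    if kind == "openssl.cnf" and "=" in s:
        key = s.split("=", 1)[0].strip()
        if key in ("engines", "engine_id", "dynamic_path"):
            return f"line {lineno}: engine setting '{key}' (Engine API removed; port to a provider)"
    if kind == "source":
        m = ENGINE_API.search(s) or SSLV3_API.search(s)
        if m:
            return f"line {lineno}: {m.group(0)} uses an API removed in OpenSSL 4.0"
    return None

def audit(kind, text):
    """All findings for a file's contents, in line order."""
    return [f for f in (audit_line(kind, n, l) for n, l in enumerate(text.splitlines(), 1)) if f]

# Constructed samples, not taken from any real deployment.
SAMPLE_NGINX = "ssl_protocols SSLv3 TLSv1.2 TLSv1.3;\n# ssl_protocols SSLv3;\nssl_prefer_server_ciphers on;\n"
SAMPLE_APACHE = "SSLProtocol all -SSLv3\nSSLProtocol all -SSLv2\n"
SAMPLE_CNF = "[openssl_init]\nengines = engine_section\nproviders = provider_section\n"
SAMPLE_C = "ENGINE *e = ENGINE_by_id(\"pkcs11\");\nctx = SSL_CTX_new(TLS_client_method());\n"

if __name__ == "__main__":
    for kind, text in [("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE), ("openssl.cnf", SAMPLE_CNF), ("source", SAMPLE_C)]:
        for finding in audit(kind, text):
            print(kind, finding)
```

Point `audit()` at real files by kind; a commented-out directive is ignored, and an Apache line that explicitly disables SSLv3 with `-SSLv3` produces no finding.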

The OpenSSL 4.0 release is a testament to the evolution of digital trust. By successfully balancing the necessity of stripping away obsolete, dangerous legacy protocols with the urgent demand for forward-looking privacy features like ECH and post-quantum defenses, the OpenSSL Project has provided the industry with the tools necessary to defend the modern internet. While the transition may be rigorous, it is a vital step toward a more private and resilient cryptographic future.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.