Update to OpenSSL 3.4.3, a moderate severity security release.

• Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230).
• Fix Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232).
• Avoided a potential race condition, where OSSL_STORE_CTX kept open during lookup while potentially being used by multiple threads simultaneously, that could lead to potential crashes when multiple concurrent TLS connections are served.
• Secure memory allocation calls are no longer used for HMAC keys.
• Hardened the provider implementation of the RSA public key “encrypt” operation to add a missing check that the caller-indicated output buffer size is at least as large as the byte count of the RSA modulus.
• Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted signatures.

• Support Delphi 13 Florence Win32 and Win64.

• Update to OpenSSL 3.4.2.
  • Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation alert being received. Older versions of OpenSSL failed with DTLS if a no_renegotiation alert was received. All versions of OpenSSL do this for TLS. From 3.2 a bug was exposed that meant that DTLS ignored no_rengotiation. We have now restored the original behaviour and brought DTLS back into line with TLS.
  • Miscellaneous bug fixes.

Update to OpenSSL 3.4.1.

• Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
• Fixed timing side-channel in ECDSA signature computation.
• Reverted the behavior change of CMS_get1_certs and CMS_get1_crls that happened in the 3.4.0 release. These functions now return nil again if there are no certs or crls in the CMS object.

First release, based on OpenSSL 3.4.0.

Changes from OpenSSL 3.3:

Potentially significant or incompatible changes:

• SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal / EVP_DigestFinal_ex unless the xoflen param is set before.
• An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.
• Deprecation of SSL_SESSION_get_time, SSL_SESSION_set_time, and SSL_CTX_flush_sessions functions in favor of their respective …_ex functions SSL_SESSION_get_time_ex, SSL_SESSION_set_time_ex, and SSL_CTX_flush_sessions_ex which are Y2038-safe on platforms with Y2038-safe C_time_t.

New features:

• Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions.
• Implementation of RFC 9579 (PBMAC1) in PKCS#12.
• Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
• Support for requesting CRL in CMP.
• Support for additional X.509v3 extensions related to Attribute Certificates.
• Initial Attribute Certificate (RFC 5755) support.
• Possibility to customize ECC groups initialization to use precomputed values to save CPU time and use of this feature by the P-256 implementation.