Update to OpenSSL 3.6.1, a security patch release. The most severe CVE fixed is High.

Bug fixes:

• Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187).
• Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467).
• NULL dereference in SSL_CIPHER_find function on unknown cipher ID (CVE-2025-15468).
• TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199).
• Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160).
• Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418).
• Out of bounds write in PKCS12_get_friendlyname UTF-8 conversion (CVE-2025-69419).
• Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420).
• NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421).
• Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795).
• ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes function (CVE-2026-22796).

Mitigations:

• Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by restoring its pre-3.6.0 behaviour.
• Fixed a regression in handling stapled OCSP responses causing handshake failures for OpenSSL 3.6.0 servers with various client implementations.

First release, based on OpenSSL 3.6.0.

Changes from YuOpenSSL-3.5:

• Added support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY, EVP_KDF_derive_SKEY, and EVP_PKEY_derive_SKEY functions.
• Added i2d_PKCS8PrivateKey API to complement i2d_PrivateKey, the former always outputs PKCS#8.
• Added NIST security categories for PKEY objects.
• Added notification when all stream FINs are acknowledged in QUIC. Once final FINs are ACKed, the channel transitions to terminating and SSL_poll signals completion. This allows applications to progress shutdown reliably.
• Added array memory allocation routines, i.e. CRYPTO_malloc_array.
• Fixed behavior change of EC keygen by adding the generic error entry if the provider did not itself add an error entry onto the queue. That way, there always is an error on the error queue in case of a failure, but no behavior change in case the provider emitted the error entry itself.
• Extended new CRYPTO_THREAD_get_local / CRYPTO_THREAD_set_local API to reduce the usage of OS thread-local variables.
• Refactored OSSL_PARAM name parsing so that automatically generated parsers are used instead of OSSL_PARAM_locate calls. This should also ensure that the list of acceptable parameters better matches those which are actually processed. It should also provide a small performance improvement, because repeated iteration over passed parameter arrays is avoided.
• Introduced SSL_OP_SERVER_PREFERENCE, superseding misleadingly named SSL_OP_CIPHER_SERVER_PREFERENCE.
• Added LMS signature verification support.
• Relaxed the path check in OpenSSL's file: scheme implementation for OSSL_STORE_open and friends. Previously, when the file: scheme is an explicit part of the URI, our implementation required an absolute path, such as file:/path/to/file.pem. This requirement is now relaxed, allowing file:path/to/file.pem, as well as file:file.pem.
• Added support for setting a free function thunk to OPENSSL_STACK_ptr stack types. Using a thunk allows the type specific free function to be called with the correct type information from generic functions like OPENSSL_sk_pop_free.
• Changed default EC point formats configuration to support only 'uncompressed' format, and added SSL_OP_LEGACY_EC_POINT_FORMATS flag and options to re-enable previous default, if required.
• Increased PKCS#12 default macsaltlen from 8 to 16, as, per NIST SP 800-132.
• Added X509_CRL_get0_tbs_sigalg accessor for the signature lgorithmIdentifier inside CRL's TBSCertList.
• Added OIDS for HKDFs with SHA-256, SHA-384, and SHA-512. Added ability to load HKDF configured with these explicit digests by name or OID.

Update the Brotli built-in decompressor to v1.2.0, with reduced binary size.