Update to OpenSSL 3.3.5, a moderate severity security release.

• Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230).
• Fix Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232).
• Avoided a potential race condition, where OSSL_STORE_CTX kept open during lookup while potentially being used by multiple threads simultaneously, that could lead to potential crashes when multiple concurrent TLS connections are served.
• Secure memory allocation calls are no longer used for HMAC keys.
• Hardened the provider implementation of the RSA public key “encrypt” operation to add a missing check that the caller-indicated output buffer size is at least as large as the byte count of the RSA modulus.

• Support Delphi 13 Florence Win32 and Win64.

• Update to OpenSSL 3.3.4.
  • Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation alert being received. Older versions of OpenSSL failed with DTLS if a no_renegotiation alert was received. All versions of OpenSSL do this for TLS. From 3.2 a bug was exposed that meant that DTLS ignored no_rengotiation. We have now restored the original behaviour and brought DTLS back into line with TLS.
  • Miscellaneous bug fixes.

• Update to OpenSSL 3.3.3.
  • Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
  • Fixed timing side-channel in ECDSA signature computation.
  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters.

• Update to OpenSSL 3.3.2.
  • Fixed possible denial of service in X.509 name checks (CVE-2024-6119).
  • Fixed possible buffer overread in SSL_select_next_proto (CVE-2024-5535).

First release, based on OpenSSL 3.3.1.

Changes from OpenSSL 3.2:

• New features:
  • Support for qlog for tracing QUIC connections has been added.
  • Added APIs to allow configuring the negotiated idle timeout for QUIC connections, and to allow determining the number of additional streams that can currently be created for a QUIC connection.
  • Added APIs to allow disabling implicit QUIC event processing for QUIC SSL objects.
  • Added APIs to allow querying the size and utilisation of a QUIC stream’s write buffer.
  • New API SSL_write_ex2, which can be used to send an end-of-stream (FIN) condition in an optimised way when using QUIC.
  • Limited support for polling of QUIC connection and stream objects in a non-blocking manner.
  • Added a new EVP_DigestSqueeze API. This allows SHAKE to squeeze multiple times with different output sizes.
  • The BLAKE2s hash algorithm matches BLAKE2b’s support for configurable output length.
  • The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested
  • Added API functions SSL_SESSION_get_time_ex and SSL_SESSION_set_time_ex using C_time_t which is Y2038 safe on 32 bit systems when 64 bit time is enabled
  • Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms config options and the respective calls to SSL_CTX_set1_sigalgs and SSL_CTX_set1_client_sigalgs that start with '?' character are ignored and the configuration will still be used.
  • Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
  • New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available.
  • Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications.
• Potentially significant or incompatible changes:
  • Accept longer context for TLS 1.2 exporters.
  • The d2i_ASN1_GENERALIZEDTIME, d2i_ASN1_UTCTIME, ASN1_TIME_check, and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
  • OPENSSL_sk_push and other sk_xxx_push() functions now return 0 instead of -1 if called with a nil stack argument.
  • New limit on HTTP response headers is introduced to HTTP client. The default limit is set to 256 header lines.
• Bug fixes and mitigations:
  • The BIO_get_new_index function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its exhausted.

Changes from OpenSSL 3.2:

• Potentially significant or incompatible changes:
  • The default SSL/TLS security level has been changed from 1 to 2.
  • Support for client side QUIC, including support for multiple streams (RFC 9000).
  • Support for Ed25519ctx, Ed25519ph and Ed448ph in addition to existing support for Ed25519 and Ed448 (RFC 8032).
  • Support for deterministic ECDSA signatures (RFC 6979)
  • Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452).
  • Support for the Argon2 KDF, along with supporting thread pool functionality (RFC 9106).
  • Support for Hybrid Public Key Encryption (HPKE) (RFC 9180).
  • Support for SM4-XTS
  • Support for Brainpool curves in TLS 1.3.
  • Support for TLS Raw Public Keys (RFC 7250).
  • Support for TLS certificate compression, including library support for zlib, Brotli and zstd (RFC 8879).
  • Support for provider-based pluggable signature algorithms in TLS 1.3 with supporting CMS and X.509 functionality. With a suitable provider this enables the use of post-quantum/quantum-safe cryptography.
  • Multiple new features and improvements to CMP protocol support

Changes from OpenSSL 3.1:

• SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
• Performance enhancements.