v4.0.0

A high-level overview is available in History.md: https://github.com/ruby/openssl/blob/master/History.md#version-400

Merged Pull Requests

• pkey: Use openssl generated pkcs8 key instead by @samuel40791765 in #830
• Various cleanups in pkey tests by @rhenium in #834
• Reduce OpenSSL::Buffering#do_write overhead by @byroot in #831
• Require LibreSSL 3.9 or later (Drop support for 3.1-3.8) by @rhenium in #836
• Require OpenSSL 1.1.0 or later (Drop support for 1.0.2) by @rhenium in #839
• Require OpenSSL 1.1.1 or later (Drop support for 1.1.0) by @rhenium in #841
• Use X509_ALGOR_get0() accessor for X509_ALGOR by @botovq in #687
• pkey: change PKey::{RSA,DSA,DH}#params to use nil for missing parameters by @rhenium in #774
• ts: use TS_VERIFY_CTX_set0_{store,certs}() on OpenSSL 3.4 by @rhenium in #842
• ssl: separate SSLContext#min_version= and #max_version= by @rhenium in #849
• pkey/ec: remove deprecated PKey::EC::Point#mul(ary, ary [, bn]) form by @rhenium in #843
• test_ssl.rb: Test respecting system default min. by @junaruga in #851
• Cleanups in SSL tests by @rhenium in #853
• Add build support for AWS-LC by @samuel40791765 in #852
• Avoid calling sk_*() with NULL by @rhenium in #854
• ssl: remove cert_store from start_server test helper by @rhenium in #858
• Patch and enable tests with AWS-LC by @samuel40791765 in #855
• Use ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] instead of OpenSSL::OPENSSL_FIPS. by @junaruga in #862
• ssl: manually craft invalid SAN extensions in tests by @rhenium in #861
• digest: always run SHA-3 and truncated SHA-2 tests by @rhenium in #864
• ssl: refactor check_supported_protocol_versions by @rhenium in #866
• ssl: fix tests using TLS 1.1 or older by @rhenium in #867
• Improve AWS-LC tests by @junaruga in #863
• Improve document of initialize_copy by @midnight-wonderer in #869
• Skip PKCS7 with indefinite length test in AWS-LC by @samuel40791765 in #871
• pkcs7: fix test failure on RHEL 9 by @rhenium in #876
• CI: Upgrade OpenSSL versions by @junaruga in #878
• Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters. by @junaruga in #879
• .github/workflows/test.yml: stop using ubuntu-20.04 runner image by @rhenium in #880
• ssl: fix SSLSocket#syswrite with String-convertible objects by @rhenium in #881
• asn1: check for missing EOC in indefinite length encoding by @rhenium in #859
• .github/workflows/test.yml: update test-openssls by @rhenium in #884
• AWS-LC has support for parsing ber constructed strings now by @samuel40791765 in #888
• cipher: remove Cipher#encrypt(password, iv) form by @rhenium in #887
• ssl: fix potential memory leak in SSLContext#setup by @rhenium in #882
• CI test.yml - add workflow_dispatch by @MSP-Greg in #890
• ssl: add SSLContext#sigalgs= and #client_sigalgs= by @rhenium in #895
• pkey: add support for OpenSSL 3 provider-only pkeys by @rhenium in #898
• Use Dir.glob and base keyword arg for the installer of Ruby package by @hsbt in #904
• Run have_func with the header providing the declarations by @nobu in #905
• ssl: rename SSLContext#ecdh_curves= to #groups= by @rhenium in #900
• pkey/ec: avoid calling SYM2ID() on user-supplied objects by @rhenium in #907
• asn1: align UTCTime year range with RFC 5280 by @rhenium in #909
• Various test and CI improvements by @rhenium in #910
• Rakefile: fix :test/:test_fips => :compile dependency by @rhenium in #911
• ssl: add SSLSocket#sigalg, #peer_sigalg, #group by @junaruga in #908
• ssl: add post-quantum cryptography (PQC) tests by @junaruga in #913
• lib/openssl.rb: require files in alphabetical order by @rhenium in #914
• Cleanup ossl_*_new() functions by @rhenium in #912
• x509store: fix StoreContext#current_cert by @rhenium in #919
• pkcs7: clean up tests by @rhenium in #921
• pkcs7: fix error queue leak in OpenSSL::PKCS7#detached by @rhenium in #922
• pkcs7: make PKCS7#add_recipient actually useful by @rhenium in #923
• pkey: skip tests using invalid keys in the FIPS mode by @rhenium in #930
• Add missing write barriers in X509 by @jhawthorn in #932
• pkey: fix repeated passphrase prompts in OpenSSL::PKey.read by @rhenium in #931
• pkey: fix loading public keys with early OpenSSL 3.0.x releases by @rhenium in #940
• CONTRIBUTING.md: Add Debugging section [ci skip] by @junaruga in #944
• Revert "pkey: stop retrying after non-retryable error from OSSL_DECODER" by @rhenium in #943
• c_rehash: fix hash_name output for small hashes by @orgads in #942
• Add AuthTagError exception for AEAD authentication failures by @samuel-williams-shopify in #939
• Fix test_ssl.rb in FIPS. by @junaruga in #937
• Fix "default gem" link in README.md by @holtrop in #945
• CI: Add GitHub Actions ppc64le/s390x cases by @junaruga in #946
• pkey: disallow {DH,DSA,EC,RSA}.new without arguments on OpenSSL 3.0 by @rhenium in #848
• pkey/dh: refactor tests by @rhenium in #947
• CI: Upgrade OpenSSL and LibreSSL versions by @junaruga in #948
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #951
• ssl: use SSL_CTX_set_dh_auto() by default by @rhenium in #924
• ssl: allow SSLContext#set_params to be used from non-main Ractors by @rhenium in #925
• Update link to OpenSSL configuration file docs by @tobscher in #956
• cipher: various docs improvements by @rhenium in #954
• Update keys used in tests by @rhenium in #953
• Add support for "fetched" EVP_MD and EVP_CIPHER by @rhenium in #958
• pkey: unify error classes into PKeyError by @rhenium in #929
• Replace Ruby 3.5 with Ruby 4.0 by @yahonda in #961
• ssl: fix test_pqc_sigalg on RHEL 9.7 by @rhenium in #965
• pkey/ec: fix OpenSSL::PKey::EC::Group#curve_name for unknown curves by @rhenium in #966
• asn1: refactor converting ASN1_OBJECT to string by @rhenium in #967
• ts: fix docs for attrs on OpenSSL::Timestamp::Factory by @rhenium in #970
• Remove dummy declarations for mOSSL and eOSSLError by @rhenium in #971
• Revert "rewriting most of the asn1 init code in ruby" by @rhenium in #972
• Expand tabs in C source files by @rhenium in #973
• asn1: use ASN1_TIME_to_tm() to decode UTCTime and GeneralizedTime by @rhenium in #974
• x509cert: handle invalid validity periods in Certificate#inspect by @rhenium in #977
• Treat ASN1_STRING as opaque by @botovq in #978
• asn1integer_to_num: don't cast away const by @botovq in #979
• ossl.c: implement OpenSSL::OpenSSLError#detailed_message by @rhenium in #976
• x509cert: update doc for OpenSSL::X509::Certificate#== by @rhenium in #984
• pkcs7: raise OpenSSL::PKCS7::PKCS7Error in #initialize by @rhenium in #983
• Freeze more constants for Ractor compatibility by @rhenium in #985
• Release 4.0.0 by @rhenium in #982

New Contributors

• @samuel40791765 made their first contribution in #830
• @midnight-wonderer made their first contribution in #869
• @jhawthorn made their first contribution in #932
• @orgads made their first contribution in #942
• @samuel-williams-shopify made their first contribution in #939
• @holtrop made their first contribution in #945
• @k0kubun made their first contribution in #951
• @tobscher made their first contribution in #956
• @yahonda made their first contribution in #961

Full Changelog: v3.3.2...v4.0.0