OpenSSL just shipped version 4.0.0, a feature release carrying substantial architectural shifts alongside new cryptographic capabilities. Developers jumping in should anticipate breaking changes, particularly around API signatures and cleanup routines. The library now enforces stricter checks on PKCS5_PBKDF2_HMAC usage when integrating with the FIPS provider, demanding attention from security-conscious engineering teams.

Major deprecations define this release, most importantly the complete removal of SSLv2 and SSLv3 support, protocols long considered obsolete by the security community. Furthermore, the older 'engine' architecture is gone entirely, forcing users toward newer integration methods. Hexadecimal output formatting has also been standardized, adjusting widths for signatures and general data dumps to maintain cleaner console readability.

New functionality arrives, centering on modern privacy enhancements, including full support for Encrypted Client Hello (ECH) as specified in RFC 9849. The release also incorporates support for post-quantum cryptography groups like `curveSM2MLKEM768` and adds the `sm2sig_sm3` signature algorithm. System administrators running older setups must note that the `c_rehash` script is replaced entirely by the `openssl rehash` command.

Finally, internal memory management sees modernization; `libcrypto` no longer relies on `atexit()` for global data cleanup, shifting responsibilities to a global destructor by default, though this behavior can be altered. ASN1_STRING has been made opaque, signaling a deeper structural change within core data handling routines.