We have released LibreSSL 3.1.4, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
It includes the following interoperability and bug fixes for the
* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.
* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.
* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.
* Fix a memory leak and add a missing error check in the handling of
the key update message.
* Fix a memory leak in tls13_record_layer_set_traffic_key.
* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.
* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.
* Add the P-521 curve to the list of curves supported by default
in the client.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this