We have released LibreSSL 3.1.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.
The signify signing key has been rotated this time around, and the public key for future releases should appear as follows, while the GPG key remains the same (releases are verifiable with either or both): untrusted comment: LibreSSL portable signify key, April 8 2020 public key RWT44PcJDPu8ZDd5GfXWW2vuE+xq4M3haXXfYohnEnWoEYCKHNFut6W8 This is the first development release from the 3.1.x series, which will eventually be part of OpenBSD 6.7. It includes the following changes: * Completed initial TLS 1.3 implementation with a completely new state machine and record layer. TLS 1.3 is now enabled by default for the client side, with the server side to be enabled in a future release. Note that the OpenSSL TLS 1.3 API is not yet visible/available. * Many more code cleanups, fixes, and improvements to memory handling and protocol parsing. * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1. * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL 1.1.1 and enabled by default. * Improved compatibility by backporting functionality and documentation from OpenSSL 1.1.1. * Added many new additional crypto test vectors. * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics. * Default CA bundle location is now configurable in portable builds. * Added cms subcommand to openssl(1). * Added -addext option to openssl(1) req subcommand. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.