To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Enji Cooper
Subject: git: e2fcde7333a5 - stable/15 - MFV: crypto/openssl: update to 3.5.6
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ngie
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: e2fcde7333a515907316cf1a4ee4858edc90419d
Auto-Submitted: auto-generated
Date: Sun, 12 Apr 2026 02:15:07 +0000
Message-Id: <69db002b.4170b.7f123bf5@gitrepo.freebsd.org>

The branch stable/15 has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=e2fcde7333a515907316cf1a4ee4858edc90419d

commit e2fcde7333a515907316cf1a4ee4858edc90419d
Author: Enji Cooper
AuthorDate: 2026-04-09 01:44:24 +0000
Commit: Enji Cooper
CommitDate: 2026-04-12 02:14:40 +0000

MFV: crypto/openssl: update to 3.5.6

This change brings in version 3.5.6 of OpenSSL, which features several
security fixes (the highest of which is a MEDIUM severity issue), as
well as some miscellaneous feature updates.

Please see the release notes [1] for more details.

PS Apologies for the confusing merge commits -- I was testing out a new
automated update process and failed to catch the commit message issues
until after I pushed the change.

1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md

MFC after: 1 day (the security issues warrant a quick backport).
Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90' (cherry picked from commit 10a428653ee7216475f1ddce3fb4cbf1200319f8) --- crypto/openssl/CHANGES.md | 575 +++++++++------ crypto/openssl/CONTRIBUTING.md | 12 + crypto/openssl/Configurations/10-main.conf | 3 +- crypto/openssl/Configurations/unix-Makefile.tmpl | 3 +- .../openssl/Configurations/windows-makefile.tmpl | 5 +- crypto/openssl/NEWS.md | 427 +++++------ crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/cmp.c | 18 +- crypto/openssl/apps/include/cmp_mock_srv.h | 5 +- crypto/openssl/apps/lib/app_provider.c | 3 +- crypto/openssl/apps/lib/apps.c | 15 +- crypto/openssl/apps/lib/cmp_mock_srv.c | 38 +- crypto/openssl/apps/lib/win32_init.c | 3 +- crypto/openssl/apps/ocsp.c | 2 +- crypto/openssl/apps/s_client.c | 6 +- crypto/openssl/apps/ts.c | 4 +- crypto/openssl/build.info | 16 +- crypto/openssl/crypto/aes/asm/aes-riscv32-zkn.pl | 7 +- crypto/openssl/crypto/aes/asm/aes-riscv64-zkn.pl | 7 +- .../openssl/crypto/aes/asm/aes-riscv64-zvkned.pl | 13 +- crypto/openssl/crypto/aes/asm/aes-riscv64.pl | 10 +- crypto/openssl/crypto/asn1/evp_asn1.c | 4 +- crypto/openssl/crypto/asn1/n_pkey.c | 4 +- crypto/openssl/crypto/asn1/p5_scrypt.c | 11 +- crypto/openssl/crypto/bf/bf_cfb64.c | 4 +- crypto/openssl/crypto/bf/bf_ofb64.c | 4 +- crypto/openssl/crypto/bio/bss_dgram.c | 4 +- crypto/openssl/crypto/bio/bss_file.c | 15 +- crypto/openssl/crypto/bn/asm/armv4-gf2m.pl | 4 +- crypto/openssl/crypto/bn/asm/rsaz-2k-avxifma.pl | 105 ++- crypto/openssl/crypto/bn/asm/rsaz-3k-avxifma.pl | 41 +- crypto/openssl/crypto/bn/asm/rsaz-4k-avxifma.pl | 41 +- crypto/openssl/crypto/bn/asm/sparcv9-mont.pl | 4 +- crypto/openssl/crypto/bn/bn_dh.c | 64 +- crypto/openssl/crypto/bn/bn_exp.c | 34 +- crypto/openssl/crypto/bn/bn_local.h | 4 +- crypto/openssl/crypto/bn/bn_mont.c | 9 +- crypto/openssl/crypto/bn/bn_ppc.c | 10 +- crypto/openssl/crypto/bn/bn_prime.c | 4 +- crypto/openssl/crypto/bn/bn_rsa_fips186_4.c | 4 +- crypto/openssl/crypto/bn/bn_sparc.c | 16 
+- crypto/openssl/crypto/bsearch.c | 4 +- crypto/openssl/crypto/cast/c_cfb64.c | 4 +- crypto/openssl/crypto/cast/c_ofb64.c | 4 +- crypto/openssl/crypto/cmp/cmp_client.c | 23 +- crypto/openssl/crypto/cmp/cmp_ctx.c | 4 +- crypto/openssl/crypto/cmp/cmp_local.h | 4 +- crypto/openssl/crypto/cmp/cmp_vfy.c | 25 +- crypto/openssl/crypto/cms/cms_asn1.c | 30 +- crypto/openssl/crypto/cms/cms_dh.c | 15 +- crypto/openssl/crypto/cms/cms_ec.c | 16 +- crypto/openssl/crypto/cms/cms_local.h | 5 +- crypto/openssl/crypto/cms/cms_rsa.c | 33 +- crypto/openssl/crypto/cms/cms_smime.c | 6 +- crypto/openssl/crypto/conf/conf_lib.c | 4 +- crypto/openssl/crypto/conf/conf_mod.c | 4 +- crypto/openssl/crypto/des/cfb64ede.c | 4 +- crypto/openssl/crypto/des/cfb64enc.c | 4 +- crypto/openssl/crypto/des/ofb64ede.c | 4 +- crypto/openssl/crypto/des/ofb64enc.c | 4 +- crypto/openssl/crypto/dh/dh_asn1.c | 7 +- crypto/openssl/crypto/dh/dh_rfc5114.c | 6 +- crypto/openssl/crypto/dllmain.c | 4 +- crypto/openssl/crypto/dsa/dsa_asn1.c | 8 +- crypto/openssl/crypto/ec/ec_asn1.c | 12 +- crypto/openssl/crypto/ec/ec_check.c | 4 +- crypto/openssl/crypto/ec/ec_lib.c | 4 +- crypto/openssl/crypto/err/err_all.c | 6 +- crypto/openssl/crypto/err/openssl.txt | 3 +- crypto/openssl/crypto/ess/ess_asn1.c | 8 +- crypto/openssl/crypto/evp/digest.c | 7 +- crypto/openssl/crypto/evp/e_aes.c | 56 +- crypto/openssl/crypto/evp/e_aria.c | 22 +- crypto/openssl/crypto/evp/e_camellia.c | 22 +- crypto/openssl/crypto/evp/e_des.c | 18 +- crypto/openssl/crypto/evp/e_des3.c | 24 +- crypto/openssl/crypto/evp/e_idea.c | 6 +- crypto/openssl/crypto/evp/e_sm4.c | 14 +- crypto/openssl/crypto/evp/encode.c | 4 +- crypto/openssl/crypto/evp/evp_enc.c | 12 +- crypto/openssl/crypto/evp/kem.c | 4 +- crypto/openssl/crypto/hashtable/hashtable.c | 6 +- crypto/openssl/crypto/http/http_client.c | 26 +- crypto/openssl/crypto/http/http_err.c | 4 +- crypto/openssl/crypto/http/http_lib.c | 8 +- crypto/openssl/crypto/idea/i_cfb64.c | 3 +- 
crypto/openssl/crypto/idea/i_ofb64.c | 3 +- crypto/openssl/crypto/init.c | 7 +- crypto/openssl/crypto/initthread.c | 14 +- crypto/openssl/crypto/modes/asm/aes-gcm-ppc.pl | 5 - crypto/openssl/crypto/modes/asm/ghash-armv4.pl | 4 +- crypto/openssl/crypto/modes/build.info | 2 +- crypto/openssl/crypto/o_str.c | 15 +- crypto/openssl/crypto/param_build.c | 108 ++- crypto/openssl/crypto/perlasm/x86_64-xlate.pl | 5 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 4 + crypto/openssl/crypto/pkcs12/p12_utl.c | 4 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 8 + crypto/openssl/crypto/pkcs7/pk7_lib.c | 9 +- crypto/openssl/crypto/punycode.c | 4 +- crypto/openssl/crypto/rand/rand_egd.c | 25 +- crypto/openssl/crypto/rc2/rc2cfb64.c | 4 +- crypto/openssl/crypto/rc2/rc2ofb64.c | 4 +- crypto/openssl/crypto/rc5/rc5cfb64.c | 4 +- crypto/openssl/crypto/rc5/rc5ofb64.c | 4 +- crypto/openssl/crypto/riscvcap.c | 37 +- crypto/openssl/crypto/rsa/rsa_backend.c | 4 +- crypto/openssl/crypto/sha/asm/keccak1600-s390x.pl | 3 +- crypto/openssl/crypto/slh_dsa/slh_dsa.c | 25 +- crypto/openssl/crypto/sm4/asm/vpsm4_ex-armv8.pl | 13 +- crypto/openssl/crypto/store/store_lib.c | 6 +- crypto/openssl/crypto/threads_none.c | 4 +- crypto/openssl/crypto/threads_pthread.c | 57 +- crypto/openssl/crypto/threads_win.c | 4 +- crypto/openssl/crypto/ts/ts_asn1.c | 14 +- crypto/openssl/crypto/x509/pcy_tree.c | 14 +- crypto/openssl/crypto/x509/t_acert.c | 8 +- crypto/openssl/crypto/x509/v3_ac_tgt.c | 8 +- crypto/openssl/crypto/x509/v3_cpols.c | 4 +- crypto/openssl/crypto/x509/v3_prn.c | 6 +- crypto/openssl/crypto/x509/v3_san.c | 5 +- crypto/openssl/crypto/x509/v3_timespec.c | 4 +- crypto/openssl/crypto/x509/v3_utl.c | 9 +- crypto/openssl/crypto/x509/x509_vfy.c | 7 +- crypto/openssl/crypto/x509/x_pubkey.c | 6 +- crypto/openssl/doc/build.info | 6 + .../doc/internal/man3/OSSL_SAFE_MATH_SIGNED.pod | 4 +- .../internal/man3/ossl_cmp_msg_check_update.pod | 5 +- crypto/openssl/doc/internal/man7/deprecation.pod | 4 +- 
crypto/openssl/doc/man1/CA.pl.pod | 4 +- crypto/openssl/doc/man1/openssl-ciphers.pod.in | 777 ++++++++++++--------- crypto/openssl/doc/man1/openssl-cmp.pod.in | 10 +- crypto/openssl/doc/man1/openssl-cms.pod.in | 2 +- crypto/openssl/doc/man1/openssl-format-options.pod | 4 +- crypto/openssl/doc/man1/openssl-pkeyutl.pod.in | 4 +- .../doc/man1/openssl-verification-options.pod | 8 +- crypto/openssl/doc/man1/openssl-verify.pod.in | 7 +- crypto/openssl/doc/man3/ADMISSIONS.pod | 4 +- crypto/openssl/doc/man3/BIO_get_data.pod | 11 +- crypto/openssl/doc/man3/BIO_push.pod | 4 +- crypto/openssl/doc/man3/BIO_read.pod | 6 +- crypto/openssl/doc/man3/EVP_EncryptInit.pod | 10 +- crypto/openssl/doc/man3/OPENSSL_malloc.pod | 6 +- crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod | 11 +- crypto/openssl/doc/man3/OSSL_HPKE_CTX_new.pod | 6 +- crypto/openssl/doc/man3/PKCS5_PBE_keyivgen.pod | 13 +- crypto/openssl/doc/man3/RSA_set_method.pod | 10 +- crypto/openssl/doc/man3/SSL_CONF_cmd.pod | 18 +- crypto/openssl/doc/man3/SSL_CTX_set1_curves.pod | 125 +++- .../doc/man3/SSL_CTX_set_psk_client_callback.pod | 10 +- crypto/openssl/doc/man3/SSL_get_ciphers.pod | 4 +- crypto/openssl/doc/man3/X509V3_EXT_print.pod | 51 ++ crypto/openssl/doc/man3/X509_NAME_print_ex.pod | 7 +- crypto/openssl/doc/man7/EVP_SIGNATURE-DSA.pod | 4 +- crypto/openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod | 4 +- crypto/openssl/doc/man7/EVP_SIGNATURE-ED25519.pod | 4 +- crypto/openssl/doc/man7/EVP_SIGNATURE-HMAC.pod | 4 +- crypto/openssl/doc/man7/EVP_SIGNATURE-ML-DSA.pod | 6 +- crypto/openssl/doc/man7/EVP_SIGNATURE-RSA.pod | 4 +- crypto/openssl/doc/man7/EVP_SIGNATURE-SLH-DSA.pod | 4 +- crypto/openssl/doc/man7/openssl-env.pod | 9 +- .../doc/man7/ossl-guide-tls-introduction.pod | 4 +- crypto/openssl/doc/man7/property.pod | 34 +- crypto/openssl/doc/man7/provider-base.pod | 5 +- .../openssl/exporters/cmake/OpenSSLConfig.cmake.in | 1 + .../exporters/cmake/OpenSSLConfigVersion.cmake.in | 1 + .../openssl/exporters/pkg-config/libcrypto.pc.in | 1 
+ crypto/openssl/exporters/pkg-config/libssl.pc.in | 1 + crypto/openssl/exporters/pkg-config/openssl.pc.in | 1 + .../perl/Text-Template-1.56/lib/Text/Template.pm | 4 +- .../lib/Text/Template/Preprocess.pm | 4 +- crypto/openssl/include/crypto/aes_platform.h | 4 +- crypto/openssl/include/crypto/evp.h | 24 +- crypto/openssl/include/crypto/httperr.h | 2 +- crypto/openssl/include/crypto/sparc_arch.h | 14 +- crypto/openssl/include/crypto/sparse_array.h | 4 +- crypto/openssl/include/internal/time.h | 72 +- crypto/openssl/include/openssl/cmp.h.in | 4 +- crypto/openssl/include/openssl/core_dispatch.h | 34 +- crypto/openssl/include/openssl/httperr.h | 3 +- crypto/openssl/include/openssl/macros.h | 3 +- crypto/openssl/include/openssl/rsa.h | 6 +- crypto/openssl/include/openssl/types.h | 4 +- crypto/openssl/providers/fips-sources.checksums | 96 +-- crypto/openssl/providers/fips.checksum | 2 +- crypto/openssl/providers/fips/self_test.c | 4 +- crypto/openssl/providers/fips/self_test_kats.c | 11 +- .../ciphers/cipher_aes_gcm_hw_ppc.inc | 8 +- .../implementations/ciphers/cipher_aes_ocb.c | 4 +- .../implementations/ciphers/ciphercommon.c | 6 +- .../include/prov/ciphercommon_ccm.h | 16 +- .../include/prov/ciphercommon_gcm.h | 14 +- .../providers/implementations/kdfs/pkcs12kdf.c | 11 +- .../providers/implementations/kem/rsa_kem.c | 22 +- .../implementations/keymgmt/ml_kem_kmgmt.c | 4 +- .../providers/implementations/rands/drbg_hmac.c | 4 +- .../providers/implementations/signature/dsa_sig.c | 36 +- .../implementations/signature/ecdsa_sig.c | 47 +- .../providers/implementations/signature/sm2_sig.c | 10 +- .../implementations/storemgmt/file_store.c | 11 +- .../implementations/storemgmt/winstore_store.c | 6 +- crypto/openssl/ssl/quic/quic_impl.c | 47 +- crypto/openssl/ssl/quic/quic_lcidm.c | 14 +- crypto/openssl/ssl/quic/quic_reactor.c | 6 + crypto/openssl/ssl/quic/quic_rx_depack.c | 3 +- crypto/openssl/ssl/quic/quic_srtm.c | 7 +- crypto/openssl/ssl/quic/quic_stream_map.c | 3 +- 
crypto/openssl/ssl/quic/uint_set.c | 4 +- crypto/openssl/ssl/record/methods/tls_common.c | 17 +- crypto/openssl/ssl/s3_lib.c | 6 +- crypto/openssl/ssl/ssl_asn1.c | 4 +- crypto/openssl/ssl/ssl_lib.c | 22 +- crypto/openssl/ssl/ssl_sess.c | 4 +- crypto/openssl/ssl/statem/statem_dtls.c | 8 +- crypto/openssl/ssl/t1_lib.c | 96 +-- crypto/openssl/test/README-external.md | 2 +- crypto/openssl/test/asn1_decode_test.c | 14 +- crypto/openssl/test/asn1_encode_test.c | 14 +- crypto/openssl/test/asn1_internal_test.c | 20 +- crypto/openssl/test/bntest.c | 49 +- crypto/openssl/test/certs/cve-2026-28388-ca.pem | 19 + crypto/openssl/test/certs/cve-2026-28388-crls.pem | 22 + crypto/openssl/test/certs/cve-2026-28388-leaf.pem | 19 + .../ext-timeSpecification-periodic-no-second.pem | 14 + crypto/openssl/test/certs/mkcert.sh | 4 +- crypto/openssl/test/cmp_client_test.c | 75 +- crypto/openssl/test/evp_extra_test.c | 110 ++- crypto/openssl/test/evp_test.c | 4 +- crypto/openssl/test/fake_rsaprov.c | 5 +- crypto/openssl/test/http_test.c | 22 +- crypto/openssl/test/ossl_store_test.c | 9 +- crypto/openssl/test/pkcs12_api_test.c | 32 +- crypto/openssl/test/quicapitest.c | 10 +- .../openssl/test/recipes/10-test_bn_data/bnmod.txt | 10 +- crypto/openssl/test/recipes/25-test_verify.t | 16 +- crypto/openssl/test/recipes/25-test_x509.t | 10 +- .../openssl/test/recipes/61-test_bio_readbuffer.t | 8 +- .../80-test_cmp_http_data/test_commands.csv | 3 +- crypto/openssl/test/recipes/80-test_cms.t | 47 +- .../test/recipes/80-test_cms_data/dh-cert.pem | 31 + .../test/recipes/80-test_cms_data/dh-key.pem | 15 + .../test/recipes/80-test_cms_data/dh-malformed.der | Bin 0 -> 558 bytes .../test/recipes/80-test_cms_data/ecdh-cert.pem | 10 + .../test/recipes/80-test_cms_data/ecdh-key.pem | 5 + .../recipes/80-test_cms_data/ecdh-malformed.der | Bin 0 -> 275 bytes .../recipes/80-test_cms_data/rsa-malformed.der | Bin 0 -> 526 bytes crypto/openssl/test/recipes/80-test_ocsp.t | 16 +- crypto/openssl/test/sslapitest.c | 98 
++- crypto/openssl/test/tls-provider.c | 5 +- crypto/openssl/test/tls13groupselection_test.c | 39 +- crypto/openssl/util/checkplatformsyms.pl | 40 +- crypto/openssl/util/missingcrypto.txt | 2 - crypto/openssl/util/mkerr.pl | 77 +- crypto/openssl/util/mkinstallvars.pl | 5 +- .../util/platform_symbols/windows-symbols.txt | 339 ++++----- crypto/openssl/util/wrap.pl.in | 1 + 256 files changed, 3690 insertions(+), 2012 deletions(-) diff --git a/crypto/openssl/CHANGES.md b/crypto/openssl/CHANGES.md index 1a65b72b2965..380840deb712 100644 --- a/crypto/openssl/CHANGES.md +++ b/crypto/openssl/CHANGES.md 
@@ -28,6 +28,150 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Changes between 3.5.5 and 3.5.6 [7 Apr 2026] + + * Fixed incorrect failure handling in RSA KEM RSASVE encapsulation. + + Severity: Moderate + + Issue summary: Applications using RSASVE key encapsulation to establish + a secret encryption key can send contents of an uninitialized memory buffer + to a malicious peer. + + Impact summary: The uninitialized buffer might contain sensitive data + from the previous execution of the application process which leads + to sensitive data leakage to an attacker. + + Reported by: Simo Sorce (Red Hat). + + ([CVE-2026-31790]) + + *Nikola Pajkovsky* + + * Fixed loss of key agreement group tuple structure when the `DEFAULT` keyword + is used in the server-side configuration of the key-agreement group list. + + Severity: Low + + Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected + preferred key exchange group when its key exchange group configuration + includes the default by using the 'DEFAULT' keyword. + + Impact summary: A less preferred key exchange may be used even when a more + preferred group is supported by both client and server, if the group + was not included among the client's initial predicated keyshares. + This will sometimes be the case with the new hybrid post-quantum groups, + if the client chooses to defer their use until specifically requested by + the server. + + + ([CVE-2026-2673]) + + *Viktor Dukhovni* + + * Fixed potential use-after-free in DANE client code. + + Severity: Low + + Issue summary: An uncommon configuration of clients performing DANE + TLSA-based server authentication, when paired with uncommon server DANE TLSA + records, may result in a use-after-free and/or double-free on the client + side. + + Impact summary: A use after free can have a range of potential consequences + such as the corruption of valid data, crashes, or execution of arbitrary + code. + + Reported by: Igor Morgenstern (Aisle Research). 
+ + ([CVE-2026-28387]) + + *Viktor Dukhovni* + + * Fixed NULL pointer dereference when processing a delta CRL. + + Severity: Low + + Issue summary: When a delta CRL that contains a Delta CRL Indicator extension + is processed, a NULL pointer dereference might happen if the required CRL + Number extension is missing. + + Impact summary: A NULL pointer dereference can trigger a crash which + leads to a Denial of Service for an application. + + Reported by: Igor Morgenstern (Aisle Research). + + ([CVE-2026-28388]) + + *Igor Morgenstern* + + * Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo. + + Severity: Low + + Issue summary: During processing of a crafted CMS EnvelopedData message + with KeyAgreeRecipientInfo a NULL pointer dereference can happen. + + Impact summary: Applications that process attacker-controlled CMS data may + crash before authentication or cryptographic operations occur resulting in + Denial of Service. + + Reported by: Nathan Sportsman (Praetorian), Daniel Rhea, + Jaeho Nam (Seoul National University), Muhammad Daffa, + Zhanpeng Liu (Tencent Xuanwu Lab), Guannan Wang (Tencent Xuanwu Lab), + Guancheng Li (Tencent Xuanwu Lab), and Joshua Rogers. + + ([CVE-2026-28389]) + + *Neil Horman* + + * Fixed possible NULL dereference when processing CMS + KeyTransportRecipientInfo. + + Severity: Low + + Issue summary: During processing of a crafted CMS EnvelopedData message + with KeyTransportRecipientInfo a NULL pointer dereference can happen. + + Impact summary: Applications that process attacker-controlled CMS data may + crash before authentication or cryptographic operations occur resulting in + Denial of Service. + + Reported by: Muhammad Daffa, Zhanpeng Liu (Tencent Xuanwu Lab), + Guannan Wang (Tencent Xuanwu Lab), Guancheng Li (Tencent Xuanwu Lab), + Joshua Rogers, and Chanho Kim. + + ([CVE-2026-28390]) + + *Neil Horman* + + * Fixed heap buffer overflow in hexadecimal conversion. 
+ + Severity: Low + + Issue summary: Converting an excessively large OCTET STRING value to + a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. + + Impact summary: A heap buffer overflow may lead to a crash or possibly + an attacker controlled code execution or other undefined behavior. + + Reported by: Quoc Tran (Xint.io - US Team). + + ([CVE-2026-31789]) + + *Igor Ustinov* + + * Fixed usage of `openssl s_client -connect HOST -proxy PROXY` with `HOST` + containing a raw IPv6 address. + + + *Peter Zhang* + + * Fixed broken detection of plantext HTTP over TLS. + + + *Matt Caswell* + ### Changes between 3.5.4 and 3.5.5 [27 Jan 2026] * Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification. @@ -3461,7 +3605,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Richard Levitte* - * Fixed an overflow bug in the x64_64 Montgomery squaring procedure + * Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very 
@@ -21607,216 +21751,223 @@ ndif -[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796 -[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795 -[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421 -[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420 -[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419 -[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418 -[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160 -[CVE-2025-66199]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-66199 -[CVE-2025-15469]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15469 -[CVE-2025-15468]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15468 -[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467 -[CVE-2025-11187]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-11187 -[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232 -[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231 -[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230 -[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575 -[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 -[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 -[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 -[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 -[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 -[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 -[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 -[CVE-2024-0727]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 -[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 -[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 -[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 -[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 -[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 -[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 -[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 -[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 -[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 -[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 -[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 -[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 -[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 -[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 -[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 -[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 -[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 -[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216 -[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215 -[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450 -[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304 -[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 -[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 -[CVE-2022-2274]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 -[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 -[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 -[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 -[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559 -[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552 -[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551 -[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549 -[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547 -[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543 -[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407 -[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739 -[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737 -[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735 -[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734 -[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733 -[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732 -[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738 -[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737 -[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736 -[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735 -[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733 -[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732 -[CVE-2017-3731]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731 -[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730 -[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055 -[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054 -[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053 -[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052 -[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309 -[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308 -[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307 -[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306 -[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305 -[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304 -[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303 -[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302 -[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183 -[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182 -[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181 -[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180 -[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179 -[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178 -[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177 -[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176 -[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109 -[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107 -[CVE-2016-2106]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106 -[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105 -[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800 -[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799 -[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798 -[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797 -[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705 -[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702 -[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701 -[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197 -[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196 -[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195 -[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194 -[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193 -[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793 -[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792 -[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791 -[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790 -[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789 -[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788 -[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787 -[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293 -[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291 -[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290 -[CVE-2015-0289]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289 -[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288 -[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287 -[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286 -[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285 -[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209 -[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208 -[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207 -[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206 -[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205 -[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204 -[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275 -[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139 -[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572 -[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571 -[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570 -[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569 -[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568 -[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567 -[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566 -[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513 -[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512 -[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511 -[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510 -[CVE-2014-3509]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509 -[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508 -[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507 -[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506 -[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505 -[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470 -[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224 -[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221 -[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195 -[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160 -[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076 -[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450 -[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353 -[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169 -[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166 -[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686 -[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333 -[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110 -[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884 -[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050 -[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027 -[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619 -[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577 -[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576 -[CVE-2011-4109]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109 -[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108 -[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210 -[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207 -[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014 -[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252 -[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180 -[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864 -[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633 -[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740 -[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433 -[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355 -[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555 -[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245 -[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386 -[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379 -[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378 -[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377 -[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789 -[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591 -[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590 -[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077 -[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678 -[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672 -[CVE-2008-0891]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891 -[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135 -[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995 -[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343 -[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339 -[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738 -[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940 -[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937 -[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969 -[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112 -[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079 -[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851 -[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545 -[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544 -[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543 -[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078 -[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659 -[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657 -[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656 -[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655 [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program +[CVE-2002-0655]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0655 +[CVE-2002-0656]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0656 +[CVE-2002-0657]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0657 +[CVE-2002-0659]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2002-0659 +[CVE-2003-0078]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0078 +[CVE-2003-0543]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0543 +[CVE-2003-0544]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0544 +[CVE-2003-0545]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0545 +[CVE-2003-0851]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0851 +[CVE-2004-0079]: https://openssl-library.org/news/vulnerabilities/#CVE-2004-0079 +[CVE-2004-0112]: https://openssl-library.org/news/vulnerabilities/#CVE-2004-0112 +[CVE-2005-2969]: https://openssl-library.org/news/vulnerabilities/#CVE-2005-2969 +[CVE-2006-2937]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-2937 +[CVE-2006-2940]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-2940 +[CVE-2006-3738]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-3738 +[CVE-2006-4339]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-4339 +[CVE-2006-4343]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-4343 +[CVE-2007-4995]: https://openssl-library.org/news/vulnerabilities/#CVE-2007-4995 +[CVE-2007-5135]: https://openssl-library.org/news/vulnerabilities/#CVE-2007-5135 +[CVE-2008-0891]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-0891 +[CVE-2008-1672]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-1672 +[CVE-2008-1678]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-1678 +[CVE-2008-5077]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-5077 +[CVE-2009-0590]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-0590 +[CVE-2009-0591]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-0591 +[CVE-2009-0789]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-0789 +[CVE-2009-1377]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1377 +[CVE-2009-1378]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2009-1378 +[CVE-2009-1379]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1379 +[CVE-2009-1386]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1386 +[CVE-2009-3245]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-3245 +[CVE-2009-3555]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-3555 +[CVE-2009-4355]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-4355 +[CVE-2010-0433]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-0433 +[CVE-2010-0740]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-0740 +[CVE-2010-1633]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-1633 +[CVE-2010-3864]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-3864 +[CVE-2010-4180]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-4180 +[CVE-2010-4252]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-4252 +[CVE-2011-0014]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-0014 +[CVE-2011-3207]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-3207 +[CVE-2011-3210]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-3210 +[CVE-2011-4108]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4108 +[CVE-2011-4109]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4109 +[CVE-2011-4576]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4576 +[CVE-2011-4577]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4577 +[CVE-2011-4619]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4619 +[CVE-2012-0027]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-0027 +[CVE-2012-0050]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-0050 +[CVE-2012-0884]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-0884 +[CVE-2012-2110]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-2110 +[CVE-2012-2333]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2012-2333 +[CVE-2012-2686]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-2686 +[CVE-2013-0166]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-0166 +[CVE-2013-0169]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-0169 +[CVE-2013-4353]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-4353 +[CVE-2013-6450]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-6450 +[CVE-2014-0076]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0076 +[CVE-2014-0160]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0160 +[CVE-2014-0195]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0195 +[CVE-2014-0221]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0221 +[CVE-2014-0224]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0224 +[CVE-2014-3470]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3470 +[CVE-2014-3505]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3505 +[CVE-2014-3506]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3506 +[CVE-2014-3507]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3507 +[CVE-2014-3508]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3508 +[CVE-2014-3509]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3509 +[CVE-2014-3510]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3510 +[CVE-2014-3511]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3511 +[CVE-2014-3512]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3512 +[CVE-2014-3513]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3513 +[CVE-2014-3566]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3566 +[CVE-2014-3567]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3567 +[CVE-2014-3568]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3568 +[CVE-2014-3569]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2014-3569 +[CVE-2014-3570]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3570 +[CVE-2014-3571]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3571 +[CVE-2014-3572]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3572 +[CVE-2014-5139]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-5139 +[CVE-2014-8275]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-8275 +[CVE-2015-0204]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0204 +[CVE-2015-0205]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0205 +[CVE-2015-0206]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0206 +[CVE-2015-0207]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0207 +[CVE-2015-0208]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0208 +[CVE-2015-0209]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0209 +[CVE-2015-0285]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0285 +[CVE-2015-0286]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0286 +[CVE-2015-0287]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0287 +[CVE-2015-0288]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0288 +[CVE-2015-0289]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0289 +[CVE-2015-0290]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0290 +[CVE-2015-0291]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0291 +[CVE-2015-0293]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0293 +[CVE-2015-1787]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1787 +[CVE-2015-1788]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1788 +[CVE-2015-1789]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1789 +[CVE-2015-1790]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1790 +[CVE-2015-1791]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2015-1791 +[CVE-2015-1792]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1792 +[CVE-2015-1793]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1793 +[CVE-2015-3193]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3193 +[CVE-2015-3194]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3194 +[CVE-2015-3195]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3195 +[CVE-2015-3196]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3196 +[CVE-2015-3197]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3197 +[CVE-2016-0701]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0701 +[CVE-2016-0702]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0702 +[CVE-2016-0705]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0705 +[CVE-2016-0797]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0797 +[CVE-2016-0798]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0798 +[CVE-2016-0799]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0799 +[CVE-2016-0800]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0800 +[CVE-2016-2105]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2105 +[CVE-2016-2106]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2106 +[CVE-2016-2107]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2107 +[CVE-2016-2109]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2109 +[CVE-2016-2176]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2176 +[CVE-2016-2177]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2177 +[CVE-2016-2178]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2178 +[CVE-2016-2179]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2179 +[CVE-2016-2180]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2180 +[CVE-2016-2181]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2016-2181 +[CVE-2016-2182]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2182 +[CVE-2016-2183]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2183 +[CVE-2016-6302]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6302 +[CVE-2016-6303]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6303 +[CVE-2016-6304]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6304 +[CVE-2016-6305]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6305 +[CVE-2016-6306]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6306 +[CVE-2016-6307]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6307 +[CVE-2016-6308]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6308 +[CVE-2016-6309]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6309 +[CVE-2016-7052]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7052 +[CVE-2016-7053]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7053 +[CVE-2016-7054]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7054 +[CVE-2016-7055]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7055 +[CVE-2017-3730]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3730 +[CVE-2017-3731]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3731 +[CVE-2017-3732]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3732 +[CVE-2017-3733]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3733 +[CVE-2017-3735]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3735 +[CVE-2017-3736]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3736 +[CVE-2017-3737]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3737 +[CVE-2017-3738]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3738 +[CVE-2018-0732]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0732 +[CVE-2018-0733]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2018-0733 +[CVE-2018-0734]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0734 +[CVE-2018-0735]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0735 +[CVE-2018-0737]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0737 +[CVE-2018-0739]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0739 +[CVE-2018-5407]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-5407 +[CVE-2019-1543]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1543 +[CVE-2019-1547]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1547 +[CVE-2019-1549]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1549 +[CVE-2019-1551]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1551 +[CVE-2019-1552]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1552 +[CVE-2019-1559]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1559 +[CVE-2019-1563]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1563 +[CVE-2020-1967]: https://openssl-library.org/news/vulnerabilities/#CVE-2020-1967 +[CVE-2020-1971]: https://openssl-library.org/news/vulnerabilities/#CVE-2020-1971 +[CVE-2022-2097]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-2097 +[CVE-2022-2274]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-2274 +[CVE-2022-3996]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-3996 +[CVE-2022-4203]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-4203 +[CVE-2022-4304]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-4304 +[CVE-2022-4450]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-4450 +[CVE-2023-0215]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0215 +[CVE-2023-0216]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0216 +[CVE-2023-0217]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0217 +[CVE-2023-0286]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2023-0286 +[CVE-2023-0401]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0401 +[CVE-2023-0464]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0464 +[CVE-2023-0465]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0465 +[CVE-2023-0466]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0466 +[CVE-2023-1255]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-1255 +[CVE-2023-2650]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-2650 +[CVE-2023-2975]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-2975 +[CVE-2023-3446]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-3446 +[CVE-2023-3817]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-3817 +[CVE-2023-4807]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-4807 +[CVE-2023-5363]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-5363 +[CVE-2023-5678]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-5678 +[CVE-2023-6129]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-6129 +[CVE-2023-6237]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-6237 +[CVE-2024-0727]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-0727 +[CVE-2024-2511]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-2511 +[CVE-2024-4603]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-4603 +[CVE-2024-4741]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-4741 +[CVE-2024-5535]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-5535 +[CVE-2024-6119]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-6119 +[CVE-2024-9143]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-9143 +[CVE-2024-13176]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-13176 +[CVE-2025-4575]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-4575 +[CVE-2025-9230]: 
https://openssl-library.org/news/vulnerabilities/#CVE-2025-9230 +[CVE-2025-9231]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-9231 +[CVE-2025-9232]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-9232 +[CVE-2025-11187]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-11187 +[CVE-2025-15467]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467 +[CVE-2025-15468]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15468 +[CVE-2025-15469]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15469 +[CVE-2025-66199]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-66199 +[CVE-2025-68160]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-68160 +[CVE-2025-69418]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69418 +[CVE-2025-69419]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69419 +[CVE-2025-69420]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69420 +[CVE-2025-69421]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69421 +[CVE-2026-2673]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-2673 +[CVE-2026-22795]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-22795 +[CVE-2026-22796]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-22796 +[CVE-2026-28387]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28387 +[CVE-2026-28388]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28388 +[CVE-2026-28389]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28389 +[CVE-2026-28390]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28390 +[CVE-2026-31789]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-31789 +[CVE-2026-31790]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-31790 [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations +[RFC 2578 (STD 58), section 3.5]: 
https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 diff --git a/crypto/openssl/CONTRIBUTING.md b/crypto/openssl/CONTRIBUTING.md index 09416095e64d..06dfbaeff1fe 100644 --- a/crypto/openssl/CONTRIBUTING.md +++ b/crypto/openssl/CONTRIBUTING.md @@ -27,6 +27,18 @@ communication before submitting many pull requests. In addition, contributors should personally evaluate potential patches generated by automated tools. +Provide a clear description of the issue or feature being addressed, +including any relevant implementation details and, for performance +improvements, benchmark results. + +Pull requests and commits should be self-contained, enabling readers to +understand what changed and why without needing to reference related +issues or having prior knowledge. Commit messages should include all +relevant details to help future contributors follow the git history, +with clear explanations of what is changing and why. Long descriptions +are encouraged if they aid understanding. Commit message titles (their +first line) should be kept to 50-70 characters if possible. + To make it easier to review and accept your pull request, please follow these guidelines: diff --git a/crypto/openssl/Configurations/10-main.conf b/crypto/openssl/Configurations/10-main.conf index cba57b41273f..692eccbfa1dc 100644 --- a/crypto/openssl/Configurations/10-main.conf +++ b/crypto/openssl/Configurations/10-main.conf @@ -5,7 +5,8 @@ my $vc_win64a_info = {}; sub vc_win64a_info { unless (%$vc_win64a_info) { - if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) { + # Minimum NASM version is 2.09 otherwise SHA3 might be miscompiled + if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+)\.([0-9]+)/ && ($1 > 2 || ($1 == 2 && $2 >= 9))) { $vc_win64a_info = { AS => "nasm", ASFLAGS => "-g", asflags => "-Ox -f win64 -DNEAR", diff --git a/crypto/openssl/Configurations/unix-Makefile.tmpl b/crypto/openssl/Configurations/unix-Makefile.tmpl index 78be4a319964..5bf397eba021 100644 
--- a/crypto/openssl/Configurations/unix-Makefile.tmpl +++ b/crypto/openssl/Configurations/unix-Makefile.tmpl @@ -72,6 +72,7 @@ OPTIONS={- $config{options} -} CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -}) SRCDIR={- $config{sourcedir} -} BLDDIR={- $config{builddir} -} +RESULT_D=$(BLDDIR)/test-runs FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} @@ -642,7 +643,7 @@ clean: libclean ## Clean the workspace, keep the configuration -find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \; $(RM) core $(RM) tags TAGS doc-nits md-nits - $(RM) -r test/test-runs + $(RM) -r $(RESULT_D) $(RM) providers/fips*.new -find . -type l \! -name '.*' -exec $(RM) {} \; diff --git a/crypto/openssl/Configurations/windows-makefile.tmpl b/crypto/openssl/Configurations/windows-makefile.tmpl index 894834cfb7ef..e553e8f9fec3 100644 --- a/crypto/openssl/Configurations/windows-makefile.tmpl +++ b/crypto/openssl/Configurations/windows-makefile.tmpl @@ -38,6 +38,7 @@ PLATFORM={- $config{target} -} SRCDIR={- $config{sourcedir} -} BLDDIR={- $config{builddir} -} +RESULT_D=$(BLDDIR)\test-runs FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} @@ -222,7 +223,7 @@ OPENSSLDIR_dir={- canonpath($openssldir_dir) -} LIBDIR={- our $libdir = $config{libdir} || "lib"; file_name_is_absolute($libdir) ? "" : $libdir -} MODULESDIR_dev={- use File::Spec::Functions qw(:DEFAULT splitpath catpath); - our $modulesprefix = catdir($prefix,$libdir); + our $modulesprefix = file_name_is_absolute($libdir) ? $libdir : catdir($prefix,$libdir); our ($modulesprefix_dev, $modulesprefix_dir, $modulesprefix_file) = splitpath($modulesprefix, 1); @@ -484,7 +485,7 @@ clean: libclean -del /Q /S /F engines\*.lib engines\*.exp -del /Q /S /F apps\*.lib apps\*.rc apps\*.res apps\*.exp -del /Q /S /F test\*.exp - -rd /Q /S test\test-runs + -@if exist "$(RESULT_D)" rd /Q /S "$(RESULT_D)" distclean: clean -del /Q /F include\openssl\configuration.h 
diff --git a/crypto/openssl/NEWS.md b/crypto/openssl/NEWS.md index f4ec14718d71..07f78ae2af17 100644 --- a/crypto/openssl/NEWS.md +++ b/crypto/openssl/NEWS.md @@ -23,6 +23,36 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Major changes between OpenSSL 3.5.5 and OpenSSL 3.5.6 [7 Apr 2026] + +OpenSSL 3.5.6 is a security patch release. The most severe CVE fixed in this +release is Medium. + *** 11324 LINES SKIPPED ***
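Review bot: In crypto/openssl/Configurations/10-main.conf, the new comment in vc_win64a_info gives the minimum as 2.09 but does not say that the check compares major and minor as separate integers (`$1 > 2 || ($1 == 2 && $2 >= 9)`), so "09" is matched as 9 and "10" as 10. A short remark to that effect would stop a later cleanup from collapsing it back into a single decimal comparison like the removed `$1 >= 2.0`. The comment would also read better with a comma before "otherwise" and a pointer to where the SHA3 miscompilation is tracked.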
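Review bot: In the clean target of crypto/openssl/Configurations/unix-Makefile.tmpl, `$(RM) -r $(RESULT_D)` does not remove the same directory as the line it replaces: RESULT_D is defined as `$(BLDDIR)/test-runs`, while the removed rule deleted `test/test-runs`. Results left under test/test-runs by an earlier build will now survive `make clean`, so either keep removing the old path as well or state in the change description that test output has moved to $(BLDDIR)/test-runs. The variable is also expanded unquoted here, whereas the Windows template uses `"$(RESULT_D)"`; quoting it would keep a build directory containing spaces from being split into several arguments to the recursive remove.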
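Review bot: In the MODULESDIR_dev fragment of crypto/openssl/Configurations/windows-makefile.tmpl, the `file_name_is_absolute($libdir)` test is now written twice, once in the LIBDIR line just above and again when setting `$modulesprefix`, so the two decisions can drift apart in a later edit. Computing the absolute-or-relative result once in the LIBDIR fragment and reusing it here would keep them consistent. The hunk also carries no comment on why an absolute libdir must bypass `catdir($prefix,$libdir)`; one line explaining that would help the next reader.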