We have released LibreSSL 2.3.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release is the second snapshot based on the development OpenBSD 5.9 branch. It is still likely to change more compared to the 2.2.x and 2.1.x branches. The ABI/API for the LibreSSL 2.3.x series will be declared stable around March 2016. See http://www.libressl.org/releases.html for more details. LibreSSL 2.3.1 has the following notable changes: * ASN.1 cleanups and RFC5280 compliance fixes. * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL now checks if the host OS supports 64-bit time_t. * Fixed a leak in SSL_new in the error path. * Support always extracting the peer cipher and version with libtls. * Added ability to check certificate validity times with libtls, tls_peer_cert_notbefore and tls_peer_cert_notafter. * Changed tls_connect_servername to use the first address that resolves with getaddrinfo(). * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since initial commit in 2004). * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported by Qualys Security. * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK), reported by Pascal Cuoq . * Reject too small bits value in BN_generate_prime_ex(), so that it does not risk becoming negative in probable_prime_dh_safe(), reported by Franck Denis. * Enable nc(1) builds on more platforms. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.