We have released LibreSSL 3.2.2, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release from the 3.2 series, which is included with OpenBSD 6.8. It includes the following changes from LibreSSL 3.2.1 * This is the first stable release with the new TLSv1.3 implementation enabled by default for both client and server. The OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided in an upcoming release. * New X509 certificate chain validator that correctly handles multiple paths through intermediate certificates. Loosely based on Go's X509 validator. * New name constraints verification implementation which passes the bettertls.com certificate validation check suite. * Improve the handling of BIO_read()/BIO_write() failures in the TLSv1.3 stack. * Start replacing the existing TLSv1.2 record layer. * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. * Send alert on ssl_get_prev_session() failure. * Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs. * Move state initialization from SSL_clear() to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method() call. * Avoid an out-of-bounds write in BN_rand(). * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c. * Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected() when alpn_selected is NULL. * Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define. * Simplify SSL method lookups. * Clean up and simplify SSL_get_ciphers(), SSL_set_session(), SSL_set_ssl_method() and several internal functions. * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). * Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues(). * Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying. * Clean up and refactor ssl_get_prev_session(); simplify tls_decrypt_ticket() and tls1_process_ticket() exit paths. * Avoid memset() before memcpy() in CBS_add_bytes(). * Rewrite X509_INFO_{new,free}() more idiomatically. * Remove unnecessary zeroing after recallocarray() in ASN1_BIT_STRING_set_bit(). * Convert openssl(1) ocsp new option handling. * Document SSL_set1_host(3), SSL_set_SSL_CTX(3). * Document return value from EC_KEY_get0_public_key(3). * Greatly expanded test coverage via the tlsfuzzer test scripts. * Expanded test coverage via the bettertls certificate test suite. * Test interoperability with the Botan TLS client. * Make pthread_mutex static initialisation work on Windows. * Get __STRICT_ALIGNMENT from machine/endian.h with portable build. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.