This release sees further work on the post-quantum provider with the addition of the NewHope (March 2016 version) key exchange algorithm and the SPHINCS signature algorithm. The McEliece implementation has also been revised and now has a KeyFactory implementation as well. The DANE API has been updated to reflect the latest standard changes. SHA-3 support has been added for HMAC as well as for the DSA, ECDSA, DDSA, and ECDDSA signature algorithms. SHA-3 support has also been added for RSA signatures and OAEP encryption. Support has been added for the GOST R34.11-2012 message digest as well. The TSP API now supports millisecond resolution in time-stamps, and TLS supports RFC 7685 and ECDH_anon key exchange. The CMS password recipient generator now supports PRFs other than SHA-1 as well.

In terms of bug fixes: issues with cloning of BLAKE digests, an occasional error in the Poly1305 calculator, UserNotice issues with empty sequences, and validation issues with time-stamp requests containing extensions have all been fixed. CRMF now recognises when non-default OAEP parameters are used, and issues around the encoding of parameters for ECIES/IES have also been addressed.