diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad50806e..d587a4a7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -366,7 +366,5 @@ jobs:
       name: Run `rpk,underscore-wildcards` tests
     - run: cargo test --features pq-experimental,rpk,underscore-wildcards
       name: Run `pq-experimental,rpk,underscore-wildcards` tests
-    - run: cargo test -p hyper-boring --features hyper1-runtime
+    - run: cargo test -p hyper-boring --features hyper1
       name: Run hyper 1.0 tests for hyper-boring
-    - run: cargo test -p hyper-boring --features hyper0-runtime
-      name: Run hyper 0. tests for hyper-boring
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index fd80f9de..ca94e093 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -1,3 +1,25 @@
+
+4.14.0
+- 2024-01-27 Set CMAKE_BUILD_PARALLEL_LEVEL to available_parallelism
+- 2025-02-14 build: Fix the build for 32-bit Linux platform (#312)
+- 2024-11-30 Use corresponds macro
+- 2025-02-12 Expose SSL_set_enable_ech_grease
+- 2025-02-12 Clean up ECH tests
+- 2025-02-10 Expose client/server-side ECH
+- 2025-02-10 Expose EVP_HPKE_KEY
+- 2025-02-10 Clean up boring_sys::init()
+- 2024-11-27 Detailed error codes
+- 2025-02-04 chore: Fix docs on SslRef::replace_ex_data
+- 2025-01-22 fix manual_c_str_literals clippy warning
+- 2025-01-22 replace once_cell with LazyLock
+- 2025-01-13 RTG-3333 Support X25519MLKEM768 by default, but don't sent it as client
+- 2024-07-31 Allow dead_code instead of disabling clippy entirely for bindgen
+- 2024-11-12 Remove INVALID_CALL from mid-handshake error message
+- 2024-08-16 Fix bug with accessing memzero'd X509StoreContext in tests
+- 2024-08-16 Support linking with a runtime cpp library
+- 2024-12-06 Refactor!: Introduce a Cargo feature for optional Hyper 0 support
+- 2024-12-06 Refactor!: Remove strict `TokioIo` response requirement from `hyper_boring::v1::HttpsConnector`
+
 4.13.0
 - 2024-11-26 Sync X509StoreBuilder with openssl
 - 2024-11-26 Sync X509VerifyFlags with openssl
@@ -6,7 +28,7 @@
 - 2024-11-28 Clippy
 - 2024-03-11 Fix Windows build
 
-4.12.0 
+4.12.0
 - 2024-11-20 Add bindings for SSL_CB_ACCEPT_EXIT and SSL_CB_CONNECT_EXIT
 - 2024-10-22 (ci): brew link x86 toolchain for macos13 runner
 - 2024-10-22 Skip bindgen 0.70's layout tests before Rust 1.77
@@ -14,7 +36,7 @@
 
 4.11.0
 - 2024-10-17 boring-sys: include HPKE header file for bindgen
-- 2024-10-17 Add "fips-compat" feature
+- 2024-10-17 Add "fips-compat" feature (#286)
 - 2024-09-25 Create semgrep.yml
 
 4.10.3
@@ -47,6 +69,7 @@
 - 2024-08-04 Properly handle `Option<i32>` in `SslRef::set_curves`
 
 4.9.0
+- 2024-08-02 Actually Release 4.9.0
 - 2024-08-02 Guard against empty strings given to select_next_proto (#252)
 - 2024-08-01 Document `SslCurve::nid()`
 - 2024-08-01 Add SslCurve::to_nid() and remove SslCurveId
diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml
index ee8ee7ab..7d49b267 100644
--- a/boring-sys/Cargo.toml
+++ b/boring-sys/Cargo.toml
@@ -19,6 +19,7 @@ include = [
     "/LICENSE-MIT",
     "/cmake/*.cmake",
     # boringssl (non-FIPS)
+    "/deps/boringssl/src/util/32-bit-toolchain.cmake",
     "/deps/boringssl/**/*.[chS]",
     "/deps/boringssl/**/*.asm",
     "/deps/boringssl/sources.json",
@@ -31,6 +32,7 @@ include = [
     "/deps/boringssl/**/sources.cmake",
     "/deps/boringssl/LICENSE",
     # boringssl (FIPS)
+    "/deps/boringssl-fips/src/util/32-bit-toolchain.cmake",
     "/deps/boringssl-fips/**/*.[chS]",
     "/deps/boringssl-fips/**/*.asm",
     "/deps/boringssl-fips/**/*.pl",
diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs
index 1671981f..28a43ccc 100644
--- a/boring-sys/build/config.rs
+++ b/boring-sys/build/config.rs
@@ -165,7 +165,7 @@ impl Env {
             opt_level: target_var("OPT_LEVEL"),
             android_ndk_home: target_var("ANDROID_NDK_HOME").map(Into::into),
             cmake_toolchain_file: target_var("CMAKE_TOOLCHAIN_FILE").map(Into::into),
-            cpp_runtime_lib: target_var("BORING_BSSL_RUST_CPPLIB").map(Into::into),
+            cpp_runtime_lib: target_var("BORING_BSSL_RUST_CPPLIB"),
         }
     }
 }
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index 7d1fc56d..0068ddea 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -572,6 +572,10 @@ fn built_boring_source_path(config: &Config) -> &PathBuf {
 
         let mut cfg = get_boringssl_cmake_config(config);
 
+        if let Ok(threads) = std::thread::available_parallelism() {
+            cfg.env("CMAKE_BUILD_PARALLEL_LEVEL", threads.to_string());
+        }
+
         if config.features.fips {
             let (clang, clangxx) = verify_fips_clang_version();
             cfg.define("CMAKE_C_COMPILER", clang)
diff --git a/boring/src/ssl/ech.rs b/boring/src/ssl/ech.rs
index d7b49328..27ccc5b5 100644
--- a/boring/src/ssl/ech.rs
+++ b/boring/src/ssl/ech.rs
@@ -1,11 +1,54 @@
 use crate::ffi;
-use foreign_types::{ForeignType, ForeignTypeRef};
+use foreign_types::ForeignType;
 use libc::c_int;
 
 use crate::error::ErrorStack;
 use crate::hpke::HpkeKey;
 use crate::{cvt_0i, cvt_p};
 
+pub struct SslEchKeysBuilder {
+    keys: SslEchKeys,
+}
+
+impl SslEchKeysBuilder {
+    pub fn new() -> Result<SslEchKeysBuilder, ErrorStack> {
+        unsafe {
+            ffi::init();
+            let keys = cvt_p(ffi::SSL_ECH_KEYS_new())?;
+
+            Ok(SslEchKeysBuilder::from_ptr(keys))
+        }
+    }
+
+    pub unsafe fn from_ptr(keys: *mut ffi::SSL_ECH_KEYS) -> Self {
+        Self {
+            keys: SslEchKeys::from_ptr(keys),
+        }
+    }
+
+    pub fn add_key(
+        &mut self,
+        is_retry_config: bool,
+        ech_config: &[u8],
+        key: HpkeKey,
+    ) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt_0i(ffi::SSL_ECH_KEYS_add(
+                self.keys.as_ptr(),
+                is_retry_config as c_int,
+                ech_config.as_ptr(),
+                ech_config.len(),
+                key.as_ptr(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    pub fn build(self) -> SslEchKeys {
+        self.keys
+    }
+}
+
 foreign_type_and_impl_send_sync! {
     type CType = ffi::SSL_ECH_KEYS;
     fn drop = ffi::SSL_ECH_KEYS_free;
@@ -14,30 +57,7 @@ foreign_type_and_impl_send_sync! {
 }
 
 impl SslEchKeys {
-    pub fn new() -> Result<SslEchKeys, ErrorStack> {
-        unsafe {
-            ffi::init();
-            cvt_p(ffi::SSL_ECH_KEYS_new()).map(|p| SslEchKeys::from_ptr(p))
-        }
-    }
-}
-
-impl SslEchKeysRef {
-    pub fn add_key(
-        &mut self,
-        is_retry_config: bool,
-        ech_config: &[u8],
-        key: HpkeKey,
-    ) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt_0i(ffi::SSL_ECH_KEYS_add(
-                self.as_ptr(),
-                is_retry_config as c_int,
-                ech_config.as_ptr(),
-                ech_config.len(),
-                key.as_ptr(),
-            ))
-            .map(|_| ())
-        }
+    pub fn builder() -> Result<SslEchKeysBuilder, ErrorStack> {
+        SslEchKeysBuilder::new()
     }
 }
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index 9d136388..38cce1f9 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -108,6 +108,8 @@ pub use self::cert_compression::CertCompressionAlgorithm;
 pub use self::connector::{
     ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder,
 };
+#[cfg(not(feature = "fips"))]
+pub use self::ech::SslEchKeysRef;
 pub use self::error::{Error, ErrorCode, HandshakeError};
 
 mod async_callbacks;
@@ -2018,7 +2020,7 @@ impl SslContextBuilder {
     /// threads.
     #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_CTX_set1_ech_keys)]
-    pub fn set_ech_keys(&mut self, keys: SslEchKeys) -> Result<(), ErrorStack> {
+    pub fn set_ech_keys(&self, keys: &SslEchKeys) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::SSL_CTX_set1_ech_keys(self.as_ptr(), keys.as_ptr())).map(|_| ()) }
     }
 
@@ -2253,6 +2255,16 @@ impl SslContextRef {
         let mode = unsafe { ffi::SSL_CTX_get_verify_mode(self.as_ptr()) };
         SslVerifyMode::from_bits(mode).expect("SSL_CTX_get_verify_mode returned invalid mode")
     }
+
+    /// Registers a list of ECH keys on the context. This list should contain new and old
+    /// ECHConfigs to allow stale DNS caches to update. Unlike most `SSL_CTX` APIs, this function
+    /// is safe to call even after the `SSL_CTX` has been associated with connections on various
+    /// threads.
+    #[cfg(not(feature = "fips"))]
+    #[corresponds(SSL_CTX_set1_ech_keys)]
+    pub fn set_ech_keys(&self, keys: &SslEchKeys) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::SSL_CTX_set1_ech_keys(self.as_ptr(), keys.as_ptr())).map(|_| ()) }
+    }
 }
 
 /// Error returned by the callback to get a session when operation
diff --git a/boring/src/ssl/test/ech.rs b/boring/src/ssl/test/ech.rs
index c94a842d..d2797d42 100644
--- a/boring/src/ssl/test/ech.rs
+++ b/boring/src/ssl/test/ech.rs
@@ -18,11 +18,12 @@ static ECH_KEY_2: &[u8] = include_bytes!("../../../test/echkey-2");
 fn bootstrap_ech(config: &[u8], key: &[u8], list: &[u8]) -> (Server, ClientSslBuilder) {
     let server = {
         let key = HpkeKey::dhkem_p256_sha256(key).unwrap();
-        let mut ech_keys = SslEchKeys::new().unwrap();
-        ech_keys.add_key(true, config, key).unwrap();
+        let mut ech_keys_builder = SslEchKeys::builder().unwrap();
+        ech_keys_builder.add_key(true, config, key).unwrap();
+        let ech_keys = ech_keys_builder.build();
 
         let mut builder = Server::builder();
-        builder.ctx().set_ech_keys(ech_keys).unwrap();
+        builder.ctx().set_ech_keys(&ech_keys).unwrap();
 
         builder.build()
     };