diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8f170856..3591e10cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - master
+      - v4.x
   push:
     branches:
       - master
@@ -63,6 +64,15 @@ jobs:
         run: cargo doc --no-deps -p boring -p boring-sys --features rpk,pq-experimental,underscore-wildcards
         env:
           DOCS_RS: 1
+      - name: Cargo.toml boring versions consistency
+        shell: bash
+        run: |
+          WORKSPACE_VERSION=$(grep -F '[workspace.package]' -A1 Cargo.toml | grep -F version | grep -Eo '".*"')
+          if [[ -z "$WORKSPACE_VERSION" ]]; then echo 2>&1 "error: can't find boring version"; exit 1; fi
+          if grep -E 'boring.* =' Cargo.toml | grep -vF "$WORKSPACE_VERSION"; then
+            echo 2>&1 "error: boring dependencies must match workspace version $WORKSPACE_VERSION"
+            exit 1
+          fi
   test:
     name: Test
     runs-on: ${{ matrix.os }}
@@ -306,45 +316,6 @@ jobs:
     - name: Build for ${{ matrix.target }}
       run: cargo build --target ${{ matrix.target }} --all-targets
 
-  cross-build-fips:
-    name: Cross build from macOS to Linux (FIPS)
-    runs-on: macos-13 # Need an Intel (x86_64) runner for Clang 12.0.0
-    strategy:
-      matrix:
-        include:
-          - target: x86_64-unknown-linux-gnu
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: 'recursive'
-    - name: Install Rust (rustup)
-      run: rustup update stable --no-self-update && rustup default stable && rustup target add ${{ matrix.target }}
-      shell: bash
-    - name: Install golang
-      uses: actions/setup-go@v5
-      with:
-        go-version: '>=1.22.0'
-    - name: Install ${{ matrix.target }} toolchain
-      run: brew tap messense/macos-cross-toolchains && brew install ${{ matrix.target }} && brew link x86_64-unknown-linux-gnu
-    - name: Install Clang-12
-      uses: KyleMayes/install-llvm-action@v1
-      with:
-        version: "12.0.0"
-        directory: ${{ runner.temp }}/llvm
-    - name: Add clang++-12 link
-      working-directory: ${{ runner.temp }}/llvm/bin
-      run: ln -s clang++ clang++-12
-    - name: Set BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN
-      run: echo "BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN=$(brew --prefix ${{ matrix.target }})/toolchain" >> $GITHUB_ENV
-      shell: bash
-    - name: Set BORING_BSSL_FIPS_SYSROOT
-      run: echo "BORING_BSSL_FIPS_SYSROOT=$BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN/${{ matrix.target }}/sysroot" >> $GITHUB_ENV
-      shell: bash
-    - name: Set CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER
-      run: echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=${{ matrix.target }}-gcc" >> $GITHUB_ENV
-    - name: Build for ${{ matrix.target }}
-      run: cargo build --target ${{ matrix.target }} --all-targets --features fips
-
   test-features:
     name: Test features
     runs-on: ubuntu-latest
diff --git a/Cargo.toml b/Cargo.toml
index eb99271d6..91b6b54b8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,9 +19,9 @@ tag-prefix = ""
 publish = false
 
 [workspace.dependencies]
-boring-sys = { version = "4.19.0", path = "./boring-sys" }
-boring = { version = "4.19.0", path = "./boring" }
-tokio-boring = { version = "4.19.0", path = "./tokio-boring" }
+boring-sys = { version = "4.20.0", path = "./boring-sys" }
+boring = { version = "4.20.0", path = "./boring" }
+tokio-boring = { version = "4.20.0", path = "./tokio-boring" }
 
 bindgen = { version = "0.72.0", default-features = false, features = ["runtime"] }
 bitflags = "2.9"
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index 06a30d1fe..5879ede4b 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -784,6 +784,7 @@ fn generate_bindings(config: &Config) {
         "curve25519.h",
         "des.h",
         "dtls1.h",
+        "err.h",
         "hkdf.h",
         #[cfg(not(feature = "fips"))]
         "hpke.h",
diff --git a/boring/src/error.rs b/boring/src/error.rs
index 5c1ad40bb..04815863d 100644
--- a/boring/src/error.rs
+++ b/boring/src/error.rs
@@ -183,7 +183,7 @@ impl Error {
                 self.line,
             );
             if let Some(cstr) = self.data_cstr() {
-                ffi::ERR_set_error_data(cstr.as_ptr().cast_mut(), ffi::ERR_FLAG_STRING);
+                ffi::ERR_add_error_data(1, cstr.as_ptr().cast_mut());
             }
         }
     }
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index fe4bf0784..a697cdc37 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -1039,7 +1039,7 @@ impl SslContextBuilder {
             has_shared_cert_store: false,
         };
 
-        builder.set_ex_data(*RPK_FLAG_INDEX, is_rpk);
+        builder.replace_ex_data(*RPK_FLAG_INDEX, is_rpk);
 
         builder
     }