Angus Robertson, posted November 10, 2023

OpenSSL has released new versions of the two active branches. These releases fix a medium severity bug with symmetric cipher key and initialisation vector (IV) length that can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. This does not affect SSL/TLS, only encryption using EVP_EncryptInit_ex2().

Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

Separately, YuOpenSSL has released 3.0.12 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

In addition to the three DLL files, the zip includes a compiled RES resource file that contains the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource file, currently in SVN and the overnight zip.

The OpenSSL extract directory is shell path CSIDL_COMMON_APPDATA which in recent Windows versions is "C:\Users\All Users\" aliased as "C:\ProgramData\", in sub-directory "ICS-OpenSSl" with a sub-directory for each different OpenSSL major/minor version, ie "3012" for 3.0.12, ie "C:\ProgramData\ICS-OpenSSl\3012\libcrypto-3.dll".

OverbyteIcsDefs.inc has a new define OpenSSL_Resource_Files which causes the resource file to be linked, the major/minor version being defined as OpenSSL_30, OpenSSL_31 or OpenSSL_32 (not supported yet). The actual resource files are LibV3xOpenSSL32.RES and LibV3xOpenSSL64.RES where x is the minor version. Note ICS supports linking specific major/minor versions of OpenSSL, but only one per application, but not multiple patch versions which don't have new features, only security and bug fixes.

The RES files are distributed in the zip files with the DLLs from the ICS wiki site, with the latest versions in the source directory. If the new resource cannot be found or there is a problem extracting the DLLs, ICS falls back to looking for OpenSSL DLLs as in previous releases.

The OverbyteIcsDefs.inc in SVN has define OpenSSL_Resource_Files enabled, so if copied will mean projects rebuilt will automatically have the OpenSSL resources linked without any other changes. A decision will be taken before the final release as to whether this is the best behaviour. It does resolve a long term problem of DLL hell or keeping OpenSSL DLLs updated in potentially dozens of different directories, particularly if applications build to Win32 and Win64 directories; now a single set of any version is needed in "C:\ProgramData\ICS-OpenSSL". The only downside is larger EXE files, particularly if an application has multiple EXEs.

ICS has a global variable GSSL_DLL_DIR that defines where to look for the OpenSSL files, defaulting to blank but set in all samples to the program directory so a known version of OpenSSL is loaded. Perhaps ICS should set this to "C:\ProgramData\ICS-OpenSSL" by default so only a single set of DLLs is needed. Only snag is automating a means of getting files to this directory if the resource files are not used.

Angus
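For anyone deploying with the shared extract directory described in the post, the following PowerShell inventory is an added example, not ICS code and not from the original post. It lists each version sub-directory under "C:\ProgramData\ICS-OpenSSL", the DLLs found there with their file version, Authenticode status and SHA-256, and any account other than SYSTEM, Administrators or TrustedInstaller that is allowed to write to the directory. The list of trusted SIDs, the choice of write rights and the function name Get-UntrustedWriter are assumptions of this example.

```powershell
# Added example: audit the shared OpenSSL extract directory named in the post.
param([string]$Root = (Join-Path $env:ProgramData 'ICS-OpenSSL'))

# Assumption: only these well-known SIDs should hold write access.
# SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that allow adding, replacing or re-permissioning files.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-UntrustedWriter([string]$Path) {
    # Explicit and inherited rules, with identities returned as SIDs so the
    # comparison does not depend on the Windows display language.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    Write-Warning "Shared OpenSSL directory not found: $Root"
    return
}

# One row per DLL in each version sub-directory (for example "3012").
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $dir = $_
    $writers = @(Get-UntrustedWriter $dir.FullName) -join ';'
    Get-ChildItem -LiteralPath $dir.FullName -Filter '*.dll' -File | ForEach-Object {
        [pscustomobject]@{
            VersionDir   = $dir.Name
            File         = $_.Name
            FileVersion  = $_.VersionInfo.FileVersion
            Signature    = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            OtherWriters = $writers
        }
    }
} | Format-Table -AutoSize
```

An empty OtherWriters column means only the trusted SIDs can modify that version directory; the SHA256 column can be compared against the hashes of the DLLs in the downloaded zip.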