Angus Robertson, posted December 19, 2021

OpenSSL has released quarterly updates for the two supported branches, 3.0.1 and 1.1.1m. Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp.

OpenSSL 3.0.1 fixes a medium security risk relating to clients verifying X509 certificates from the server, a malicious server could potentially send a bad certificate that caused the client to hang or misbehave during verify. https://www.openssl.org/news/secadv/20211214.txt

Now OpenSSL 3.0 has been available for three months, updated the main supported OpenSSL release to 3.0.1. The samples SslInternet directory now has both OpenSSL 1.1.1m and 3.0.1, ICS will try and load OpenSSL 3.0 first, then 1.1.1 if not found, unless the global variable GSSLEAY_DLL_IgnoreNew is set true before OpenSSL is loaded. Likewise GSSLEAY_DLL_IgnoreOld may be set true to ignore 1.1.1 and fail unless 3.0 is available. This is available from SVN and the overnight zip.

Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always re-sign the DLLs with their own signing certificate to remove the Magenta name.

Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

Angus
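Added example (not part of the original post or of ICS): a PowerShell check that the OpenSSL DLLs about to be deployed carry a valid Authenticode signature from the expected publisher, whether that is 'Magenta Systems Ltd' as stated above or your own certificate after re-signing. The function name, the folder path, and the assumption that the signing certificate's common name equals the publisher name are illustrative.

```powershell
# Added example: verify that every DLL in a folder has a valid Authenticode
# signature from the expected publisher before the application ships with it.
# Assumes the folder holds only the OpenSSL DLLs being checked.
function Test-OpenSslDllSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'Magenta Systems Ltd'   # signer named in the post
    )

    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate

        # SimpleName resolves to the certificate's common name when one is present.
        $signer = if ($cert) {
            $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                $false)
        } else { $null }

        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            # Trusted only if the signature verifies AND the publisher matches.
            Trusted    = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)
        }
    }
}

# Hypothetical folder holding the OpenSSL DLLs shipped with the application.
$results = Test-OpenSslDllSignature -Path 'C:\MyApp\openssl'
$results | Format-Table -AutoSize

# Fail a build or deployment step if any DLL is unsigned, modified after
# signing, or signed by someone other than the expected publisher.
if ($results | Where-Object { -not $_.Trusted }) {
    Write-Error 'One or more DLLs failed the signature check.'
    exit 1
}
```

For a stricter check, compare the reported thumbprint against a value recorded from a known-good download rather than matching on the publisher name alone.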
Rollo62, posted December 20, 2021

18 hours ago, Angus Robertson said:
> Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

Thanks, that's very interesting news, to solve the ugly SSL issues once and for all. I wonder what prevents them to make it FMX compatible right away, on all platforms, I expect not much VCL code inside?
Angus Robertson, posted December 20, 2021

Quote:
> I wonder what prevents them to make it FMX compatible right away, on all platforms, I expect not much VCL code inside?

The ICS packages all build okay with FMX and YuOpenSSL, why do you think it is incompatible? Or at least only with lots of deprecated warnings from OpenSSL, that we never see when using the DLLs.

Just built one of the FMX samples and that works fine, once I'd commented out a couple of old lines. Need to update those old samples.

Angus
Angus Robertson, posted March 4, 2022

OpenSSL 3.0 (and 3.0.1, 3.0.2 etc) has now been designated a Long Term Support release, with security and bug fixes until 7th September 2026. ICS users are recommended to update to V8.68 or later and OpenSSL 3.0 for long term support.

The current LTS release 1.1.1 will continue to be supported until 11th September 2023. The older 1.0.2 release only receives security fixes if you have a paid support contract with OpenSSL.

The next main release will be OpenSSL 3.1.0 with initial support for QUIC which is needed for HTTP/3, but it may take a couple of years for all the work to be completed, they plan to release updates every six months.

Angus