Angus Robertson

New OpenSSL 3.0.1 and 1.1.1m releases


OpenSSL has released quarterly updates for the two supported branches, 3.0.1 and 1.1.1m. Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp .

 

OpenSSL 3.0.1 fixes a medium security risk relating to clients verifying X509 certificates from the server; a malicious server could potentially send a bad certificate that caused the client to hang or misbehave during verify. https://www.openssl.org/news/secadv/20211214.txt

 

Now OpenSSL 3.0 has been available for three months, updated the main supported OpenSSL release to 3.0.1.  The samples SslInternet directory now has both OpenSSL 1.1.1m and 3.0.1, ICS will try and load OpenSSL 3.0 first, then 1.1.1 if not found, unless the global variable GSSLEAY_DLL_IgnoreNew is set true before OpenSSL is loaded. Likewise GSSLEAY_DLL_IgnoreOld may be set true to ignore 1.1.1 and fail unless 3.0 is available. This is available from SVN and the overnight zip. 

 

Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate.  Developers can always re-sign the DLLs with their own signing certificate to remove the Magenta name.

 

Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

 

Angus

 

  • Thanks 3
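A check a developer might run on the downloaded DLLs before shipping them, given the signer change described in the post above. This is an added example, not part of the original post or of ICS; the `libcrypto*.dll` / `libssl*.dll` file patterns, the function name and the parameter names are assumptions, and the expected signer defaults to the name quoted in the post.

```powershell
# Added example: verify the Authenticode signature of OpenSSL DLLs in a folder.
param(
    [string]$Path = '.',                              # folder holding the DLLs (assumed)
    [string]$ExpectedSigner = 'Magenta Systems Ltd'   # signer name quoted in the post
)

function Test-OpenSslDllSignature {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$ExpectedSigner
    )
    # File name patterns are an assumption; adjust to the DLLs you actually ship.
    $dlls = Get-ChildItem -Path $Directory -File |
        Where-Object { $_.Name -like 'libcrypto*.dll' -or $_.Name -like 'libssl*.dll' }
    if (-not $dlls) { throw "No libcrypto*/libssl* DLLs found in '$Directory'." }

    foreach ($dll in $dlls) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $cert = $sig.SignerCertificate
        # Unsigned files have no signer certificate at all.
        $signer = if ($cert) {
            $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                $false)
        } else { $null }

        [pscustomobject]@{
            File        = $dll.Name
            FileVersion = $dll.VersionInfo.FileVersion
            Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
            # Both conditions must hold: intact, trusted signature AND expected name.
            Trusted     = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)
        }
    }
}

$results = @(Test-OpenSslDllSignature -Directory $Path -ExpectedSigner $ExpectedSigner)
$results | Format-Table -AutoSize

# Non-zero exit code lets a build script stop when any DLL fails the check.
if ($results | Where-Object { -not $_.Trusted }) { exit 1 }
```

If the DLLs have been re-signed with your own certificate, pass that certificate's subject name as `-ExpectedSigner`.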

18 hours ago, Angus Robertson said:

Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

Thanks, that's very interesting news, to solve the ugly SSL issues once and for all.

I wonder what prevents them from making it FMX compatible right away, on all platforms, I expect not much VCL code inside?

 

Quote

I wonder what prevents them from making it FMX compatible right away, on all platforms, I expect not much VCL code inside?

The ICS packages all build okay with FMX and YuOpenSSL, why do you think it is incompatible?  Or at least only with lots of deprecated warnings from OpenSSL, that we never see when using the DLLs.  Just built one of the FMX samples and that works fine, once I'd commented out a couple of old lines.  Need to update those old samples.

 

Angus

 


OpenSSL 3.0 (and 3.0.1, 3.0.2 etc) has now been designated a Long Term Support release, with security and bug fixes until 7th September 2026.  ICS users are recommended to update to V8.68 or later and OpenSSL 3.0 for long term support. 

 

The current LTS release 1.1.1 will continue to be supported until 11th September 2023.  The older 1.0.2 release only receives security fixes if you have a paid support contract with OpenSSL. 

 

The next main release will be OpenSSL 3.1.0 with initial support for QUIC, which is needed for HTTP/3, but it may take a couple of years for all the work to be completed; they plan to release updates every six months.

 

Angus

 

  • Like 2

