Angus Robertson 577 Posted March 16, 2022 OpenSSL has released new versions of the two supported branches, 3.0.2 and 1.1.1n, Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . OpenSSL 3.0.2 fixes a high security risk relating to specifically formed SSL/TLS certificates using elliptic curve public keys which can cause OpenSSL to enter an infinite loop and cause denial of service by freezing. The attack can be caused by clients processing bad server certificates, or by servers that request bad client certificates, and many other cases where these bad certificates are processed, The attack has not been seen in the wild, it was identified by Google. 3.0.2 also allows PCKS12 private keys without a password to be opened. OpenSSL 1.1.1n fixes the same bug. The bug is also in 1.0.2 and 1.1.0 but these are no longer supported and users should upgrade. Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always resign the DLLs with their own signing certificate to remove the Magenta name. Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus 1 Share this post Link to post