Angus Robertson

New OpenSSL 3.0.2 and 1.1.1n releases


OpenSSL has released new versions of the two supported branches, 3.0.2 and 1.1.1n. Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp.

 

OpenSSL 3.0.2 fixes a high security risk relating to specifically formed SSL/TLS certificates using elliptic curve public keys which can cause OpenSSL to enter an infinite loop and cause denial of service by freezing. The attack can be caused by clients processing bad server certificates, or by servers that request bad client certificates, and many other cases where these bad certificates are processed. The attack has not been seen in the wild; it was identified by Google.

 

3.0.2 also allows PKCS12 private keys without a password to be opened.

 

OpenSSL 1.1.1n fixes the same bug.  The bug is also in 1.0.2 and 1.1.0 but these are no longer supported and users should upgrade.  

 

Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always re-sign the DLLs with their own signing certificate to remove the Magenta name.

 

Separately, YuOpenSSL has released both these versions as commercial DCUs, allowing applications to be used with OpenSSL without needing separate DLLs.

 

Angus    

  • Thanks 1
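
A version check built from the releases named in the post above, as an added example that is not part of the original post or of the ICS project's code. The function names and status labels are assumptions, and the banner strings are constructed samples in the usual `OpenSSL x.y.z date` form.

```python
import re

# Added example: the branch table below comes only from the post above
# (3.0.2 and 1.1.1n carry the fix; 1.0.2 and 1.1.0 are no longer supported).
FIXED_3_0_PATCH = 2          # 3.0.x is fixed from 3.0.2
FIXED_1_1_1_LETTER = "n"     # 1.1.1 is fixed from 1.1.1n
UNSUPPORTED = {(1, 0, 2), (1, 1, 0)}

_VERSION = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letters) from a version or banner string."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def _letter_rank(letters):
    # 1.x letter suffixes sort as "" < a < ... < z < za < zb, so compare
    # by length first and alphabetically second.
    return (len(letters), letters)


def classify(text):
    """Return 'fixed', 'upgrade', 'unsupported' or 'unknown' for a version."""
    major, minor, patch, letters = parse_version(text)
    if (major, minor) == (3, 0):
        return "fixed" if patch >= FIXED_3_0_PATCH else "upgrade"
    if (major, minor, patch) in UNSUPPORTED:
        return "unsupported"
    if (major, minor, patch) == (1, 1, 1):
        fixed = _letter_rank(letters) >= _letter_rank(FIXED_1_1_1_LETTER)
        return "fixed" if fixed else "upgrade"
    return "unknown"  # a branch the post does not mention


if __name__ == "__main__":
    # Constructed sample banners, e.g. as read from a DLL's version resource.
    for banner in ("OpenSSL 3.0.2 15 Mar 2022", "OpenSSL 3.0.1 14 Dec 2021",
                   "OpenSSL 1.1.1n  15 Mar 2022", "OpenSSL 1.1.1m  14 Dec 2021",
                   "OpenSSL 1.0.2u  20 Dec 2019"):
        print(f"{banner:32} -> {classify(banner)}")
```
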
