Upgrading OpenSSL on Windows 10

Hubert Kario hkario at redhat.com
Fri Nov 25 12:37:42 UTC 2022


On Friday, 25 November 2022 05:21:00 CET, Steven_M.irc via openssl-users wrote:
> Hi Michael,
> Thanks very much for replying to my e-mail/post. I apologize 
> for the lateness of my reply.
>
>> This is not true in the general case. There are applications 
>> which are available on Linux which do not use the 
>> distribution's package manager. There are applications which 
>> use their own OpenSSL build, possibly linked statically or 
>> linked into one of their own shared objects or with the OpenSSL 
>> shared objects renamed. Linux distributions have not magically 
>> solved the problem of keeping all software on the system 
>> current.
>
> That's disheartening. My next computer will be running Linux 
> and I was thinking that (as long as I stick to installing 
> software from appropriate repositories) my update worries would 
> be over soon.

I'm pretty sure what Michael had in mind is that you can have software
that runs on Linux that doesn't use system-provided OpenSSL (e.g.
proprietary software).

Well-built distros, or even well-built third-party repos, will follow the
packaging guidelines of a given distribution. And many distributions
forbid distributing copies of libraries that are already included in the
distro proper.

So if you stick to software from official repositories, you should
generally be fine (unless you go for some very obscure and badly built
distro).
  
>> I'm not sure OpenSSL versions should be particularly high on 
>> anyone's priority list.
>
> As I understand it, OpenSSL is responsible for establishing 
> HTTPS connections, the primary protocol for ensuring security 
> and authenticity over the Internet, and you *don't* think 
> OpenSSL versions should be a high priority? I don't understand 
> your lack of alarm here.

Not necessarily, you can have an application using multiple cryptographic
libraries at the same time, but for different purposes.

An application built for Windows may well use schannel for establishing
HTTPS connections and OpenSSL for encrypting the local files.

Then a security vulnerability in OpenSSL's TLS implementation won't affect
the application.

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
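
The thread's point about applications that carry their own OpenSSL (statically linked, or in renamed shared objects) can be checked with a file scan. The following is an added example, not part of the original message: it searches files for the version banner that OpenSSL compiles into libcrypto (for example "OpenSSL 1.1.1k  25 Mar 2021"), and the file names and contents in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# Version banner compiled into libcrypto, e.g. b"OpenSSL 1.1.1k  25 Mar 2021".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-\w+)?)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")

def openssl_versions_in(path, chunk=1 << 20, overlap=64):
    """Return the set of OpenSSL versions whose banner is embedded in a file."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            data = tail + block      # prepend the previous tail so a banner
            tail = data[-overlap:]   # split across two reads still matches
            found.update(m.group(1).decode() for m in BANNER.finditer(data))
    return found

def scan_tree(root):
    """Map each regular file under root to the OpenSSL versions found in it."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            versions = openssl_versions_in(path)
        except OSError:              # unreadable file: skip it, keep scanning
            continue
        if versions:
            hits[path.relative_to(root).as_posix()] = sorted(versions)
    return hits

def demo():
    """Scan a constructed tree; every name and byte below is sample data."""
    samples = {
        "app/lib/vendorcrypt.bin": b"\x7fELF" + b"\x00" * 90 + b"OpenSSL 1.1.1k  25 Mar 2021\x00",
        "app/tool": b"MZ" + b"\x00" * 40 + b"OpenSSL 3.0.7 1 Nov 2022\x00",
        "app/readme.txt": b"Uses OpenSSL for file encryption.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        return scan_tree(root)

if __name__ == "__main__":
    for name, versions in sorted(demo().items()):
        print(name, versions)
```

A hit only shows that a copy of libcrypto is present in that file; as the reply above notes, the application may use it for something other than TLS.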


