Unpacking Software Livestream

Join our monthly Unpacking Software livestream to hear about the latest news, chat and opinion on packaging, software deployment and lifecycle management!

Learn More

Chocolatey Product Spotlight

Join the Chocolatey Team on our regular monthly stream where we put a spotlight on the most recent Chocolatey product releases. You'll have a chance to have your questions answered in a live Ask Me Anything format.

Learn More

Chocolatey Coding Livestream

Join us for the Chocolatey Coding Livestream, where members of our team dive into the heart of open source development by coding live on various Chocolatey projects. Tune in to witness real-time coding, ask questions, and gain insights into the world of package management. Don't miss this opportunity to engage with our team and contribute to the future of Chocolatey!

Learn More

Calling All Chocolatiers! Whipping Up Windows Automation with Chocolatey Central Management

Webinar from
Wednesday, 17 January 2024

We are delighted to announce the release of Chocolatey Central Management v0.12.0, featuring seamless Deployment Plan creation, time-saving duplications, insightful Group Details, an upgraded Dashboard, bug fixes, user interface polishing, and refined documentation. As an added bonus we'll have members of our Solutions Engineering team on-hand to dive into some interesting ways you can leverage the new features available!

Watch On-Demand
Chocolatey Community Coffee Break

Join the Chocolatey Team as we discuss all things Community, what we do, how you can get involved and answer your Chocolatey questions.

Watch The Replays
Chocolatey and Intune Overview

Webinar Replay from
Wednesday, 30 March 2022

At Chocolatey Software we strive for simple, and teaching others. Let us teach you just how simple it could be to keep your 3rd party applications updated across your devices, all with Intune!

Watch On-Demand
Chocolatey For Business. In Azure. In One Click.

Livestream from
Thursday, 9 June 2022

Join James and Josh to show you how you can get the Chocolatey For Business recommended infrastructure and workflow, created, in Azure, in around 20 minutes.

Watch On-Demand
The Future of Chocolatey CLI

Livestream from
Thursday, 04 August 2022

Join Paul and Gary to hear more about the plans for the Chocolatey CLI in the not so distant future. We'll talk about some cool new features, long term asks from Customers and Community and how you can get involved!

Watch On-Demand
Hacktoberfest Tuesdays 2022

Livestreams from
October 2022

For Hacktoberfest, Chocolatey ran a livestream every Tuesday! Re-watch Cory, James, Gary, and Rain as they share knowledge on how to contribute to open-source projects such as Chocolatey CLI.

Watch On-Demand

Downloads:

1,870,372

Downloads of v 1.0.1.20141015:

1,017

Last Update:

13 Nov 2014

Package Maintainer(s):

Software Author(s):

  • Shining Light Productions

Tags:

openssl ssl tls pfx pem key rsa

OpenSSL - The Open Source SSL and TLS toolkit

This is not the latest version of OpenSSL - The Open Source SSL and TLS toolkit available.

  • 1
  • 2
  • 3

1.0.1.20141015 | Updated: 13 Nov 2014

Downloads:

1,870,372

Downloads of v 1.0.1.20141015:

1,017

Software Author(s):

  • Shining Light Productions

OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20141015

This is not the latest version of OpenSSL - The Open Source SSL and TLS toolkit available.

  • 1
  • 2
  • 3

Some Checks Have Failed or Are Not Yet Complete

Not All Tests Have Passed


Validation Testing Unknown


Verification Testing Unknown


Scan Testing Successful:

No detections found in any package files

Details
Learn More

Deployment Method: Individual Install, Upgrade, & Uninstall

To install OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

>

To upgrade OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

>

To uninstall OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

>

Deployment Method:

NOTE

This applies to both open source and commercial editions of Chocolatey.

1. Enter Your Internal Repository Url

(this should look similar to https://community.chocolatey.org/api/v2/)


2. Setup Your Environment

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

2. Get the package into your environment

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://community.chocolatey.org/api/v2/. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Copy Your Script

choco upgrade openssl.light -y --source="'INTERNAL REPO URL'" --version="'1.0.1.20141015'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:


choco upgrade openssl.light -y --source="'INTERNAL REPO URL'" --version="'1.0.1.20141015'" 
$exitCode = $LASTEXITCODE

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0
}

Exit $exitCode

- name: Install openssl.light
  win_chocolatey:
    name: openssl.light
    version: '1.0.1.20141015'
    source: INTERNAL REPO URL
    state: present

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.


chocolatey_package 'openssl.light' do
  action    :install
  source   'INTERNAL REPO URL'
  version  '1.0.1.20141015'
end

See docs at https://docs.chef.io/resource_chocolatey_package.html.


cChocoPackageInstaller openssl.light
{
    Name     = "openssl.light"
    Version  = "1.0.1.20141015"
    Source   = "INTERNAL REPO URL"
}

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.


package { 'openssl.light':
  ensure   => '1.0.1.20141015',
  provider => 'chocolatey',
  source   => 'INTERNAL REPO URL',
}

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.


4. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

Package Approved

This package was approved by moderator ferventcoder on 16 Nov 2014.

Description

This is really 1.0.1j, but the Nuget spec doesn't allow such version identifiers, so the file versions are used.

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

The Win32 OpenSSL Installation Project is dedicated to providing a simple installation of OpenSSL. It is easy to set up and easy to use through the simple, effective installer. No need to compile anything or jump through any hoops, just click a few times and it is installed, leaving you to doing real work. Download it today! Note that these are default builds of OpenSSL and subject to local and state laws. More information can be found in the legal agreement of the installation.


tools\chocolateyInstall.ps1
$package = 'OpenSSL.Light'

try {

  #default is to plop in c:\ -- yuck!
  $installDir = Join-Path $Env:ProgramFiles 'OpenSSL'

  $params = @{
    packageName = $package;
    fileType = 'exe';
    #InnoSetup - http://unattended.sourceforge.net/InnoSetup_Switches_ExitCodes.html
    silentArgs = '/silent', '/verysilent', '/sp-', '/suppressmsgboxes',
      "/DIR=`"$installDir`"";
    url = 'https://slproweb.com/download/Win32OpenSSL_Light-1_0_1j.exe'
    url64bit = 'https://slproweb.com/download/Win64OpenSSL_Light-1_0_1j.exe'
  }

  Install-ChocolateyPackage @params

  if (!$Env:OPENSSL_CONF)
  {
    $configPath = Join-Path $installDir 'bin\openssl.cfg'

    if (Test-Path $configPath)
    {
      [Environment]::SetEnvironmentVariable(
        'OPENSSL_CONF', $configPath, 'User')

      Write-Host "Configured OPENSSL_CONF variable as $configPath"
    }
  }

  Write-ChocolateySuccess $package
} catch {
  Write-ChocolateyFailure $package "$($_.Exception.Message)"
  throw
}

Log in or click on link to see number of positives.

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Add to Builder Version Downloads Last Updated Status
OpenSSL – The Open Source SSL and TLS toolkit 3.1.3 8866 Thursday, September 28, 2023 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.1.2 10462 Wednesday, August 2, 2023 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.1.1 13300 Wednesday, May 31, 2023 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.1.0 16208 Wednesday, March 15, 2023 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.8 7434 Thursday, February 9, 2023 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.7 232533 Wednesday, November 2, 2022 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.5 122665 Wednesday, July 6, 2022 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.4 6775 Wednesday, June 22, 2022 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.3 88171 Wednesday, May 4, 2022 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.2 49514 Wednesday, March 16, 2022 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.1 55578 Wednesday, December 15, 2021 Approved
OpenSSL – The Open Source SSL and TLS toolkit 3.0.0 93008 Thursday, September 9, 2021 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.1.20181020 833290 Saturday, October 20, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.1 40896 Friday, September 14, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.80000000 29843 Tuesday, August 14, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.70000000 80814 Tuesday, March 27, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.60000000 41270 Saturday, November 4, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.50000001 20308 Wednesday, June 28, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.50000000 6169 Friday, May 26, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.40000001 3202 Saturday, May 6, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.40000000 1608 Thursday, April 27, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.20170216 14177 Thursday, February 16, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.20170126 3499 Thursday, January 26, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.20161111 8977 Friday, November 11, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.20160926 6141 Monday, September 26, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.20160923 698 Friday, September 23, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0 3130 Saturday, August 27, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20160710 3541 Sunday, July 10, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20160504 518 Wednesday, May 4, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20160428 796 Thursday, April 28, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20160302 3222 Wednesday, March 2, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20160130 1832 Saturday, January 30, 2016 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20151205 3257 Saturday, December 5, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20151010 3708 Saturday, October 10, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20150710 3285 Friday, July 10, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20150704 602 Saturday, July 4, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20150627 611 Saturday, June 27, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20150613 846 Saturday, June 13, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20150612 480 Friday, June 12, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2.20150320 1621 Friday, March 20, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.2 999 Monday, March 2, 2015 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.0.1.20150209 713 Monday, February 9, 2015 Approved
OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20141015 1017 Thursday, November 13, 2014 Approved
OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20140824 953 Sunday, August 24, 2014 Approved
OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20140411 865 Friday, April 11, 2014 Approved
OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20130603 1008 Monday, June 3, 2013 Approved
OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20121127 655 Wednesday, November 28, 2012 Approved
OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.3 931 Friday, October 12, 2012 Approved

https://www.openssl.org/news/changelog.html

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

*) SRTP Memory Leak.

A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.

The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]

*) Session Ticket Memory Leak.

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]

*) Build option no-ssl3 is incomplete.

When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]

*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]

*) Add additional DigestInfo checks.

Reencode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.

Note: this is a precautionary measure and no attacks are currently known.

[Steve Henson]

Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can be overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
(CVE-2014-3512)
[Steve Henson]

*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.

Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
(CVE-2014-3511)
[David Benjamin]

*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.

Thanks to Felix Gr�bert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
[Emilia K�sper]

*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3507)
[Adam Langley]

*) An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3506)
[Adam Langley]

*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]

*) If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory.

Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
(CVE-2014-3509)
[Gabor Tyukasz]

*) A malicious server can crash an OpenSSL client with a null pointer
dereference (read) by specifying an SRP ciphersuite even though it was not
properly negotiated with the client. This can be exploited through a
Denial of Service attack.

Thanks to Joonas Kuorilehto and Riku Hietam�ki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]

*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. Applications may be affected if they echo pretty printing
output to the attacker.

Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
[Emilia K�sper, and Steve Henson]

*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]

Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. (CVE-2014-0224)
[KIKUCHI Masashi, Steve Henson]

*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(CVE-2014-0221)
[Imre Rad, Steve Henson]

*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.

Thanks to J�ri Aedla for reporting this issue. (CVE-2014-0195)
[J�ri Aedla, Steve Henson]

*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.

Thanks to Felix Gr�bert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
[Felix Gr�bert, Ivan Fratric, Steve Henson]

*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha ([email protected])]

*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey.
[mancha ([email protected])]

*) Fix some double frees. These are not thought to be exploitable.
[mancha ([email protected])]

Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley ([email protected]) and Bodo Moeller ([email protected]) for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]

*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]

*) TLS pad extension: draft-agl-tls-padding-03

Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long.

[Adam Langley, Steve Henson]

Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

*) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
(CVE-2013-4353)

*) Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]

*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]

Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]

Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/

Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia K�sper for the initial patch.
(CVE-2013-0169)
[Emilia K�sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
Thanks go to and to Adam Langley ([email protected]) for discovering
and detecting this bug and to Wolfgang Ettlinger
([email protected]) for independently discovering this issue.
(CVE-2012-2686)
[Adam Langley]

*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]

*) Make openssl verify return errors.
[Chris Palmer ([email protected]) and Ben Laurie]

*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
[Rob Stradling ([email protected])]

*) Fix possible deadlock when decoding public keys.
[Steve Henson]

*) Don't use TLS 1.0 record version number in initial client hello
if renegotiating.
[Steve Henson]

Changes between 1.0.1b and 1.0.1c [10 May 2012]

*) Sanity check record length before skipping explicit IV in TLS
1.2, 1.1 and DTLS to avoid DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
[Steve Henson]

*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]

*) In FIPS mode don't try to use composite ciphers as they are not
approved.
[Steve Henson]

Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
mean any application compiled against OpenSSL 1.0.0 headers setting
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
0x10000000L Any application which was previously compiled against
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
will need to be recompiled as a result. Letting be results in
inability to disable specifically TLS 1.1 and in client context,
in unlike event, limit maximum offered version to TLS 1.0 [see below].
[Steve Henson]

*) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
disable just protocol X, but all protocols above X if there are
protocols below X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
client side.
[Andy Polyakov]

Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

*) Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <[email protected]> for fixing it.
(CVE-2012-2110)
[Adam Langley (Google), Tavis Ormandy, Google Security Team]

*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
[Adam Langley]

*) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes:

1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
TLS 1.2 client support entirely.
[Steve Henson]

*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
[Andy Polyakov]


This package has no dependencies.

Discussion for the OpenSSL - The Open Source SSL and TLS toolkit Package

Ground Rules:

  • This discussion is only about OpenSSL - The Open Source SSL and TLS toolkit and the OpenSSL - The Open Source SSL and TLS toolkit package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or OpenSSL - The Open Source SSL and TLS toolkit, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus