Downloads:

350,033

Downloads of v 1.0.1.20141015:

844

Last Update:

13 Nov 2014

Package Maintainer(s):

Software Author(s):

  • Shining Light Productions

Tags:

openssl SSL TLS pfx pem key RSA

OpenSSL - The Open Source SSL and TLS toolkit

This is not the latest version of OpenSSL - The Open Source SSL and TLS toolkit available.

1.0.1.20141015 | Updated: 13 Nov 2014

Downloads:

350,033

Downloads of v 1.0.1.20141015:

844

Software Author(s):

  • Shining Light Productions

OpenSSL - The Open Source SSL and TLS toolkit 1.0.1.20141015

This is not the latest version of OpenSSL - The Open Source SSL and TLS toolkit available.

All Checks are Unknown

2 Test of Unknown Status


Validation Testing Unknown


Verification Testing Unknown

To install OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

>

To upgrade OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

>

To uninstall OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

>

NOTE: This applies to both open source and commercial editions of Chocolatey.

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://chocolatey.org/api/v2. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Enter your internal repository url

(this should look similar to https://chocolatey.org/api/v2)

4. Choose your deployment method:


choco upgrade openssl.light -y --source="'STEP 3 URL'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:


choco upgrade openssl.light -y --source="'STEP 3 URL'" 
$exitCode = $LASTEXITCODE

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0
}

Exit $exitCode

- name: Ensure openssl.light installed
  win_chocolatey:
    name: openssl.light
    state: present
    version: 1.0.1.20141015
    source: STEP 3 URL

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.

Coming early 2020! Central Managment Reporting available now! More information...


chocolatey_package 'openssl.light' do
  action    :install
  version  '1.0.1.20141015'
  source   'STEP 3 URL'
end

See docs at https://docs.chef.io/resource_chocolatey_package.html.


Chocolatey::Ensure-Package
(
    Name: openssl.light,
    Version: 1.0.1.20141015,
    Source: STEP 3 URL
);

Requires Otter Chocolatey Extension. See docs at https://inedo.com/den/otter/chocolatey.


cChocoPackageInstaller openssl.light
{
   Name     = 'openssl.light'
   Ensure   = 'Present'
   Version  = '1.0.1.20141015'
   Source   = 'STEP 3 URL'
}

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.


package { 'openssl.light':
  provider => 'chocolatey',
  ensure   => '1.0.1.20141015',
  source   => 'STEP 3 URL',
}

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.


salt '*' chocolatey.install openssl.light version="1.0.1.20141015" source="STEP 3 URL"

See docs at https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.chocolatey.html.

5. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

This package was approved by moderator ferventcoder on 16 Nov 2014.

Description

This is really 1.0.1j, but the Nuget spec doesn't allow such version identifiers, so the file versions are used.

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

The Win32 OpenSSL Installation Project is dedicated to providing a simple installation of OpenSSL. It is easy to set up and easy to use through the simple, effective installer. No need to compile anything or jump through any hoops, just click a few times and it is installed, leaving you to doing real work. Download it today! Note that these are default builds of OpenSSL and subject to local and state laws. More information can be found in the legal agreement of the installation.

tools\chocolateyInstall.ps1
$package = 'OpenSSL.Light'

try {

  #default is to plop in c:\ -- yuck!
  $installDir = Join-Path $Env:ProgramFiles 'OpenSSL'

  $params = @{
    packageName = $package;
    fileType = 'exe';
    #InnoSetup - http://unattended.sourceforge.net/InnoSetup_Switches_ExitCodes.html
    silentArgs = '/silent', '/verysilent', '/sp-', '/suppressmsgboxes',
      "/DIR=`"$installDir`"";
    url = 'https://slproweb.com/download/Win32OpenSSL_Light-1_0_1j.exe'
    url64bit = 'https://slproweb.com/download/Win64OpenSSL_Light-1_0_1j.exe'
  }

  Install-ChocolateyPackage @params

  if (!$Env:OPENSSL_CONF)
  {
    $configPath = Join-Path $installDir 'bin\openssl.cfg'

    if (Test-Path $configPath)
    {
      [Environment]::SetEnvironmentVariable(
        'OPENSSL_CONF', $configPath, 'User')

      Write-Host "Configured OPENSSL_CONF variable as $configPath"
    }
  }

  Write-ChocolateySuccess $package
} catch {
  Write-ChocolateyFailure $package "$($_.Exception.Message)"
  throw
}

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Version Downloads Last Updated Status
OpenSSL – The Open Source SSL and TLS toolkit 1.1.1 32290 Friday, September 14, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.80000000 29273 Tuesday, August 14, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.70000000 79603 Tuesday, March 27, 2018 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.60000000 37978 Saturday, November 4, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.50000001 20054 Wednesday, June 28, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.50000000 5722 Friday, May 26, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.40000001 2952 Saturday, May 6, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.40000000 1332 Thursday, April 27, 2017 Approved
OpenSSL – The Open Source SSL and TLS toolkit 1.1.0.20170216 13976 Thursday, February 16, 2017 Approved

https://www.openssl.org/news/changelog.html

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

*) SRTP Memory Leak.

   A flaw in the DTLS SRTP extension parsing code allows an attacker, who
   sends a carefully crafted handshake message, to cause OpenSSL to fail
   to free up to 64k of memory causing a memory leak. This could be
   exploited in a Denial Of Service attack. This issue affects OpenSSL
   1.0.1 server implementations for both SSL/TLS and DTLS regardless of
   whether SRTP is used or configured. Implementations of OpenSSL that
   have been compiled with OPENSSL_NO_SRTP defined are not affected.

   The fix was developed by the OpenSSL team.
   (CVE-2014-3513)
   [OpenSSL team]

*) Session Ticket Memory Leak.

   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   integrity of that ticket is first verified. In the event of a session
   ticket integrity check failing, OpenSSL will fail to free memory
   causing a memory leak. By sending a large number of invalid session
   tickets an attacker could exploit this issue in a Denial Of Service
   attack.
   (CVE-2014-3567)
   [Steve Henson]

*) Build option no-ssl3 is incomplete.

   When OpenSSL is configured with "no-ssl3" as a build option, servers
   could accept and complete a SSL 3.0 handshake, and clients could be
   configured to send them.
   (CVE-2014-3568)
   [Akamai and the OpenSSL team]

*) Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   (CVE-2014-3566)
   [Adam Langley, Bodo Moeller]

*) Add additional DigestInfo checks.

   Reencode DigestInto in DER and check against the original when
   verifying RSA signature: this will reject any improperly encoded
   DigestInfo structures.

   Note: this is a precautionary measure and no attacks are currently known.

   [Steve Henson]

Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
   SRP code can be overrun an internal buffer. Add sanity check that
   g, A, B < N to SRP code.

   Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
   Group for discovering this issue.
   (CVE-2014-3512)
   [Steve Henson]

*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
   TLS 1.0 instead of higher protocol versions when the ClientHello message
   is badly fragmented. This allows a man-in-the-middle attacker to force a
   downgrade to TLS 1.0 even if both the server and the client support a
   higher protocol version, by modifying the client's TLS records.

   Thanks to David Benjamin and Adam Langley (Google) for discovering and
   researching this issue.
   (CVE-2014-3511)
   [David Benjamin]

*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   to a denial of service attack. A malicious server can crash the client
   with a null pointer dereference (read) by specifying an anonymous (EC)DH
   ciphersuite and sending carefully crafted handshake messages.

   Thanks to Felix Gr�bert (Google) for discovering and researching this
   issue.
   (CVE-2014-3510)
   [Emilia K�sper]

*) By sending carefully crafted DTLS packets an attacker could cause openssl
   to leak memory. This can be exploited through a Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   (CVE-2014-3507)
   [Adam Langley]

*) An attacker can force openssl to consume large amounts of memory whilst
   processing DTLS handshake messages. This can be exploited through a
   Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   (CVE-2014-3506)
   [Adam Langley]

*) An attacker can force an error condition which causes openssl to crash
   whilst processing DTLS packets due to memory being freed twice. This
   can be exploited through a Denial of Service attack.
   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   this issue.
   (CVE-2014-3505)
   [Adam Langley]

*) If a multithreaded client connects to a malicious server using a resumed
   session and the server sends an ec point format extension it could write
   up to 255 bytes to freed memory.

   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   issue.
   (CVE-2014-3509)
   [Gabor Tyukasz]

*) A malicious server can crash an OpenSSL client with a null pointer
   dereference (read) by specifying an SRP ciphersuite even though it was not
   properly negotiated with the client. This can be exploited through a
   Denial of Service attack.

   Thanks to Joonas Kuorilehto and Riku Hietam�ki (Codenomicon) for
   discovering and researching this issue.
   (CVE-2014-5139)
   [Steve Henson]

*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
   X509_name_oneline, X509_name_print_ex et al. to leak some information
   from the stack. Applications may be affected if they echo pretty printing
   output to the attacker.

   Thanks to Ivan Fratric (Google) for discovering this issue.
   (CVE-2014-3508)
   [Emilia K�sper, and Steve Henson]

*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)
   [Bodo Moeller]

Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.

 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
 researching this issue. (CVE-2014-0224)
 [KIKUCHI Masashi, Steve Henson]

*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.

 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
 (CVE-2014-0221)
 [Imre Rad, Steve Henson]

*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.

 Thanks to J�ri Aedla for reporting this issue. (CVE-2014-0195)
 [J�ri Aedla, Steve Henson]

*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.

 Thanks to Felix Gr�bert and Ivan Fratric at Google for discovering
 this issue. (CVE-2014-3470)
 [Felix Gr�bert, Ivan Fratric, Steve Henson]

*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha ([email protected])]

*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey.
[mancha ([email protected])]

*) Fix some double frees. These are not thought to be exploitable.
[mancha ([email protected])]

Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

 Thanks for Neel Mehta of Google Security for discovering this bug and to
 Adam Langley ([email protected]) and Bodo Moeller ([email protected]) for
 preparing the fix (CVE-2014-0160)
 [Adam Langley, Bodo Moeller]

*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

 Thanks to Yuval Yarom and Naomi Benger for discovering this
 flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
 [Yuval Yarom and Naomi Benger]

*) TLS pad extension: draft-agl-tls-padding-03

 Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
 TLS client Hello record length value would otherwise be > 255 and
 less that 512 pad with a dummy extension containing zeroes so it
 is at least 512 bytes long.

 [Adam Langley, Steve Henson]

Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

*) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
(CVE-2013-4353)

*) Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]

*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]

Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]

Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

 This addresses the flaw in CBC record processing discovered by
 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
 at: http://www.isg.rhul.ac.uk/tls/

 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
 Security Group at Royal Holloway, University of London
 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
 Emilia K�sper for the initial patch.
 (CVE-2013-0169)
 [Emilia K�sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
Thanks go to and to Adam Langley ([email protected]) for discovering
and detecting this bug and to Wolfgang Ettlinger
([email protected]) for independently discovering this issue.
(CVE-2012-2686)
[Adam Langley]

*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]

*) Make openssl verify return errors.
[Chris Palmer ([email protected]) and Ben Laurie]

*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
[Rob Stradling ([email protected])]

*) Fix possible deadlock when decoding public keys.
[Steve Henson]

*) Don't use TLS 1.0 record version number in initial client hello
if renegotiating.
[Steve Henson]

Changes between 1.0.1b and 1.0.1c [10 May 2012]

*) Sanity check record length before skipping explicit IV in TLS
1.2, 1.1 and DTLS to avoid DoS attack.

 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
 fuzzing as a service testing platform.
 (CVE-2012-2333)
 [Steve Henson]

*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]

*) In FIPS mode don't try to use composite ciphers as they are not
approved.
[Steve Henson]

Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
mean any application compiled against OpenSSL 1.0.0 headers setting
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
0x10000000L Any application which was previously compiled against
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
will need to be recompiled as a result. Letting be results in
inability to disable specifically TLS 1.1 and in client context,
in unlike event, limit maximum offered version to TLS 1.0 [see below].
[Steve Henson]

*) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
disable just protocol X, but all protocols above X if there are
protocols below X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
client side.
[Andy Polyakov]

Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

*) Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

 Thanks to Tavis Ormandy, Google Security Team, for discovering this
 issue and to Adam Langley <[email protected]> for fixing it.
 (CVE-2012-2110)
 [Adam Langley (Google), Tavis Ormandy, Google Security Team]

*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
[Adam Langley]

*) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes:

 1. Do not use record version number > TLS 1.0 in initial client
    hello: some (but not all) hanging servers will now work.
 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
    the number of ciphers sent in the client hello. This should be
    set to an even number, such as 50, for example by passing:
    -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
    Most broken servers should now work.
 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
    TLS 1.2 client support entirely.
 [Steve Henson]

*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
[Andy Polyakov]


This package has no dependencies.

Discussion for the OpenSSL - The Open Source SSL and TLS toolkit Package

Ground Rules:

  • This discussion is only about OpenSSL - The Open Source SSL and TLS toolkit and the OpenSSL - The Open Source SSL and TLS toolkit package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or OpenSSL - The Open Source SSL and TLS toolkit, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus