OpenSSL 3.0.7
-
- Posts: 8
- Joined: Tue Nov 08, 2022 7:36 am
Re: OpenSSL 3.0.7
Hello uwestoehr,
thank you.
One question... Why is the OpenSSL file version 3.0.0.0 still in the new package if you say that 3.0.7.0 is used?
Re: OpenSSL 3.0.7
Pagrossman wrote: ↑Wed Dec 07, 2022 9:05 pm
> One question... Why is the OpenSSL file version 3.0.0.0 still in the new package if you say that 3.0.7.0 is used?
Where do you see it?
-
- Posts: 8
- Joined: Tue Nov 08, 2022 7:36 am
Re: OpenSSL 3.0.7
3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3d.dll
Re: OpenSSL 3.0.7
Pagrossman wrote: ↑Thu Dec 08, 2022 7:36 am
> 3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3d.dll
Thanks. This is the library used for debugging. It can be ignored, but of course it is unnecessary to have them in the installer.
I have now uploaded a new installer where this file is no longer included.
Re: OpenSSL 3.0.7
Is the vulnerability patch mentioned in the v0.20.2 Changelog?
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
Re: OpenSSL 3.0.7
There is no vulnerability patch. FreeCAD is in fact not vulnerable, a DoS attack is impossible.
Moreover, as we found out, we are bound to Python that requires OpenSSL 1.1.x. For the Windows installer I included OpenSSL 3.0.7 but apparently it is not used by FreeCAD, at least I could not find what component might use it.
-
- Posts: 1
- Joined: Thu Jan 12, 2023 12:45 am
- Contact:
Re: OpenSSL 3.0.7
Hi all, I downloaded the latest 0.20.2 and the following DLLs (libcrypto-3, libcrypto-3-x64, libssl-3 and libssl-3-x64) are still version 3.0.0. To resolve this and the reported vulnerabilities associated with OpenSSL 3.0.0 I downloaded the OpenSSL 3.0.7 binaries and replaced the above files with the ones downloaded.
This resolved the reported vulnerabilities all except for the DLL named libssl-3d.dll which also resides in the "bin" folder under %ProgramFiles%\freecad 0.20. This DLL is also version 3.0.0, however this particular DLL does not exist in the downloaded binaries on the OpenSSL 3.0.7 download?
Does anyone know where libssl-3d.dll comes from?
Re: OpenSSL 3.0.7
> FreeCAD is in fact not vulnerable, a DoS attack is impossible.
This is not correct. It's very unlikely but not impossible. The StartPage module uses a full-featured web engine that allows it to access arbitrary web pages.
> For the Windows installer I included OpenSSL 3.0.7 but apparently it is not used by FreeCAD, at least I could not find what component might use it.
OpenSSL 3.x is required by Qt's QtNetwork module in order to support https. Older versions like OpenSSL 1.x don't work any more because they lack some features Qt needs. QtNetwork doesn't directly link the OpenSSL DLL but loads it at runtime, so you cannot see the dependency with tools like Dependency Walker. You need a tool like Process Explorer to see which DLLs are loaded at runtime by a process.
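An added example, not part of the post above or of FreeCAD's own tooling: a PowerShell inventory of the OpenSSL DLLs in the install's bin folder that reports each file's version, whether it is older than 3.0.7, whether its name marks it as a debug build, and whether the running process has it loaded. The process name `FreeCAD`, the file-name pattern and the install path (taken from the thread) are assumptions to adjust.

```powershell
# Added example: compare OpenSSL DLLs on disk with those loaded at runtime.
# Assumptions: install path, process name and file-name pattern below.
$BinDir     = 'C:\Program Files\FreeCAD 0.20\bin'  # path as quoted in the thread
$ProcName   = 'FreeCAD'                             # assumed process name
$MinVersion = [version]'3.0.7.0'                    # version discussed in the thread
$Pattern    = '^lib(ssl|crypto)-3.*\.dll$'          # assumed naming of the OpenSSL 3 DLLs

function Get-DllVersion([string]$Path) {
    # Build a comparable [version] from the numeric parts of the file version resource
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                   $vi.FileBuildPart, $vi.FilePrivatePart)
}

# Full paths of OpenSSL DLLs currently mapped into the process.
# Empty if FreeCAD is not running or has not loaded them yet.
$loaded = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.ModuleName -match $Pattern } |
    ForEach-Object { $_.FileName.ToLowerInvariant() })

# One row per OpenSSL DLL found in the bin folder
Get-ChildItem -LiteralPath $BinDir -File |
    Where-Object { $_.Name -match $Pattern } |
    ForEach-Object {
        $v = Get-DllVersion $_.FullName
        [pscustomobject]@{
            File     = $_.Name
            Version  = $v
            Outdated = $v -lt $MinVersion
            Debug    = $_.BaseName -match 'd$'  # "d" suffix: debug build, per the thread
            Loaded   = $loaded -contains $_.FullName.ToLowerInvariant()
        }
    } | Format-Table -AutoSize

# Loaded OpenSSL DLLs that were resolved from somewhere other than $BinDir
$loaded | Where-Object { -not $_.StartsWith($BinDir.ToLowerInvariant()) }
```

Run it from a 64-bit PowerShell session while FreeCAD is open; the `Loaded` column is a snapshot, so a DLL that is loaded on demand shows `False` until the process has actually loaded it.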
Re: OpenSSL 3.0.7
freecaduser_789 wrote: ↑Thu Jan 12, 2023 1:06 am
> except for the DLL named libssl-3d.dll which also resides in the "bin" folder
I do not know the specifics for this file, but most dll files with a name ending in "d" are debug versions. Not necessary for ordinary release versions of FreeCAD.
You can try renaming the file to effectively hide it and then see if there are any problems.
This file is included in some version 0.20 FreeCAD installations I have, but not in version 0.21 installations. It is also included in the LibPack that is used for compiling FreeCAD, but those compilations could include debug versions if the user wishes.
I suspect it is a leftover from developing and testing, and it is a mistake that it is included in the release version 0.20.
Gene
Re: OpenSSL 3.0.7
freecaduser_789 wrote: ↑Thu Jan 12, 2023 1:06 am
> Hi all, I downloaded the latest 0.20.2 and the following DLLs (libcrypto-3, libcrypto-3-x64, libssl-3 and libssl-3-x64) are still version 3.0.0.
Then your installation is somehow broken. The installer only contains a "libcrypto-3-x64.dll", not also a "libcrypto-3.dll". The DLL is version 3.0.7.
I recommend that you uninstall and then subsequently reinstall FreeCAD 0.20.2 using the latest installer linked at our webpage.
This is a debug DLL. As you have this, it seems you once installed a weekly or preliminary build. Such a file is not included in the final installer.