OpenSSL 3.0.7

Pagrossman
Posts: 8
Joined: Tue Nov 08, 2022 7:36 am

Re: OpenSSL 3.0.7

Post by Pagrossman »

Hello uwestoehr,

thank you.

One question... Why is the OpenSSL file version 3.0.0.0 still in the new package if you say that 3.0.7.0 is used?
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany

Re: OpenSSL 3.0.7

Post by uwestoehr »

Pagrossman wrote: Wed Dec 07, 2022 9:05 pm One question... Why is the OpenSSL file version 3.0.0.0 still in the new package if you say that 3.0.7.0 is used?
Where do you see it?
Pagrossman
Posts: 8
Joined: Tue Nov 08, 2022 7:36 am

Re: OpenSSL 3.0.7

Post by Pagrossman »

3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3d.dll

uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany

Re: OpenSSL 3.0.7

Post by uwestoehr »

Pagrossman wrote: Thu Dec 08, 2022 7:36 am 3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3d.dll
Thanks. This is the library used for debugging. It can be ignored, but of course it is unnecessary to have it in the installer.

I have now uploaded a new installer where this file is no longer included.
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: OpenSSL 3.0.7

Post by Kunda1 »

Is the vulnerability patch mentioned in the v0.20.2 Changelog?
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany

Re: OpenSSL 3.0.7

Post by uwestoehr »

Kunda1 wrote: Thu Dec 29, 2022 1:36 pm Is the vulnerability patch mentioned in the v0.20.2 Changelog?
There is no vulnerability patch. FreeCAD is in fact not vulnerable, a DoS attack is impossible.
Moreover, as we found out, we are bound to Python, which requires OpenSSL 1.1.x. For the Windows installer I included OpenSSL 3.0.7 but apparently it is not used by FreeCAD, at least I could not find what component might use it.
freecaduser_789
Posts: 1
Joined: Thu Jan 12, 2023 12:45 am

Re: OpenSSL 3.0.7

Post by freecaduser_789 »

Hi all, I downloaded the latest 0.20.2 and the following DLLs (libcrypto-3, libcrypto-3-x64, libssl-3 and libssl-3-x64) are still version 3.0.0. To resolve this and the reported vulnerabilities associated with OpenSSL 3.0.0 I downloaded the OpenSSL 3.0.7 binaries and replaced the above files with the ones downloaded.

This resolved the reported vulnerabilities all except for the DLL named libssl-3d.dll which also resides in the "bin" folder under %ProgramFiles%\freecad 0.20. This DLL is also version 3.0.0, however this particular DLL does not exist in the downloaded binaries on the OpenSSL 3.0.7 download?

Does anyone know where libssl-3d.dll comes from?
wmayer
Founder
Posts: 20309
Joined: Thu Feb 19, 2009 10:32 am

Re: OpenSSL 3.0.7

Post by wmayer »

"FreeCAD is in fact not vulnerable, a DoS attack is impossible."
This is not correct. It's very unlikely but not impossible. The StartPage module uses a full-featured web engine that allows it to access arbitrary web pages.
"For the Windows installer I included OpenSSL 3.0.7 but apparently it is not used by FreeCAD, at least I could not find what component might use it."
OpenSSL 3.x is required by Qt's QtNetwork module in order to support https. Older versions like OpenSSL 1.x don't work any more because they lack some features Qt needs. QtNetwork doesn't directly link the OpenSSL DLL but loads it at runtime, so you cannot see the dependency with tools like Dependency Walker. You need a tool like Process Explorer to see which DLLs are loaded at runtime by a process.
GeneFC
Veteran
Posts: 5373
Joined: Sat Mar 19, 2016 3:36 pm
Location: Punta Gorda, FL

Re: OpenSSL 3.0.7

Post by GeneFC »

freecaduser_789 wrote: Thu Jan 12, 2023 1:06 am except for the DLL named libssl-3d.dll which also resides in the "bin" folder
I do not know the specifics for this file, but most dll files with a name ending in "d" are debug versions. Not necessary for ordinary release versions of FreeCAD.

You can try renaming the file to effectively hide it and then see if there are any problems.

This file is included in some version 0.20 FreeCAD installations I have, but not in version 0.21 installations. It is also included in the LibPack that is used for compiling FreeCAD, but those compilations could include debug versions if the user wishes.

I suspect it is a leftover from developing and testing, and it is a mistake that it is included in the release version 0.20.

Gene
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany

Re: OpenSSL 3.0.7

Post by uwestoehr »

freecaduser_789 wrote: Thu Jan 12, 2023 1:06 am Hi all, I downloaded the latest 0.20.2 and the following DLLs (libcrypto-3, libcrypto-3-x64, libssl-3 and libssl-3-x64) are still version 3.0.0.
Then your installation is somehow broken. The installer only contains a "libcrypto-3-x64.dll", not also a "libcrypto-3.dll". The DLL is version 3.0.7.

I recommend that you uninstall and then reinstall FreeCAD 0.20.2 using the latest installer linked at our webpage.
freecaduser_789 wrote: Thu Jan 12, 2023 1:06 am Does anyone know where libssl-3d.dll comes from?
This is a debug DLL. As you have this, it seems you once installed a weekly or preliminary build. Such a file is not included in the final installer.
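
The two checks discussed in this thread (the file versions of the OpenSSL DLLs on disk, and which of them a running FreeCAD process has actually loaded), as an added PowerShell example that is not from any poster or from the FreeCAD project. The install path and the process name `FreeCAD` are assumptions; adjust them for your system.

```powershell
# Added example: inventory OpenSSL DLLs shipped with FreeCAD and those loaded at runtime.
# Assumptions: install path and process name; 3.0.7.0 is the version named in the thread.
$BinDir   = Join-Path $env:ProgramFiles 'FreeCAD 0.20\bin'
$Expected = [version]'3.0.7.0'
$Pattern  = '^(libssl|libcrypto)'

function Get-OpenSslDllInfo {
    param([Parameter(Mandatory)][string[]]$Path, [string]$Source)
    foreach ($p in $Path) {
        $vi  = (Get-Item -LiteralPath $p).VersionInfo
        # Build the version from the numeric parts; FileVersion strings vary in format.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Source    = $Source
            File      = $p
            Version   = $ver
            # Only compare within the 3.x branch; 1.1.x DLLs are a separate release line.
            Outdated  = ($ver.Major -eq 3 -and $ver -lt $Expected)
            # A trailing "d" after the version digit (libssl-3d.dll) marks a debug build by convention.
            DebugName = ([IO.Path]::GetFileNameWithoutExtension($p) -match '\dd$')
        }
    }
}

# 1) What is installed: every libssl*/libcrypto* DLL in the bin folder.
$onDisk = Get-ChildItem -LiteralPath $BinDir -Filter '*.dll' |
    Where-Object Name -Match $Pattern |
    ForEach-Object FullName

# 2) What is in use: modules mapped into running FreeCAD processes.
#    A DLL loaded on demand only shows up once the feature needing it has run,
#    so trigger an https request in the application before trusting an empty result.
$loaded = Get-Process -Name 'FreeCAD' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object ModuleName -Match $Pattern |
    ForEach-Object FileName |
    Sort-Object -Unique

$report = @()
if ($onDisk) { $report += Get-OpenSslDllInfo -Path $onDisk -Source 'disk' }
if ($loaded) { $report += Get-OpenSslDllInfo -Path $loaded -Source 'loaded' }
$report | Sort-Object Source, File | Format-Table -AutoSize
```

A file that appears under `disk` but never under `loaded` is present in the installation without being mapped into the process at the time of the check.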