OpenSSL and manual updating of software

26th September 2016 – Current versions: 0.9.8zh – 1.0.2j – 1.1.0b

https://www.openssl.org/news/secadv/20160926.txt 
https://www.openssl.org/news/newslog.html

OpenSSL just got another major update, and now the pre-compiled binaries for Windows are available from
https://www.openssl.org/community/binaries.html 


Many common programs use the standard DLLs available from either of the 2 main distributors, but it is just as common that the vendors do not release new updates when the SSL libs get updated.
The common practice is to update after a flaw has been used, rather than pre-empt a problem.
However, if your software does use the standard libs, you have a very good chance of replacing them yourself without any problems.

Use Windows search to look in your “Program Files” and “Program Files (x86)” folders for either of the 2 files:
“libeay32.dll” or “ssleay32.dll”
You can easily compare the versions by adding a new column in the search results.
Right-click on any of the column headings, e.g. “Name”, “Date” or “Size”, and choose the option “More…” at the bottom.
Now scroll through the list and look for “File Version”, and enable it.

You should rename or back up the 2 DLLs with each program before putting the new files in.
If the updated files do not work, you may need an alternative compiled version, and will have to contact the author of your software, or make a post in their forums.
Good anti-virus programs will block you from changing or deleting files in these folders, so you will have to temporarily disable “Realtime scanning”.
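
The search, version check and backup steps above as a PowerShell script. This is an added example, not part of the original post; the function names, the output columns and the `.bak-<date>` naming are assumptions made for illustration.

```powershell
# Added example: inventory the OpenSSL DLLs bundled with installed programs.
# Function names, columns and backup naming are choices made for this example.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$names = 'libeay32.dll', 'ssleay32.dll'

function Get-BundledOpenSsl {
    # Find every copy of the two DLLs and report its version, date and hash.
    param([string[]]$Path = $roots)
    Get-ChildItem -Path $Path -Include $names -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Program     = $_.Directory.Name
                File        = $_.Name
                FileVersion = $_.VersionInfo.FileVersion
                Modified    = $_.LastWriteTime.ToString('yyyy-MM-dd')
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                FullName    = $_.FullName
            }
        }
}

function Backup-BundledOpenSsl {
    # Copy each DLL to <name>.bak-<date> next to the original before it is replaced.
    param([Parameter(ValueFromPipeline)]$Item)
    process {
        $dest = '{0}.bak-{1}' -f $Item.FullName, (Get-Date -Format 'yyyyMMdd')
        if (-not (Test-Path -LiteralPath $dest)) {
            Copy-Item -LiteralPath $Item.FullName -Destination $dest
        }
        $dest   # return the backup path so it can be logged
    }
}

$found = Get-BundledOpenSsl
# Sorting by version puts the oldest copies at the top of the table.
$found | Sort-Object FileVersion, Program |
    Format-Table Program, File, FileVersion, Modified -AutoSize

# Uncomment to back up every copy found (needs an elevated prompt,
# because the Program Files folders are not writable by standard users):
# $found | Backup-BundledOpenSsl
```

Running `Get-BundledOpenSsl` again after swapping the files and comparing the SHA256 column confirms that the new DLLs are the ones actually in place.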

Some example software I manually update:
Trillian
Last.fm scrobbler
raptr game tracker
Speedfan
CoreFTP

Mostly these applications log into my personal accounts repeatedly and regularly, so it is good to keep them as secure as possible.
The author of “Speedfan” has made the wise choice of not including the DLLs with his program, but giving a link to the OpenSSL site.
Speedfan can send debug info via email, and using SSL is an option you can add when / if you need it.
As it only uses it for email, if there is no change in that part of the SSL libs it may not need updating, but I still do just so I don’t have old insecure libs floating around my PC.

You also may not “need” to update, depending on the version of OpenSSL and what the software uses it for.
Look up any versions you see listed on your PC on the Vulnerabilities page.
https://www.openssl.org/news/vulnerabilities.html

If you notice that your current SSL DLLs are very old, but the software is regularly updated, you should raise it as a topic in their forums.
