OpenSSL 3.0.7

Post by uwestoehr »

duane3104 wrote: Thu Nov 17, 2022 9:51 pm My Windows V0.20 appears to use OpenSSL 1.1.1L not the 3.0.0 version.
Yes, this is correct. FreeCAD for Windows (what we offer to download) is OpenSSL 1.1.1.

For the upcoming FreeCAD 0.20.2 release I will update this to OpenSSL 3.0.7 (or whatever might be the latest version.)

Note that for all other OSes, the OpenSSL version depends on your distribution; FreeCAD is not responsible for the OpenSSL version used.

Post by duane3104 »

Thanks very much @uwestoehr

Post by Pagrossman »

duane3104 wrote: Thu Nov 17, 2022 9:51 pm @Pagrossman

First, I am a total noob so please forgive me if this is a stupid question.

But you say in your original post that FreeCAD uses OpenSSL 3.0.0.

My Windows V0.20 appears to use OpenSSL 1.1.1L not the 3.0.0 version.

Would that mean that recent Windows versions would not be affected?

Perhaps the Linux versions use the 3.0.0 library?

Thanks very much for any comments.
Hi duane3104,

thank you for your reply.

You are right, and it seems that V0.20 uses version 1.1.1, but at the same time the setup also installs version 3.0.0.
As you wrote, versions 1.* are not vulnerable. Unfortunately, versions 3.0.0 - 3.0.6 are vulnerable.

Version - path:
3.0.0.0 - c:\program files\freecad 0.20\bin\libcrypto-3.dll
3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3.dll
3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3d.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\dlls\libcrypto-1_1.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\dlls\libssl-1_1.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\libcrypto-1_1-x64.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\libssl-1_1-x64.dll

I don't know why the setup installs the 3.* versions, but it installs them.
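
An added example, not part of the original post and not FreeCAD project code: a PowerShell inventory of the OpenSSL DLLs under an install folder, flagging file versions in the 3.0.0 - 3.0.6 range named in the post above. The default path is taken from the listing; treating the DLL's file version resource as the OpenSSL version is an assumption.

```powershell
# Added example: list bundled OpenSSL DLLs and flag the 3.0.0 - 3.0.6 range.
param(
    # Assumption: install folder as shown in the listing above.
    [string]$Root = 'C:\Program Files\FreeCAD 0.20'
)

$low  = [version]'3.0.0'
$high = [version]'3.0.6'

Get-ChildItem -Path $Root -Recurse -File -Include 'libcrypto*.dll', 'libssl*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        if ([string]::IsNullOrEmpty($vi.FileVersion)) {
            # No version resource: cannot classify, so report it for manual review.
            $version = $null
            $status  = 'no version resource'
        }
        else {
            # Use the numeric parts; the FileVersion string may carry suffixes.
            $version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
            $status  = if ($version -ge $low -and $version -le $high) {
                'in 3.0.0-3.0.6 range'
            } else {
                'outside range'
            }
        }
        [pscustomobject]@{
            Version = $version
            Status  = $status
            Path    = $_.FullName
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

The script only reports what is on disk; whether a flagged DLL is actually loaded by the application has to be checked separately.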

Post by uwestoehr »

duane3104 wrote: Thu Nov 17, 2022 9:51 pm I don't know why the setup installs the versions 3.*, but it installs it.
It copies the files. No installation is done.
However, I set up a new LibPack with only OpenSSL 3.x. This works, but there must be a reason why we have the 1.1.1 OpenSSL in the "dlls" subfolder.

That is what I meant by saying that changing the LibPack usually requires a full day, since only proper testing reveals issues.
However, I am onto it and FreeCAD 0.20.2 will come with the updated OpenSSL.
duane3104 wrote: Thu Nov 17, 2022 9:51 pm As you wrote, versions 1.* are not vulnerable. Unfortunately, versions 3.0.0 - 3.0.6 are vulnerable.
Again, please state in what way this is a critical issue for FreeCAD. As it is, I don't see a critical issue since DoS attacks etc. won't work with the way OpenSSL is integrated into FreeCAD.

Post by Pagrossman »

I never said that this is a critical issue.

I only point out a vulnerability in the OpenSSL that is included in FreeCAD.

The vulnerability description also mentions potential remote code execution. I don't know how OpenSSL is used in FreeCAD, so I could only point out this vulnerability.

Post by uwestoehr »

FreeCAD 0.20.2 for Windows comes with OpenSSL 3.0.7:
https://github.com/FreeCAD/FreeCAD/rele ... ller-1.exe

If you encounter any problems, please report back.

Post by Pagrossman »

Thank you uwestoehr!

Post by uwestoehr »

For information:

- For FC 0.20.x we offer support for Windows 7, therefore we cannot upgrade Python 3.8.x.
- Python 3.8.x is fixed to OpenSSL 1.1.x.

Therefore, for Python, OpenSSL 1.1 will stay.

For other usages of SSL, OpenSSL 3.0.7 will be used.

FreeCAD 0.20.2 will most probably never officially be released to fix this and an AddonManager issue. I will post the final decision here.

Post by Pagrossman »

ou...

I wanted to download the win x64 installer today, but the link doesn't work.

Do you have a link that works?

Post by uwestoehr »

uwestoehr wrote: Tue Dec 06, 2022 11:30 pm FreeCAD 0.20.2 will most probably never officially be released to fix this and an AddonManager issue. I will post the final decision here.
It will and is now: I re-tagged the release including the AddonManager fix.

New Windows binaries to test are now available:
https://github.com/FreeCAD/FreeCAD/releases/tag/0.20.2