OpenSSL 1.0.1s and 1.0.2g

OpenSSL updates for 1.0.1 and 1.0.2

Again this post is a little late but the updates on the Fulgan Mirror are not 😉

Direct Links

https://indy.fulgan.com/SSL/openssl-1.0.2g-x64_86-win64.zip
https://indy.fulgan.com/SSL/openssl-1.0.2g-i386-win32.zip

https://indy.fulgan.com/SSL/openssl-1.0.1s-x64_86-win64.zip
https://indy.fulgan.com/SSL/openssl-1.0.1s-i386-win32.zip

Recommended Version (1.0.2g) highlighted.

End of Lifetime notice
0.9.8 branch support already ceased.
Support for the 1.0.1 branch will cease on 12/31/2016, too. Users of the 1.0.1 branch are advised to upgrade within this period.

See the official OpenSSL Release Strategy.

LinkLibs
For those interested in the Link Libs and Definitions, have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

IMPORTANT EDIT: See comments, Indy has problems loading the new libraries. I am going to inform the team, an Indy Update is likely going to be necessary. The libraries as is are working correctly. Hopefully they can help out in the meantime to fix this. As I am out of town my own Delphi tests will be delayed until the end of next week 😦 If urgently needed (as high security risks have been fixed), consider switching to SLProWeb OpenSSL releases in the meantime (but I can’t tell if they fail, too. And they require VC++ runtime DLLs, see their website)!

Turned out that this User didn’t update his Indy installation:

Important Note from the Indy Team
Our team member Remy LeBeau told me yesterday that if you use these libraries with Indy / Delphi, you must use one of the more recent Indy Versions, otherwise loading will fail with “EIdOSSLCouldNotLoadSSLLibrary”. Thanks Remy for clarification! All Versions after September 2015 should work. The current Indy Version is 10.6.2.5345. Versions like e.g. 10.6.0.5167 will fail. This is due to some changes in the OpenSSL headers which were required: SSLv2 is deprecated in the OpenSSL libraries now and old Indy Versions check if these functions exist. See: http://www.indyproject.org/Sockets/blogs/changelog/20150907.de.aspx

Cheers,
Frederik

OpenSSL 1.0.2f, 1.0.1r Security Updates and EOL Announcements

OpenSSL updates for 1.0.2 and 1.0.1

My updates have been available on the Fulgan Mirror since January 28th, 2016. If I don’t have the time to publish a blog post, consider checking the mirror using the link given. Our mirror is updated once a day, so the updates should be available to the public within 24 hrs after the official OpenSSL announcement.

If you didn’t update yet, please consider updating ASAP.

Direct Links

http://indy.fulgan.com/SSL/openssl-1.0.2f-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2f-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1r-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1r-x64_86-win64.zip

Recommended Version (1.0.2f) highlighted.

About the Update
This update fixes several issues, one of high severity.
1) High Severity: To make a long story short, safe primes were not used in all situations.
2) Fallback to unsafe / disabled ciphers has been blocked for SSLv2.
3) LogJam protection has been enhanced.

See the full advisory here: OpenSSL Security Advisory 20160128

Important End of Lifetime notice
The support for the 0.9.8 and 1.0.0 Branch ceased on 12/31/2015! No further updates and security fixes are made available for those branches. Please use one of the above mentioned branches.

New End of Lifetime notice
Support for the 1.0.1 branch will cease on 12/31/2016, too. Users of the 1.0.1 branch are advised to upgrade within this period.

See the official OpenSSL Release Strategy.

LinkLibs
For those interested in the Link Libs and Definitions, have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

Cheers,
Frederik

OpenSSL 1.0.2d, 1.0.1p & LinkLibs

OpenSSL updates for 1.0.2 and 1.0.1

Sorry had no time to write a Post, on the Fulgan Mirror for a couple of days now:

http://indy.fulgan.com/SSL/openssl-1.0.2d-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2d-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1p-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1p-x64_86-win64.zip

Recommended Versions highlighted.

End of Lifetime notice: The support for the 0.9.8 and 1.0.0 Branch will cease on 12/31/2015. Security fixes will only be applied until then. See the official announcement: OpenSSL Release Strategy.

For those interested in the Link Libs and Definitions, have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

Cheers,
Frederik

OpenSSL 1.0.2c, 1.0.1o, 1.0.0s, 0.9.8zg & LinkLibs

Fresh OpenSSL updates

Yesterday I published updated precompiled libraries for Win32/Win64 to the Fulgan Mirror:

http://indy.fulgan.com/SSL/openssl-1.0.2c-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2c-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1o-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1o-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0s-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0s-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-0.9.8zg-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zg-x64_86-win64.zip

Recommended Versions highlighted.

End of Lifetime notice: The support for the 0.9.8 and 1.0.0 Branch will cease on 12/31/2015. Security fixes will only be applied until then. See the official announcement: OpenSSL Release Strategy.

For those interested in the Link Libs and Definitions, have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

Cheers,
Frederik

OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf

Important OpenSSL updates

On March 19th, 2015, the OpenSSL team released new versions of the OpenSSL source code which include 12 fixes for several high, medium and low security issues.

Details of the Issues are found here: http://openssl.org/news/secadv_20150319.txt

Since yesterday night the precompiled libraries are available on the Fulgan Mirror.

Direct Links:
http://indy.fulgan.com/SSL/openssl-0.9.8zf-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zf-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0r-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0r-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1m-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1m-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.2a-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2a-x64_86-win64.zip

Recommended Versions highlighted.

Support for the 0.9.8 branch will cease at the end of 2015. As of now I recommend the 1.0.1 branch.

I am glad to announce that my libraries are now linked from the official OpenSSL.org website (2nd link over there). That’s a great appreciation!

Cheers,
Frederik

OpenSSL 1.0.1k, 1.0.0p and 0.9.8zd

Eight security fixes have been included in the release from January 8th, 2015. All are of low or medium risk: http://openssl.org/news/secadv_20150108.txt

Direct Link for precompiled 1.0.1k DLLs:
http://indy.fulgan.com/SSL/openssl-1.0.1k-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1k-x64_86-win64.zip

I needed to fix the build process manually, as described here:
https://github.com/openssl/openssl/issues/209
https://github.com/openssl/openssl/commit/56cd7404499669a32126b5fee2ff75a97fea43f7

As the build process is currently broken for versions 0.9.8 and 1.0.0 too, the updates to 0.9.8zd and 1.0.1p are delayed. Issue reported here: https://github.com/openssl/openssl/issues/210. Let me know if 0.9.8 or 1.0.0 branch is urgently required. Otherwise I am likely going to skip those releases and continue with future updates as usual.

Build working again, here are the direct links for the versions 1.0.0p and 0.9.8zd:
http://indy.fulgan.com/SSL/openssl-1.0.0p-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0p-x64_86-win64.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zd-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zd-x64_86-win64.zip

As a note, the OpenSSL Team recently published an End of Life Announcement for the 0.9.8 branch:

“The OpenSSL Project is today making the following announcement:
Support for version 0.9.8 will cease on 31st December 2015.
No further releases of 0.9.8 will be made after that date. Security fixes only
will be applied to 0.9.8 until then.”

So, please take the appropriate steps to upgrade to newer branches, either 1.0.0 or 1.0.1 (recommended).

Cheers,
Frederik

OpenSSL 1.0.1j, 1.0.0o, 0.9.8zc

New OpenSSL updates

Again, forgot to blog about it. Need to create a script for this kind of post.

Direct Links:
http://indy.fulgan.com/SSL/openssl-0.9.8zc-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zc-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0o-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0o-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1j-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1j-x64_86-win64.zip

Recommended Versions highlighted.

The 0.9.8 branch is a little bit older and kept for compatibility reasons. Afaik it is going to be discontinued. Version 1.0.0 is still valid but from my experience it is safe (again after all this Heartbleed mess) and best to use the current 1.0.1 branch.

Cheers,
Frederik