Goodbye 👋

A lot of time has passed since my last blog post. It’s also been a long time since I started this blog. For over 12 years I have been providing precompiled OpenSSL libraries. With this blog I wanted to make the work on this and the Delphi Encryption Compendium more transparent.

I was very closely involved with Delphi and the community around it for many years. Some know me as a conference speaker, others through forums.

But my spare time became more and more limited and for the last 4 years I have published updates directly without any blog post. With the newer OpenSSL versions the build process has changed drastically and due to the lack of my own use of Windows or Delphi (anymore) I currently have no need and no time left to implement the complex changes.

It is time for me to move on. New professional and private challenges have been keeping me busy for a long time. I have to focus on them now.

In the past, many well-known Fortune 500 companies have indirectly trusted me. Even somebody at NASA thought it was worth a small hint [1]. That was amazing! 🚀🤩

I want to thank all of you for your loyalty and support over the years.

See you soon, maybe at conferences. Live long and prosper 🖖

P.S.: The blog will remain an archive for now. Comments will be deactivated at some point.

P.P.S.: As Remy pointed out in his comment, the new location of the Indy-related OpenSSL libraries is on GitHub: https://github.com/IndySockets/OpenSSL-Binaries.

[1] https://cddis.nasa.gov/Data_and_Derived_Products/Caster_client_config.html. See Windows Client Step 6: “Click on the link that says ‘Pre-compiled Win32/64 libraries without external dependencies to the Microsoft Visual Studio Runtime DLLs, except for the system provided msvcrt.dll’. This is important! That link refers you to indy.fulgan.com/SSL.”

OpenSSL 1.0.1s and 1.0.2g

OpenSSL updates for 1.0.1 and 1.0.2

Again this post is a little late but the updates on the Fulgan Mirror are not 😉

Direct Links

https://indy.fulgan.com/SSL/openssl-1.0.2g-x64_86-win64.zip
https://indy.fulgan.com/SSL/openssl-1.0.2g-i386-win32.zip

https://indy.fulgan.com/SSL/openssl-1.0.1s-x64_86-win64.zip
https://indy.fulgan.com/SSL/openssl-1.0.1s-i386-win32.zip

Recommended Version (1.0.2g) highlighted.

End of Lifetime notice
0.9.8 branch support already ceased.
Support for the 1.0.1 branch will cease on 12/31/2016, too. Users of the 1.0.1 branch are advised to upgrade within this period.

See the official OpenSSL Release Strategy.

LinkLibs
For those interested in the Link Libs and Definitions: have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

IMPORTANT EDIT: See comments, Indy has problems loading the new libraries. I am going to inform the team, an Indy Update is likely going to be necessary. The libraries as-is are working correctly. Hopefully they can help out in the meantime to fix this. As I am out of town my own Delphi tests will be delayed until the end of next week 😦 If urgently needed (as high security risks have been fixed), consider switching to SLProWeb OpenSSL releases in the meantime (but I can’t tell if they fail, too. And they require VC++ runtime DLLs, see their website)!

Turned out that this User didn’t update his Indy installation:

Important Note from the Indy Team
Our team member Remy LeBeau told me yesterday that if you use these libraries with Indy / Delphi, you must use one of the more recent Indy Versions, otherwise loading will fail with “EIdOSSLCouldNotLoadSSLLibrary”. Thanks Remy for clarification! All Versions after September 2015 should work. The current Indy Version is 10.6.2.5345. Versions like e.g. 10.6.0.5167 will fail. This is due to some changes in the OpenSSL headers which were required: SSLv2 is deprecated in the OpenSSL libraries now and old Indy Versions check if these functions exist. See: http://www.indyproject.org/Sockets/blogs/changelog/20150907.de.aspx

Cheers,
Frederik

OpenSSL 1.0.2f, 1.0.1r Security Updates and EOL Announcements

OpenSSL updates for 1.0.2 and 1.0.1

My updates have been available on the Fulgan Mirror since January 28th, 2016. If I don’t have the time to publish a blog post, consider checking the mirror using the link given. Our mirror is updated once a day, so the updates should be available to the public within 24 hrs after the official OpenSSL announcement.

If you didn’t update yet, please consider updating ASAP.

Direct Links

http://indy.fulgan.com/SSL/openssl-1.0.2f-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2f-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1r-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1r-x64_86-win64.zip

Recommended Version (1.0.2f) highlighted.

About the Update
This update fixes several issues, one of high severity.
1) High Severity: To make a long story short, not in all situations safe primes were used.
2) Fallback to unsafe / disabled ciphers has been blocked for SSLv2.
3) LogJam protection has been enhanced.

See the full advisory here: OpenSSL Security Advisory 20160128

Important End of Lifetime notice
The support for the 0.9.8 and 1.0.0 Branch ceased on 12/31/2015! No further updates and security fixes are made available for those branches. Please use one of the above mentioned branches.

New End of Lifetime notice
Support for the 1.0.1 branch will cease on 12/31/2016, too. Users of the 1.0.1 branch are advised to upgrade within this period.

See the official OpenSSL Release Strategy.
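A way to act on these end-of-life dates when auditing bundled archives, as an added example (not the author's or the OpenSSL project's code): it parses the mirror's archive naming, orders letter releases such as `y` < `zg`, and flags branches past the dates stated in these posts. The function names, finding labels and the newest-per-branch table (built only from the releases listed on this page) are assumptions of the example.

```python
import re
from datetime import date

# End-of-support dates exactly as stated in the posts on this page.
BRANCH_EOL = {
    (0, 9, 8): date(2015, 12, 31),
    (1, 0, 0): date(2015, 12, 31),
    (1, 0, 1): date(2016, 12, 31),
}
# Newest release per branch announced on this page (assumption: not
# necessarily the newest that exists upstream).
NEWEST_ON_PAGE = {(0, 9, 8): "zg", (1, 0, 0): "s", (1, 0, 1): "s", (1, 0, 2): "g"}

# Archive naming used on the mirror, e.g. openssl-1.0.2g-x64_86-win64.zip
NAME_RE = re.compile(
    r"openssl-(\d+)\.(\d+)\.(\d+)([a-z]*)-(i386-win32|x64_86-win64)\.zip$"
)


def parse_archive_name(name):
    """Return (branch tuple, letter suffix, architecture) for an archive name or URL."""
    m = NAME_RE.search(name)
    if m is None:
        raise ValueError(f"not a recognised archive name: {name!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4), m.group(5)


def letter_key(letters):
    """Order letter releases: '' < a < ... < z < za < zb ... (length first)."""
    return (len(letters), letters)


def audit(name, today):
    """Return the list of findings for one archive as of the date `today`."""
    branch, letters, _arch = parse_archive_name(name)
    findings = []
    eol = BRANCH_EOL.get(branch)
    if eol is not None and today > eol:
        findings.append("branch-eol")
    newest = NEWEST_ON_PAGE.get(branch)
    if newest is not None and letter_key(letters) < letter_key(newest):
        findings.append("outdated")
    return findings


if __name__ == "__main__":
    # Constructed inventory, audited as of a constructed date.
    for n in ("openssl-0.9.8y-i386-win32.zip", "openssl-1.0.1g-x64_86-win64.zip",
              "openssl-1.0.2g-x64_86-win64.zip"):
        print(n, audit(n, date(2016, 3, 1)))
```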

LinkLibs
For those interested in the Link Libs and Definitions: have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

Cheers,
Frederik

OpenSSL 1.0.2d, 1.0.1p & LinkLibs

OpenSSL updates for 1.0.2 and 1.0.1

Sorry, I had no time to write a post; the updates have been on the Fulgan Mirror for a couple of days now:

http://indy.fulgan.com/SSL/openssl-1.0.2d-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2d-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1p-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1p-x64_86-win64.zip

Recommended Versions highlighted.

End of Lifetime notice: The support for the 0.9.8 and 1.0.0 Branch will cease on 12/31/2015. Security fixes will only be applied until then. See the official announcement: OpenSSL Release Strategy.

For those interested in the Link Libs and Definitions: have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

Cheers,
Frederik

OpenSSL 1.0.2c, 1.0.1o, 1.0.0s, 0.9.8zg & LinkLibs

Fresh OpenSSL updates

Yesterday I published updated precompiled libraries for Win32/Win64 to the Fulgan Mirror:

http://indy.fulgan.com/SSL/openssl-1.0.2c-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2c-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1o-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1o-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0s-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0s-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-0.9.8zg-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zg-x64_86-win64.zip

Recommended Versions highlighted.

End of Lifetime notice: The support for the 0.9.8 and 1.0.0 Branch will cease on 12/31/2015. Security fixes will only be applied until then. See the official announcement: OpenSSL Release Strategy.

For those interested in the Link Libs and Definitions: have a look at the new directory on the mirror, where you will find the files created while building the above libraries: http://indy.fulgan.com/SSL/LinkLibs/.

Cheers,
Frederik

OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf

Important OpenSSL updates

On March 19th, 2015, the OpenSSL team released new versions of the OpenSSL source code, which include 12 fixes for several high, medium and low security issues.

Details of the Issues are found here: http://openssl.org/news/secadv_20150319.txt

Since yesterday night the precompiled libraries are available on the Fulgan Mirror.

Direct Links:
http://indy.fulgan.com/SSL/openssl-0.9.8zf-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zf-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0r-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0r-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1m-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1m-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.2a-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.2a-x64_86-win64.zip

Recommended Versions highlighted.

Support for the 0.9.8 branch will cease at the end of 2015. As of now I recommend the 1.0.1 branch.

I am glad to announce that my libraries are now linked from the official OpenSSL.org website (2nd link over there). That’s a great appreciation!

Cheers,
Frederik

OpenSSL 1.0.1k, 1.0.0p and 0.9.8zd

Eight security fixes have been included in the release from January 8th, 2015. All are of low or medium risk: http://openssl.org/news/secadv_20150108.txt

Direct Link for precompiled 1.0.1k DLLs:
http://indy.fulgan.com/SSL/openssl-1.0.1k-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1k-x64_86-win64.zip

I needed to fix the build process manually, as described here:
https://github.com/openssl/openssl/issues/209
https://github.com/openssl/openssl/commit/56cd7404499669a32126b5fee2ff75a97fea43f7

As the build process is currently broken for versions 0.9.8 and 1.0.0 too, the updates to 0.9.8zd and 1.0.1p are delayed. Issue reported here: https://github.com/openssl/openssl/issues/210. Let me know if 0.9.8 or 1.0.0 branch is urgently required. Otherwise I am likely going to skip those releases and continue with future updates as usual.

Build working again, here are the direct links for the versions 1.0.0p and 0.9.8zd:
http://indy.fulgan.com/SSL/openssl-1.0.0p-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0p-x64_86-win64.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zd-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zd-x64_86-win64.zip

As a note, the OpenSSL Team recently published an End of Life Announcement for the 0.9.8 branch:

“The OpenSSL Project is today making the following announcement:
Support for version 0.9.8 will cease on 31st December 2015.
No further releases of 0.9.8 will be made after that date. Security fixes only will be applied to 0.9.8 until then.”

So, please take the appropriate steps to upgrade to newer branches, either 1.0.0 or 1.0.1 (recommended).

Cheers,
Frederik

OpenSSL 1.0.1j, 1.0.0o, 0.9.8zc

New OpenSSL updates

Again, I forgot to blog about it. I need to create a script for these kinds of posts.

Direct Links:
http://indy.fulgan.com/SSL/openssl-0.9.8zc-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zc-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0o-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0o-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1j-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1j-x64_86-win64.zip

Recommended Versions highlighted.

The 0.9.8 branch is a little bit older and kept for compatibility reasons. Afaik it is going to be discontinued. Version 1.0.0 is still valid but from my experience it is safe (again after all this Heartbleed mess) and best to use the current 1.0.1 branch.

Cheers,
Frederik

OpenSSL 1.0.1i, 1.0.0n, 0.9.8zb

New OpenSSL updates

The current updates had been available on the Fulgan Mirror for some days, sorry for the delayed blog post.

Direct Links:
http://indy.fulgan.com/SSL/openssl-0.9.8zb-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8zb-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.0n-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0n-x64_86-win64.zip

http://indy.fulgan.com/SSL/openssl-1.0.1i-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1i-x64_86-win64.zip

Recommended Versions highlighted.

The 0.9.8 branch is a little bit older and kept for compatibility reasons. Version 1.0.0 is still valid but from my experience it is safe and best to use the current 1.0.1 branch.

Build process for 1.0.0 and 0.9.8 branch working again. Thanks to the Team at vSoft for providing support and donating a FinalBuilder license!

Cheers,
Frederik

OpenSSL 1.0.0l & 1.0.1g

New and highly important OpenSSL updates:

Today’s update fixes a critical security issue (a.k.a. The Heartbleed Bug) where remote memory might be disclosed to the connecting party. Security advisory: http://www.openssl.org/news/secadv_20140407.txt

Direct Links:
http://indy.fulgan.com/SSL/openssl-0.9.8y-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-0.9.8y-x64_86-win64.zip
http://indy.fulgan.com/SSL/openssl-1.0.0l-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.0l-x64_86-win64.zip
http://indy.fulgan.com/SSL/openssl-1.0.1g-i386-win32.zip
http://indy.fulgan.com/SSL/openssl-1.0.1g-x64_86-win64.zip

Recommended Versions highlighted.

The 0.9.8y branch is a little bit older and kept for compatibility reasons. Version 1.0.0l is still valid but from my experience it is safe and best to use the current 1.0.1g. For the record: I uploaded the updates 1.0.0l and 1.0.1f back in January to the Fulgan Mirror but had no time to blog about it. So if you are curious always check the mirror, too.

One note: Please don’t write me email reminders about released OpenSSL updates. I am already on the OpenSSL mailing lists and know about them within seconds. If I don’t publish updates within the usual short time frame I am simply unavailable (which might have several reasons as for any other human being).

Cheers,