Re: Upgrading OpenSSL on Windows 10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday, 25 November 2022 05:21:00 CET, Steven_M.irc via openssl-users wrote:
Hi Michael,
Thanks very much for replying to my e-mail/post. I apologize for the lateness of my reply.

This is not true in the general case. There are applications which are available on Linux which do not use the distribution's package manager. There are applications which use their own OpenSSL build, possibly linked statically or linked into one of their own shared objects or with the OpenSSL shared objects renamed. Linux distributions have not magically solved the problem of keeping all software on the system current.

That's disheartening. My next computer will be running Linux and I was thinking that (as long as I stick to installing software from appropriate repositories) my update worries would be over soon.

I'm pretty sure what Michael had in mind, is that you can have software that
runs on Linux that doesn't use system-provided OpenSSL (e,g. proprietary
software).

Well built distros, or even wll-built third party repos, will follow packaging guidelines of a given distribution. And many distributions forbid distributing
copies of libraries that are already included in the distro proper.

So if you stick to software from official repositories, you should generally
be fine (unless you go for some very obscure and badly built distro).
I'm not sure OpenSSL versions should be particularly high on anyone's priority list.

As I understand it, OpenSSL is responsible for establishing HTTPS connections, the primary protocol for ensuring security and authenticity over the Internet, and you *don't* think OpenSSL versions should be a high priority? I don't understand your lack of alarm here.

Not necessarily, you can have an application using multiple cryptographic
libraries at the same time, but for different purposes.

Application built for Windows may well use schannel for establishing
HTTPS connections and OpenSSL for encrypting the local files.

Then a security vulnerability in OpenSSL's TLS implementation won't affect
the application.

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux