Table of Contents
- About OpenSSL
- Download OpenSSL
- Installing OpenSSL
- OpenSSL Screenshot
- OpenSSL Documentation
- Checking SSL / TLS Certificate Validity with Certify One
- Compiling OpenSSL From Source
- Integrating OpenSSL with Your Visual Studio Project
- Privilege Escalation Mitigation
- Compatibility and Support Matrix
- License, Warranty, and Support
- Acknowledgments
- Buy SSL / TLS Certificates
- About OpenSSL
- Download OpenSSL
- Installation Instructions
- OpenSSL Screenshot
- OpenSSL Documentation
- Checking SSL / TLS Certificate Validity with Certify One
- Compiling OpenSSL From Source
- Integrating OpenSSL with Your Visual Studio Project
- Privilege Escalation Mitigation
- Compatibility and Support Matrix
- License, Warranty, and Support
- Acknowledgments
- Buy SSL / TLS Certificates
About OpenSSL
OpenSSL is a popular open-source, publicly available software library that provides a robust, full-featured set of cryptographic functions and tools to secure communications over computer networks. When we build and ship FireDaemon Certify One, FireDaemon Fusion, and FireDaemon Lozenge we try to ensure it contains the most recent version of OpenSSL. We thought it would be useful to make our OpenSSL Binary Distribution available to you to download and use free of charge. The key advantages of using our OpenSSL Binary Distribution for Microsoft Windows over others that are available are:
- No need to deploy various software tools to attempt to compile the source from scratch. Our build script is available for free too if you do want to compile OpenSSL yourself.
- No external dependencies. There is no need to install or distribute the Visual C++ Redistributable Runtime (MSVC). There is an implicit dependency on the Windows Universal C Runtime (UCRT) which is included by default in all modern versions of Microsoft Windows.
- Packaged for simple deployment and use case scenarios including standalone, embeddable, deployable, or portable
- Digitally signed with our Extended Validation (EV) code signing certificate to avoid Windows SmartScreen warnings, and increase trust by Sectigo's authentication and verification procedures on us: FireDaemon Technologies Limited and validatable binary integrity to meet your compliance requirements.
Download OpenSSL
Download OpenSSL Binary Distributions for Microsoft Windows | |
OpenSSL 3.3.0 Windows Installer (x64) April 2024 SHA2-256 B78CA3B7171E2BCF3C4F7B5EDE459A52F61EEDF161645D12689C941DF4E148CA Git commit openssl-3.3.0-0-g4cb31128b5 | OpenSSL 3.3.0 ZIP File (x64/x86) SHA2-256 B444C89B8066D554221A12828A52130DF8DF43B786FBF00C365B6645BF1F1E36 Git commit openssl-3.3.0-0-g4cb31128b5 |
OpenSSL 3.2.1 Windows Installer (x64) January 2024 SHA2-256 0B2DD065B10CC69F23E313C02C9DF07A8EAB25E773C16C8B70FAB9CC22DE7152 Git commit openssl-3.2.1-0-ga7e992847d | OpenSSL 3.2.1 ZIP File (x64/x86) SHA2-256 A04827C097BCDC928172D4637EC361992A6E4BB122ABC8B7CB4ED7A82B8D6D2F Git commit openssl-3.2.1-0-ga7e992847d |
OpenSSL 3.1.5 ZIP File (x64/x86) January 2024 SHA2-256 FDE9234BDEB3FF36A4A9CCF292ADD3CC06F2E745F02C9256BB84CCE1139AFF53 Git commit openssl-3.1.5-0-g99e6624ebb | OpenSSL 3.0.13 LTS ZIP File (x64/x86) SHA2-256 990FCC382C0AE429EBE913890AD2970566F521A57BF4DFBF43E25639A5EDF2C1 Git commit openssl-3.0.13-0-g85cf92f55d |
To calculate/verify the SHA2-256 checksums please use FireDaemon Lozenge! OpenSSL maintains a list of 3rd-party maintained binary distributions of OpenSSL. Please review our Release Policy before downloading and using this distribution. |
Installing OpenSSL
Windows Installer
You can download the Windows installers found in the "Download OpenSSL" section above. Installation is straightforward. OpenSSL is installed into the following file system locations. These locations are specified during the build and follow OpenSSL's conventions.
%PROGRAMFILES%\FireDaemon OpenSSL 3 %PROGRAMFILES%\Common Files\FireDaemon SSL 3
You can silently install OpenSSL with the following command in an elevated command prompt (noting APPDIR and ADJUSTSYSTEMPATHENV are optional):
FireDaemon-OpenSSL-x64-3.3.0.exe /exenoui /exelog fdopenssl3.log /qn /norestart REBOOT=ReallySuppress APPDIR="C:\Program Files\FireDaemon OpenSSL 3" ADJUSTSYSTEMPATHENV=yes
You can silently uninstall OpenSSL with the following command in an elevated Command Prompt:
: Verify Product GUID wmic product where name="FireDaemon OpenSSL 3" get IdentifyingNumber : Uninstall silently msiexec /x {8A79DC1B-5F6C-4C14-A33F-BD020AFD6739} /quiet /noreboot : Or if you have the original installer handy FireDaemon-OpenSSL-x64-3.3.0.exe /x // /quiet
Winget Package Manager
Instead of downloading and installing the Windows Installer, you can use the Microsoft package manager called winget. Winget is built into Windows 10 and 11 or can be installed manually. To install FireDaemon OpenSSL, simply open a command prompt on your computer then:
:: Search for FireDaemon OpenSSL winget search FireDaemon.OpenSSL :: Show the FireDaemon OpenSSL package contents winget show FireDaemon.OpenSSL :: Install FireDaemon OpenSSL interactively winget install FireDaemon.OpenSSL --interactive :: Install FireDaemon OpenSSL silently (default) winget install FireDaemon.OpenSSL --silent :: Show installed packages winget list FireDaemon :: Uninstall FireDaemon OpenSSL winget uninstall FireDaemon.OpenSSL
ZIP File
Instead of using the installer or package manager, you can download one of the ZIP files found in the "Download OpenSSL" section above.
- Follow the instructions below if you have downloaded one of the ZIP files above and want to deploy OpenSSL manually (e.g. on the local hard disk or a USB drive for a portable installation)
- Download the appropriate FireDaemon OpenSSL Binary Distribution ZIP file via the links above.
- Unpack the contents of the folder found in the ZIP file to a temporary directory (e.g. C:\Temp)
- Copy the contents (i.e. the files and directories contained within) of the x64 folder or x86 folder to your target directory (e.g. C:\OpenSSL)
- Copy the ssl folder and contents to the target directory (e.g. C:\OpenSSL).
The commands to copy the files correctly from the location where you unpacked the ZIP file (assuming C:\Temp) are as follows:
: For OpenSSL 3.0 cd C:\Temp\openssl-3.0 : For OpenSSL 3.1 cd C:\Temp\openssl-3.1 : For OpenSSL 3.2 cd C:\Temp\openssl-3.2 : For OpenSSL 3.3 cd C:\Temp\openssl-3 : Copy the binaries specific to your platform : Copy 64-bit binaries robocopy x64 C:\OpenSSL /E : Or, copy 32-bit binaries. Don't copy both! robocopy x86 C:\OpenSSL /E : Copy the ssl folder robocopy ssl C:\OpenSSL\ssl /E
Your directory structure should look as follows:
C:\OpenSSL>dir /b bin include lib ssl
: You can set OPENSSL_HOME=%~dp0 in a batch script for portable installs set OPENSSL_HOME=C:\OpenSSL set OPENSSL_CONF=%OPENSSL_HOME%\ssl\openssl.cnf set PATH=%OPENSSL_HOME%\bin;%PATH% cd /d %OPENSSL_HOME% openssl version -a
To create a certificate signing request and private key using the same environment variables as above:
openssl genrsa -out server.key 4096 openssl req -new -key server.key -out server.csr -sha256 openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
OpenSSL Screenshot
Below is a screenshot showing the certificate signing request in an elevated PowerShell:
OpenSSL Documentation
Please refer to OpenSSL's documentation.
Checking SSL / TLS Certificate Validity with Certify One
FireDaemon Certify One allows you to audit, check, inspect, and validate SSL / TLS certificates and certificate chains. Fortify also has a browser-based TLS Encryption Check Tool available.
Compiling OpenSSL From Source
Release Policy
Whenever we release an updated version of FireDaemon Fusion, FireDaemon Certify One, or OpenSSL gets updated with security fixes, we will provide the latest tagged version of the OpenSSL stable branch. The currently deployed OpenSSL library commit versions are listed underneath the download links above. Commit is described viz:
git describe --always --tag --long --first-parent --dirty
Source
We directly pull from OpenSSL's official GitHub repository.
Build Script
You can use our build script to create the binary distributions. The build script has the following dependencies:
Compilation
The actual command line to build OpenSSL is as follows (where %toolset% is VC-WIN32 and VC-WIN64A respectively):
perl ..\Configure %toolset% no-asm no-ssl3 no-zlib no-comp no-autoload-config --api=1.1.0 --prefix="%installdir%" --openssldir="%commoninstalldir%" -DOPENSSL_NO_DEPRECATED
Integrating OpenSSL with Your Visual Studio Project
To use the headers and libraries present in OpenSSL in your Visual Studio project, you will need to configure the properties of your project.
Additional Include Directories
Prepend "C:\Program Files\FireDaemon Open SSL 3\include"; to Property Pages -> C/C++ -> General -> Additional Include Directories in your project per the screenshot below (adjusting the prepended path to suit your installation):
Additional Library Directories
Prepend "C:\Program Files\FireDaemon Open SSL 3\lib"; to Property Pages -> Linker -> General -> Additional Library Directories in your project per the screenshot below (adjusting the prepended path to suit your installation):
Privilege Escalation Mitigation
When building OpenSSL, the build scripts bake the default location of the library (ie. the installation directory) and the SSL configuration into the final product. By default, OpenSSL automatically loads the SSL configuration file from the default file system location. This leads to an easily exploitable privilege escalation scenario documented in CVE-2019-12572. Our build of OpenSSL mitigates this flaw using the following preventative measures:
- The target directories we have chosen are Windows' default system program files directories assuming a 64-bit architecture with a shared configuration file directory common to both x64 and x86:
- x64: C:\Program Files\FireDaemon OpenSSL, C:\Program Files\Common Files\FireDaemon SSL
- x86: C:\Program Files (x86)\FireDaemon OpenSSL, C:\Program Files\Common Files\FireDaemon SSL
- To mitigate security holes even on non-default installations, we build the library such that it doesn't automatically load the SSL configuration. Hence, when using the OpenSSL tools or the DLLs in your products you have to explicitly load the SSL configuration.
- All FireDaemon software products that utilise OpenSSL initialise the OpenSSL library at runtime using a flag that prevents the loading of the default configuration.
Compatibility and Support Matrix
The table below provides a compatibility and support matrix, mapping specific compatible Microsoft Windows operating system versions to specific FireDaemon OpenSSL software versions.
OpenSSL Versions | OpenSSL 3.3, 3.2, 3.1, 3.0, & 1.1.1 | |
Windows Operating System Version | 32-bit (x86) | 64-bit (x64) |
Windows XP (1) | ||
Windows Vista (1) | ||
Windows 7 (1) | ||
Windows 8 (1) | ||
Windows 8.1 (1) | ||
Windows 10 | ||
Windows 11 | ||
Server 2008 (2) | ||
Server 2008 R2 (2) | ||
Server 2012 | ||
Server 2012 R2 | ||
Server 2016 | ||
Server 2019 | ||
Server 2022 |
(1) Windows Desktop Operating System is End of Support
(2) Windows Server Operating System is End of Support
Compatible / Supported | The software product is designed to be installed on the Microsoft Windows operating system version. The operating system version plus software version combination is actively supported by us on the proviso that the 32-bit (x86) version is deployed on a 32-bit (x86) operating system and the 64-bit (x64) version is deployed on a 64-bit (x64) operating system. Please see the License, Warranty, and Support section below. |
Compatible / Unsupported | The software product should install on the Microsoft Windows operating system version. The operating system version plus software version combination is not supported by us. This is typically due to the operating system version reaching End of Support. |
Incompatible / Unsupported | The software product should not or does not install on the Microsoft Windows operating system version or does not work. The operating system version plus software version combination is not supported by us. |
License, Warranty, and Support
Our OpenSSL Binary Distribution is free to use and redistribute. Product use, redistribution, and warranty are governed by the OpenSSL License. If you have questions regarding OpenSSL, wish to report bugs, or require implementation guidance please consider joining the OpenSSL Community.
Acknowledgments
This product includes:
- Software developed by the OpenSSL Project for use in the OpenSSL Toolkit
- Cryptographic software written by Eric Young
- Software written by Tim Hudson.