OpenSSL

OpenSSL for Microsoft Windows

When we build and ship FireDaemon Fusion and FireDaemon Inspektor, we try to ensure they contain the most recent version of OpenSSL. We thought it would be useful to make our OpenSSL Binary Distribution available for you to download and use in a standalone fashion or in your own software projects.



Download OpenSSL

OpenSSL maintains a list of 3rd-party maintained binary distributions of OpenSSL. Here's our binary distribution summary. Please ensure you review our Release Policy below before downloading and using this distribution.


Product | Description | Download
OpenSSL for Microsoft Windows | Pre-compiled 64-bit (x64) and 32-bit (x86) 1.1.1 executables and libraries for Microsoft Windows Operating Systems with a dependency on the Microsoft Visual Studio 2015-2019 runtime. The distribution may be used standalone or integrated into any Windows application. The distribution's EXE and DLL files are digitally signed by 'FireDaemon Technologies Limited'. |


Installing OpenSSL

  1. Download and install the Microsoft Visual Studio 2015-2019 runtime. Download and install the file named vc_redist.x64.exe for 64-bit systems. Download and install the file named vc_redist.x86.exe for 32-bit systems.
  2. Download the FireDaemon OpenSSL Binary Distribution ZIP file via the link in the third column above. Unpack the contents of the "openssl-1.1" folder in the ZIP file into your directory of choice (e.g. C:\OpenSSL). Or simply copy the "openssl-1.1" folder to your preferred location on your hard disk drive.
  3. To use OpenSSL, open an elevated Command Prompt, then run:
C:\OpenSSL\x64\bin\openssl version -a

or, to create a private key and a certificate signing request and then self-sign a certificate valid for 365 days:

set OPENSSL_CONF=C:\OpenSSL\ssl\openssl.cnf
C:\OpenSSL\x64\bin\openssl genrsa -out server.key 2048
C:\OpenSSL\x64\bin\openssl req -new -key server.key -out server.csr -sha256
C:\OpenSSL\x64\bin\openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

OpenSSL Screenshot

Below is a screenshot showing the executed commands above.


OpenSSL Screenshot
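
Since the distribution's EXE and DLL files are stated above to be digitally signed, the unpacked files can be checked before first use. The following PowerShell is an added example, not part of FireDaemon's distribution or build script; it assumes the C:\OpenSSL unpack location from step 2 and that the signer name appears in the certificate subject.

```powershell
# Added example, not FireDaemon's script. $InstallRoot is the sample unpack
# location from step 2; $ExpectedSigner is the signer name stated on this page.
$InstallRoot    = 'C:\OpenSSL'
$ExpectedSigner = 'FireDaemon Technologies Limited'

function Test-DistributionSignature {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Signer
    )
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # Unsigned files carry no signer certificate at all.
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status
                Subject = $subject
                # 'Valid' means the signature verified and the signer is trusted.
                Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$Signer*")
            }
        }
}

$results = @(Test-DistributionSignature -Root $InstallRoot -Signer $ExpectedSigner)
$bad     = @($results | Where-Object { -not $_.Trusted })

'{0} binaries checked, {1} failed' -f $results.Count, $bad.Count
$bad | Format-Table -AutoSize File, Status, Subject
if ($bad.Count -gt 0 -or $results.Count -eq 0) {
    Write-Error 'Signature check failed or no binaries were found.'
}
```

A subject-name match is weaker than pinning the signing certificate's thumbprint; this page does not list one, so none is used here.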

Checking SSL Certificate Validity

Check out FireDaemon Inspektor. It's a simple command-line tool that you can use to verify and validate SSL / TLS certificates and certificate chains.


OpenSSL Documentation

Please refer to OpenSSL's documentation.


Compiling OpenSSL

Source

We directly pull from OpenSSL's official GitHub repository.

Release Policy

Whenever we release an updated version of FireDaemon Fusion or OpenSSL gets updated with security fixes, we will provide the latest tagged version of the OpenSSL_1_1_1-stable branch and ship FireDaemon Fusion with it. The currently deployed OpenSSL library is version 1.1.1k at commit OpenSSL_1_1_1k-0-gfd78df59b0, as reported by:

git describe --always --tag --long --first-parent --dirty

OpenSSL Compilation and Build Script

The actual command line to build OpenSSL is as follows (where %toolset% is VC-WIN32 for the x86 build and VC-WIN64A for the x64 build):

perl ..\Configure %toolset% no-asm no-ssl3 no-zlib no-comp no-ui-console no-autoload-config --api=1.1.0 --prefix="%installdir%" --openssldir="%commoninstalldir%" -DOPENSSL_NO_DEPRECATED

For reference, the build script used to create the binary distribution is attached to this article.

OpenSSL Dependencies

Our OpenSSL binary distribution depends on the Microsoft Visual Studio 2015-2019 runtime. You must download and install the runtime in order for the binaries to work. The binaries were built with the Microsoft Visual C++ (MSVC) 14.28 toolset. The external dependency creates much smaller modules and .pdb files and integrates nicely with FireDaemon Fusion. We believe that this shouldn't be problematic since the MSVC 14.2 runtime is binary compatible with applications built using the MSVC 14.0 or 14.1 runtimes, and once installed the Universal C Runtime (CRT) is subject to automatic Windows updates.

OpenSSL Privilege Escalation Mitigation

When building OpenSSL, the build scripts bake the default location of the library (i.e. the installation directory) and the SSL configuration into the final product. Additionally, OpenSSL automatically loads the SSL configuration file from the default file system location. This leads to an easily exploitable privilege escalation scenario documented in CVE-2019-12572. Our build of OpenSSL mitigates this flaw using the following preventative measures:

  • The target directories we have chosen are Windows' default system program files directories, assuming a 64-bit architecture, with a shared configuration file directory common to both x64 and x86:
    • x64: C:\Program Files\FireDaemon OpenSSL, C:\Program Files\Common Files\FireDaemon SSL
    • x86: C:\Program Files (x86)\FireDaemon OpenSSL, C:\Program Files\Common Files\FireDaemon SSL
  • To mitigate security holes even on non-default installations, we build the library such that it doesn't automatically load the SSL configuration (the no-autoload-config option in the Configure command above). Hence, when using the OpenSSL tools or the DLLs in your products, you have to explicitly load the SSL configuration.
  • All FireDaemon software products that utilise OpenSSL initialise the OpenSSL library at runtime using a flag that prevents the loading of the default configuration.
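
The first measure only holds while those directories stay writable by administrators alone, which can be audited. The following PowerShell is an added example, not FireDaemon's code; it assumes the default directories listed above, and the trusted-SID list and the Get-UntrustedWriter function name are choices made for this example.

```powershell
# Added example, not FireDaemon's code. $Roots lists the directories named on
# this page; an explicitly set OPENSSL_CONF location is audited as well.
$Roots = @(
    'C:\Program Files\FireDaemon OpenSSL',
    'C:\Program Files (x86)\FireDaemon OpenSSL',
    'C:\Program Files\Common Files\FireDaemon SSL'
)
if ($env:OPENSSL_CONF) { $Roots += Split-Path -Path $env:OPENSSL_CONF -Parent }

# Well-known SIDs expected to hold write access under Program Files:
# SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow adding, replacing or re-permissioning files, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')
$WriteMask = [int]$rights -bor 0x50000000

function Get-UntrustedWriter {
    param([string]$Path)
    # A missing directory is judged by its nearest existing ancestor, whose
    # ACL decides who may create it.
    $target = $Path
    while ($target -and -not (Test-Path -LiteralPath $target)) {
        $target = Split-Path -Path $target -Parent
    }
    if (-not $target) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $target).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $writes = ([int]$rule.FileSystemRights -band $WriteMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $writes -and
            $TrustedSids -notcontains $rule.IdentityReference.Value) {
            [pscustomobject]@{ Requested = $Path; Checked = $target
                Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
        }
    }
}

$findings = @($Roots | Where-Object { $_ } | ForEach-Object { Get-UntrustedWriter -Path $_ })
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No untrusted writers found.' }
```

Any row in the output names a SID outside the trusted list that can modify a directory the library or its configuration is read from.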

OpenSSL License and Warranty

Our OpenSSL Binary Distribution is free to use and redistribute. Product use, redistribution and warranty are governed by the OpenSSL License.


OpenSSL Acknowledgments

This product includes: