FireDaemon OpenSSL for Microsoft Windows

Table of Contents

About OpenSSL

OpenSSL is a popular open-source, publicly available software library that provides a robust, full-featured set of cryptographic functions and tools to secure communications over computer networks. When we build and ship FireDaemon Certify One, FireDaemon Fusion, and FireDaemon Lozenge we try to ensure it contains the most recent version of OpenSSL. We thought it would be useful to make our OpenSSL Binary Distribution available to you to download and use free of charge. The key advantages of using our OpenSSL Binary Distribution for Microsoft Windows over others that are available are:

  • No need to deploy various software tools to attempt to compile the source from scratch. Our build script is available for free too if you do want to compile OpenSSL yourself
  • No external dependencies. Installing or distributing the Visual C++ Redistributable Runtime (MSVC) is unnecessary. There is an implicit dependency on the Windows Universal C Runtime (UCRT) which is included by default in all modern versions of Microsoft Windows
  • Packaged for simple deployment and use case scenarios, including standalone, embeddable, deployable, or portable
  • Digitally signed with our Extended Validation (EV) code signing certificate to avoid Windows SmartScreen warnings and increase trust by Sectigo's authentication and verification procedures on us: FireDaemon Technologies Limited and validatable binary integrity to meet your compliance requirements.

Download OpenSSL

Below, you will find pre-compiled OpenSSL executables (EXE) and libraries (DLL) for Microsoft Windows Operating Systems in the form of installer and ZIP files. OpenSSL can be used standalone or integrated into any Windows application. The installers, EXEs and DLLs are digitally signed with our Extended Validation (EV) code signing certificate. We do not have an EAR CCL ECCN for our Binary Distributions. This is intentional. You must seek independent legal advice before using/integrating/exporting our Binary Distributions in your products if you believe you are subject to export controls.



Download OpenSSL Binary Distributions for Microsoft Windows


OpenSSL 3.4.0 Windows Installer (x64)

Download OpenSSL 3 Installer for Microsoft Windows October 2024

SHA2-256 59198E1E05D9CC47596A99BE94A439E59DBB08180EDBDC373D67B817472C525C

Git commit openssl-3.4.0-0-g98acb6b028

OpenSSL 3.4.0 ZIP File (x64/x86)

Download OpenSSL 3 Installer for Microsoft Windows October 2024

SHA2-256 FFF7C56C1588644A609F63F60FAD15275E2CE6FFC310C320CDCB72554449CCA5

Git commit openssl-3.4.0-0-g98acb6b028


OpenSSL 3.3.2 Windows Installer (x64)
Download OpenSSL 3.1 ZIP for Microsoft Windows
September 2024

SHA2-256 1FD18375FA6515AB295B75DDBE5990558D65B33747BBF3F9B92B13FD2A430D67
Git commit openssl-3.3.2-0-gfb7fab9fa6


OpenSSL 3.3.2 ZIP File (x64/x86)

Download OpenSSL 3 Installer for Microsoft Windows September 2024

SHA2-256 B2C1902786FEF6FE600DD8AEB38E33BDCAF306929FDADF28170CCA71999C30AA

Git commit openssl-3.3.2-0-gfb7fab9fa6


OpenSSL 3.0.15 LTS ZIP File (x64/x86)
Download OpenSSL 3.1 ZIP for Microsoft Windows
September 2024

SHA2-256 C44C6AF164F79E4498B1D64013B4E2B2407655AC886223FC331E9C72B80F6C88

Git commit openssl-3.0.15-0-gc523121f90


OpenSSL 1.1.1w LTS ZIP File (x64/x86)

Download OpenSSL 3 Installer for Microsoft Windows September 2023

SHA2-256 1870B15BF6749E65FFBBADF52CDFF3EE0E9F02943550BF4395574BB432AF3EB8

Git commit OpenSSL_1_1_1w-0-ge04bd3433f


To calculate/verify the SHA2-256 checksums above, please use FireDaemon Lozenge!


OpenSSL maintains a list of 3rd-party maintained binary distributions of OpenSSL.

Please review our Release Policy before downloading and using this distribution.

OpenSSL 1.1.1y or later is only available to OpenSSL customers that have a Premium Support Contract.
We no longer supply OpenSSL 3.1 or 3.2 binaries. Please use the latest 3.4, 3.3 or 3.0 LTS release. 1.1.1 is end of life.


Installing OpenSSL

Windows Installer

You can download the Windows installers in the "Download OpenSSL" section above. Installation is straightforward. OpenSSL is installed into the following file system locations, which is specified during the build and follow OpenSSL's conventions.

%PROGRAMFILES%\FireDaemon OpenSSL 3
%PROGRAMFILES%\Common Files\FireDaemon SSL 3

You can silently install OpenSSL with the following command in an elevated command prompt (noting APPDIR and ADJUSTSYSTEMPATHENV are optional):

FireDaemon-OpenSSL-x64-3.4.0.exe /exenoui /exelog fdopenssl3.log /qn /norestart REBOOT=ReallySuppress APPDIR="C:\Program Files\FireDaemon OpenSSL 3" ADJUSTSYSTEMPATHENV=yes

You can silently uninstall OpenSSL with the following commands:

:: To uninstall at an elevated command prompt, first verify the product GUID
wmic product where name="FireDaemon OpenSSL 3" get IdentifyingNumber

:: Then uninstall silently using msiexec
msiexec /x {0AC2207C-1E50-403D-8CE2-C1A6A4C78C69} /quiet /noreboot

:: You can also use the original FireDaemon OpenSSL installer
FireDaemon-OpenSSL-x64-3.4.0.exe /x // /quiet

:: Or uninstall using PowerShell
$app = Get-WmiObject Win32_Product | where { $_.name -eq "FireDaemon OpenSSL 3" }
$app.Uninstall()

Winget Package Manager

Instead of downloading and installing the Windows Installer, you can use the Microsoft package manager called winget. Winget is built into Windows 10 and 11 or can be installed manually. To install FireDaemon OpenSSL, simply open a command prompt on your computer then:

:: Search for FireDaemon OpenSSL
winget search FireDaemon.OpenSSL

:: Show the FireDaemon OpenSSL package contents
winget show FireDaemon.OpenSSL

:: Install FireDaemon OpenSSL interactively
winget install FireDaemon.OpenSSL --interactive

:: Install FireDaemon OpenSSL silently (default)
winget install FireDaemon.OpenSSL --silent

:: Show installed packages
winget list FireDaemon

:: Uninstall FireDaemon OpenSSL
winget uninstall FireDaemon.OpenSSL

ZIP File

Instead of using the installer or package manager, you can download one of the ZIP files in the "Download OpenSSL" section above.  

  1. Follow the instructions below if you have downloaded one of the ZIP files above and want to deploy OpenSSL manually (e.g. on the local hard disk or a USB drive for a portable installation)
  2. Download the appropriate FireDaemon OpenSSL Binary Distribution ZIP file via the links above.
  3. Unpack the contents of the folder found in the ZIP file to a temporary directory (e.g. C:\Temp)
  4. Copy the contents (i.e. the files and directories contained within) of the x64 folder or x86 folder to your target directory (e.g. C:\OpenSSL)
  5. Copy the ssl folder and contents to the target directory (e.g. C:\OpenSSL).


The commands to copy the files correctly from the location where you unpacked the ZIP file (assuming C:\Temp) are as follows:

: For OpenSSL 1.1.1 LTS
cd C:\Temp\openssl-1.1

: For OpenSSL 3.0 LTS
cd C:\Temp\openssl-3.0

: For OpenSSL 3.3 & 3.4
cd C:\Temp\openssl-3

: Copy the binaries specific to your platform
: Copy 64-bit binaries
robocopy x64 C:\OpenSSL /E

: Or, copy 32-bit binaries. Don't copy both!
robocopy x86 C:\OpenSSL /E

: Copy the ssl folder
robocopy ssl C:\OpenSSL\ssl /E

Your directory structure should look as follows:

C:\OpenSSL>dir /b
bin
include
lib
ssl
To use OpenSSL, simply open an elevated Command Prompt (adjusting the path in OPENSSL_HOME to suit your manual installation):
: You can set OPENSSL_HOME=%~dp0 in a batch script for portable installs
set OPENSSL_HOME=C:\OpenSSL
set OPENSSL_CONF=%OPENSSL_HOME%\ssl\openssl.cnf
set PATH=%OPENSSL_HOME%\bin;%PATH%
cd /d %OPENSSL_HOME%
openssl version -a

To create a certificate signing request and private key using the same environment variables as above:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -sha256
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

OpenSSL Screenshot

Below is a screenshot showing the certificate signing request in an elevated PowerShell:

FireDaemon OpenSSL 3 Command Line


OpenSSL Documentation

Please refer to OpenSSL's documentation.


Checking SSL / TLS Certificate Validity with Certify One

FireDaemon Certify One allows you to audit, check, inspect, and validate SSL / TLS certificates and certificate chains. Fortify also has a browser-based TLS Encryption Check Tool available.


Compiling OpenSSL From Source

Release Policy

Whenever we release an updated version of FireDaemon Fusion, FireDaemon Certify One, or OpenSSL gets updated with security fixes, we will provide the latest tagged version of the OpenSSL stable branch. The currently deployed OpenSSL library commit versions are listed underneath the download links above. Commit is described viz:

git describe --always --tag --long --first-parent --dirty

Source

We directly pull from OpenSSL's official GitHub repository.


Build Script

You can use our build script to create the binary distributions. The build script has the following dependencies:

Compilation

The actual command line to build OpenSSL is as follows (where %toolset% is VC-WIN32 and VC-WIN64A respectively):

perl ..\Configure %toolset% no-asm no-ssl3 no-zlib no-comp no-autoload-config --api=1.1.0 --prefix="%installdir%" --openssldir="%commoninstalldir%" -DOPENSSL_NO_DEPRECATED

Integrating OpenSSL with Your Visual Studio Project

You must configure your project's properties to use the headers and libraries in FireDaemon OpenSSL in your Visual Studio project.


Sample Project

We have included a sample Visual Studio Project in the latest OpenSSL 3.3 and 3.4 ZIP files. The sample project can be found in the "projects" folder.


Additional Include Directories

Prepend "C:\Program Files\FireDaemon Open SSL 3\include"; to Property Pages -> C/C++ -> General -> Additional Include Directories in your project per the screenshot below adjusting the prepended path to suit your installation. In our case, we use a pre-defined User Macro called OpenSslIncludeDir. You can also specify this path on the command line:

/I"C:\Program Files\FireDaemon OpenSSL 3\include"

OpenSSL Visual Studio Project Property Pages Additional Include Directories


Additional Library Directories

Prepend "C:\Program Files\FireDaemon Open SSL 3\lib"; to Property Pages -> Linker -> General -> Additional Library Directories in your project per the screenshot below adjusting the prepended path to suit your installation. In our case, we use a pre-defined User Macro called OpenSslLibraryDir. You can also specify this path on the command line:

/LIBPATH:"C:\Program Files\FireDaemon OpenSSL 3\lib"

OpenSSL Visual Studio Project Property Pages Additional Library Directories


Additional Dependencies

Prepend libcrypto.lib;libssl.lib; to Property Pages -> Linker -> Input -> Additional Dependencies in your project per the screenshot below. You can also specify this on the command line:

/DYNAMICBASE "libcrypto.lib" "libssl.lib" 

OpenSSL Visual Studio Project Property Pages Additional Dependencies


Basic Troubleshooting

If you run into issues compiling or linking FireDaemon OpenSSL, please review the tips below to help you debug your project:

  • Ensure you have set up your Visual Studio project correctly per the previous section
  • When compiling OpenSSL yourself, ensure you choose the correct target platform. For example ./configure <toolset> where <toolset> can be triplets including VC-WIN64A and Cygwin-x86_64. The complete list of toolsets can be found by typing perl ..\configure LIST
  • Verify that the versions of libssl.lib and libcrypto.lib are correct by using dumpbin.exe which is available in the Windows SDK. dumpbin /ALL libssl.lib should refer to libssl-3.dll. dumpbin /ALL libcrypto.lib should refer to libcrypto-3.dll
  • Use /VERBOSE when linking to verify the libraries found and used by the linker
  • Use Dependencies to verify the dependencies of your built executable
  • Ensure you build, rebuild, or clean your project to avoid stale dependencies, outdated object files, and other artifacts and detritus that may have accumulated in your project
  • Double-check, then triple check your compiler and linker command line to ensure your project is not referring to folders or directories that may contain other versions of OpenSSL libs and DLLs
  • Use pre-defined User Macros in your project to ensure you explicitly reference the correct OpenSSL include, lib, and bin directories (e.g. OpenSslIncludeDir, OpenSslLibDir, OpenSslBinDir).

FireDaemon Software Development Services

We offer paid commercial software development services to assist you in building and integrating OpenSSL into your project or product. Please contact us for rates and availability.


Privilege Escalation Mitigation

When building OpenSSL, the build scripts bake the default location of the library (i.e. the installation directory) and the SSL configuration into the final product. By default, OpenSSL automatically loads the SSL configuration file from the default file system location. This leads to an easily exploitable privilege escalation scenario documented in CVE-2019-12572. Our build of OpenSSL mitigates this flaw using the following preventative measures:

  • The target directories we have chosen are Windows' default system program files directories assuming a 64-bit architecture with a shared configuration file directory common to both x64 and x86:
    • x64: C:\Program Files\FireDaemon OpenSSL, C:\Program Files\Common Files\FireDaemon SSL
    • x86: C:\Program Files (x86)\FireDaemon OpenSSL, C:\Program Files\Common Files\FireDaemon SSL
  • To mitigate security issues even on non-default installations, we build the library such that it doesn't automatically load the SSL configuration. Hence, when using the OpenSSL tools or the DLLs in your products you have to explicitly load the SSL configuration.
  • All FireDaemon software products that utilise OpenSSL initialise the OpenSSL library at runtime using a flag that prevents the loading of the default configuration.


Compatibility and Support Matrix

The table below provides a compatibility and support matrix, mapping compatible Microsoft Windows operating system versions to specific FireDaemon OpenSSL software versions.


OpenSSL Versions
OpenSSL 3.4, 3.3, 3.0 LTS, & 1.1.1 LTS
Windows Operating System Version32-bit (x86)64-bit (x64)
Windows XP (1)

Windows Vista (1)

Windows 7 (1)

Windows 8 (1)

Windows 8.1 (1)

Windows 10

Windows 11

Server 2008 (2)

Server 2008 R2 (2)

Server 2012

Server 2012 R2

Server 2016

Server 2019

Server 2022

Server 2025


(1) Windows Desktop Operating System is End of Support

(2) Windows Server Operating System is End of Support


Compatible / SupportedThe software is designed to be installed on the Microsoft Windows operating system. We actively support the operating system version plus software version combination, provided that the 32-bit (x86) version is deployed on a 32-bit (x86) operating system and the 64-bit (x64) version is deployed on a 64-bit (x64) operating system. Please see the License, Warranty, and Support section below.
Compatible / UnsupportedThe software product can be installed on the Microsoft Windows operating system version. We do not support the operating system version plus software version combination. This is typically due to the operating system version reaching End of Support.
Incompatible / UnsupportedThe software product should not or does not install on the Microsoft Windows operating system version or work. We do not support the operating system version plus software version combination.


License, Warranty, and Support

Our OpenSSL Binary Distribution is free to use and redistribute. Product use, redistribution, and warranty are governed by the OpenSSL License. If you have questions regarding OpenSSL, wish to report bugs, or require implementation guidance, please consider joining the OpenSSL Community.


Acknowledgments

This product includes:


Buy SSL / TLS Certificates

Buy SSL / TLS Certificates