logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Building & Member Downloads View previous topic :: View next topic
Reply to topic   Topic: Apache 2.4.28 openssl 1.1.0g binary file
Author
markberardi



Joined: 21 Oct 2017
Posts: 6
Location: USA, Irwin PA

PostPosted: Sat 21 Oct '17 15:06    Post subject: Apache 2.4.28 openssl 1.1.0g binary file Reply with quote

Does anyone know where I can find a Windows 64 binary for openssl 1.1.0g or openssl 1.1.0f-git for Apache 24.28. I am using the Apache Lounge download of VC15 Apache 2.4.28. I am trying to fix the vulnerability: OpenSSL CVE-2017-3735 Security Bypass Vulnerability. Thanks in advance for any assistance. The 1.1.0f stable version of openssl provided with the Apache 24.28 VC15 download does not have the fix for this vulnerability.
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 677

PostPosted: Sat 21 Oct '17 15:14    Post subject: Reply with quote

There is no1.10g release at OpenSSL.org. We do not apply non released version.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU

PostPosted: Sun 22 Oct '17 18:39    Post subject: Reply with quote

Shining Light does not have 1.1.0g either:
https://slproweb.com/products/Win32OpenSSL.html

The only solution at the moment: build it yourself.


Last edited by Jan-E on Sat 28 Oct '17 10:43; edited 1 time in total
Back to top
markberardi



Joined: 21 Oct 2017
Posts: 6
Location: USA, Irwin PA

PostPosted: Mon 23 Oct '17 15:08    Post subject: Apache 2.4.28 openssl 1.1.0g binary file Reply with quote

Unfortunately, I do not have an environment/experience setup to build the binary. I am concerned that it will work correctly with the VC15 Apache 2.4.28 that I recently downloaded and installed. I also noticed that there is a version of 1.1.0f called 1.1.0f-git, which does have the fix for CVE-2017-3735. Anyone possibly have this built as 64 bit binary?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Mon 23 Oct '17 16:38    Post subject: Reply with quote

I cannot find a 1.1.0f-git, where do you see it ?

What is your concern with CVE 2017-3735. At OpenSSL it is rated: Severity: Low

Description:

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.
Back to top
markberardi



Joined: 21 Oct 2017
Posts: 6
Location: USA, Irwin PA

PostPosted: Mon 23 Oct '17 19:09    Post subject: CVE 2017-3735 and openssl 1.1.0f-git Reply with quote

Thanks for the reply, found it on this site. http://www.securityfocus.com/bid/100515
Back to top
markberardi



Joined: 21 Oct 2017
Posts: 6
Location: USA, Irwin PA

PostPosted: Mon 23 Oct '17 19:11    Post subject: Low Severity Reply with quote

I agree completely regarding the Low Vulnerability, but out PCI Compliance team will not certify without a fix.
Back to top
markberardi



Joined: 21 Oct 2017
Posts: 6
Location: USA, Irwin PA

PostPosted: Wed 25 Oct '17 15:33    Post subject: Refreshing Reply with quote

I guess I will have to setup and build the openssl 1.1.0g. Can anyone recommend a good document describing the process.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 26 Oct '17 20:50    Post subject: Reply with quote

See NOTES.WIN in the OpenSSL source https://github.com/openssl/openssl/archive/OpenSSL_1_1_0-stable.zip

Note: For ease of use Perl and NASM need to be in the system's path.

That said, it's easy to build and I suggest if you're going to have to maintain PCI compliance between releases you do learn to build things for yourself.

For expediency however (this time only Smile):
[link removed]

Back up your current libcrypto & libssl DLLs and replace with these for whichever architecture you have, both x64 and x86 are in there.


Last edited by glsmith on Wed 16 May '18 14:50; edited 1 time in total
Back to top
markberardi



Joined: 21 Oct 2017
Posts: 6
Location: USA, Irwin PA

PostPosted: Fri 27 Oct '17 2:25    Post subject: OpenSSl 1.1.0g Build Reply with quote

Thank you very much for the build. It is running quite well. I have schedule my PCI compliance test, and completely expect a passing grade. I greatly appreciate your assistance. thanks... Mark Very Happy
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU

PostPosted: Mon 30 Oct '17 23:01    Post subject: Reply with quote

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt

Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team
Back to top


Reply to topic   Topic: Apache 2.4.28 openssl 1.1.0g binary file View previous topic :: View next topic
Post new topic   Forum Index -> Building & Member Downloads