Vulnerabilities in OpenSSL 1.1.1w
With known vulnerabilities in OpenSSL 1.1.1w, will OFFIS offer prebuilt libraries and include files for 1.1.1y?
If not, will there be one for a 3.0.2?
Thank you.
P.S. I think 1.1.1 is end of life and I didn't see a directory at OpenSSL's site for 1.1.1y source.
Re: Vulnerabilities in OpenSSL 1.1.1w
I should have asked about 3.0.8 instead of 3.0.2. Unless DCMTK 3.6.8 can be used with a later version of OpenSSL and it's been tried by your team.
Thanks
Re: Vulnerabilities in OpenSSL 1.1.1w
Hi,
we might offer them in the future but we don't plan to spend time on this right now.
DCMTK compiles fine with recent versions of OpenSSL, as stated in the INSTALL file:
    This release of DCMTK is known to compile with OpenSSL releases 1.1.1, 3.0.x, 3.1.x and 3.2.x.
If you want to use up-to-date dependencies like OpenSSL but have trouble compiling them yourself, I can recommend you using Micro$oft's vcpkg package manager.
Best,
Michael
Re: Vulnerabilities in OpenSSL 1.1.1w
The 3.6.8 version of the INSTALL file I downloaded doesn't mention those versions.
It only shows:
    This release of DCMTK is known to compile with OpenSSL
    releases 1.0.2 to 3.0.8.
From:
    OpenSSL Support
    ---------------

    Starting with release 3.4.2, DCMTK supports encrypted network transmissions
    using the Transport Layer Security (TLS) protocol as defined in DICOM part 15.
    DCMTK relies on the OpenSSL toolkit (www.openssl.org) for the underlying
    cryptographic routines and the TLS protocol implementation.

    This release of DCMTK requires OpenSSL release 1.0.2 or newer. We recommend
    the use of OpenSSL 1.1.1 or newer, however, since some optional functions
    recommended by RFC 9325 / BCP 195 are only available starting with this OpenSSL
    release. Furthermore, users should make care that the most recent OpenSSL
    patch level is applied. This release of DCMTK is known to compile with OpenSSL
    releases 1.0.2 to 3.0.8.

    When using CMake, if support for security enhancements is desired, a compiled
    version of the OpenSSL libraries and include files must be available during
    compilation of DCMTK. By default, DCMTK checks whether OpenSSL is installed
    and enables support automatically if present. By default, DCMTK checks the
    standard paths on Unix platforms. For Windows platforms, check the discussion
    on CMake below.
I got that code and INSTALL file from: https://dicom.offis.de/download/dcmtk/d ... -3.6.8.zip
Is there a later version of 3.6.8 that has INSTALL file you extracted the OpenSSL releases from?
Re: Vulnerabilities in OpenSSL 1.1.1w
It is also listed in the DCMTK GitHub repo.
https://github.com/DCMTK/dcmtk/blob/59f ... STALL#L219
Were there any changes in 3.6.8+DEV that would not be in the released version of 3.6.8?
Re: Vulnerabilities in OpenSSL 1.1.1w
Of course, there were changes after the release of version 3.6.8, and if you take a look at the current INSTALL file, there is actually a "warning" at the beginning:
    -------------------------------------------------------------------------------
    IMPORTANT NOTE FOR CURRENT DEVELOPMENT VERSION 3.6.8+DEV
    -------------------------------------------------------------------------------
    Please note that most sections of this document refer to the official release
    DCMTK 3.6.8, i.e. they have not yet been updated to reflect the changes in
    the latest development version. This will be done for the next release at
    the latest, which will probably be called version 3.6.9.
    -------------------------------------------------------------------------------
Support for OpenSSL 3.1 and 3.2 has been added in February this year, i.e. after the release of DCMTK 3.6.8 (see git log).
Re: Vulnerabilities in OpenSSL 1.1.1w
It had been suggested that I could use versions of OpenSSL that were not mentioned in the released version of the INSTALL file for 3.6.8.
My question was asked because I wanted to understand if it was worthwhile trying with one of those versions despite them not being in the released version of the INSTALL.
For example, the released version says 3.0.8 is the latest but the unreleased says 3.2.x.
The question was also about whether they are related to the use of OpenSSL to support that latest version.
I had hoped that Michael Onken knew since he suggested the 3.2.x version.
Thanks.
Re: Vulnerabilities in OpenSSL 1.1.1w
As I said, "support for OpenSSL 3.1 and 3.2 has been added in February this year, i.e. after the release of DCMTK 3.6.8 (see git log)".
That means, if you want to use newer versions of OpenSSL, such as 3.1 or 3.2, this will only work with a newer version of the DCMTK, i.e. a non-release version because 3.6.8 is the latest release of the DCMTK.
Re: Vulnerabilities in OpenSSL 1.1.1w
Thanks for the clarification. I didn't get that impression from Michael's replies.