Vulnerabilities in OpenSSL 1.1.1w

Compilation and installation of DCMTK

thomb
Posts: 91
Joined: Mon, 2024-05-20, 08:10

Vulnerabilities in OpenSSL 1.1.1w

#1 Post by thomb »

With known vulnerabilities in OpenSSL 1.1.1w, will OFFIS offer prebuilt libraries and include files for 1.1.1y?
If not, will there be one for a 3.0.2?

Thank you.

P.S. I think 1.1.1 is end of life and I didn't see a directory at OpenSSL's site for 1.1.1y source.

thomb
Posts: 91
Joined: Mon, 2024-05-20, 08:10

Re: Vulnerabilities in OpenSSL 1.1.1w

#2 Post by thomb »

I should have asked about 3.0.8 instead of 3.0.2. Unless DCMTK 3.6.8 can be used with a later version of OpenSSL and it's been tried by your team.
Thanks

Michael Onken
DCMTK Developer
Posts: 2073
Joined: Fri, 2004-11-05, 13:47
Location: Oldenburg, Germany
Contact:

Re: Vulnerabilities in OpenSSL 1.1.1w

#3 Post by Michael Onken »

Hi,

we might offer them in the future but we don't plan to spend time on this right now.
DCMTK compiles fine with recent versions of OpenSSL, as stated in the INSTALL file:
This release of DCMTK is known to compile with OpenSSL releases 1.1.1, 3.0.x, 3.1.x and 3.2.x.
If you want to use up-to-date dependencies like OpenSSL but have trouble compiling them yourself, I can recommend using Micro$oft's vcpkg package manager.

Best,
Michael

thomb
Posts: 91
Joined: Mon, 2024-05-20, 08:10

Re: Vulnerabilities in OpenSSL 1.1.1w

#4 Post by thomb »

The 3.6.8 version of the INSTALL file I downloaded doesn't mention those versions.
It only shows:
This release of DCMTK is known to compile with OpenSSL
releases 1.0.2 to 3.0.8.
From:
OpenSSL Support
---------------

Starting with release 3.4.2, DCMTK supports encrypted network transmissions
using the Transport Layer Security (TLS) protocol as defined in DICOM part 15.
DCMTK relies on the OpenSSL toolkit (www.openssl.org) for the underlying
cryptographic routines and the TLS protocol implementation.

This release of DCMTK requires OpenSSL release 1.0.2 or newer. We recommend
the use of OpenSSL 1.1.1 or newer, however, since some optional functions
recommended by RFC 9325 / BCP 195 are only available starting with this OpenSSL
release. Furthermore, users should make care that the most recent OpenSSL
patch level is applied. This release of DCMTK is known to compile with OpenSSL
releases 1.0.2 to 3.0.8.

When using CMake, if support for security enhancements is desired, a compiled
version of the OpenSSL libraries and include files must be available during
compilation of DCMTK. By default, DCMTK checks whether OpenSSL is installed
and enables support automatically if present. By default, DCMTK checks the
standard paths on Unix platforms. For Windows platforms, check the discussion
on CMake below.
I got that code and INSTALL file from: https://dicom.offis.de/download/dcmtk/d ... -3.6.8.zip

Is there a later version of 3.6.8 that has the INSTALL file you extracted the OpenSSL releases from?

thomb
Posts: 91
Joined: Mon, 2024-05-20, 08:10

Re: Vulnerabilities in OpenSSL 1.1.1w

#5 Post by thomb »

It is also listed in the DCMTK github repo.
https://github.com/DCMTK/dcmtk/blob/59f ... STALL#L219

Were there any changes in 3.6.8+DEV that would not be in the released version of 3.6.8?

J. Riesmeier
DCMTK Developer
Posts: 2549
Joined: Tue, 2011-05-03, 14:38
Location: Oldenburg, Germany
Contact:

Re: Vulnerabilities in OpenSSL 1.1.1w

#6 Post by J. Riesmeier »

Of course, there were changes after the release of version 3.6.8, and if you take a look at the current INSTALL file, there is actually a "warning" at the beginning:

-------------------------------------------------------------------------------
 IMPORTANT NOTE FOR CURRENT DEVELOPMENT VERSION 3.6.8+DEV
-------------------------------------------------------------------------------
 Please note that most sections of this document refer to the official release
 DCMTK 3.6.8, i.e. they have not yet been updated to reflect the changes in
 the latest development version.  This will be done for the next release at
 the latest, which will probably be called version 3.6.9.
-------------------------------------------------------------------------------
Support for OpenSSL 3.1 and 3.2 has been added in February this year, i.e. after the release of DCMTK 3.6.8 (see git log).

thomb
Posts: 91
Joined: Mon, 2024-05-20, 08:10

Re: Vulnerabilities in OpenSSL 1.1.1w

#7 Post by thomb »

It had been suggested that I could use versions of OpenSSL that were not mentioned in the released version of the INSTALL file for 3.6.8.
My question was asked because I wanted to understand if it was worthwhile trying with one of those versions despite them not being in the released version of the INSTALL.
For example, the released version says 3.0.8 is the latest but the unreleased says 3.2.x.

The question was also about whether they are related to the use of OpenSSL to support that latest version.
I had hoped that Michael Onken knew since he suggested the 3.2.x version.

Thanks.

J. Riesmeier
DCMTK Developer
Posts: 2549
Joined: Tue, 2011-05-03, 14:38
Location: Oldenburg, Germany
Contact:

Re: Vulnerabilities in OpenSSL 1.1.1w

#8 Post by J. Riesmeier »

As I said, "support for OpenSSL 3.1 and 3.2 has been added in February this year, i.e. after the release of DCMTK 3.6.8 (see git log)".
That means, if you want to use newer versions of OpenSSL, such as 3.1 or 3.2, this will only work with a newer version of the DCMTK, i.e. a non-release version because 3.6.8 is the latest release of the DCMTK.
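
Added example, not part of the original thread and not DCMTK code: a small check of an OpenSSL version string against the two "known to compile" statements quoted in this thread (release 3.6.8: "1.0.2 to 3.0.8"; 3.6.8+DEV: "1.1.1, 3.0.x, 3.1.x and 3.2.x"). The function names and the sample version strings are assumptions made for illustration.

```python
import re

# Ranges as quoted in this thread from the two INSTALL files.
DEV_SERIES = {(1, 1, 1), (3, 0), (3, 1), (3, 2)}   # 3.6.8+DEV: "1.1.1, 3.0.x, 3.1.x and 3.2.x"
RELEASE_RANGE = ((1, 0, 2, 0), (3, 0, 8, 0))       # 3.6.8: "1.0.2 to 3.0.8"


def parse_openssl(text):
    """Turn `openssl version` output or a bare version into a sortable tuple.

    Releases before 3.0 carry a letter patch level (1.1.1w); 3.x uses
    MAJOR.MINOR.PATCH. Letters become numbers so that 1.1.1w < 1.1.1y.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)
    # a=1 ... z=26, za=27, ...; no letter means the base release (0).
    patch = 26 * (len(letters) - 1) + ord(letters[-1]) - 96 if letters else 0
    return (major, minor, fix, patch)


def in_documented_range(dcmtk, openssl_text):
    """True if the INSTALL text quoted above lists this OpenSSL for this DCMTK."""
    v = parse_openssl(openssl_text)
    if dcmtk == "3.6.8":
        low, high = RELEASE_RANGE
        return low <= v <= high
    if dcmtk == "3.6.8+DEV":
        series = v[:2] if v[0] >= 3 else v[:3]
        return series in DEV_SERIES
    raise ValueError(f"no range quoted in the thread for DCMTK {dcmtk!r}")


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real system.
    for ssl in ("OpenSSL 1.1.1w  11 Sep 2023", "3.0.8", "3.0.13", "3.2.1"):
        for dcmtk in ("3.6.8", "3.6.8+DEV"):
            print(f"DCMTK {dcmtk:9} + {ssl!r}: {in_documented_range(dcmtk, ssl)}")
```

A `False` result means the combination lies outside what the quoted INSTALL text lists, not that a build has been shown to fail; for example, a 3.0.x patch level above 3.0.8 falls outside the release range as worded even though the same text asks users to apply the most recent patch level.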

thomb
Posts: 91
Joined: Mon, 2024-05-20, 08:10

Re: Vulnerabilities in OpenSSL 1.1.1w

#9 Post by thomb »

Thanks for the clarification. I didn't get that impression from Michael's replies.
