Openssl Security Vulnerability, Compatibility

I am currently running 6.0.7 on Windows, which came with openssl 3.0.3.0. My IT is requesting I uninstall openssl 3.0.3.0 or update to openssl 3.0.7 due to a recently patched security vulnerability. I’d rather not break the software, so I was hoping someone here could help answer a few questions:

Is KiCad 6.0.7 (or a newer version) compatible with openssl 3.0.7? I.e., if I uninstall 3.0.3 and install 3.0.7, will KiCad still work?

If not, could I get away with uninstalling openssl and still be able to run basic features of KiCad?

Thanks

I can’t speak for Windows, but on Linux libraries like openssl generally maintain ABI compatibility within major versions, so a bugfix release like from .0.3 to .0.7 is unlikely to break applications.

I would imagine it would be fine to upgrade openssl, as I’m guessing KiCad only uses this to connect to external web sites (via plugins).

Upgrade it and see what happens. Worst case something breaks, you can always reinstall. Maybe at the same time install 6.0.9. They may have updated openssl since then. (I’m on Linux so can’t check.)

@marekr kicad on windows uses system ssl libs, right? At least I looked at dll dependencies and couldn’t find anything using libssl or libcrypto, even libcurl uses crypt32.dll and not openssl. Or am I missing something?
Maybe we are still packaging openssl libs with kicad just by inertia and it doesn’t really need them.

I think it’s python that’s dependent on openssl actually.

I don’t think it has support for Windows secure channels at all.

I checked that too with deps viewer and it doesn’t use openssl libs.

I even renamed libssl and libcrypto, kicad works fine and python still can access https resources.

image

It’s just that can of worms ^

Oh, I didn’t even notice another copy of those hiding in DLL folder. Yeah, it’s a can of something all right.

Vcpkg recently updated openssl port to 3.0.7 citing the security vulnerability, kicad should probably update the base repo revision.

My organization uses Microsoft Defender for endpoint. It is also flagging these OpenSSL files. For now I’ve just deleted the files.
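An added audit script for the situation in this thread (not code from the forum or from the KiCad project): it inventories every libssl/libcrypto DLL under the install tree, including copies tucked away in a DLL subfolder, and flags any below the version IT asked for. The default install path, the DLL name patterns, and the minimum version are assumptions; adjust them for your machine.

```powershell
# Inventory every OpenSSL DLL under a KiCad install and flag copies older
# than the version IT requested. Path and minimum version are assumptions.
param(
    [string]$KiCadRoot = 'C:\Program Files\KiCad\6.0',   # assumed default install path
    [version]$MinimumVersion = [version]'3.0.7'          # version requested by IT in the thread
)

function Get-OpenSslDllReport {
    param([string]$Root, [version]$Minimum)

    # Search the whole tree: the thread found a second copy hiding in a DLL subfolder.
    Get-ChildItem -Path $Root -Recurse -File -Include 'libssl*.dll', 'libcrypto*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $parsed = $null
            # Version resources are not guaranteed to be well-formed; trim anything
            # after the numeric part and report "unknown-version" if it still fails.
            $ok = [version]::TryParse(($raw -replace '[^0-9.].*$', ''), [ref]$parsed)
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $raw
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status      = if (-not $ok) { 'unknown-version' }
                              elseif ($parsed -lt $Minimum) { 'OUTDATED' }
                              else { 'ok' }
            }
        }
}

$report = Get-OpenSslDllReport -Root $KiCadRoot -Minimum $MinimumVersion
$report | Format-Table -AutoSize

# Non-zero exit code lets an endpoint-management job treat findings as a failure.
if ($report.Status -contains 'OUTDATED' -or $report.Status -contains 'unknown-version') { exit 1 }
exit 0
```

The SHA256 column is there so the copies you find can be matched against what Defender flagged, and so you can confirm after an upgrade that no stale copy was left behind.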
