
Which openssl Windows binary do you recommend (to have the latest official version)?


Arlen Holder

Apr 26, 2020, 4:46:25 AM
Which openssl Windows binary do you recommend & from where?
(to have the latest official version)

As per the information in this recent thread on alt.free.newsservers:
o [Mixmin] Did a certificate expire recently?
<https://groups.google.com/forum/#!topic/alt.free.newsservers/mGdgWb-zcjg>

I found it's useful to use "openssl" as a debugging utility of free
newsservers, even as I had never installed or used openssl prior.

Yet, the version I installed is an older version.
openssl version
WARNING: can't open config file: C:/OpenSSL/openssl.cnf
OpenSSL 1.0.2d-fips 9 Jul 2015

For those of you who already use openssl, I ask the basic question:
Q: Which openssl Windows binary do you recommend & from where?
--
The high price of freeware is in finding those solutions that work best.

Gary R. Schmidt

Apr 26, 2020, 5:49:09 AM
The one I build myself, from the source tarball at
<https://www.openssl.org/source/>, which is currently 1.1.1g:
<https://www.openssl.org/source/openssl-1.1.1g.tar.gz>

Cheers,
Gary B-)

--
Waiting for a new signature to suggest itself...

Libor Striz

Apr 26, 2020, 7:12:22 AM
Arlen Holder <arlen...@anyexample.com> wrote in message:
> Which openssl Windows binary do you recommend & from where?

https://www.openssl.org/source/

> The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September 2023. All other versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 1.1.1 as soon as possible. Extended support for 1.0.2 to gain access to security fixes for that version is available.



--
Poutnik ( the Wanderer )

Arlen Holder

Apr 26, 2020, 4:16:32 PM
In response to what Libor Striz
<poutnik4R...@gmailCAPITALS.com.INVALID> wrote :

> https://www.openssl.org/source/

Hi Poutnik,

Thanks for the hint that the only "reliable" build of openssl is one that I
build myself from latest source that I read through to check myself...

But I haven't used a Makefile in something like a decade or so.

Which means the effort would be to find a good freeware Windows compiler
because in this thread they suggested using openssl to debug nntp servers:
o *[Mixmin] Did a certificate expire recently?*
<https://groups.google.com/forum/#!topic/alt.free.newsservers/mGdgWb-zcjg>

There's mention of the following tools/compilers at the curl site:
<https://curl.haxx.se/windows/>

Namely:
o binutils-mingw-w64-i686 2.34
o binutils-mingw-w64-x86_64 2.34
o clang 9.0.1
o gcc-mingw-w64-i686 9.3-win32
o gcc-mingw-w64-x86_64 9.3-win32
o mingw-w64 7.0.0-2
<https://ci.appveyor.com/project/curlorg/curl-for-win/build/1.0.1390/job/oem246ni2r4ueht4>

But all I _really_ wanted is just the Windows binary so that I could debug
why the mixmin nntp server I've been using hasn't worked for about a week.
o *mixmin* = notAfter=Jun 26 19:57:30 2020 GMT
c:\> echo q | openssl s_client -connect news.mixmin.net:563 | openssl x509 -noout -enddate | findstr "notAfter"

It turned out the certificate had expired, where I noticed you're on
Ray Banana's server, so here's the command you can use to test yours:
c:\> echo q | openssl s_client -connect news.eternal-september.org:563 | openssl x509 -noout -enddate | findstr "notAfter"

Which results in an expiry date for your nntp server cert of:
o *eternal-september* = notAfter=Jun 13 09:09:38 2020 GMT

Note the referenced thread has a bunch of other server tests
for those reading this who are on the other nntp servers.
o <http://tinyurl.com/alt.free.newsservers>
--
Usenet is a wondrously rich public helpdesk to politely discuss solutions.

Arlen Holder

Apr 26, 2020, 4:17:17 PM
In response to what "Gary R. Schmidt" <grsc...@acm.org> wrote :

> The one I build myself, from the source tarball at
> <https://www.openssl.org/source/>, which is currently 1.1.1g:
> <https://www.openssl.org/source/openssl-1.1.1g.tar.gz>

Hi Gary,

Thanks for pointing to the latest canonical src code...
where I certainly get the hint that the only reliable
binary is one I've compiled myself...

But that assumes a few things that aren't the case:
a. It assumes I _can_ run a Makefile (which I haven't done in a decade)
b. It assumes I know which compiler (and other tools) to use
c. Most importantly, it assumes I can read the code itself
(so as to see if the code is trustworthy of its own right)

None of that is true as I haven't compiled in a decade.

And, besides, I just wanted to run the openssl command
to see whether my newsserver certificate had expired, as per:
o *[Mixmin] Did a certificate expire recently?*
<https://groups.google.com/forum/#!topic/alt.free.newsservers/mGdgWb-zcjg>

Luckily I found "Win32/Win64 OpenSSL" "light" installers at:
o <https://slproweb.com/products/Win32OpenSSL.html>

Where that site contained both an MSI & an EXE installer:
o <http://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.msi>
o <https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe>

I readily admit I never understood how to choose between those
two types when archiving software
(why would it matter if I archive the EXE or MSI in my archives?).

Arbitrarily, I tried the MSI first, but it failed with a big blue error:
Windows protected your PC
Microsoft Defender SmartScreen prevented an unrecognized app from starting.
Running this app might put your PC at risk.
More info
App: Win64OpenSSL_Light-1_1_1g.msi
Publisher: Unknown publisher
[Run anyway][Don't run]

So I switched to the EXE which seemed to install just fine
although it asked where to store the DLLs, where, once again,
I have no idea how to decide what the ramifications might be:
(o)Windows System directory
(_)Openssl bin directory
I left it at the default above not knowing whether it would matter.

This created the openssl.exe binary (and a bunch of DLLs):
Name: openssl.exe
Size: 543744 bytes (531 KiB)
SHA256: 96D07FF13B53848165AC9D88C76BF62562600B0E0848702FB0E22FC8D39A9593

Which claims to be the latest version of openssl.exe light:
C:\> openssl version
OpenSSL 1.1.1g 21 Apr 2020

And which worked in the following test below just now:
c:\> echo q | openssl s_client -connect news.albasani.net:563 | openssl x509 -noout -enddate | findstr "notAfter"

Result:
depth=0 C = CH, ST = Some-State, L = Zurich, O = Albasani, OU = Roman Racine, CN = reader.albasani.net, emailAddress = roman....@gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, ST = Some-State, L = Zurich, O = Albasani, OU = Roman Racine, CN = reader.albasani.net, emailAddress = roman....@gmail.com
verify error:num=10:certificate has expired
notAfter=Jul 21 15:37:36 2019 GMT
verify return:1
depth=0 C = CH, ST = Some-State, L = Zurich, O = Albasani, OU = Roman Racine, CN = reader.albasani.net, emailAddress = roman....@gmail.com
notAfter=Jul 21 15:37:36 2019 GMT
verify return:1
notAfter=Jul 21 15:37:36 2019 GMT

NOTE: I'm not sure why the findstring doesn't grep out the other
crap though. I found the command by googling so maybe I skipped
a step as the results are more than what I would have expected
from a simple grep.
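
Added example (not part of the original post): the `depth=` and `verify error` lines are written by s_client to stderr, which the pipe does not pass on to findstr, so they reach the console unfiltered. The Python sketch below parses such a mixed console capture, using lines abridged from the post above as constructed sample input; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Sample console capture, abridged from the post above (subject shortened).
SAMPLE = """\
depth=0 C = CH, O = Albasani, CN = reader.albasani.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, O = Albasani, CN = reader.albasani.net
verify error:num=10:certificate has expired
notAfter=Jul 21 15:37:36 2019 GMT
verify return:1
notAfter=Jul 21 15:37:36 2019 GMT
"""

VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
ENDDATE_RE = re.compile(r"^notAfter=(.+?)\s+GMT$")


def parse_capture(text):
    """Split mixed s_client/x509 output into verify errors and expiry."""
    errors, not_after = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = VERIFY_RE.match(line)
        if m:
            err = (int(m.group(1)), m.group(2))
            if err not in errors:  # s_client may repeat a diagnostic
                errors.append(err)
            continue
        m = ENDDATE_RE.match(line)
        if m:
            # openssl pads single-digit days ("Jun  3"); collapse spaces first
            stamp = " ".join(m.group(1).split())
            dt = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            not_after.add(dt.replace(tzinfo=timezone.utc))
    if len(not_after) != 1:
        raise ValueError("expected exactly one distinct notAfter value")
    return {"not_after": not_after.pop(), "verify_errors": errors}


def days_remaining(result, now):
    """Days until expiry (rounded down); negative once it has expired."""
    return (result["not_after"] - now).days
```

Passing the date of the check as `now` keeps the result reproducible; for a live check use `datetime.now(timezone.utc)`.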

Arlen Holder

Apr 26, 2020, 7:53:53 PM
UPDATE:

Found another set of recent openssl Windows binaries from the haxx folks.
<https://curl.haxx.se/windows/dl-7.69.1_2/openssl-1.1.1g_2-win64-mingw.zip>
<https://curl.haxx.se/windows/dl-7.69.1_2/openssl-1.1.1g_2-win32-mingw.zip>

Whose links were found in the "curl" compile "specifications" section:
<https://curl.haxx.se/windows/>
Which points to this directory of related compiled Windows binaries:
<https://curl.haxx.se/windows/dl-7.69.1_2/>

See also:
o If I wanted to build the openssl binary from source code,
which free compiler is used nowadays for such things?
<https://groups.google.com/forum/#!topic/alt.comp.freeware/6eVRAN-kPEs>
--
Every Usenet thread should strive to purposefully helpfully add value.

Arlen Holder

Apr 27, 2020, 2:04:20 AM
UPDATE:

After searching a while, it appears, so far, there are only TWO openssl
binaries on the net (as far as I can find so far).

Searching for better openssl binaries, I found this, which indicates I was
accidentally lucky that I had previously installed Visual C++ on my PC:
Feb 12, 2020:
o How To Install OpenSSL on Windows
<https://tecadmin.net/install-openssl-on-windows/>

They discuss installing this openssl binary:
<http://slproweb.com/products/Win32OpenSSL.html>

It's from Shining Light Productions, which I do not recommend for quite a
few reasons I've learned in just the past few hours, one of which is that
to install it, you require Microsoft Visual C++ which is just unnecessary,
IMHO, since other available openssl Windows binaries don't seem to need
Microsoft Visual C++ in my tests reported elsewhere in this thread.

Another reason not to install this openssl is that it has an idiotically
designed hard-coded tree for the location of the openssl.cnf file:
<https://github.com/openssl/openssl/blob/master/apps/openssl.cnf>
Which nobody in his right mind would ever use.

Luckily, the hard-coded path can be changed but why deal with that crap?
set OPENSSL_CONF=c:\path-of-your-own-choosing\openssl.cnf
echo %OPENSSL_CONF%

Interestingly, this article also suggests the slproweb openssl binary:
o How to Install OpenSSL in Windows
<https://www.osradar.com/install-openssl-windows/>

Based only on my experience today, I would treat this Shining Light openssl
binary as if it had the virus that causes Covid-19, and, instead use this
zip file which doesn't have the idiotic defaults of the Shining Light
binary:
<https://curl.haxx.se/windows/dl-7.69.1_2/openssl-1.1.1g_2-win64-mingw.zip>
<https://curl.haxx.se/windows/dl-7.69.1_2/openssl-1.1.1g_2-win32-mingw.zip>

I could be wrong though, so treat my comments with a grain of salt.
But so far, nobody in this newsgroup has suggested (yet) a better binary,
so my advice, bad as it may be, is the best there is to date.

Note: The advice to compile your own is a _different_ solution to the
problem set, which is covered in this thread separately:
o If I wanted to build the openssl binary from source code, which free compiler is used nowadays for such things?
<https://groups.google.com/forum/#!topic/alt.comp.freeware/6eVRAN-kPEs>
--
The high price of freeware is in testing for the solutions that work best.