Desktop: Windows: Client uses ancient OpenSSL version

Hi! It is actually built against 1.1.x but we ran into this issue https://github.com/arvidn/libtorrent/issues/1931 and therefore we had to include 2 older dll's in the installer. I believe that is where this version displayed in settings is coming from.

Just seen this today as well.

AFAIU it is just about the names of dlls, or?

Just checked OC's client on my windows machine and it is using new named files.

The final release of the new client still shows 1.0.1h in the general section.

This is on our todo to look into. However both our windows skillz are suboptimal.

4,5 years are centuries in security years, IMHO . And as @klada linked to, there are known vulnerabilities

@PhilLab Can you help the desktop team to update the libs?

Another vote from our forums.

https://help.nextcloud.com/t/security-openssl-is-seriously-out-of-date-in-client-applications/52634

Hey,

have you seen our latest builds already? They are not outdated anymore ;-)

For the current 2.5.3 release: It's built with a current version and security fixes: OpenSSL 1.0.2s (2019-05-28)

What matters here is the sub-release 's' of May 28. The 1.0.x versions receive security updates till the end of this year.

Great!
Damn, I missed the v2.5.3 release.
Just did the update and hooray, I got a newer ssl lib.

Thank you.

@rakekniven You're welcome :-)

Good news: The next Windows release will include OpenSSL 1.1.1c with TLS 1.3 support 😸

For details see: https://github.com/nextcloud/desktop/issues/906#issuecomment-522713258

Time to close the issue 😼