OpenSSL Version #228352 19/12/10 08:19 PM
Joined: Jul 2003
Posts: 18
keystroke Offline OP
Pikka bird
Is there a way to check which version of OpenSSL mIRC is using? I may have a few versions installed on my machine (e.g. OpenVPN). I notice the new mIRC uses the q release, which appears important due to security concerns. Thanks!

Re: OpenSSL Version [Re: keystroke] #228353 19/12/10 08:50 PM
Joined: Dec 2002
Posts: 3,138
Collective Offline
Hoopy frood
You'll need to check the version information for the ssleay32.dll/libeay32.dll files mIRC has loaded. Either find the files manually by following the standard DLL search order or use Process Explorer (select mirc.exe in the upper pane and find ssleay32.dll/libeay32.dll in the lower pane).
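
One way to script the check described in the post above, as an added example that is not part of the original thread: it lists the ssleay32.dll/libeay32.dll copies mapped into a running mirc.exe with their file version resource, then any other copies in the application, Windows and PATH directories that the loaded one may be shadowing. The process name `mirc` and the use of the script's own PATH in place of mIRC's are assumptions; on 64-bit Windows, run it from a 32-bit PowerShell if a 32-bit mIRC's modules are not listed.

```powershell
# Added example (not from the thread). Assumes the process is named "mirc".
$dllNames = 'ssleay32.dll', 'libeay32.dll'

$proc = Get-Process -Name mirc -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $proc) { throw 'mirc.exe is not running.' }

# 1. Copies actually mapped into the process: the same information
#    Process Explorer shows in its lower pane.
$loaded = @($proc.Modules | Where-Object { $dllNames -contains $_.ModuleName })
$loadedPaths = @($loaded | ForEach-Object { $_.FileName })

$report = @($loaded | ForEach-Object {
    [pscustomobject]@{
        State   = 'LOADED'
        Path    = $_.FileName
        Version = $_.FileVersionInfo.FileVersion
    }
})

# 2. Other copies on disk in directories the standard DLL search order visits.
#    The application directory is searched before the system directories, so a
#    stale copy there wins over a newer one in System32/SysWOW64.
#    Assumption: this script's PATH approximates the PATH mIRC was started with;
#    mIRC's current directory is not checked.
$dirs = @(
    (Split-Path $proc.Path),        # application directory
    "$env:windir\System32",
    "$env:windir\SysWOW64",
    $env:windir
) + ($env:PATH -split ';')

$dirs | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique | ForEach-Object {
    foreach ($name in $dllNames) {
        $file = Join-Path $_ $name
        if ((Test-Path $file) -and ($loadedPaths -notcontains $file)) {
            $report += [pscustomobject]@{
                State   = 'on disk'
                Path    = $file
                Version = (Get-Item $file).VersionInfo.FileVersion
            }
        }
    }
}

$report | Format-Table -AutoSize
```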

Re: OpenSSL Version [Re: Collective] #228356 19/12/10 10:47 PM
Joined: Jul 2003
Posts: 18
keystroke Offline OP
Pikka bird
Thanks! I checked and the version was loaded from the mIRC directory, which had an old one in it. I deleted that and it instead loaded from the windows\system32 directory, which had the new one. Should mIRC have an alert if the version doesn't match the expected one (e.g. one known to be the latest at the time mIRC was released)?

Re: OpenSSL Version [Re: keystroke] #228366 20/12/10 06:13 AM
Joined: Aug 2004
Posts: 7,252
RusselB Offline
Hoopy frood
I don't think that's a bad idea. You should make a post in the Feature Suggestions section.

Re: OpenSSL Version [Re: keystroke] #228368 20/12/10 08:32 AM
Joined: Oct 2003
Posts: 3,918
argv0 Offline
Hoopy frood
There is no "expected" version. mIRC uses whatever is installed by the user. Your initial post was wrong in that "the new mIRC" does not "use" the q release (in the sense that mIRC only supports that library). mIRC.com *provides* a precompiled OpenSSL binary installer as a convenience, because lots of people were having trouble installing the other popular openssl packages out there (due to MSVC2005's CRT being linked but not available on a target system, for instance). Khaled decided to provide his own for users if they need it. You don't have to use it, and mIRC doesn't expect this version to be used-- again, it's only released as a convenience for users.

Therefore, there is no way to know what the "expected" openssl library should be, since mIRC has no specific expectation. Furthermore, it wouldn't make sense to say that "the version at the time of release is safe", because mIRC releases would not often be fast enough to keep up with new vulnerabilities. It would be wrong for mIRC to suggest, for instance, that "q" is "expected" just because that's what was available when 7.17 was released. This would be problematic if a vulnerability in q was discovered in the interim. Khaled does not update mIRC every time a new openssl library is released. I think it's good enough to follow Collective's instructions to verify your libraries for yourself.


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"