Posted By: keystroke OpenSSL Version - 19/12/10 08:19 PM
Is there a way to check which version of OpenSSL mIRC is using? I may have a few versions installed on my machine (e.g. OpenVPN). I notice the new mIRC uses the q release, which appears important due to security concerns. Thanks!
Posted By: Collective Re: OpenSSL Version - 19/12/10 08:50 PM
You'll need to check the version information for the ssleay32.dll/libeay32.dll files mIRC has loaded. Either find the files manually by following the standard DLL search order or use Process Explorer (select mirc.exe in the upper pane and find ssleay32.dll/libeay32.dll in the lower pane).
Posted By: keystroke Re: OpenSSL Version - 19/12/10 10:47 PM
Thanks! I checked and the version was loaded from the mIRC directory which had an old one in it. I deleted that and it instead loaded from the windows\system32 directory which had the new one. Should mIRC have an alert if the version doesn't match the expected one (e.g. one known to be the latest at which time mIRC was released)?
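The check Collective describes, and the shadowing keystroke found, can also be scripted. The following is an added example, not part of the original posts: it lists the OpenSSL DLLs that a running mIRC has mapped, then every copy in the directories the standard search order consults, so an older copy in the application directory stands out. It assumes the process is named `mirc`, that the shell has the same bitness as mIRC, and it only approximates the search order (application directory, system directory, Windows directory, PATH).

```powershell
# Added example (assumptions: process name "mirc"; run from a shell with the
# same bitness as mIRC, since a 64-bit shell may not list a 32-bit process's
# modules and reports System32 rather than SysWOW64 as the system directory).
$dllNames = 'ssleay32.dll', 'libeay32.dll'

$proc   = Get-Process -Name mirc -ErrorAction Stop | Select-Object -First 1
$appDir = Split-Path -Parent $proc.Path

# 1. What the process has actually loaded (the Process Explorer lower pane).
$loaded = @($proc.Modules | Where-Object { $dllNames -contains $_.ModuleName.ToLower() })
$loaded | Select-Object ModuleName, FileName,
    @{ Name = 'FileVersion'; Expression = { $_.FileVersionInfo.FileVersion } } |
    Format-Table -AutoSize

# 2. Every copy reachable through the directories the loader consults.
#    Approximation of the standard order, not the loader's exact algorithm.
$searchDirs = @($appDir, [Environment]::SystemDirectory, $env:windir) +
              ($env:Path -split ';') |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim('"').TrimEnd('\') } |
    Select-Object -Unique

$copies = foreach ($dir in $searchDirs) {
    foreach ($name in $dllNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $info = (Get-Item -LiteralPath $path).VersionInfo
            [pscustomobject]@{
                File        = $path
                FileVersion = $info.FileVersion
                Loaded      = [bool]($loaded | Where-Object { $_.FileName -ieq $path })
            }
        }
    }
}
$copies | Format-Table -AutoSize

# 3. Flag the situation from this thread: several differing copies on disk,
#    where the one that wins the search may not be the newest.
foreach ($name in $dllNames) {
    $versions = @($copies | Where-Object { (Split-Path -Leaf $_.File) -ieq $name } |
                  Select-Object -ExpandProperty FileVersion -Unique)
    if ($versions.Count -gt 1) {
        Write-Warning "$name exists in $($versions.Count) different versions: $($versions -join ', ')"
    }
}
```

A row with `Loaded = True` whose `FileVersion` is older than another row for the same DLL is the case keystroke describes: a stale copy earlier in the search order shadowing a newer one.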
Posted By: RusselB Re: OpenSSL Version - 20/12/10 06:13 AM
I don't think that's a bad idea. You should make a post in the Feature Suggestions section.
Posted By: argv0 Re: OpenSSL Version - 20/12/10 08:32 AM
There is no "expected" version. mIRC uses whatever is installed by the user. Your initial post was wrong in that "the new mIRC" does not "use" the q release (in the sense that mIRC only supports that library). mIRC.com *provides* a precompiled OpenSSL binary installer as a convenience, because lots of people were having trouble installing the other popular openssl packages out there (due to MSVC2005's CRT being linked but not available on a target system, for instance). Khaled decided to provide his own for users if they need it. You don't have to use it, and mIRC doesn't expect this version to be used-- again, it's only released as a convenience for users.

Therefore, there is no way to know what the "expected" openssl library should be, since mIRC has no specific expectation. Furthermore, it wouldn't make sense to say that "the version at the time of release is safe", because mIRC releases would not often be fast enough to keep up with new vulnerabilities. It would be wrong for mIRC to suggest, for instance, that "q" is "expected" just because that's what was available when 7.17 was released. This would be problematic if a vulnerability in q was discovered in the interim. Khaled does not update mIRC every time a new openssl library is released. I think it's good enough to follow Collective's instructions to verify your libraries for yourself.
© mIRC Discussion Forums