Description
Summary
We recently reviewed the Plugin Encryption Tool release binaries and noticed the bundled OpenSSL libraries have reached end-of-life status. Passing this along in case it's useful for a future update.
The tool itself works as expected — the encryption scheme (AES-256-CBC envelope sealed with RSA) is solid. This is purely about the age of the underlying crypto libraries.
Findings
The release/ directory bundles three OpenSSL versions, all past end-of-life:
| DLL(s) | OpenSSL Version | Build Date | EOL Date |
|---|---|---|---|
| libcrypto-1_1-x64.dll, libssl-1_1-x64.dll | 1.1.1d | Sep 2019 | Sep 2023 |
| libcryptoMD.dll, libsslMD.dll | 1.1.0f | May 2017 | Sep 2018 |
| libeay32MD.dll | 1.0.2l | May 2017 | Jan 2020 |
The executable links against the 1.1.1d pair. The 1.1.0f and 1.0.2l DLLs appear to be legacy artifacts that may not be actively loaded.
Recommendation
Rebuilding against OpenSSL 3.5 LTS (supported through April 2030) would bring the tool current and address any accumulated CVEs in the 1.1.x branch. The two legacy DLL sets (*MD.dll, libeay32MD.dll) could likely be removed entirely if they're no longer referenced.
Additional Notes
- The MSVC redistributable DLLs (msvcp140.dll, vcruntime140.dll, vcruntime140_1.dll) are shipped loose rather than via the VC++ Redistributable installer — minor but worth noting.
- The version.dll appears to be a custom proxy that includes Cabinet extraction (FDI) functions, presumably for .qplugx archive handling. Renaming it to something descriptive would avoid confusion with the Windows system version.dll.
Thanks for maintaining this tool — it's a valuable part of the plugin development workflow.
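One way to produce an inventory like the Findings table is to scan each shipped binary for the version banner that OpenSSL builds embed. This is an added example, not part of the original issue or the tool's code; the function names and sample byte strings are constructed, and the EOL values are copied from the table above.

```python
import re
import sys
from pathlib import Path

# Version banner that OpenSSL builds embed, e.g. "OpenSSL 1.1.1d  10 Sep 2019".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})")

# EOL per release branch, copied from the table in the issue (not re-verified here).
EOL_BY_BRANCH = {"1.1.1": "Sep 2023", "1.1.0": "Sep 2018", "1.0.2": "Jan 2020"}

# Constructed stand-ins for DLL contents so the example runs offline.
SAMPLES = {
    "libcrypto-1_1-x64.dll": b"MZ\x90\x00pad\x00OpenSSL 1.1.1d  10 Sep 2019\x00more",
    "libeay32MD.dll": b"MZ\x00OpenSSL 1.0.2l  25 May 2017\x00OpenSSL 1.0.2l  25 May 2017\x00",
    "vcruntime140.dll": b"MZ\x90\x00no banner in this file",
}

def audit_blob(name, data):
    """Return one row per distinct OpenSSL banner found in a binary blob."""
    seen = set()
    for m in BANNER.finditer(data):
        branch, letter, built = (g.decode("ascii") for g in m.groups())
        seen.add((branch, letter, built))
    return [
        {"file": name, "version": branch + letter, "built": built,
         # None means "branch not in the issue's table", not "still supported".
         "eol": EOL_BY_BRANCH.get(branch)}
        for branch, letter, built in sorted(seen)
    ]

def audit_dir(root):
    """Scan every .dll and .exe under root; unreadable files are skipped."""
    rows = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in (".dll", ".exe") or not path.is_file():
            continue
        try:
            rows.extend(audit_blob(path.name, path.read_bytes()))
        except OSError:
            continue
    return rows

if __name__ == "__main__":
    rows = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else [
        r for name, data in SAMPLES.items() for r in audit_blob(name, data)]
    for r in rows:
        print(f'{r["file"]}: OpenSSL {r["version"]} ({r["built"]}), EOL {r["eol"] or "not listed"}')
```

A banner only shows which OpenSSL a file was built from; whether the executable actually loads that DLL has to be checked separately, for example from its import table.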