Hello Jane,
Your case is not related to Windows for Business or Windows 365 Enterprise. What you are dealing with is an application dependency issue around OpenSSL versions on Windows. Winget installs the latest OpenSSL binaries into a system path, but applications do not automatically switch to using them. Each program either links statically to its own bundled OpenSSL libraries or dynamically loads them from a specific path. That means even if you have the newest OpenSSL installed globally, older applications may still be calling their embedded or outdated DLLs.
To verify which version is actually being used, you need to inspect the binaries that the application loads. On Windows, the most reliable way is to use Process Explorer from Sysinternals. Launch the application, open Process Explorer, and check the loaded modules under the process. If you see libssl-1_1.dll or libcrypto-1_1.dll, note the file path. That path tells you whether the program is using the system-installed OpenSSL or its own copy. You can also run openssl version from the command line to confirm the version of the OpenSSL binary you installed via Winget, but that only confirms the global installation, not what each application is consuming.
There is no single command line that forces all applications to use the new OpenSSL. Each application must either be updated by its vendor to link against the newer libraries, or you must replace the older DLLs in the application’s directory with the updated ones though this is risky and not recommended unless the vendor explicitly supports it. The best practice is to update the applications themselves to versions that are compiled against the latest OpenSSL.
I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!
Domic Vo.
Answer from Domic Vo on learn.microsoft.comHello Jane,
Your case is not related to Windows for Business or Windows 365 Enterprise. What you are dealing with is an application dependency issue around OpenSSL versions on Windows. Winget installs the latest OpenSSL binaries into a system path, but applications do not automatically switch to using them. Each program either links statically to its own bundled OpenSSL libraries or dynamically loads them from a specific path. That means even if you have the newest OpenSSL installed globally, older applications may still be calling their embedded or outdated DLLs.
To verify which version is actually being used, you need to inspect the binaries that the application loads. On Windows, the most reliable way is to use Process Explorer from Sysinternals. Launch the application, open Process Explorer, and check the loaded modules under the process. If you see libssl-1_1.dll or libcrypto-1_1.dll, note the file path. That path tells you whether the program is using the system-installed OpenSSL or its own copy. You can also run openssl version from the command line to confirm the version of the OpenSSL binary you installed via Winget, but that only confirms the global installation, not what each application is consuming.
There is no single command line that forces all applications to use the new OpenSSL. Each application must either be updated by its vendor to link against the newer libraries, or you must replace the older DLLs in the application’s directory with the updated ones though this is risky and not recommended unless the vendor explicitly supports it. The best practice is to update the applications themselves to versions that are compiled against the latest OpenSSL.
I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!
Domic Vo.
To ensure that your applications are using the new version of OpenSSL after updating, you can follow these steps:
- Check OpenSSL Version: You can verify the installed version of OpenSSL by running the following command in your command line:
This command will display the version of OpenSSL currently in use.openssl version - Verify Application Dependencies: For applications that depend on OpenSSL, you may need to check their documentation or use specific commands to see which version of OpenSSL they are linked against. This can vary by application, but many applications will have a command-line option to display version information.
- Check for Multiple Versions: If you suspect that multiple versions of OpenSSL are installed, you can check the paths of the OpenSSL binaries in your system. Use the following command to find all instances of OpenSSL:
This will show you the locations of the OpenSSL executables, and you can verify if the correct version is being used.where openssl - Update Environment Variables: Ensure that your system's PATH environment variable points to the directory of the new OpenSSL installation. This can help ensure that applications use the correct version.
- Testing Applications: After updating, test your applications to ensure they function correctly. If they fail or report issues related to OpenSSL, they may still be referencing an older version.
By following these steps, you can confirm that your applications are using the updated version of OpenSSL and mitigate any vulnerabilities associated with older versions.
How do I find old versions of OpenSSL across my company?
c - How to know the version of OpenSSL my peer is using? - Stack Overflow
c++ - How to determine version of openssl library? - Stack Overflow
ssl - How to install OpenSSL in Windows 10? - Stack Overflow
How is AutoInstall SSL™ different from Let’s Encrypt or Certbot?
Which SSL certificates are compatible?
Are wildcard certificates supported?
Videos
OpenSSL recently ended LTS for version 1.1, and has suggested to move to version 3.0 or 3.1 as soon as possible. I use Intune and Defender 365 for our windows devices, how can I search for the old installed versions? Since OpenSSL is treated as more of a library/resource it is compiled with some programs, some PC's have multiple versions that I can see through "advanced hunting" in defender (see picture https://imgur.com/a/fBRxiNN). How do I find where these versions are installed so I can address them?
Any help is greatly appreciated.
OpenSSL is not part of Tomcat. It's a seperate application. You don't need OpenSSL to use Tomcat. OpenSSL is used for SSL on Unix and Linux systems. Windows has its own SSL implementation, but you can install openssl on Windows as well.
Do you use SSL for Tomcat? So do you connect to the tomcat webapp using something like https://localhost:8443 or do you have IIS or Apache inbetween? The log example you quote is an example!
If you have Openssl installed, you can find the version by following these steps:
- Click the Windows "Start" button and type "cmd" into the search text box. Press "Enter" to open your Windows command line.
- Type "openssl /?" to view a list of options for the command line utility. This also shows you the proper syntax for the command.
- Type "openssl version" and press "Enter." The OpenSSL version is displayed in the Windows command line utility.
If the openssl command returns an error, it's probably not installed.
There are several common modes of deployment for Tomcat on MS-Windows if HTTPS is enabled:
- Tomcat running behind IIS, OpenSSL is not used
- Tomcat running behind Apache, OpenSSL is that used by Apache
- Tomcat standalone server with JSSE connector (Java SSL), OpenSSL is not used
- Tomcat standalone server with APR connector, OpenSSL in use
If you have a standalone Tomcat server you can determine which HTTPS method is used by inspecting the Connector protocol configuration. The Apache provided Tomcat 6.0 binaries include APR (and hence OpenSSL) by default, though you may not be using it (upgrade anyway!). Further, if you have OpenSSL installed separately, it's irrelevant from Tomcat's point of view (though it might be used by your Apache or other web server).
If you are using an official (contrib) Apache-2.2 web server binary, the OpenSSL version number is typically encoded in the installer package file name. For 2.4 there are several different packaged versions. At least one (Apachehaus) documents the OpenSSL version and provide an openssl.exe you can run, though it may not be in the normal user PATH it's in the bin/ subdirectory of the Apache installation.
If you have LogLevel of "info" or higher, Apache will log the mod_ssl and OpenSSL versions on startup. Since 6.0.36, Tomcat6 does the same (bug #53057).
To peek at what DLLs a running process has loaded Process Explorer is handy, sadly though it appears that the normal Tomcat binary distribution link OpenSSL (and more) into a single DLL (tcnative-1.dll) rather than an easily identifiable (and replaceable) libssl.dll/libcrypto.dll (or similar) as is the convention on *nix systems. (This analysis will work on the Apachehaus Apache httpd though.)
A fairly primitive but reliable way then is to use find (or strings if you have it already), from a cmd prompt:
cd \Program Files\apache-tomcat\bin
find "OpenSSL" tcnative-1.dll
[...]
TLSv1 part of OpenSSL 1.0.1d 5 Feb 2013
SSLv3 part of OpenSSL 1.0.1d 5 Feb 2013
SSLv2 part of OpenSSL 1.0.1d 5 Feb 2013
DTLSv1 part of OpenSSL 1.0.1d 5 Feb 2013
Process Explorer will tell you the location of tcnative-1.dll for a running tomcat6 process if you cannot find it easily.
To summarise:
- check
netstat -abn -p TCPto see what's listening on 443 (or whatever HTTPS port you use) - check your connector to see if, and how, Tomcat provides SSL
- check your webserver version and HTTPS configuration
There is a string inside the library containing the version details called SSLEAY_VERSION - it looks like:
OpenSSL 0.9.5a 1 Apr 2000OpenSSL 1.0.1e-fips 11 Feb 2013
You can find this from the binary library using strings and grep:
Copystrings libcrypto.so | grep "^OpenSSL \S\+ [0-9]\+ \S\+ [0-9]\+"
Well the filtering may may not always work. You could do
Copystrings libssl.so | grep "^OpenSSL"
OpenSSLDie
OpenSSL 1.0.2n 7 Dec 2017
strings libcrypto.so | grep "^OpenSSL"
OpenSSLDie
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
OpenSSL 1.0.2n 7 Dec 2017
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL DH Method
OpenSSL X9.42 DH method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
OpenSSL 'dlfcn' shared library method
OpenSSL default
OpenSSL default user interface
OpenSSL CMAC method
I also wanted to use OpenSSL on Windows 10. An easy way to do it without running into the risk of installing unknown software from 3rd party websites and risking viruses, is by using the openssl.exe that comes inside your Git for Windows installation. In my case, I found the OpenSSL executable in the following location of the Git for Windows installation.
C:\Program Files\Git\usr\bin\openssl.exe
If you also want instructions on how to use OpenSSL to generate and use certificates, here is a write-up on my blog. The step by step instructions first explain how to use Microsoft Windows Default Tool and also OpenSSL and explains the difference between them.
If you have chocolatey installed you can install openssl via a single command i.e.
choco install openssl